From 7a4df66f5016c67beed8bfd75ee691505c686fee Mon Sep 17 00:00:00 2001
From: openoms
Date: Sun, 22 Sep 2019 00:17:41 +0100
Subject: [PATCH] elecrs: change to self signed SSL certificate
---
 ..._Nginx_and_Certbot_for_SSL.sh => 3_SSL.sh} | 117 +++++++-----------
 electrs/certbot.sh | 84 +++++++++++++
 2 files changed, 126 insertions(+), 75 deletions(-)
 rename electrs/{3_Nginx_and_Certbot_for_SSL.sh => 3_SSL.sh} (51%)
 create mode 100644 electrs/certbot.sh
diff --git a/electrs/3_Nginx_and_Certbot_for_SSL.sh b/electrs/3_SSL.sh
similarity index 51%
rename from electrs/3_Nginx_and_Certbot_for_SSL.sh
rename to electrs/3_SSL.sh
index ab13bb3..1a0a376 100644
--- a/electrs/3_Nginx_and_Certbot_for_SSL.sh
+++ b/electrs/3_SSL.sh
@@ -4,27 +4,6 @@
 # To download and run:
 # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh
-# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
-# Need to forward port 80 to the IP of your RaspiBlitz for certbot
-# Forward port 50002 to be able to access you electrs from outside of your LAN
-
-# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
-
-echo ""
-echo "***"
-echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
-read YOUR_DOMAIN
-
-echo ""
-echo "***"
-echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
-read YOUR_EMAIL
-
-echo ""
-echo "***"
-echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]"
-read key
-
 echo ""
 echo "***"
 echo "installing Nginx"
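Review bot: The download instruction kept as context, `# $ wget .../electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh`, still names the old file although this commit renames it to 3_SSL.sh, so a reader following the comment fetches and runs the pre-rename certbot version instead of the self-signed one. It should read `# $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_SSL.sh && bash 3_SSL.sh`. Since the comment has users execute a freshly downloaded script with sudo-capable privileges, adding `# Read the script before running it` next to it would also be appropriate.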
@@ -34,70 +13,58 @@ echo ""
 sudo apt-get install -y nginx
 sudo /etc/init.d/nginx start
-echo "allow port 80 on ufw"
-sudo ufw allow 80
-
-# https://certbot.eff.org/lets-encrypt/debianother-nginx
 echo ""
 echo "***"
-echo "Installing certbot"
-echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
-echo "Use the default settings in the other options"
+echo "Create a self signed SSL certificate"
 echo "***"
 echo ""
-#wget https://dl.eff.org/certbot-auto
-#chmod +x certbot-auto
-#sudo ./certbot-auto --nginx
-
-sudo apt install -y certbot
-# get SSL cert
-sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
-
-
-# Your certificate and chain have been saved at:
-# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
-# Your key file has been saved at:
-# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
-
-echo ""
-echo "***"
-echo "Setting up certbot-auto renewal service"
-echo "***"
-echo ""
+#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
 echo "
-[Unit]
-Description=Certbot-auto renewal service
+[req]
+prompt=no
+default_bits = 2048
+default_keyfile = localhost.key
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+x509_extensions = v3_ca
-[Timer]
-OnBootSec=20min
-OnCalendar=*-*-* 4:00:00
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = US
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = New York
+localityName = Locality Name (eg, city)
+localityName_default = Rochester
+organizationName = Organization Name (eg, company)
+organizationName_default = localhost
+organizationalUnitName = organizationalunit
+organizationalUnitName_default = Development
+commonName = Common Name (e.g. 
server FQDN or YOUR name)
+commonName_default = localhost
+commonName_max = 64
-[Install]
-WantedBy=timers.target
-" | sudo tee -a /etc/systemd/system/certbot.timer
+[req_ext]
+subjectAltName = @alt_names
-echo "
-[Unit]
-Description=Certbot-auto renewal service
-After=bitcoind.service
+[v3_ca]
+subjectAltName = @alt_names
-[Service]
-WorkingDirectory=/home/admin/
-ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
+[alt_names]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+" | sudo tee /mnt/hdd/electrs/localhost.conf
-User=admin
-Group=admin
-Type=simple
-KillMode=process
-TimeoutSec=60
-Restart=always
-RestartSec=60
-" | sudo tee -a /etc/systemd/system/certbot.service
+cd /mnt/hdd/electrs
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
-sudo systemctl enable certbot.timer
+sudo cp localhost.crt /etc/ssl/certs/localhost.crt
+sudo cp localhost.key /etc/ssl/private/localhost.key
+echo ""
+echo "***"
 echo "Setting up nginx.conf"
 echo "***"
 echo ""
@@ -119,8 +86,8 @@ stream {
 server {
 listen 50002 ssl;
 proxy_pass electrs;
- ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
+ ssl_certificate /etc/ssl/certs/localhost.crt;
+ ssl_certificate_key /etc/ssl/private/localhost.key;
 ssl_session_cache shared:SSL-electrs:1m;
 ssl_session_timeout 4h;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@@ -138,8 +105,8 @@ stream {
 server {
 listen 50002 ssl;
 proxy_pass electrs;
- ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
+ ssl_certificate /etc/ssl/certs/localhost.crt;
+ ssl_certificate_key /etc/ssl/private/localhost.key;
 ssl_session_cache shared:SSL-electrs:1m;
 ssl_session_timeout 4h;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
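Review bot: The OpenSSL config written to localhost.conf sets `prompt=no` but keeps prompt-style entries in `[req_distinguished_name]`; in that mode the `*_default` and `*_max` keys are ignored and each `name = value` line is taken as the literal field value, so `countryName = Country Name (2 letter code)` becomes a 28-character C= field, which OpenSSL rejects against the 2-character limit for countryName, `openssl req` exits without writing localhost.key/localhost.crt, and the unchecked `cp` lines plus the nginx config then point at files that do not exist. The fields should be literal values (`C = US`, `CN = localhost`, ...), and in `[alt_names]` the entry `DNS.2 = 127.0.0.1` should be `IP.1 = 127.0.0.1`, since an IP address does not belong in a dNSName. The private key is also generated in /mnt/hdd/electrs and then copied into /etc/ssl/private, leaving a second copy of the key in the electrs data directory; writing it straight to `/etc/ssl/private/localhost.key` and applying `chmod 600` keeps it in one root-only place. Finally, `-days 365` drops the certbot renewal path without replacing it, so a comment such as `# self-signed certificate is valid for 365 days - re-run this section to renew` (or a longer validity) would make the expiry visible to operators.
```shell
[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = localhost
OU = Development
CN = localhost

# … unchanged: [req_ext] and [v3_ca] sections …

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
" | sudo tee /mnt/hdd/electrs/localhost.conf

cd /mnt/hdd/electrs || exit 1
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt -config localhost.conf
sudo chmod 600 /etc/ssl/private/localhost.key
```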
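Review bot: The certificate swap in this hunk leaves the surrounding `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in place, so the `listen 50002 ssl;` stream server still negotiates TLS 1.0 and 1.1, both deprecated (RFC 8996); since the hunk is already editing this server block's TLS settings, it is the natural place to change it to `ssl_protocols TLSv1.2;` (adding TLSv1.3 if the installed nginx/OpenSSL support it). This is pre-existing rather than introduced by the commit, and the same lines appear again in the following hunk. The enclosing `stream {` block begins and ends outside the hunk.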
diff --git a/electrs/certbot.sh b/electrs/certbot.sh
new file mode 100644
index 0000000..4e3fd25
--- /dev/null
+++ b/electrs/certbot.sh
@@ -0,0 +1,84 @@
+# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
+# Need to forward port 80 to the IP of your RaspiBlitz for certbot
+# Forward port 50002 to be able to access you electrs from outside of your LAN
+
+# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
+
+echo ""
+echo "***"
+echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
+read YOUR_DOMAIN
+
+echo ""
+echo "***"
+echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
+read YOUR_EMAIL
+
+echo ""
+echo "***"
+echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]"
+read key
+
+echo "allow port 80 on ufw"
+sudo ufw allow 80
+
+# https://certbot.eff.org/lets-encrypt/debianother-nginx
+echo ""
+echo "***"
+echo "Installing certbot"
+echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
+echo "Use the default settings in the other options"
+echo "***"
+echo ""
+
+#wget https://dl.eff.org/certbot-auto
+#chmod +x certbot-auto
+#sudo ./certbot-auto --nginx
+
+sudo apt install -y certbot
+# get SSL cert
+sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
+
+
+# Your certificate and chain have been saved at:
+# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
+# Your key file has been saved at:
+# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
+
+echo ""
+echo "***"
+echo "Setting up certbot-auto renewal service"
+echo "***"
+echo ""
+
+echo "
+[Unit]
+Description=Certbot-auto renewal service
+
+[Timer]
+OnBootSec=20min
+OnCalendar=*-*-* 4:00:00
+
+[Install]
+WantedBy=timers.target
+" | sudo tee -a /etc/systemd/system/certbot.timer
+
+echo "
+[Unit]
+Description=Certbot-auto renewal service
+After=bitcoind.service
+
+[Service]
+WorkingDirectory=/home/admin/
+ExecStart=sudo certbot renew 
--pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
+
+User=admin
+Group=admin
+Type=simple
+KillMode=process
+TimeoutSec=60
+Restart=always
+RestartSec=60
+" | sudo tee -a /etc/systemd/system/certbot.service
+
+sudo systemctl enable certbot.timer
\ No newline at end of file
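Review bot: The `[Service]` section written to certbot.service combines `Type=simple`, `Restart=always` and `RestartSec=60`, so once the timer fires systemd re-runs `certbot renew` every minute indefinitely, and every run executes `--pre-hook \"service nginx stop\"`, which takes the electrs TLS endpoint down about once a minute and polls Let's Encrypt far more often than its rate limits tolerate. A timer-driven job should be `Type=oneshot` with no `Restart=`; `ExecStart=sudo certbot renew` combined with `User=admin` should simply run certbot as root from the unit, and `tee -a` should be `tee` so re-running the script does not append a second copy of each unit. Separately, `read YOUR_DOMAIN` and `read YOUR_EMAIL` are expanded unquoted on the certbot command line; `read -r` plus `-m "$YOUR_EMAIL" ... -d "$YOUR_DOMAIN"` keeps a stray space or glob character from splitting into extra arguments. The file also has no shebang, so the bash-specific behaviour it relies on depends on how it is invoked.
```shell
# … unchanged: prompts, ufw rule, certbot install, certbot.timer …
echo "
[Unit]
Description=Certbot-auto renewal service
After=bitcoind.service

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
" | sudo tee /etc/systemd/system/certbot.service

sudo systemctl enable certbot.timer
```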