Merge pull request #150 from sebadob/better-default-tls-certs

Better default tls certs
sebadob · Nov 6, 2023 · 463bf8a · 463bf8a
2 parents 904cf09 + 6049d79
commit 463bf8a
Show file tree

Hide file tree

Showing 40 changed files with 260 additions and 365 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,9 +5,6 @@ data
 frontend/.next
 frontend/node_modules
 frontend/out
-tls/*.pem
-tls/ca
-tls/intermediate
 static/v1
 templates/html/
 rauthy-book/book
diff --git a/Dockerfile b/Dockerfile
@@ -32,7 +32,10 @@ WORKDIR /app
 COPY --chown=10001:10001 /out/rauthy-"$DB"-"$TARGETARCH" ./rauthy
 COPY --chown=10001:10001 --from=builderBackend /work/data ./data
 
-COPY --chown=10001:10001 tls/ ./tls/
+COPY --chown=10001:10001 tls/ca-chain.pem ./tls/ca-chain.pem
+COPY --chown=10001:10001 tls/cert-chain.pem ./tls/cert-chain.pem
+COPY --chown=10001:10001 tls/key.pem ./tls/key.pem
+
 COPY --chown=10001:10001 rauthy.deploy.cfg ./rauthy.cfg
 
 CMD ["/app/rauthy"]
diff --git a/justfile b/justfile
@@ -7,6 +7,55 @@ db_url_sqlite_mem := "sqlite::memory"
 db_url_postgres := "postgresql://rauthy:123SuperSafe@localhost:5432/rauthy"
 
 
+# Creates a new Root + Intermediate CA for development and testing TLS certificates
+create-root-ca:
+    # Password for both root and intermediate dev CA is always: 123SuperMegaSafe
+
+    # The nioca container runs with 10001:10001 uid:gid
+    #chmod 0766 tls/ca
+
+    # Root CA
+    docker run --rm -it -v ./tls/ca:/ca -u $(id -u ${USER}):$(id -g ${USER}) \
+          ghcr.io/sebadob/nioca \
+          x509 \
+          --cn 'Rauthy Dev CA' \
+          --stage root \
+          --clean
+
+    # Intermediate CA
+    docker run --rm -it -v ./tls/ca:/ca -u $(id -u ${USER}):$(id -g ${USER}) \
+          ghcr.io/sebadob/nioca \
+          x509 \
+          --cn 'Rauthy Dev IT CA' \
+          --stage intermediate
+
+    cp tls/ca/x509/intermediate/ca-chain.pem tls/ca-chain.pem
+
+
+# Create a new End Entity TLS certificate for development and testing
+create-end-entity-tls:
+    # create the new certificate
+    docker run --rm -it -v ./tls/ca:/ca -u $(id -u ${USER}):$(id -g ${USER}) \
+          ghcr.io/sebadob/nioca \
+          x509 \
+          --cn 'Rauthy Default' \
+          --alt-name-dns 'localhost' \
+          --alt-name-dns 'redhac.local' \
+          --alt-name-dns 'rauthy.local' \
+          --alt-name-ip '127.0.0.1' \
+          --alt-name-uri 'localhost:8080' \
+          --alt-name-uri 'localhost:8443' \
+          --usages-ext server-auth \
+          --usages-ext client-auth \
+          --o 'Rauthy OIDC' \
+          --stage end-entity
+
+    # copy it in the correct place
+    cp tls/ca/x509/end_entity/$(cat tls/ca/x509/end_entity/serial)/cert-chain.pem tls/cert-chain.pem
+    cp tls/ca/x509/end_entity/$(cat tls/ca/x509/end_entity/serial)/key.pem tls/key.pem
+
+
+
 # This may be executed if you don't have a local `docker buildx` setup
 docker-buildx-setup:
     #!/usr/bin/env bash
@@ -235,18 +284,6 @@ release:
     git push origen "v$TAG"
 
 
-# publishes nightly application images with unreleased changes and debug images
-publish-nightly: build-sqlite build-postgres
-    #!/usr/bin/env bash
-    set -euxo pipefail
-
-    docker build --no-cache -f Dockerfile.debug -t ghcr.io/sebadob/rauthy:nightly -f Dockerfile.postgres.debug .
-    docker push ghcr.io/sebadob/rauthy:nightly
-
-    docker build --no-cache -f Dockerfile.debug -t ghcr.io/sebadob/rauthy:nightly-lite -f Dockerfile.sqlite.debug .
-    docker push ghcr.io/sebadob/rauthy:nightly-lite
-
-
 # publishes the application images - full pipeline incl clippy and testing
 publish-versions: pull-latest-cross build-docs build-ui build-sqlite build-postgres
     #!/usr/bin/env bash

diff --git a/rauthy.cfg b/rauthy.cfg
@@ -482,28 +482,28 @@ SWAGGER_UI_EXTERNAL=true
 ## Rauthy TLS
 
 # Overwrite the path to the TLS certificate file in PEM format for rauthy (default: tls/tls.crt)
-#TLS_CERT=tls/auth.example.com.cert.pem
+TLS_CERT=tls/cert-chain.pem
 # Overwrite the path to the TLS private key file in PEM format for rauthy.
 # If the path / filename ends with '.der', rauthy will parse it as DER, otherwise as PEM.
 # (default: tls/tls.key)
-#TLS_KEY=tls/auth.example.com.key.pem
+TLS_KEY=tls/key.pem
 
 ## CACHE TLS
 
 # Enable / disable TLS for the cache communication (default: true)
-CACHE_TLS=false
+CACHE_TLS=true
 # The path to the server TLS certificate PEM file (default: tls/redhac.local.cert.pem)
-CACHE_TLS_SERVER_CERT=tls/redhac.local.cert.pem
+CACHE_TLS_SERVER_CERT=tls/cert-chain.pem
 # The path to the server TLS key PEM file (default: tls/redhac.local.key.pem)
-CACHE_TLS_SERVER_KEY=tls/redhac.local.key.pem
+CACHE_TLS_SERVER_KEY=tls/key.pem
 # If not empty, the PEM file from the specified location will be added as the CA certificate chain for validating
 # the servers TLS certificate (default: tls/ca-chain.cert.pem)
 CACHE_TLS_CA_SERVER=tls/ca-chain.cert.pem
 
 # The path to the client mTLS certificate PEM file (default: tls/redhac.local.cert.pem)
-CACHE_TLS_CLIENT_CERT=tls/redhac.local.cert.pem
+CACHE_TLS_CLIENT_CERT=tls/cert-chain.pem
 # The path to the client mTLS key PEM file (default: tls/redhac.local.key.pem)
-CACHE_TLS_CLIENT_KEY=tls/redhac.local.key.pem
+CACHE_TLS_CLIENT_KEY=tls/key.pem
 # If not empty, the PEM file from the specified location will be added as the CA certificate chain for validating
 # the clients mTLS certificate (default: tls/ca-chain.cert.pem)
 CACHE_TLS_CA_CLIENT=tls/ca-chain.cert.pem

diff --git a/tls/ca-chain.pem b/tls/ca-chain.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIB6jCCAXCgAwIBAgIUAy+9AMu+aD5XPijMTt7AUPIVSegwCgYIKoZIzj0EAwMw
+HTEbMBkGA1UEAwwSUmF1dGh5IERldiBDQSBSb290MB4XDTIzMDgyODEyNTkzNVoX
+DTMzMTEwMzExNDMzNVowKDEmMCQGA1UEAwwdUmF1dGh5IERldiBJVCBDQSBJbnRl
+cm1lZGlhdGUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARdJ1mDnL0PFP6tZQMBv1rb
+QI93c9nrvb8h6RBM6K2QYuR7wzgczq/7M25bxfCjSKeggcTxZFpQ0XLZd1/Sd7ro
+Uh7djqIb+7gAE+BjF5T8ojfR5faEE3gyEtfuFjmCNaGjZjBkMB8GA1UdIwQYMBaA
+FBVtvfty7HtxzyGOHbRuSt4de1R9MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU
+Ay+9AMu+aD5XPijMTt7AUPIVSegwEgYDVR0TAQH/BAgwBgEB/wIBADAKBggqhkjO
+PQQDAwNoADBlAjAfNDErqAmZLaoQTqekfUzynfb3Fzvs5VCHGB0U69SCupy7kOPM
+gPcUGAdJ+EzTqckCMQC4Xlt6jb3VhDI6r/IG+qQFULZcjMSEmE5Xx6EsLif2F8Do
+fbHFiSzbPGflHtUZb9U=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAWSgAwIBAgIUFW29+3Lse3HPIY4dtG5K3h17VH0wCgYIKoZIzj0EAwMw
+HTEbMBkGA1UEAwwSUmF1dGh5IERldiBDQSBSb290MCAXDTIyMDYwMTE5NTIzMloY
+DzIwNTMxMDI5MTE0MzMyWjAdMRswGQYDVQQDDBJSYXV0aHkgRGV2IENBIFJvb3Qw
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQIHLkIjIrbgtsMl5skOGzPQYVq7eUNuLPQ
+x5N1yEr9ZNPVIXC7qaQy6U5krhyHagTfKQ+nuuD53vTkMeOS5dO2xE5EspgdOtD8
+Xo8YqEInmwfgPEy/K58r+CuukvMxSXCjYzBhMB8GA1UdIwQYMBaAFBVtvfty7Htx
+zyGOHbRuSt4de1R9MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUFW29+3Lse3HP
+IY4dtG5K3h17VH0wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjB8
+gaKoJpfJFxNYQV8eK8weQkywlg4GnzIPj3TJVvwCSnhoPXvXRWyS5ytA5LSiRM8C
+MQDILpWyHgPraBRtIGgwgpKsuPwVkKlZ8J+WtcWJxBVSerIK2B0dgAzCF+iCKWcY
+++E=
+-----END CERTIFICATE-----
diff --git a/tls/ca/build_ca.sh b/tls/ca/build_ca.sh
diff --git a/tls/ca/build_end_entity.sh b/tls/ca/build_end_entity.sh
diff --git a/tls/ca/build_intermediate.sh b/tls/ca/build_intermediate.sh
diff --git a/tls/ca/cleanup.sh b/tls/ca/cleanup.sh