From 8d5b2881f81ec1eaec18ca1ea57bbac28eb7c7ba Mon Sep 17 00:00:00 2001
From: nightwing
Date: Sat, 15 Apr 2017 19:00:43 +0400
Subject: [PATCH 1/3] add https support to allow using service worker
---
 configs/standalone.js | 12 ++++++-
 scripts/create-cert.sh | 78 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 scripts/create-cert.sh
diff --git a/configs/standalone.js b/configs/standalone.js
index 2643e04b..31b33d68 100644
--- a/configs/standalone.js
+++ b/configs/standalone.js
@@ -107,13 +107,23 @@ module.exports = function(config, optimist) {
 console.log("or use -a username:password to setup HTTP authentication\n");
 }
+ if (argv.secure) {
+ var certPath = path.isAbsolute(argv.secure) ? argv.secure : path.join(__dirname, "..", argv.secure);
+ var key = require("fs").readFileSync(certPath , "utf8");
+ config.secure = {
+ key: key.match(/^(-+BEGIN RSA PRIVATE KEY[\s\S]*END RSA PRIVATE KEY-+)/m)[0],
+ cert: key.match(/^(-+BEGIN CERTIFICATE[\s\S]*END CERTIFICATE-+)/m)[0],
+ };
+ }
+
 var plugins = [
 {
 packagePath: "connect-architect/connect",
 port: port,
 host: host,
 websocket: true,
- showRealIP: !config.mode
+ showRealIP: !config.mode,
+ secure: config.secure,
 },
 {
 packagePath: "connect-architect/connect.basicauth",
diff --git a/scripts/create-cert.sh b/scripts/create-cert.sh
new file mode 100644
index 00000000..5924f437
--- /dev/null
+++ b/scripts/create-cert.sh
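Review bot: The `key.match(...)[0]` expressions on the `key:` and `cert:` lines throw a bare TypeError when the file lacks one of the blocks, and the key pattern accepts only the PKCS#1 `BEGIN RSA PRIVATE KEY` label, so a PEM carrying a PKCS#8 `BEGIN PRIVATE KEY` (which newer OpenSSL releases emit by default, as far as I know) or an EC key is rejected with no indication of why. Node's TLS layer accepts either PEM form, so the match should tolerate both and fail with an error that names the file. The option also deserves a comment where it is read, e.g. `// secure: path to a PEM file holding both the private key and the certificate (as written by scripts/create-cert.sh)`. The enclosing `module.exports = function(config, optimist)` starts and ends outside the hunk.
```javascript
    if (argv.secure) {
        var certPath = path.isAbsolute(argv.secure) ? argv.secure : path.join(__dirname, "..", argv.secure);
        var pem = require("fs").readFileSync(certPath, "utf8");
        // Accept PKCS#1 ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY") and EC PEM labels.
        var keyMatch = pem.match(/^(-+BEGIN (?:RSA |EC )?PRIVATE KEY-+[\s\S]*?END (?:RSA |EC )?PRIVATE KEY-+)/m);
        var certMatch = pem.match(/^(-+BEGIN CERTIFICATE-+[\s\S]*?END CERTIFICATE-+)/m);
        if (!keyMatch || !certMatch)
            throw new Error("secure: " + certPath + " must contain a PEM private key and a certificate");
        config.secure = { key: keyMatch[0], cert: certMatch[0] };
    }
```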
@@ -0,0 +1,78 @@
+#!/bin/bash
+set -e
+
+# http://apetec.com/support/GenerateSAN-CSR.htm
+# http://chschneider.eu/linux/server/openssl.shtml
+
+DOMAIN=$1
+IP=$2
+if [ -z "$DOMAIN" ]; then DOMAIN=c9.dev; fi
+if [ -z "$IP" ]; then IP=127.0.0.1; fi
+
+if [[ "$DOMAIN" =~ [/[:space:]] ]]; then echo "Invalid domain name $DOMAIN"; exit 1; fi
+
+FQDN="
+IP.1 = $IP
+DNS.1 = $DOMAIN
+DNS.2 = *.$DOMAIN
+"
+
+CRT_NAME=$DOMAIN
+
+echo creating certificates for $FQDN at CRT_NAME
+
+mkdir -p tmp
+pushd tmp
+echo '
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+commonName = Internet Widgits Ltd
+commonName_max = 64
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+'"$FQDN" > openssl.cnf
+
+# Generate a private key
+openssl genrsa -out $CRT_NAME.key 2048
+# Create the CSR file
+openssl req -new -out $CRT_NAME.csr -key $CRT_NAME.key -config openssl.cnf \
+ -subj "/C=NL/ST=Noord-Holland/L=Amsterdam/OU=ACME Self Signed CA"
+
+# check
+# openssl req -text -noout -in $CRT_NAME.csr
+
+# Self-sign and create the certificate:
+openssl x509 -req -days 3650 -in $CRT_NAME.csr -signkey $CRT_NAME.key\
+ -out $CRT_NAME.crt -extensions v3_req -extfile openssl.cnf
+
+cat $CRT_NAME.crt > $CRT_NAME.pem
+cat $CRT_NAME.key >> $CRT_NAME.pem
+
+mv $CRT_NAME.pem ../$CRT_NAME.pem
+mv $CRT_NAME.crt ../$CRT_NAME.crt
+popd
+rm -r tmp
+
+echo '
+To add the custom cerificate:
+On Windows run
+ cmd.exe /c "certmgr.msc" # to see installed certificates
+ certutil -addstore "Root" '"$CRT_NAME"'.crt # to add certificate to root
+On Mac
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain '"$CRT_NAME"'.crt
+On Linux
+ TODO
+
+For older versions of firefox set
+ pref("security.enterprise_roots.enabled", true);
+'
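Review bot: The private key written by `openssl genrsa -out $CRT_NAME.key 2048`, and the `$CRT_NAME.pem` it is concatenated into, are created under the caller's umask and so are typically world-readable, while the closing instructions ask the user to install the matching certificate as a trusted root — anyone able to read that file can then present a valid certificate for `$DOMAIN` and `*.$DOMAIN` to that machine. Put `umask 077` directly after `set -e` so the key, CSR and .pem are owner-only, and state in the header comment that `$CRT_NAME.pem` contains the private key and must not be committed or shared. Separately, `echo creating certificates for $FQDN at CRT_NAME` prints the literal word `CRT_NAME`; it should be `echo "creating certificates for $FQDN at $CRT_NAME"`.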
From 1c33465119ba05153a23f33543d6286c25839ee3 Mon Sep 17 00:00:00 2001
From: nightwing
Date: Fri, 21 Apr 2017 13:52:30 +0400
Subject: [PATCH 2/3] cleanup
---
 scripts/create-cert.sh | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/scripts/create-cert.sh b/scripts/create-cert.sh
index 5924f437..ea3cad01 100644
--- a/scripts/create-cert.sh
+++ b/scripts/create-cert.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -eo pipefail
 # http://apetec.com/support/GenerateSAN-CSR.htm
 # http://chschneider.eu/linux/server/openssl.shtml
@@ -22,7 +22,7 @@ CRT_NAME=$DOMAIN
 echo creating certificates for $FQDN at CRT_NAME
 mkdir -p tmp
-pushd tmp
+
 echo '
 [req]
 distinguished_name = req_distinguished_name
@@ -40,34 +40,34 @@ extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
-'"$FQDN" > openssl.cnf
+'"$FQDN" > tmp/openssl.cnf
 # Generate a private key
-openssl genrsa -out $CRT_NAME.key 2048
+openssl genrsa -out tmp/$CRT_NAME.key 2048
 # Create the CSR file
-openssl req -new -out $CRT_NAME.csr -key $CRT_NAME.key -config openssl.cnf \
+openssl req -new -out tmp/$CRT_NAME.csr -key tmp/$CRT_NAME.key -config tmp/openssl.cnf \
 -subj "/C=NL/ST=Noord-Holland/L=Amsterdam/OU=ACME Self Signed CA"
 # check
 # openssl req -text -noout -in $CRT_NAME.csr
 # Self-sign and create the certificate:
-openssl x509 -req -days 3650 -in $CRT_NAME.csr -signkey $CRT_NAME.key\
- -out $CRT_NAME.crt -extensions v3_req -extfile openssl.cnf
+openssl x509 -req -days 3650 -in tmp/$CRT_NAME.csr -signkey tmp/$CRT_NAME.key\
+ -out tmp/$CRT_NAME.crt -extensions v3_req -extfile tmp/openssl.cnf
-cat $CRT_NAME.crt > $CRT_NAME.pem
-cat $CRT_NAME.key >> $CRT_NAME.pem
+cat tmp/$CRT_NAME.crt > tmp/$CRT_NAME.pem
+cat tmp/$CRT_NAME.key >> tmp/$CRT_NAME.pem
+
+mv tmp/$CRT_NAME.pem ./$CRT_NAME.pem
+mv tmp/$CRT_NAME.crt ./$CRT_NAME.crt
-mv $CRT_NAME.pem ../$CRT_NAME.pem
-mv $CRT_NAME.crt ../$CRT_NAME.crt
-popd
 rm -r tmp
 echo '
 To add the custom cerificate:
 On Windows run
- cmd.exe /c "certmgr.msc" # to see installed certificates
 certutil -addstore "Root" '"$CRT_NAME"'.crt # to add certificate to root
+ cmd.exe /c "certmgr.msc" # to see installed certificates
 On Mac
 sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain '"$CRT_NAME"'.crt
 On Linux
From bbf4fb5b129a2617fc6ea6d7cb70a1024b3bfe4c Mon Sep 17 00:00:00 2001
From: Harutyun Amirjanyan
Date: Wed, 26 Apr 2017 19:51:00 +0400
Subject: [PATCH 3/3] found the correct incantation
---
 scripts/create-cert.sh | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/scripts/create-cert.sh b/scripts/create-cert.sh
index ea3cad01..7ed081e1 100644
--- a/scripts/create-cert.sh
+++ b/scripts/create-cert.sh
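Review bot: The work directory is still a fixed `tmp` under the current directory (`mkdir -p tmp` in the previous hunk, `tmp/…` on every rewritten line here) and the context line `rm -r tmp` removes it whether or not it existed before the run, so invoking the script from a directory that already has a `tmp` folder deletes that folder's contents, and an abort under `-e` part-way through leaves the freshly generated key lying in it. Use a private directory that is cleaned up on every exit: `WORK=$(mktemp -d)` after `set -eo pipefail` and `trap 'rm -rf "$WORK"' EXIT`, then replace each `tmp/` in this hunk with `"$WORK"/` and drop `mkdir -p tmp` and `rm -r tmp`. `mktemp -d` also creates the directory with mode 0700, which keeps the intermediate key file private without depending on the caller's umask.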
@@ -1,15 +1,16 @@
 #!/bin/bash
-set -eo pipefail
+set -euo pipefail
 # http://apetec.com/support/GenerateSAN-CSR.htm
 # http://chschneider.eu/linux/server/openssl.shtml
-DOMAIN=$1
-IP=$2
-if [ -z "$DOMAIN" ]; then DOMAIN=c9.dev; fi
-if [ -z "$IP" ]; then IP=127.0.0.1; fi
+DOMAIN=${1:-c9.dev}
+IP=${2:-127.0.0.1}
-if [[ "$DOMAIN" =~ [/[:space:]] ]]; then echo "Invalid domain name $DOMAIN"; exit 1; fi
+if [[ "$DOMAIN$IP" =~ [/[:space:]] ]]; then
+ echo "$DOMAIN and $IP can't contain special character";
+ exit 1;
+fi
 FQDN="
 IP.1 = $IP