268 lines
No EOL
6.7 KiB
Text
268 lines
No EOL
6.7 KiB
Text
====== SSL ======
|
|
|
|
Be your own SSL Certificate Authority.
|
|
|
|
This tutorial is based on the domain ''nextcloud.home''. So change the domain to your specific domain.
|
|
|
|
It is also important that the domain address gets redirected from your router or use [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]. This can also be set in the ''/etc/hosts'' file of your computer, but to reach the domain on every device, it is easier to change this directly in the router or [[/en/server/services/adguardhome#dns_rewrites|AdGuardHome]]:
|
|
|
|
<code>
|
|
nextcloud.domain SERVER-IP
|
|
</code>
|
|
|
|
|
|
===== mkcert =====
|
|
|
|
[[https://github.com/FiloSottile/mkcert|mkcert]] is a simple tool for making locally-trusted development certificates. It requires no configuration.
|
|
|
|
|
|
==== Packages ====
|
|
|
|
<code>
|
|
pacman -S nss mkcert
|
|
</code>
|
|
|
|
|
|
==== Create root certificate ====
|
|
|
|
<code>
|
|
mkcert -install
|
|
</code>
|
|
|
|
|
|
==== Create certificates for your domains ====
|
|
|
|
<code>
|
|
mkcert nextcloud.home
|
|
</code>
|
|
|
|
|
|
===== Manually =====
|
|
|
|
|
|
==== Generating the private key and root certificate ====
|
|
|
|
<code>
|
|
openssl genrsa -des3 -out rootCA.key 2048
|
|
</code>
|
|
|
|
<code>
|
|
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem
|
|
</code>
|
|
|
|
Change the following information as you wish. It appears when you view the certificate through your browser.
|
|
<code>
|
|
Country Name (2 letter code) [AU]:
|
|
State or Province Name (full name) [Some-State]:
|
|
Locality Name (eg, city) []:
|
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
|
|
Organizational Unit Name (eg, section) []:
|
|
Common Name (e.g. server FQDN or YOUR name) []:
|
|
Email Address []:
|
|
</code>
|
|
|
|
|
|
==== Creating CA-Signed certificates for your domains ====
|
|
|
|
<code>
|
|
openssl genrsa -out nextcloud.home-key.pem 2048
|
|
</code>
|
|
|
|
<code>
|
|
openssl req -new -key nextcloud.home-key.pem -out nextcloud.home.pem
|
|
</code>
|
|
|
|
<code>
|
|
nano nextcloud.home.ext
|
|
</code>
|
|
|
|
<code>
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.1 = nextcloud.home
|
|
</code>
|
|
|
|
|
|
=== Script ===
|
|
|
|
Create the file in ''nano /etc/nginx/ssl/ssl.sh''.
|
|
|
|
<code>
|
|
#!/bin/sh
|
|
|
|
if [ "$#" -ne 1 ]
|
|
then
|
|
echo "Usage: Must supply a domain"
|
|
exit 1
|
|
fi
|
|
|
|
DOMAIN=$1
|
|
|
|
openssl genrsa -out $DOMAIN-key.pem 2048
|
|
openssl req -new -key $DOMAIN-key.pem -out $DOMAIN.pem
|
|
|
|
cat > $DOMAIN.ext << EOF
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
|
subjectAltName = @alt_names
|
|
[alt_names]
|
|
DNS.1 = $DOMAIN
|
|
EOF
|
|
|
|
openssl x509 -req -in $DOMAIN.pem -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
|
|
-out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext
|
|
</code>
|
|
|
|
<code>
|
|
chmod +x ssl.sh
|
|
./ssl.sh nextcloud.home
|
|
</code>
|
|
|
|
|
|
===== Installing your root certificate on all the devices =====
|
|
|
|
You'll need to create a ''rootCA.pem'' file on every device and copy the content of ''cat rootCA.pem'' file wherever you created it in section [[#generating_the_private_key_and_root_certificate]] (manually).
|
|
|
|
If you used [[#mkcert]] just run this command ''cat $(mkcert -CAROOT)/rootCA.pem''.
|
|
|
|
|
|
==== Arch Linux ====
|
|
|
|
<code>
|
|
trust anchor --store rootCA.pem
|
|
</code>
|
|
|
|
|
|
==== Android ====
|
|
|
|
=== User trusted credentials ===
|
|
|
|
''Settings'' - ''Security'' - ''Encryption and credentials'' - ''Install a certificate''
|
|
|
|
Check under:
|
|
|
|
''Settings'' - ''Security'' - ''Trusted credentials'' - ''User''
|
|
|
|
|
|
=== System trusted credentials ===
|
|
|
|
If "User trusted credentials" is not enough and you'll need the certificate in system, follow the next lines. It needs a rooted device though:
|
|
|
|
<code>
|
|
hashed_name=`openssl x509 -inform PEM -subject_hash_old -in rootCA.pem | head -1` && cp rootCA.pem $hashed_name.0
|
|
ls $hashed_name.0
|
|
</code>
|
|
|
|
**Android 13:**
|
|
<code>
|
|
adb root
|
|
adb shell mount -o rw,remount /
|
|
adb push $hashed_name.0 /system/etc/security/cacerts/
|
|
adb shell chmod 644 /system/etc/security/cacerts/$hashed_name.0
|
|
adb shell chown root:root /system/etc/security/cacerts/$hashed_name.0
|
|
adb shell reboot
|
|
</code>
|
|
|
|
**Android 14 (this only works until a restart):**
|
|
<code>
|
|
adb root
|
|
adb shell mkdir -p -m 700 /data/local/tmp/cacerts
|
|
adb shell cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/cacerts/
|
|
adb shell mount -t tmpfs tmpfs /system/etc/security/cacerts
|
|
adb shell mv /data/local/tmp/cacerts/* /system/etc/security/cacerts/
|
|
adb push $hashed_name.0 /system/etc/security/cacerts/
|
|
adb shell chown root:root /system/etc/security/cacerts/*
|
|
adb shell chmod 644 /system/etc/security/cacerts/*
|
|
adb shell chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
|
|
adb shell
|
|
</code>
|
|
|
|
<code>
|
|
ZYGOTE_PID=$(pidof zygote || true)
|
|
ZYGOTE64_PID=$(pidof zygote64 || true)
|
|
|
|
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
|
|
if [ -n "$Z_PID" ]; then
|
|
nsenter --mount=/proc/$Z_PID/ns/mnt -- \
|
|
/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
|
|
fi
|
|
done
|
|
|
|
APP_PIDS=$(
|
|
echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
|
|
xargs -n1 ps -o 'PID' -P | \
|
|
grep -v PID
|
|
)
|
|
|
|
for PID in $APP_PIDS; do
|
|
nsenter --mount=/proc/$PID/ns/mnt -- \
|
|
/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
|
|
done
|
|
</code>
|
|
|
|
You can also use the Magisk module [[https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases|MagiskTrustUserCerts]] (Android 13) or [[https://github.com/nccgroup/ConscryptTrustUserCerts|ConscryptTrustUserCerts]] (Android 14) which does basically the same as above.
|
|
|
|
|
|
=== Use third party CA certificates for firefox ===
|
|
|
|
You might want to ''Use third party CA certificates'' for Firefox browser:
|
|
|
|
- Open your browser and scroll to the bottom and click About firefox/iceraven/mull ...
|
|
- Click several times on the logo and go back
|
|
- Click on secret settings and enable ''Use third party CA certificates''
|
|
|
|
|
|
===== Nginx =====
|
|
|
|
Check also [[/en/server/services/nginx]]
|
|
|
|
|
|
==== ssl-params.conf ====
|
|
|
|
<code>
|
|
nano /etc/nginx/conf.d/ssl-params.conf
|
|
</code>
|
|
|
|
<code>
|
|
ssl_protocols TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_session_cache shared:SSL:10m;
|
|
</code>
|
|
|
|
|
|
==== example ====
|
|
|
|
<code>
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name nextcloud.home;
|
|
|
|
# enforce https
|
|
return 301 https://$server_name:443$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name nextcloud.home;
|
|
|
|
ssl_certificate /etc/nginx/ssl/nextcloud.home.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/nextcloud.home-key.pem;
|
|
include conf.d/ssl-params.conf;
|
|
|
|
access_log /var/log/nginx/nextcloud.home_access_log;
|
|
error_log /var/log/nginx/nextcloud.home-error_log;
|
|
|
|
location / {
|
|
your things;
|
|
}
|
|
}
|
|
</code> |