From 2dbcd4a8458368983059c7dade8f052765bf8dfc Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Sat, 24 Jul 2021 01:55:13 -0600
Subject: [PATCH] fix(entrypoint): fix permissions on generated certs

- set private key to be group readable
- create chain.pem from fullchain.pem
- generate dhparams for TLS1.2
---
 build/entrypoint.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index 741b23b..667c364 100644
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@@ -22,10 +22,20 @@ certificateGenerateNew() {
     printf "\nGenerating new self-signed certificate:\n"
     # shellcheck disable=SC3028
     if [ -z "$CERT_HOSTNAME" ]; then export CERT_HOSTNAME="$HOSTNAME"; fi
+    # create placeholder files to set permissions
+    touch /certs/fullchain.pem && chmod 664 /certs/fullchain.pem
+    touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+    # generate certificate
     if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /etc/selfsigned.cnf; then
         printf "\nUnable to generate certificate. Is your 'certs' directory writable by this container?\n\n"
         exit 55
     fi
+    cp /certs/fullchain.pem /certs/chain.pem
+    # generate dh-params for TLS1.2
+    if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
+        printf "\nUnable to generate dh-params. Is you 'certs' directory writable by this container?\n\n"
+        exit 56
+    fi
     # print message to user
     printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
@@ -161,6 +171,7 @@ exit 99
 # 52: unable to read certificate/chain
 # 53: unable to read private key
 # 55: unable to generate new certificate
+# 56: unable to generate dh-params
 # 99: code error
 #EOF
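Review bot: The new chain.pem and dhparam.pem are written with whatever mode the umask yields, so the 664 the hunk deliberately sets on fullchain.pem is not applied to them, and the result of `cp` is never checked; if group access to the mounted 'certs' directory is the reason for 664, pre-create or chmod those two files the same way, e.g. `cp /certs/fullchain.pem /certs/chain.pem && chmod 664 /certs/chain.pem` and `touch /certs/dhparam.pem && chmod 664 /certs/dhparam.pem` before the dhparam call. The failure message for dhparam also has a typo: `Is your 'certs' directory` rather than `Is you 'certs' directory`. The `-dsaparam` line deserves a comment, since parameters generated that way are only safe with ephemeral keys (DHE), which is presumably the intended TLS 1.2 use: `# -dsaparam is fast to generate but only safe for ephemeral (DHE) key exchange`. The body of certificateGenerateNew continues beyond the hunk, and whether the script runs under `set -e` (which would change how the unchecked `touch`/`chmod`/`cp` failures behave) is not visible here.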