Add Let's Encrypt Support #1257
This is an RFC for a feature idea. Tl;dr I'd like to add Let's Encrypt support to Gophish.
How Certificates Are Handled Right Now
When Gophish is started, two webservers are created: a phishing server and an admin server. By default, Gophish configures the admin server to use a self-signed certificate that is created when the server first starts. The phishing server is started with TLS disabled, since having phishing pages served using a self-signed certificate is less-than-ideal.
If a user obtained a key/certificate from a trusted CA, Gophish allows these to be specified in the config.json and they'll be used on the server. More information can be found in our documentation.
The way things are set up now works, but there are a couple of problems:
Introducing Let's Encrypt
Let's Encrypt is a trusted CA sponsored by major companies to provide free TLS certificates in an automated way. Some users have manually set up Let's Encrypt for use with Gophish, which is super cool!
My goal here is to support Let's Encrypt natively. This will make it so that trusted TLS certificates are obtained and used automatically. There is an
This approach should help quite a bit, but there are some open questions I'll need to think through:
As always, I'm open to hearing any feedback on how y'all would want this to work
Should this be handled with the wildcard/SAN support in Let's Encrypt? That would let one have up to 100 domains.
The other benefit of going this route is you end up not worrying about a rate limit so much if someone hits your Gophish server with a malformed/random SNI/Host header.
This is a great question!
Unfortunately, the autocert package doesn’t support the creation of wildcard certificates. When I write up the docs, I’ll show two methods of Let’s Encrypt deployment - using it natively to get the certs or generating the certs outside of Gophish and pointing Gophish to them a la how some blogs show it done now.
The question about domains is an interesting one. One thing I’ve been strongly considering is making URLs a first class citizen in Gophish and having them be managed in the database, similar to groups or templates.
If I did this, I’d have a dynamic whitelist of valid domains. This would prevent a restart anytime a new domain was added, make it easier to type in URLs when building campaigns (since it’d be a drop-down) and still prevent Let’s Encrypt requests from being sent out for bad hostnames.
Does that sound like a reasonable approach?
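The dynamic whitelist described in the reply above, written out as an added example (this is not Gophish code, and the in-memory set standing in for the database of managed URLs is an assumption). The point it shows is the one both comments circle around: `autocert` only contacts the ACME CA for a name after the `HostPolicy` callback accepts it, so a policy that rejects anything not in the whitelist means a malformed or random SNI value fails the handshake locally and never consumes Let's Encrypt rate limit, while adding a domain at runtime needs no restart. The `HostPolicy` method has the exact signature `autocert.Manager.HostPolicy` expects (`func(context.Context, string) error`); the `autocert` wiring is left in a comment so the block compiles with the standard library alone.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// ErrHostNotAllowed is returned for any SNI name that is not whitelisted.
// Returning an error from a HostPolicy makes autocert refuse the handshake
// without contacting the ACME CA, so junk SNI values never consume rate limit.
var ErrHostNotAllowed = errors.New("acme/autocert: host not configured for this server")

// DomainWhitelist is a concurrency-safe set of hostnames that may receive
// certificates. In the design discussed above these would be the URLs stored in
// the database; holding them in memory here is an assumption for the example.
type DomainWhitelist struct {
	mu    sync.RWMutex
	hosts map[string]struct{}
}

// NewDomainWhitelist builds a whitelist pre-seeded with the given hostnames.
func NewDomainWhitelist(initial ...string) *DomainWhitelist {
	w := &DomainWhitelist{hosts: make(map[string]struct{})}
	for _, h := range initial {
		w.Add(h)
	}
	return w
}

// normalize lower-cases a name and strips surrounding whitespace and a trailing
// dot, so "Phish.Example.COM." and "phish.example.com" compare equal.
func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// Add registers a hostname at runtime (for example when a new URL is saved),
// so a new domain becomes eligible for a certificate without a restart.
func (w *DomainWhitelist) Add(host string) {
	h := normalize(host)
	if h == "" {
		return
	}
	w.mu.Lock()
	defer w.mu.Unlock()
	w.hosts[h] = struct{}{}
}

// Remove drops a hostname; later handshakes for it are refused.
func (w *DomainWhitelist) Remove(host string) {
	w.mu.Lock()
	defer w.mu.Unlock()
	delete(w.hosts, normalize(host))
}

// Contains reports whether the (normalized) hostname is whitelisted.
func (w *DomainWhitelist) Contains(host string) bool {
	w.mu.RLock()
	defer w.mu.RUnlock()
	_, ok := w.hosts[normalize(host)]
	return ok
}

// HostPolicy satisfies the autocert.HostPolicy signature, so it can be wired as:
//
//	m := &autocert.Manager{
//		Prompt:     autocert.AcceptTOS,
//		Cache:      autocert.DirCache("certs"),
//		HostPolicy: wl.HostPolicy,
//	}
//	srv.TLSConfig = &tls.Config{GetCertificate: m.GetCertificate}
//
// Unknown names are rejected before any ACME order is placed.
func (w *DomainWhitelist) HostPolicy(ctx context.Context, host string) error {
	if w.Contains(host) {
		return nil
	}
	return fmt.Errorf("%w: %q", ErrHostNotAllowed, host)
}

func main() {
	// Constructed sample hostnames; nothing here is a real deployment.
	wl := NewDomainWhitelist("phish.example.com")
	for _, name := range []string{"Phish.Example.COM.", "random.example.net"} {
		fmt.Printf("%-20s -> %v\n", name, wl.HostPolicy(context.Background(), name))
	}
	wl.Add("login.example.org") // added at runtime, no restart
	fmt.Println("login.example.org ->", wl.HostPolicy(context.Background(), "login.example.org"))
}
```

Because the same `Manager` can back the `tls.Config` of more than one listener, the admin and phishing servers can share one certificate store and one whitelist while listening on different ports, which is the arrangement the later comments settle on.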
I think that would work.
I really do like the idea of URLs becoming first class citizens. I know one of the biggest gotcha points I have with creating domains is fat fingering a URL.
The one thing this does not address is what happens with the config.json. Specifically the admin server. Should the call just be made that the admin server and the phish server will use the same certs and domains, just different ports?
Yes, this will have to be the case. I don't think it will be possible to have separate certificates for the admin and phishing servers.