Webterminal: Added SSL support with existing LE certificates. #130
FULLCHAIN=$(find "$CERTDIR" -type f | grep fullchain) | ||
PRIVKEY=$(find "$CERTDIR" -type f | grep privkey) | ||
DOMAIN=$(ls "$CERTDIR") | ||
cat $FULLCHAIN $PRIVKEY > /var/lib/shellinabox/certificate-"$DOMAIN".pem |
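Review bot: `DOMAIN=$(ls "$CERTDIR")` and the `find "$CERTDIR" -type f | grep fullchain` / `grep privkey` lookups only work when `$CERTDIR` holds exactly one entry and exactly one matching file; if it contains more than one domain directory, or more than one path with "fullchain" in its name, `DOMAIN` becomes a multi-word string and `cat` receives several paths, producing a bundle file with a mangled name or mixed contents. Suggest deriving the domain from the path itself (for example `DOMAIN=$(basename "$CERTDIR")`) and matching on the exact file name (`find "$CERTDIR" -name fullchain.pem`), then aborting with an error if either variable is empty or contains more than one line before the `cat` runs.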
Double quote to prevent globbing and word splitting.
PRIVKEY=$(find "$CERTDIR" -type f | grep privkey) | ||
DOMAIN=$(ls "$CERTDIR") | ||
echo "Merging files and adding to correct dir..." | ||
cat $FULLCHAIN $PRIVKEY > /var/lib/shellinabox/certificate-"$DOMAIN".pem |
Double quote to prevent globbing and word splitting.
@juan11perez Can you test this with your certificates generated with the certbot?
Question is if we want to copy the certificate or if you should try to link the certificate instead.
docs/webterminal.md
Outdated
#### Notes for SSL | ||
If you enable the use of existing Let's Encrypt certificates you need to open ports in your firewall to use them. | ||
If SSL is used the panel_iframe has to use your domain. |
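Review bot: the "Notes for SSL" paragraph tells the user to open ports in the firewall but does not say which port(s) the web terminal listens on once SSL is enabled, so the reader cannot act on it; name the port the suite configures. The `panel_iframe` sentence should also give the reason, namely that the Let's Encrypt certificate is issued for the domain name, so the browser will reject the connection if the iframe points at a bare IP address or a different host name.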
Use the same domain.
FULLCHAIN=$(find "$CERTDIR" -type f | grep fullchain) | ||
PRIVKEY=$(find "$CERTDIR" -type f | grep privkey) | ||
DOMAIN=$(ls "$CERTDIR") | ||
cat "$FULLCHAIN" "$PRIVKEY" > /var/lib/shellinabox/certificate-"$DOMAIN".pem |
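Review bot: the bundle written by `cat "$FULLCHAIN" "$PRIVKEY" > /var/lib/shellinabox/certificate-"$DOMAIN".pem` contains the private key but is created with whatever umask the caller has, so it can end up readable by other local users; set `umask 077` before the redirect (or `chmod 600` the result) and write to a temporary file followed by `mv`, so that a failed or interrupted `cat` never leaves a truncated bundle in place for shellinabox to load. The preceding lines still have no check that `$FULLCHAIN` and `$PRIVKEY` are non-empty, so a missing input silently produces a half-empty bundle.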
Doing it this way would not link the cert but only "copy" it. Preferable would be to create a symlink to the certificate so that it's linked to the used certificate.
In every guide I have found, and in my own testing, the cert file used for shellinabox has to include both the certificate and the privkey. Is it possible to merge with linking?
I missed that. That would require some strange magic.
Most likely this will stop working as soon as the certificate expires. If you're ok with that then we can merge this.
Could you add to the update function to update the certificate if it's there?
I hope not :( that defeats the purpose of the separate webterminalhelper.sh script..
Shouldn't this update the cert for shellinabox at 1AM every night?
Looking at the timestamp after running the file, it looks like that would work.
I can add a note about running that file in the docs?
"Could you add to the update function to update the certificate if it's there?"
Do you mean the update for dehydrated with the DuckDNS script? Then no, that will result in certbot certs not being updated.
If this was not what you meant, enlighten me :D
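The thread above settles on copying the merged chain plus key into a bundle for shellinabox and re-running that step nightly so renewals are picked up. The script below is an added example, not code from the hassbian-scripts PR or the webterminalhelper.sh it discusses; it shows what a re-runnable merge step looks like when it also handles the failure modes a reviewer would ask about: deriving the domain from the directory path instead of parsing `ls`, refusing to run when either input is missing, writing the key-bearing bundle with mode 600 via a temporary file, and leaving the bundle untouched when nothing changed. It assumes `CERTDIR` is a single Let's Encrypt `live/<domain>` directory containing `fullchain.pem` and `privkey.pem` (possibly as symlinks) and that `OUTDIR` is writable; the names `merge_le_cert` and `demo_merge` are the example's own.

```shell
#!/bin/sh
# Added example (not from the hassbian-scripts PR): a re-runnable merge step for
# shellinabox, which needs one PEM holding both the chain and the private key.
# Assumptions: CERTDIR is one Let's Encrypt live/<domain> directory with
# fullchain.pem and privkey.pem (symlinks allowed); OUTDIR is writable.

# merge_le_cert CERTDIR OUTDIR
# Prints the path of the merged bundle; returns non-zero if inputs are unusable.
merge_le_cert() {
    certdir=$1
    outdir=$2
    # Take the domain from the directory path rather than from `ls` output,
    # which breaks as soon as the parent directory holds more than one entry.
    domain=$(basename "$certdir")
    fullchain="$certdir/fullchain.pem"
    privkey="$certdir/privkey.pem"
    # -f follows symlinks, so certbot's live/ layout (symlinks into archive/) works.
    if [ ! -f "$fullchain" ] || [ ! -f "$privkey" ]; then
        echo "merge_le_cert: fullchain.pem or privkey.pem missing in $certdir" >&2
        return 1
    fi
    target="$outdir/certificate-$domain.pem"
    # Build the bundle in a private temp file: it carries the private key, so it
    # must never be readable by other users, not even for a moment.
    tmp="$target.tmp.$$"
    ( umask 077 && cat "$fullchain" "$privkey" > "$tmp" ) || return 1
    # When run again after a renewal, replace the bundle only if it changed;
    # an unchanged bundle keeps its timestamp, so "did it update?" stays answerable.
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
    else
        chmod 600 "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    fi
    printf '%s\n' "$target"
}

# Self-check with constructed placeholder PEM files (not real key material).
demo_merge() {
    work=$(mktemp -d)
    mkdir -p "$work/live/example.test" "$work/out"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
        > "$work/live/example.test/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' \
        > "$work/live/example.test/privkey.pem"
    merge_le_cert "$work/live/example.test" "$work/out"
}
```

Run `demo_merge` to see the bundle path it produced; in a real deployment the call would be `merge_le_cert /etc/letsencrypt/live/<your domain> /var/lib/shellinabox` from a nightly job, after certbot's renewal has run. The second invocation after an unchanged renewal is a no-op, which is exactly the property the "update the certificate if it's there" question in the thread is after.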
I missed that part of the webterminalhelper.sh script.
This looks great now!
Looks good to me.
Ready to merge? If so remove the WIP tag :)
I still want someone that can use certbot certs to verify this before we merge.
@ludeeus I'll pull out my Pi and test it. I still have a valid installation, I think ;-)
@juan11perez Great!
@ludeeus ok, give me about half an hour and I'll contact you in discord
Steps for testing this:
sudo hassbian-config upgrade hassbian-script && sudo hassbian-config upgrade hassbian-script-dev
Then download the new files:
sudo curl -o /opt/hassbian/suites/webterminal.sh https://raw.githubusercontent.com/ludeeus/hassbian-scripts/webterminal-ssl/package/opt/hassbian/suites/webterminal.sh && sudo curl -o /opt/hassbian/suites/files/webterminalhelper.sh https://raw.githubusercontent.com/ludeeus/hassbian-scripts/webterminal-ssl/package/opt/hassbian/suites/files/webterminalsslhelper.sh
Then run it:
sudo hassbian-config install webterminal --force
If you at an earlier time have installed webterminal, you need to change the settings for it:
@ludeeus not working. See entire process
I added my fullchain.pem and privkey.pem to a folder named
Looks good to me.
Great job!
Description:
This adds the option to use existing Let's Encrypt certificates.
Tested with:
Related issue (if applicable): Fixes #74
Checklist:
If pertinent:
/docs