Fix SSL generation script and strengthen from 2048 bit to 4096 bit RSA (

#234)
kizniche · Apr 3, 2017 · 5d99253 · 5d99253
1 parent 01c0057
commit 5d99253
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 25 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 5.0.22 (Unreleased)
+
+### Bugfixes
+
+  - Fix SSL generation script and strengthen from 2048 bit to 4096 bit RSA ([#234](https://github.com/kizniche/mycodo/issues/234))
+
 ## 5.0.21 (2017-04-02)
 
 ### Bugfixes

diff --git a/install/mycodo_flask_apache.conf b/install/mycodo_flask_apache.conf
@@ -24,7 +24,6 @@
     SSLEngine On
     SSLCertificateFile /var/www/mycodo/mycodo/mycodo_flask/ssl_certs/cert.pem
     SSLCertificateKeyFile /var/www/mycodo/mycodo/mycodo_flask/ssl_certs/privkey.pem
-    SSLCertificateChainFile /var/www/mycodo/mycodo/mycodo_flask/ssl_certs/chain.pem
 
     <Directory /var/www/mycodo>
         WSGIProcessGroup mycodo_flask

diff --git a/mycodo/scripts/upgrade_commands.sh b/mycodo/scripts/upgrade_commands.sh
@@ -22,34 +22,25 @@ case "${1:-''}" in
         printf "\n#### Generating SSL certificates at ${INSTALL_DIRECTORY}/Mycodo/mycodo/mycodo_flask/ssl_certs (replace with your own if desired)\n"
         mkdir -p ${INSTALL_DIRECTORY}/Mycodo/mycodo/mycodo_flask/ssl_certs
         cd ${INSTALL_DIRECTORY}/Mycodo/mycodo/mycodo_flask/ssl_certs/
-        rm -f ./*.pem
-
-        openssl req \
-            -new \
-            -x509 \
-            -sha512 \
-            -days 365 \
-            -nodes \
-            -out cert.pem \
-            -keyout privkey.pem\
-            -subj "/C=US/ST=Georgia/L=Atlanta/O=mycodo/OU=mycodo/CN=mycodo"
-
-        openssl genrsa -out certificate.key 1024
-
-        openssl req \
-            -new \
-            -key certificate.key \
-            -out certificate.csr \
-            -subj "/C=US/ST=Georgia/L=Atlanta/O=mycodo/OU=mycodo/CN=mycodo"
+        rm -f ./*.pem ./*.csr ./*.crt ./*.key
 
+        openssl genrsa -out server.pass.key 4096
+        openssl rsa -in server.pass.key -out server.key
+        rm -f server.pass.key
+        openssl req -new -key server.key -out server.csr \
+            -subj "/O=mycodo/OU=mycodo/CN=mycodo"
         openssl x509 -req \
             -days 365 \
-            -in certificate.csr -CA cert.pem \
-            -CAkey privkey.pem \
-            -set_serial $RANDOM \
-            -out chain.pem
+            -in server.csr \
+            -signkey server.key \
+            -out server.crt
+
+        # Conform to current file-naming format
+        # TODO: Change to appropriate names in the future
+        ln -s server.key privkey.pem
+        ln -s server.crt cert.pem
 
-        rm -f certificate.csr certificate.key
+        chown mycodo.mycodo ${INSTALL_DIRECTORY}/Mycodo/mycodo/mycodo_flask/ssl_certs/*
     ;;
     'initialize')
         printf "\n#### Creating proper users, directories, and permissions\n"