Investigate updating turnkey-make-ssl-cert? #1023

Open
JedMeister opened this Issue Mar 8, 2018 · 7 comments

@JedMeister
Member

JedMeister commented Mar 8, 2018

Stuart noted in a comment that the turnkey-make-ssl-cert tool isn't making a proper .crt file, it's actually generating a certificate, which his CA is not accepting.

I'm not very familiar with SSL but that doesn't seem right to me.

Any ideas @Dude4Linux?

@JedMeister JedMeister added this to the 15.0 milestone Mar 8, 2018

@Dude4Linux

Member

Dude4Linux commented Mar 9, 2018

@JedMeister The turnkey-make-ssl-cert followed StartCom's instructions for preparing a request and it was the only cert supplier that I tested against. My guess is that Stuart is correct and it's not making a proper .crt file. It would take some research, but it could be fixed for 15.0.

@l-arnold


l-arnold commented Mar 10, 2018

My experience is that the CRT is not actually sent to the SSL provider. The CSR is sent to them, against which they generate the CRT.

Where would a Turnkey Generated CRT be sent to an SSL provider?

@Dude4Linux

Member

Dude4Linux commented Mar 10, 2018

@JedMeister @l-arnold is correct. turnkey-make-ssl-cert with the --csr option produces three files, a .csr certificate request, a .crt temporary certificate used while waiting, and a .key key file used to sign the other two files. I've asked Stuart to look for the .csr file and try submitting that. If he confirms that the .csr was accepted, then we can close this as works as designed.

# turnkey-make-ssl-cert -o example.com -r www.example.com
# ls
example.com.crt  example.com.csr  example.com.key

# head -1 example.com.*
==> example.com.crt <==
-----BEGIN CERTIFICATE-----

==> example.com.csr <==
-----BEGIN CERTIFICATE REQUEST-----

==> example.com.key <==
-----BEGIN PRIVATE KEY-----
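
An added example, not the turnkey-make-ssl-cert script itself (its internals are not shown in this thread): it reproduces the three-file output above with plain openssl and then checks that the .csr and the temporary .crt both carry the public key from the .key file before the CSR is handed to the CA. The config layout, 30-day validity and file names are assumptions.

```shell
#!/bin/sh
# Added example (not the turnkey-make-ssl-cert script): reproduce what the
# --csr mode described in the thread produces with plain openssl, then check
# which file is the CSR (goes to the CA) and which is the temporary
# self-signed cert (local placeholder only). Names and paths are assumptions.
set -eu

# Generate $1.key, $1.csr and a temporary self-signed $1.crt for domain $1
# with optional extra SAN $2, in directory $3.
make_cert_set() {
    domain="$1"; san="${2:-$1}"; dir="$3"
    mkdir -p "$dir"
    cnf="$dir/$domain.cnf"
    # Minimal openssl config so the CSR carries a subjectAltName extension.
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' 'prompt = no' \
        '[dn]' "CN = $domain" \
        '[v3_req]' "subjectAltName = DNS:$domain, DNS:$san" > "$cnf"
    # 2048-bit RSA key plus a CSR signed with it; the CSR is what the CA needs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
    # Temporary self-signed certificate from the same CSR, a placeholder
    # until the CA-issued one replaces it (30-day validity is an assumption).
    openssl x509 -req -days 30 -sha256 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" \
        -extfile "$cnf" -extensions v3_req 2>/dev/null
}

# Print csr, crt, key or unknown for the PEM type of file $1 (the same
# head -1 check as in the comment above).
pem_kind() {
    case "$(head -1 "$1")" in
        '-----BEGIN CERTIFICATE REQUEST-----') echo csr ;;
        '-----BEGIN CERTIFICATE-----') echo crt ;;
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN RSA PRIVATE KEY-----') echo key ;;
        *) echo unknown ;;
    esac
}

# Succeed only when the CSR and the cert both carry the public key of the
# .key file, i.e. the three files belong together and the CSR is safe to submit.
matches_key() {
    dir="$1"; domain="$2"
    k=$(openssl pkey -in "$dir/$domain.key" -pubout 2>/dev/null | openssl sha256)
    r=$(openssl req -in "$dir/$domain.csr" -pubkey -noout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/$domain.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}
```

Run `make_cert_set example.com www.example.com ./out` and submit only `out/example.com.csr` to the CA; `matches_key ./out example.com` confirms the returned certificate's CSR was made with the key you still hold.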

@JedMeister

Member Author

JedMeister commented Mar 15, 2018

Thanks @Dude4Linux & @l-arnold

My mistake! You are both correct. It was actually the CSR we needed!

The script still doesn't work quite the way I think it ideally should, but I'm not going to even look at that at this point. I imagine that most users these days would be using Let's Encrypt.

This particular scenario is on an intranet, with a local CA, which I imagine is a bit of a corner case these days.

@JedMeister JedMeister modified the milestones: 15.0, 15.1 Mar 15, 2018

@JedMeister JedMeister added feature and removed bug labels Mar 19, 2018

@JedMeister JedMeister changed the title turnkey-make-ssl-cert not making a valid .crt file?! Investigate updating turnkey-make-ssl-cert? Mar 19, 2018

@JedMeister

Member Author

JedMeister commented Mar 19, 2018

I've just changed this to feature request, as well as updating the subject. I could probably do better still, and I'm not even sure that we'll bother (now that we have Let's Encrypt) but I figured we may as well leave the issue here, for now at least.

Bottom line is, if we plan to keep it and keep using it, it should perhaps be a little more intuitive. I don't mean that as a complaint against you John. You've done a great job with it and it's served us quite well over the years. But it could probably do with some tweaking.

@Dude4Linux

Member

Dude4Linux commented Mar 20, 2018

When I wrote turnkey-make-ssl-cert, I had two goals in mind

  1. The default certs at that time were failing the security tests (too short)
  2. I was manually preparing CSRs for my proposed business, linuxgeeks.biz

For the second, I wanted an easy to use method that didn't require installing and running a CA certificate authority.

No project is ever complete, but I can think of two areas that could be improved. In the current program, certs/keys are generated and installed in /etc/ssl/.. Only the default cert.pem is installed in the applications e.g. apache, nginx, etc. The script could be improved to handle installing non-default certs into the applications, but that would take a significant effort. The second area is documentation. I looked and couldn't find anything other than the built in help. When I get home (about a month) I'd be happy to take a look at writing some usage documentation along with examples of how to use the script.

@JedMeister

Member Author

JedMeister commented Mar 22, 2018

When I get home (about a month) I'd be happy to take a look at writing some usage documentation along with examples of how to use the script.

If you feel like it John. But as I said above, I'm not sure how much it will get used these days, now that Let's Encrypt is a thing. I think it was just coincidental that 2 users recently wanted to use third party certs so this came up. As I've noted elsewhere, it was probably more my lack of understanding than a bug that caused the main issue I was having...
