From 4752c304287b6285a32eb45d77e84b31ef7f3bc9 Mon Sep 17 00:00:00 2001
From: Adam Outler
Date: Sat, 8 Jun 2024 16:44:34 +0000
Subject: [PATCH 1/3] Update Gencert with TLS1.3 compatibility
---
 scripts/kvmd-gencert | 105 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert
index 7bd95cf23..75fb3e228 100755
--- a/scripts/kvmd-gencert
+++ b/scripts/kvmd-gencert
@@ -61,3 +61,108 @@ chown "root:kvmd-$target" "$path"/*
 chmod 440 "$path/server.key"
 chmod 444 "$path/server.crt"
 chmod 755 "$path"
+#!/bin/bash
+# ========================================================================== #
+# #
+# KVMD - The main PiKVM daemon. #
+# #
+# Copyright (C) 2018-2024 Maxim Devaev #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+# ========================================================================== #
+
+set -e
+export LC_ALL=C
+
+if [ "$(whoami)" != root ]; then
+ echo "Only root can do that"
+ exit 1
+fi
+
+if [ "$1" != --do-the-thing ]; then
+ echo "This script will generate new self-signed SSL certificates for KVMD Nginx"
+ echo "and put them to /etc/kvmd/nginx/ssl. If you're sure of what you're doing,"
+ echo "append the option '--do-the-thing' to execute. You can also append --vnc"
+ echo "to generate a certificate for VNC not for Nginx."
+ exit 1
+fi
+
+target=nginx
+if [ "$2" == --vnc ]; then
+ target=vnc
+fi
+path="/etc/kvmd/$target/ssl"
+
+set -e
+
+#Read Serial Number or use default all-zeros
+if read -r serialnumber openssl.cnf <
Date: Sat, 8 Jun 2024 12:57:01 -0400
Subject: [PATCH 2/3] Fix copy error
---
 scripts/kvmd-gencert | 65 +-------------------------------------------
 1 file changed, 1 insertion(+), 64 deletions(-)
diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert
index 75fb3e228..6ce9c65e5 100755
--- a/scripts/kvmd-gencert
+++ b/scripts/kvmd-gencert
@@ -20,69 +20,6 @@ # # # ========================================================================== # - -set -e -export LC_ALL=C - -if [ "$(whoami)" != root ]; then - echo "Only root can do that" - exit 1 -fi - -if [ "$1" != --do-the-thing ]; then - echo "This script will generate new self-signed SSL certificates for KVMD Nginx" - echo "and put them to /etc/kvmd/nginx/ssl. If you're sure of what you're doing," - echo "append the option '--do-the-thing' to execute. You can also append --vnc" - echo "to generate a certificate for VNC not for Nginx." - exit 1 -fi - -target=nginx -if [ "$2" == --vnc ]; then - target=vnc -fi -path="/etc/kvmd/$target/ssl" - -set -x - -mkdir -p "$path" -rm -f "$path"/* -cd "$path" - -# XXX: Why ECC? -# - https://www.leaderssl.com/articles/345-what-is-ecc-and-why-you-should-use-it -# - https://www.digitalocean.com/community/tutorials/how-to-create-an-ecc-certificate-on-nginx-for-debian-8 -# - https://msol.io/blog/tech/create-a-self-signed-ecc-certificate -openssl ecparam -out server.key -name prime256v1 -genkey -openssl req -new -x509 -sha256 -nodes -key server.key -out server.crt -days 3650 \ - -subj "/C=RU/ST=Moscow/L=Moscow/O=PiKVM/OU=PiKVM/CN=localhost" - -chown "root:kvmd-$target" "$path"/* -chmod 440 "$path/server.key" -chmod 444 "$path/server.crt" -chmod 755 "$path" -#!/bin/bash -# ========================================================================== # -# # -# KVMD - The main PiKVM daemon. # -# # -# Copyright (C) 2018-2024 Maxim Devaev # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -# ========================================================================== # - set -e export LC_ALL=C @@ -114,7 +51,7 @@ else serial="0000000000000000" fi -san="DNS:pikvm-${serialnumber}.local" +san="DNS:pikvm-${serial}.local" # Function to fetch IP addresses get_ip_addresses() { From 35e5360835b73915356f43b8a1d017c8bda2d9e8 Mon Sep 17 00:00:00 2001 From: Adam Outler Date: Sat, 8 Jun 2024 13:19:47 -0400 Subject: [PATCH 3/3] Update getserial for oddities in method call --- scripts/kvmd-gencert | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert index 6ce9c65e5..bb120bc13 100755 --- a/scripts/kvmd-gencert +++ b/scripts/kvmd-gencert @@ -45,12 +45,11 @@ path="/etc/kvmd/$target/ssl" set -e #Read Serial Number or use default all-zeros -if read -r serialnumber /dev/null || echo "0000000000000000") + echo "$serialnumber" +} +serial=$(get_serial_number) san="DNS:pikvm-${serial}.local" # Function to fetch IP addresses
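Review bot: The value `get_serial_number` returns flows unvalidated into `san="DNS:pikvm-${serial}.local"`, and the fallback `|| echo "0000000000000000"` only covers a failed read, not a successful one that yields an empty or oddly formatted string (the source of the read is not legible in this rendering of the hunk, so I cannot confirm what characters it can contain). A DNS SAN label must be 1–63 characters of letters, digits and hyphens; anything else makes `openssl req` either reject the config or mint a certificate carrying a malformed name such as `pikvm-.local`. I would normalise right after `serial=$(get_serial_number)` with `serial=${serial//[^0-9A-Za-z-]/}` followed by `[ -n "$serial" ] || serial="0000000000000000"`. A header comment on the function stating where the serial is read from and that the all-zeros value is a deliberate placeholder would also help, since the one-line `#Read Serial Number or use default all-zeros` above it no longer describes a function.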