jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Save generated fallback certs as part of the backup

Browse Source 
this way we don't get a new cert across restarts
This commit is contained in:
Girish Ramakrishnan
2017-01-14 13:18:53 -08:00
parent 7c72cd4399
commit da2aecc76a
1 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/certificates.js
+10 -4
View File
@@ -99,7 +99,7 @@ function ensureFallbackCertificate(callback) {
var fallbackCertPath = path.join(paths.NGINX_CERT_DIR, 'host.cert');
var fallbackKeyPath = path.join(paths.NGINX_CERT_DIR, 'host.key');
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) { // user's custom fallback certs (when restoring, updating)
if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) { // existing custom fallback certs (when restarting, restoring, updating)
debug('ensureFallbackCertificate: using fallback certs provided by user');
if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
@@ -107,7 +107,8 @@ function ensureFallbackCertificate(callback) {
return callback();
}
if (config.tlsCert() && config.tlsKey()) { // cert from CaaS or cloudron-setup
if (config.tlsCert() && config.tlsKey()) {
// cert from CaaS or cloudron-setup. these files should _not_ be part of the backup
debug('ensureFallbackCertificate: using CaaS/cloudron-setup fallback certs');
if (!safe.fs.writeFileSync(fallbackCertPath, config.tlsCert())) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
if (!safe.fs.writeFileSync(fallbackKeyPath, config.tlsKey())) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
@@ -115,11 +116,16 @@ function ensureFallbackCertificate(callback) {
return callback();
}
// generate a self-signed cert (FIXME: this cert does not cover the naked domain. needs SAN)
// generate a self-signed cert. it's in backup dir so that we don't create a new cert across restarts
// FIXME: this cert does not cover the naked domain. needs SAN
if (config.fqdn()) {
debug('ensureFallbackCertificate: generating self-signed certificate');
var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', fallbackKeyPath, fallbackCertPath, config.fqdn());
var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', keyFilePath, certFilePath, config.fqdn());
safe.child_process.execSync(certCommand);
if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
return callback();
} else {
debug('ensureFallbackCertificate: cannot generate fallback certificate without domain');