path: root/scripts/kvmd-gencert
#!/bin/bash
# ========================================================================== #
#                                                                            #
#    KVMD - The main PiKVM daemon.                                           #
#                                                                            #
#    Copyright (C) 2018-2022  Maxim Devaev <[email protected]>               #
#                                                                            #
#    This program is free software: you can redistribute it and/or modify    #
#    it under the terms of the GNU General Public License as published by    #
#    the Free Software Foundation, either version 3 of the License, or       #
#    (at your option) any later version.                                     #
#                                                                            #
#    This program is distributed in the hope that it will be useful,         #
#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
#    GNU General Public License for more details.                            #
#                                                                            #
#    You should have received a copy of the GNU General Public License       #
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
#                                                                            #
# ========================================================================== #


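# Abort on the first failing command; the C locale keeps tool output stable.
set -e
export LC_ALL=C

# The script writes under /etc/kvmd and changes file ownership.
if [ "$(whoami)" != root ]; then
	echo "Only root can do that"
	exit 1
fi

# Existing certificates are deleted below, so require an explicit opt-in flag.
if [ "$1" != --do-the-thing ]; then
	echo "This script will generate new self-signed SSL certificates for KVMD Nginx"
	echo "and put them to /etc/kvmd/nginx/ssl. If you're sure of what you're doing,"
	echo "append the option '--do-the-thing' to execute. You can also append --vnc"
	echo "to generate a certificate for VNC not for Nginx."
	exit 1
fi

# Second argument selects the service: nginx (default) or vnc.
target=nginx
if [ "$2" == --vnc ]; then
	target=vnc
fi
path="/etc/kvmd/$target/ssl"

set -x

mkdir -p "$path"
# NOTE: the old key and certificate are removed before the new pair exists;
# if openssl fails, set -e aborts and the directory is left empty.
# ${path:?} refuses to expand to "/*" should the variable ever be empty.
rm -f "${path:?}"/*
cd "$path"

# Create the key material owner-only. Without this, server.key is created
# under the inherited umask and can be readable by other local users until
# the chmod at the end of the script runs. The umask is set after mkdir -p so
# that the modes of newly created parent directories are not affected.
umask 077

# XXX: Why ECC?
#   - https://www.leaderssl.com/articles/345-what-is-ecc-and-why-you-should-use-it
#   - https://www.digitalocean.com/community/tutorials/how-to-create-an-ecc-certificate-on-nginx-for-debian-8
#   - https://msol.io/blog/tech/create-a-self-signed-ecc-certificate
# The private key is stored without a passphrase, so file mode and group
# ownership are its only protection on disk.
openssl ecparam -out server.key -name prime256v1 -genkey
# Self-signed, fixed subject (CN=localhost), valid for 3650 days: clients
# cannot validate it against a CA and have to trust it explicitly.
openssl req -new -x509 -sha256 -nodes -key server.key -out server.crt -days 3650 \
	-subj "/C=RU/ST=Moscow/L=Moscow/O=PiKVM/OU=PiKVM/CN=localhost"

# Final permissions: key readable by root and the service group only,
# certificate world-readable, directory traversable.
chown "root:kvmd-$target" "$path"/*
chmod 440 "$path/server.key"
chmod 444 "$path/server.crt"
chmod 755 "$path"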