diff --git a/certidude/builder/common.sh b/certidude/builder/common.sh index e2f5068..f07e43d 100644 --- a/certidude/builder/common.sh +++ b/certidude/builder/common.sh @@ -81,7 +81,7 @@ config setup ca $AUTHORITY auto=add cacert=/etc/certidude/authority/$AUTHORITY/ca_cert.pem - ocspuri = http://$AUTHORITY/api/ocsp/ + # OCSP and CRL URL-s embedded in certificates conn %default keyingtries=%forever @@ -94,7 +94,7 @@ conn %default leftca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" rightca="$AUTHORITY_CERTIFICATE_DISTINGUISHED_NAME" -conn client-to-site +conn c2s auto=start right="$ROUTER" rightsubnet="$SUBNETS" @@ -103,7 +103,4 @@ conn client-to-site EOF -cat << EOF > $OVERLAY/etc/uci-defaults/99-uhttpd-disable-https -uci delete uhttpd.main.listen_https -uci delete uhttpd.main.redirect_https -EOF +# Note that auto=route is not supported at the moment with libipsec diff --git a/certidude/builder/overlay/etc/uci-defaults/40-hostname b/certidude/builder/overlay/etc/uci-defaults/40-hostname old mode 100644 new mode 100755 diff --git a/certidude/builder/overlay/etc/uci-defaults/60-cron b/certidude/builder/overlay/etc/uci-defaults/60-cron old mode 100644 new mode 100755 index 43ed67c..58dfa14 --- a/certidude/builder/overlay/etc/uci-defaults/60-cron +++ b/certidude/builder/overlay/etc/uci-defaults/60-cron @@ -1,5 +1,7 @@ #!/bin/sh +/etc/init.d/ipsec enable + # Randomize restart time OFFSET=$(awk -v min=1 -v max=59 'BEGIN{srand(); print int(min+rand()*(max-min+1))}') @@ -14,3 +16,4 @@ chmod 0600 /etc/crontabs/root /etc/init.d/cron enable +exit 0 diff --git a/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade b/certidude/builder/overlay/etc/uci-defaults/90-certidude-sysupgrade old mode 100644 new mode 100755 diff --git a/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https b/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https new file mode 100755 index 0000000..78f4dce --- /dev/null +++ b/certidude/builder/overlay/etc/uci-defaults/99-uhttpd-disable-https @@ -0,0 +1,3 @@ +uci delete uhttpd.main.listen_https +uci delete uhttpd.main.redirect_https +exit 0 diff --git a/certidude/builder/overlay/usr/bin/certidude-enroll b/certidude/builder/overlay/usr/bin/certidude-enroll index ea1b620..68c8004 100755 --- a/certidude/builder/overlay/usr/bin/certidude-enroll +++ b/certidude/builder/overlay/usr/bin/certidude-enroll @@ -126,5 +126,4 @@ mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH # Start services logger -t certidude -s "Starting IPSec IKEv2 daemon..." -/etc/init.d/ipsec enable /etc/init.d/ipsec restart diff --git a/certidude/static/index.html b/certidude/static/index.html index 3f8a85e..31d12f8 100644 --- a/certidude/static/index.html +++ b/certidude/static/index.html @@ -26,9 +26,9 @@ Log -
+
- +
diff --git a/certidude/static/js/certidude.js b/certidude/static/js/certidude.js index 678357b..573794a 100644 --- a/certidude/static/js/certidude.js +++ b/certidude/static/js/certidude.js @@ -155,7 +155,7 @@ function onEnroll(encoding) { gateway: query.router, p12_uuid: blobToUuid(p12), p12: forge.util.encode64(p12), - ca_uuid: blobToUuid(forge.pki.certificateToAsn1(ca)).getBytes()), + ca_uuid: blobToUuid(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes()), ca: forge.util.encode64(forge.asn1.toDer(forge.pki.certificateToAsn1(ca)).getBytes()) }); var mimetype = "application/x-apple-aspen-config"; diff --git a/certidude/static/snippets/strongswan-server.sh b/certidude/static/snippets/strongswan-server.sh index 6bce914..b1fcdec 100644 --- a/certidude/static/snippets/strongswan-server.sh +++ b/certidude/static/snippets/strongswan-server.sh @@ -16,18 +16,22 @@ conn default-{{ session.authority.hostname }} leftupdown=/etc/certidude/authority/{{ session.authority.hostname }}/updown leftcert=/etc/certidude/authority/{{ session.authority.hostname }}/host_cert.pem leftsubnet=$(uci get network.lan.ipaddr | cut -d . -f 1-3).0/24 # Subnets pushed to roadwarriors - leftdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors leftca="{{ session.authority.certificate.distinguished_name }}" rightca="{{ session.authority.certificate.distinguished_name }}" rightsourceip=172.21.0.0/24 # Roadwarrior virtual IP pool dpddelay=0 dpdaction=clear + fragmentation=yes + reauth=no + rekey=no + leftsendcert=always -conn site-to-clients +conn s2c-rw auto=add also=default-{{ session.authority.hostname }} + rightdns=$(uci get network.lan.ipaddr) # IP of DNS server advertised to roadwarriors -conn site-to-client1 +conn s2c-client1 auto=ignore also=default-{{ session.authority.hostname }} rightid="CN=*, OU=IP Camera, O=*, DC=*, DC=*, DC=*" diff --git a/certidude/static/snippets/update-trust.sh b/certidude/static/snippets/update-trust.sh index d78545a..5328b27 100644 --- a/certidude/static/snippets/update-trust.sh +++ b/certidude/static/snippets/update-trust.sh @@ -7,3 +7,10 @@ test -e /etc/pki/ca-trust/source/anchors \ test -e /usr/local/share/ca-certificates/ \ && ln -s /etc/certidude/authority/{{ session.authority.hostname }}/ca_cert.pem /usr/local/share/ca-certificates/{{ session.authority.hostname }}.crt \ && update-ca-certificates + +# Patch Firefox trust store on Ubuntu +if [ ! -h /usr/lib/firefox/libnssckbi.so ]; then + apt install p11-kit p11-kit-modules + mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak + ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so +fi diff --git a/certidude/static/views/authority.html b/certidude/static/views/authority.html index 584033a..018c7cb 100644 --- a/certidude/static/views/authority.html +++ b/certidude/static/views/authority.html @@ -192,7 +192,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
-

Signed certificates

+

Signed certificates

Authority administration {% if session.authority.certificate.organization %}of {{ session.authority.certificate.organization }}{% endif %} allowed for @@ -213,7 +213,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept

{% if session.authority %} {% if session.features.token %} -

Tokens

+

Tokens

Tokens allow enrolling smartphones and third party devices.

  • You can issue yourself a token to be used on a mobile device
    • @@ -241,7 +241,8 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept {% endif %} {% if session.authorization.request_subnets %} -

    Pending requests

    +

     

    +

    Pending requests

    Use Certidude client to apply for a certificate. @@ -291,7 +292,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept {% endif %} {% if session.builder.profiles %} -

    LEDE imagebuilder

    +

    LEDE imagebuilder

    Hit a link to generate machine specific image. Note that this might take couple minutes to finish.

      {% for name, title, filename in session.builder.profiles %} @@ -303,7 +304,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept
-

Revoked certificates

+

Revoked certificates

Following certificates have been revoked{% if session.features.crl %}, for more information click here{% endif %}.

@@ -317,7 +318,7 @@ curl http://{{ session.authority.hostname }}/api/revoked/?wait=yes -L -H "Accept

Loading logs, this might take a while...