|
|
|
@ -73,14 +73,30 @@ fi |
|
|
|
|
|
|
|
|
|
# Generate a TLS key, then generate a certificate by having Complement's CA sign it |
|
|
|
|
# Note that both the key and certificate are in PEM format (not DER). |
|
|
|
|
|
|
|
|
|
# First generate a configuration file to set up a Subject Alternative Name. |
|
|
|
|
cat > /conf/server.tls.conf <<EOF |
|
|
|
|
.include /etc/ssl/openssl.cnf |
|
|
|
|
|
|
|
|
|
[SAN] |
|
|
|
|
subjectAltName=DNS:${SERVER_NAME} |
|
|
|
|
EOF |
|
|
|
|
|
|
|
|
|
# Generate an RSA key |
|
|
|
|
openssl genrsa -out /conf/server.tls.key 2048 |
|
|
|
|
|
|
|
|
|
openssl req -new -key /conf/server.tls.key -out /conf/server.tls.csr \ |
|
|
|
|
-subj "/CN=${SERVER_NAME}" |
|
|
|
|
# Generate a certificate signing request |
|
|
|
|
openssl req -new -config /conf/server.tls.conf -key /conf/server.tls.key -out /conf/server.tls.csr \ |
|
|
|
|
-subj "/CN=${SERVER_NAME}" -reqexts SAN |
|
|
|
|
|
|
|
|
|
# Make the Complement Certificate Authority sign and generate a certificate. |
|
|
|
|
openssl x509 -req -in /conf/server.tls.csr \ |
|
|
|
|
-CA /complement/ca/ca.crt -CAkey /complement/ca/ca.key -set_serial 1 \ |
|
|
|
|
-out /conf/server.tls.crt |
|
|
|
|
-out /conf/server.tls.crt -extfile /conf/server.tls.conf -extensions SAN |
|
|
|
|
|
|
|
|
|
# Assert that we have a Subject Alternative Name in the certificate. |
|
|
|
|
# (grep will exit with 1 here if there isn't a SAN in the certificate.) |
|
|
|
|
openssl x509 -in /conf/server.tls.crt -noout -text | grep DNS: |
|
|
|
|
|
|
|
|
|
export SYNAPSE_TLS_CERT=/conf/server.tls.crt |
|
|
|
|
export SYNAPSE_TLS_KEY=/conf/server.tls.key |
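Review bot: The SAN assertion on the new `openssl x509 ... | grep DNS:` line only proves that some DNS entry exists, and unless the script runs under `set -e` (not visible in this hunk) a failing grep does not stop it, so a certificate issued for the wrong name would still be exported as SYNAPSE_TLS_CERT below. Pin the expected name and make the failure explicit: `openssl x509 -in /conf/server.tls.crt -noout -text | grep -qF -- "DNS:${SERVER_NAME}" || { echo "server.tls.crt has no SAN for ${SERVER_NAME}" >&2; exit 1; }`. Since `${SERVER_NAME}` is now expanded into the heredoc config, the `-subj` value and the SAN extension, it is also worth asserting it is non-empty before the heredoc, e.g. `: "${SERVER_NAME:?SERVER_NAME must be set}"`, because an empty value yields `subjectAltName=DNS:` and, if openssl accepts that, the current `grep DNS:` check would still appear to pass. The unchanged `-set_serial 1` means every server certificate signed by this CA shares one serial number, which some TLS clients reject once they have seen a different certificate with the same issuer and serial; `-CAcreateserial` or a per-run value such as `-set_serial "$(date +%s)"` avoids that, though that line is outside this commit's changes.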
|
|
|
|