diff --git a/bin/gen-syncthing-cert b/bin/gen-syncthing-cert
index edf3181..bb33b65 100755
--- a/bin/gen-syncthing-cert
+++ b/bin/gen-syncthing-cert
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 tmp=$(mktemp -d)
 trap 'rm -rf -- "$tmp"' EXIT
@@ -41,4 +41,4 @@ jq --arg client "$first_missing" \
 && mv "$tmp/new-syncthing-managed-clients.json" "$FILEPATH"
 
 # Revoke self to handle next client
-"$0"
\ No newline at end of file
+"$0"
diff --git a/bin/gen-tls-cert b/bin/gen-tls-cert
index 1858e37..35a9c1f 100755
--- a/bin/gen-tls-cert
+++ b/bin/gen-tls-cert
@@ -4,27 +4,35 @@ trap 'rm -rf -- "$tmp"' EXIT
 
 # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
 openssl req -x509 -nodes \
- -newkey RSA:2048 \
- -keyout "$tmp/ca.key" \
- -days 365 \
- -out "$tmp/ca.cert" \
- -subj '/CN=hd_root'
+ -newkey RSA:2048 \
+ -keyout "$tmp/ca.key" \
+ -days 365 \
+ -out "$tmp/ca.cert" \
+ -subj '/CN=hd_root'
 
 rm secrets/tlskey.age
 openssl req -nodes \
- -newkey rsa:2048 \
- -keyout - \
- -out "$tmp/server.csr" \
- -subj '/CN=lan' \
- | agenix -e secrets/tlskey.age
+ -newkey rsa:2048 \
+ -keyout - \
+ -out "$tmp/server.csr" \
+ -subj '/CN=lan' \
+ | agenix -e secrets/tlskey.age
+
+cat > "$tmp/extfile" << EOF
+subjectAltName=DNS:roam.lan,DNS:*.roam.lan
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth
+EOF
 
 openssl x509 -req \
- -CA "$tmp/ca.cert" \
- -CAkey "$tmp/ca.key" \
- -in "$tmp/server.csr" \
- -out pki/server.cert \
- -days 365 \
- -CAcreateserial \
- -extfile <(printf "subjectAltName=DNS:roam.lan,DNS:*.roam.lan\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
+ -CA "$tmp/ca.cert" \
+ -CAkey "$tmp/ca.key" \
+ -in "$tmp/server.csr" \
+ -out pki/server.cert \
+ -days 365 \
+ -CAcreateserial \
+ -extfile "$tmp/extfile"
 
 mv "$tmp/ca.cert" pki/ca.cert
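Review bot: Dropping `pipefail` from the `set` line means any pipeline in gen-syncthing-cert now reports only its last stage's status, so under `set -eu` a failing upstream command no longer aborts the script; the rest of the file is outside this hunk, so I cannot tell whether it contains one. The change itself looks right for a `#!/bin/sh` script, since dash and ash do not implement `pipefail`, but the reason should be recorded so a later cleanup does not reinstate it: `set -eu  # no pipefail: not available in dash/ash, and this runs under /bin/sh`. Where an upstream stage's status matters, check it explicitly or write its output to a file under `$tmp` and test that before using it.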
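Review bot: The new `cat > "$tmp/extfile" << EOF` heredoc leaves its delimiter unquoted, so any `$` or backtick that later lands in the SAN or extension list would be expanded by the shell before openssl reads the file; the block is meant literally, so write `cat > "$tmp/extfile" << 'EOF'`. Separately, `rm secrets/tlskey.age` still runs before the key exists, and the `openssl req … | agenix -e` pipeline reports only agenix's status, so a failing `openssl req` would leave the old secret deleted and possibly an empty one encrypted in its place before the later `openssl x509 -req` step aborts on the missing CSR; if gen-tls-cert shares the `set -eu` preamble the first hunk gives gen-syncthing-cert (its header is outside this hunk), pipefail will not catch that either. Copying the existing `secrets/tlskey.age` into `$tmp` before the `rm` so it can be restored on failure, or at least testing `[ -s "$tmp/server.csr" ]` right after the pipeline, would keep a usable secret when generation fails.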