1 parent
ba170d9
commit 0f5bba8
Showing
13 changed files
with
380 additions
and
0 deletions.
@@ -1 +1,3 @@ | ||
local.yml | ||
assets/certs/certs | ||
assets/certs/ca |
@@ -0,0 +1,9 @@ | ||
<VirtualHost *:443> | ||
ServerName webserver | ||
DocumentRoot /var/www/html | ||
ErrorLog /var/log/apache2/error.log | ||
CustomLog /var/log/apache2/access.log combined | ||
SSLEngine on | ||
SSLCertificateFile "/etc/ssl/certs/moodle/webserver.crt" | ||
SSLCertificateKeyFile "/etc/ssl/certs/moodle/webserver.key" | ||
</VirtualHost> |
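Review bot: The `SSLCertificateFile`/`SSLCertificateKeyFile` lines hard-code `webserver.crt`/`webserver.key`, whereas createcerts.sh in this commit names its output after its first argument, so the pairing only works when the script is invoked with `webserver` first as in the README example; how `assets/certs/certs/` reaches `/etc/ssl/certs/moodle/` is not shown in this commit, so I assume a compose mount. A comment such as `# Generated by ./createcerts.sh webserver ...; file names must match the script's first argument` above the SSLCertificateFile line would make that dependency explicit. The vhost also sets no `SSLProtocol`, so Apache's build defaults apply (which may still include TLS 1.0/1.1); that is tolerable for a closed dev environment, but worth stating in the file.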
@@ -0,0 +1,19 @@ | ||
# IMPORTANT | ||
|
||
These are test Certificates and Keys only! | ||
|
||
Do NOT use them outside of a closed development environment. | ||
|
||
DO NOT commit them to the git repository. | ||
|
||
## Generating new certificates | ||
|
||
A helper script exists at the project root and takes a list of names for the certificate. | ||
|
||
For example: | ||
|
||
``` | ||
./createcerts.sh webserver webserver.container.docker.internal | ||
``` | ||
|
||
Each argument is used as a subject alternative name for the certificate. |
@@ -0,0 +1,155 @@ | ||
#!/bin/bash | ||
|
||
CERTDIR="`pwd`/assets/certs/" | ||
|
||
CACONF="${CERTDIR}/openssl.cnf" | ||
CAKEY="${CERTDIR}/ca/ca.key" | ||
CACERT="${CERTDIR}/ca/ca.pem" | ||
|
||
if [ -f "$CAKEY" ] && [ -f "${CACERT}" ]; then | ||
echo "Using existing CA private key" | ||
echo | ||
else | ||
# Generate the private key for the CA: | ||
echo "Generating the key and certificate for the CA server" | ||
mkdir -p "${CERTDIR}/ca" | ||
mkdir -p "${CERTDIR}/certs" | ||
|
||
# Generate the key and certificate for the CA. | ||
cat <<EOF | openssl req -config ${CACONF} -nodes -new -x509 -keyout "${CAKEY}" -out "${CACERT}" | ||
AU | ||
Western Australia | ||
Perth | ||
Moodle Pty Ltd | ||
Moodle LMS | ||
EOF | ||
|
||
echo "Generated an OpenSSL Certificate Authority" | ||
touch "${CERTDIR}/ca/index.txt" | ||
echo '01' > "${CERTDIR}/ca/serial.txt" | ||
echo | ||
echo "You should add this certificate to your root certificate store." | ||
|
||
OS=`uname -s` | ||
if [ "${OS}" = "Darwin" ] | ||
then | ||
echo "You can use the following command:" | ||
echo "sudo security add-trusted-cert -d -r trustRoot -k '/Library/Keychains/System.keychain' ${CACERT}" | ||
read -p "Do you want me to do that for you now? " yn | ||
case $yn in | ||
[Yy]* ) sudo security add-trusted-cert -d -r trustRoot -k '/Library/Keychains/System.keychain' "${CACERT}"; break;; | ||
esac | ||
fi | ||
|
||
if [ "${OS}" = "Linux" ] | ||
then | ||
echo "You can use the following command:" | ||
echo "sudo cp ${CERTDIR}/ca/ca.pem usr/local/share/ca-certificates/moodle-docker-ca.crt && sudo update-ca-certificates" | ||
read -p "Do you want me to do that for you now? " yn | ||
case $yn in | ||
[Yy]* ) sudo cp "${CERTDIR}/ca/ca.pem" usr/local/share/ca-certificates/moodle-docker-ca.crt && sudo update-ca-certificates; break;; | ||
esac | ||
|
||
fi | ||
fi | ||
|
||
if [ "$#" -lt 1 ] | ||
then | ||
echo "Usage: Must supply at least one hostname." | ||
exit 1 | ||
fi | ||
|
||
# The first hostname is canonical. | ||
DOMAIN=$1 | ||
|
||
HOSTKEY="${CERTDIR}/certs/${DOMAIN}.key" | ||
HOSTCSR="${CERTDIR}/certs/${DOMAIN}.csr" | ||
HOSTCRT="${CERTDIR}/certs/${DOMAIN}.crt" | ||
HOSTEXT="${CERTDIR}/certs/${DOMAIN}.ext" | ||
|
||
# Create a private key for the dev site: | ||
echo | ||
echo "Generating a private key for the $DOMAIN dev site" | ||
echo | ||
openssl genrsa -out "${HOSTKEY}" 2048 | ||
|
||
echo "Generating a CSR for $DOMAIN" | ||
cat <<EOF | openssl req -nodes -new -key "${HOSTKEY}" -out "${HOSTCSR}" | ||
AU | ||
Western Australia | ||
Perth | ||
Moodle Pty Ltd | ||
Moodle LMS | ||
EOF | ||
echo | ||
|
||
DNSCOUNT=1 | ||
for var in "$@" | ||
do | ||
DNS=$(cat <<-EOF | ||
${DNS} | ||
DNS.${DNSCOUNT} = ${var} | ||
EOF | ||
) | ||
DNSCOUNT=$((DNSCOUNT + 1)) | ||
done | ||
|
||
cat > "${HOSTEXT}" << EOF | ||
[ req ] | ||
default_bits = 2048 | ||
default_keyfile = ${HOSTKEY} | ||
distinguished_name = server_distinguished_name | ||
req_extensions = server_req_extensions | ||
string_mask = utf8only | ||
[ server_distinguished_name ] | ||
countryName = Country Name (2 letter code) | ||
countryName_default = AU | ||
stateOrProvinceName = State or Province Name (full name) | ||
stateOrProvinceName_default = Western Australia | ||
localityName = Locality Name (eg, city) | ||
localityName_default = Perth | ||
organizationName = Organization Name (eg, company) | ||
organizationName_default = Moodle Pty Ltd | ||
organizationalUnitName = Organizational Unit (eg, division) | ||
organizationalUnitName_default = Moodle LMS | ||
commonName = Common Name (e.g. server FQDN or YOUR name) | ||
commonName_default = ${DOMAIN} | ||
emailAddress = Email Address | ||
emailAddress_default = [email protected] | ||
[ server_req_extensions ] | ||
subjectKeyIdentifier = hash | ||
basicConstraints = CA:FALSE | ||
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | ||
subjectAltName = @alternate_names | ||
[ alternate_names ] | ||
$DNS | ||
EOF | ||
|
||
#Next run the command to create the certificate: using our CSR, the CA private key, the CA certificate, and the config file: | ||
echo "Generating a certificate for $DOMAIN" | ||
cat <<EOF | openssl req -config "${HOSTEXT}" -newkey rsa:2048 -sha256 -nodes -out "${HOSTCSR}" -outform PEM | ||
AU | ||
Western Australia | ||
Perth | ||
Moodle Pty Ltd | ||
Moodle LMS | ||
EOF | ||
echo | ||
|
||
echo "Signing the request" | ||
openssl ca -config "${CACONF}" -policy signing_policy -extensions signing_req -out "${HOSTCRT}" -infiles "${HOSTCSR}" |
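Review bot: The Linux trust-store path on the `echo` and `sudo cp` lines is relative (`usr/local/share/ca-certificates/...`), so the copy lands under the current directory instead of the system store and the following `update-ca-certificates` trusts nothing; both lines should read `sudo cp "${CERTDIR}/ca/ca.pem" /usr/local/share/ca-certificates/moodle-docker-ca.crt && sudo update-ca-certificates`. The script has no `set -euo pipefail` (the other scripts in this commit use `set -Eeo pipefail`), so a failing `openssl req` or `openssl ca` goes unnoticed and the run continues with stale or missing files. Smaller points: `${CACONF}` in the first `openssl req` is unquoted, both `read -p` calls lack `-r`, and the `break` in each `case` arm is not inside a loop. The `openssl genrsa` and first CSR steps are superseded by the later `openssl req -newkey rsa:2048`, which regenerates the key into `default_keyfile` and overwrites `${HOSTCSR}`, so they can be dropped. The CA certificate is created with `openssl req -x509` without `-days`, which I believe gives the 30-day `req` default rather than the `default_days = 365` under `[ CA_default ]` (that section is only read by `openssl ca`); if a one-year dev CA is intended, pass `-days 365` on that line.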
@@ -0,0 +1,4 @@ | ||
#!/usr/bin/env bash | ||
set -Eeo pipefail | ||
|
||
a2enmod ssl |
@@ -0,0 +1,4 @@ | ||
#!/usr/bin/env bash | ||
set -Eeo pipefail | ||
|
||
update-ca-certificates |
@@ -0,0 +1,85 @@ | ||
HOME = . | ||
RANDFILE = $ENV::HOME/.rnd | ||
|
||
#################################################################### | ||
[ ca ] | ||
default_ca = CA_default # The default ca section | ||
|
||
[ CA_default ] | ||
|
||
default_days = 365 # How long to certify for | ||
default_crl_days = 30 # How long before next CRL | ||
default_md = sha256 # Use public key default MD | ||
preserve = no # Keep passed DN ordering | ||
|
||
x509_extensions = ca_extensions # The extensions to add to the cert | ||
|
||
email_in_dn = no # Don't concat the email in the DN | ||
copy_extensions = copy # Required to copy SANs from CSR to cert | ||
|
||
base_dir = assets/certs | ||
certificate = $base_dir/ca/ca.pem # The CA certifcate | ||
private_key = $base_dir/ca/ca.key # The CA private key | ||
new_certs_dir = $base_dir/certs # Location for new certs after signing | ||
database = $base_dir/ca/index.txt # Database index file | ||
serial = $base_dir/ca/serial.txt # The current serial number | ||
|
||
unique_subject = no # Set to 'no' to allow creation of | ||
# several certificates with same subject. | ||
|
||
|
||
#################################################################### | ||
[ req ] | ||
default_bits = 4096 | ||
default_keyfile = cakey.pem | ||
distinguished_name = ca_distinguished_name | ||
x509_extensions = ca_extensions | ||
string_mask = utf8only | ||
|
||
#################################################################### | ||
[ ca_distinguished_name ] | ||
countryName = Country Name (2 letter code) | ||
countryName_default = AU | ||
|
||
stateOrProvinceName = State or Province Name (full name) | ||
stateOrProvinceName_default = Western Australia | ||
|
||
localityName = Locality Name (eg, city) | ||
localityName_default = Perth | ||
|
||
organizationName = Organization Name (eg, company) | ||
organizationName_default = Moodle Pty Ltd | ||
|
||
organizationalUnitName = Organizational Unit (eg, division) | ||
organizationalUnitName_default = Moodle LMS | ||
|
||
commonName = Common Name (e.g. server FQDN or YOUR name) | ||
commonName_default = Testing CA | ||
|
||
emailAddress = Email Address | ||
emailAddress_default = [email protected] | ||
|
||
#################################################################### | ||
[ ca_extensions ] | ||
|
||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid:always, issuer | ||
basicConstraints = critical, CA:true | ||
keyUsage = keyCertSign, cRLSign | ||
|
||
#################################################################### | ||
[ signing_policy ] | ||
countryName = optional | ||
stateOrProvinceName = optional | ||
localityName = optional | ||
organizationName = optional | ||
organizationalUnitName = optional | ||
commonName = supplied | ||
emailAddress = optional | ||
|
||
#################################################################### | ||
[ signing_req ] | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid,issuer | ||
basicConstraints = CA:FALSE | ||
keyUsage = digitalSignature, keyEncipherment |
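Review bot: `[ signing_req ]` sets no `extendedKeyUsage`, so leaf certificates signed with `-extensions signing_req` carry no serverAuth purpose; some TLS clients (Apple platforms in particular) reject server certificates without it, so adding `extendedKeyUsage = serverAuth` after the keyUsage line is worth doing. `base_dir = assets/certs` and `HOME = .` are resolved against the working directory, which silently breaks `openssl ca` unless createcerts.sh is run from the project root; a comment such as `# Paths are relative to the working directory: run createcerts.sh from the project root` next to `base_dir` would document that. The `# The CA certifcate` comment has a typo (certificate).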
@@ -0,0 +1,26 @@ | ||
#!/usr/bin/env bash | ||
set -Eeo pipefail | ||
|
||
docker_process_init_files() { | ||
echo | ||
local f | ||
for f; do | ||
case "$f" in | ||
*.sh) | ||
if [ -x "$f" ]; then | ||
echo "$0: running $f" | ||
"$f" | ||
else | ||
echo "$0: sourcing $f" | ||
. "$f" | ||
fi | ||
;; | ||
esac | ||
done | ||
} | ||
|
||
echo "Running entrypoint files from /docker-entrypoint-initdb.d/*" | ||
docker_process_init_files /docker-entrypoint-initdb.d/* | ||
|
||
echo "Starting docker=php-entrypoint with $@" | ||
/usr/local/bin/docker-php-entrypoint "$@" |
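Review bot: The final `/usr/local/bin/docker-php-entrypoint "$@"` is run as a child rather than replacing this shell, so the wrapper stays PID 1 and SIGTERM from `docker stop` is delivered to bash instead of the real entrypoint, which is then only killed after the stop timeout; use `exec /usr/local/bin/docker-php-entrypoint "$@"`. The preceding `echo` embeds `$@` inside a double-quoted string (`$*` is the intended form there) and its message reads `docker=php-entrypoint`, presumably a typo for `docker-php-entrypoint`. Because non-executable `*.sh` files are sourced with `.`, anything in /docker-entrypoint-initdb.d runs inside this shell with its privileges and can alter its state; a header comment on `docker_process_init_files` saying so would help readers.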