ELUG Meetup: August 26, 2021

In our meeting on August 26 Spencer walked us through how to set up a local certificate authority and issue certificates from it to machines on the network. Once the CA certificate is trusted, browsers show those devices as “secure”, whereas by default they would flag the site as “not secure”.

A video of that session was recorded, so if you want to take a look, check it out here:

https://nextcloud.elug.rocks/index.php/s/AkaeFBHDBZ8DFpL?path=%2F2021-08%20Certificate%20authority%20(Spencer)

Spencer was also kind enough to provide a high-level overview:

# "something about a self-signed certificate and pi-hole"

## Objective
---

As a user I want to view the pi-hole admin page using https instead of http. As the creator of a local certificate authority, I accept the risk of installing its certificate on my local devices.

## Requirements (prework)
---

1. Lessons 1.1, 1.2, and 1.3 from *resource #1*
    1. Check the device hostname
    1. Sync your clock
    1. Review your OpenSSL configuration (`openssl version -a`)
    1. Create a directory structure to store the keys, signing requests, and certs
    1. Lock it down (chmod 600)

## Create the private key and cert for the CA
---
``` sh
# Create a private key for the CA (AES-256 encrypted; you will be asked for a passphrase)
openssl genrsa -aes256 -out /root/ca/private/cakey.pem 4096

# Create a self-signed certificate for the CA, valid for 10 years.
# No -set_serial: OpenSSL then picks a random serial. The session used -set_serial 0, which keeps
# the CA clear of the serials 'openssl ca' hands out but is not allowed by RFC 5280 (serials must be positive).
openssl req -new -x509 -key /root/ca/private/cakey.pem -out /root/ca/cacert.pem -days 3650
```
## Create the private key and cert for the pihole
---

``` sh
# Create a new private key for the pi-hole (RSA; OpenSSL's default size is 2048 bits)
openssl genpkey -algorithm RSA -out /root/ca/private/my_server.key

# Create a new certificate signing request (CSR); give the pi-hole's hostname as the Common Name
openssl req -new -key /root/ca/private/my_server.key -out /root/ca/requests/my_server.csr

# CA signing the CSR as-is (no subjectAltName; kept only to reproduce the browser error)
openssl ca -in /root/ca/requests/my_server.csr -out /root/ca/certs/my_server_NO-SAN.crt

# CA signing the CSR with a configuration file of X509v3 extensions to add.
# NET::ERR_CERT_COMMON_NAME_INVALID is resolved by adding 'subjectAltName': Chrome ignores
# the Common Name and matches the host you typed against the SAN entries only.
# Note: 'openssl ca' refuses a second certificate for a subject it has already certified
# unless unique_subject = no is set in its config or the first certificate is revoked.
openssl ca -in /root/ca/requests/my_server.csr -extfile /root/ca/my_server.ext -out /root/ca/certs/my_server_SAN.crt
```
> my_server.ext

``` sh
subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10
```
​
### Checking the certificate
---

``` sh
# Check for SAN
openssl x509 -text -in /root/ca/certs/my_server_SAN.crt -noout
```
> Expected output should include:
``` sh
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:my_server.local, DNS:pi.hole, IP Address:10.0.0.10
```
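The whole chain above (CA key and certificate, server key and CSR, signing with and without the SAN, and the check) as an added end-to-end script. It is not part of Spencer's write-up or the linked guides: it builds a throwaway CA in a temporary directory and then shows what a verifying client makes of each certificate. The CA name, the minimal `openssl.cnf` it writes and the `openssl ca` directory layout are assumptions; the host names and IP are the write-up's own placeholders. Everything except the `openssl` CLI is created inline.

```shell
#!/usr/bin/env bash
# Added example, not part of Spencer's write-up: builds a throwaway CA in a temporary
# directory, issues the pi-hole server certificate twice (without and then with a
# SAN, as the write-up does) and checks what a verifying client makes of each one.
# Assumptions: the CA name, the minimal openssl.cnf below and the 'openssl ca'
# directory layout; host names and IP are the write-up's placeholders.
set -eu

make_ca() {                 # $1 = CA directory to create (like /root/ca in the write-up)
  ca="$1"
  mkdir -p "$ca/private" "$ca/certs" "$ca/requests" "$ca/newcerts"
  chmod 700 "$ca/private"
  : > "$ca/index.txt"       # 'openssl ca' database, starts empty
  echo 01 > "$ca/serial"    # next serial for issued certs (must be > 0, RFC 5280)
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca           = local_ca
[ local_ca ]
dir                  = $ca
database             = \$dir/index.txt
new_certs_dir        = \$dir/newcerts
serial               = \$dir/serial
certificate          = \$dir/cacert.pem
private_key          = \$dir/private/cakey.pem
default_md           = sha256
policy               = policy_cn
# The default 'yes' makes a second 'openssl ca' run on the same CSR fail with
# "There is already a certificate for /CN=..."; relax it for this walkthrough.
unique_subject       = no
[ policy_cn ]
commonName           = supplied
[ req ]
distinguished_name   = dn
prompt               = no
x509_extensions      = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Unencrypted CA key so this runs unattended; the write-up protects it with -aes256.
  openssl genrsa -out "$ca/private/cakey.pem" 4096 2>/dev/null
  chmod 600 "$ca/private/cakey.pem"
  # No -set_serial: OpenSSL picks a random serial, which (unlike 0) is RFC 5280 clean.
  openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
    -subj "/CN=ELUG local CA" -days 3650 -out "$ca/cacert.pem"
}

make_csr() {                # $1 = CA dir, $2 = file name, $3 = Common Name; writes key + CSR
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/private/$2.key" 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/private/$2.key" \
    -subj "/CN=$3" -out "$1/requests/$2.csr"
}

sign_csr() {                # $1 = CA dir, $2 = CSR, $3 = cert out, $4 = ext file (optional)
  ext="${4:-}"
  openssl ca -batch -notext -config "$1/openssl.cnf" -days 825 \
    -in "$2" -out "$3" ${ext:+-extfile "$ext"} 2>>"$1/ca.log"
}

san_of() {                  # print the cert's SAN list, or nothing if it has none
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' || true
}

name_ok() {                 # $1 = cert, $2 = CA cert, $3 = name the client asked for
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# --- the write-up's steps, end to end ---
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"
make_ca "$CA"
make_csr "$CA" my_server my_server.local
echo 'subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10' > "$CA/my_server.ext"
sign_csr "$CA" "$CA/requests/my_server.csr" "$CA/certs/my_server_NO-SAN.crt"
sign_csr "$CA" "$CA/requests/my_server.csr" "$CA/certs/my_server_SAN.crt" "$CA/my_server.ext"

for c in my_server_NO-SAN my_server_SAN; do
  crt="$CA/certs/$c.crt"
  printf '%-17s pi.hole:%-5s my_server.local:%-5s SAN=[%s]\n' "$c" \
    "$(name_ok "$crt" "$CA/cacert.pem" pi.hole && echo ok || echo FAIL)" \
    "$(name_ok "$crt" "$CA/cacact.pem" my_server.local 2>/dev/null && echo ok || name_ok "$crt" "$CA/cacert.pem" my_server.local && echo ok || echo FAIL)" \
    "$(san_of "$crt")"
done
```

Run it as an ordinary shell script; it prints one line per certificate. The NO-SAN certificate still passes `-verify_hostname my_server.local` because OpenSSL falls back to the Common Name when a certificate has no SAN; Chrome does not, which is the NET::ERR_CERT_COMMON_NAME_INVALID the write-up mentions, and neither accepts `pi.hole` without the SAN. The `unique_subject = no` in the generated config is the setting that lets the second `openssl ca` run on the same CSR succeed; with OpenSSL's default of `yes` it is rejected because a valid certificate for that subject already exists in `index.txt`.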
## lighttpd config
---

``` sh
nano /etc/lighttpd/external.conf
```

``` sh
server.modules += ("mod_openssl")
$HTTP["host"] == "my_server.local" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"                                # basic option
    # the signed certificate, copied over from /root/ca/certs on the CA host
    ssl.pemfile = "/usr/lib/ssl/certs/my_server_SAN.crt" # basic option
#   ssl.pemfile = "/usr/lib/ssl/certs/my_server_NO-SAN.crt"
    # the key from /root/ca/private; keep it root-owned and mode 600.
    # ssl.privkey needs lighttpd >= 1.4.53; older versions expect key and cert concatenated in ssl.pemfile
    ssl.privkey = "/usr/lib/ssl/private/my_server.key"   # basic option
    # (deprecated) renamed ssl.verifyclient.ca-file (since 1.4.60); optional here, since the
    # server cert is signed by the root CA directly there is no intermediate chain to send
    ssl.ca-file = "/usr/lib/ssl/certs/cacert.pem"
  }
}
```
## Resources
---

1. [OpenSSL Certification Authority (CA) on Ubuntu Server](https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server)
    1. Prerequisites
        1. hostname, /etc/hosts, and ntp
    1. OpenSSL Configuration
        1. Specify the path, generate cakey.pem & cacert.pem
        1. Install cacert.pem on your client machine(s)
2. [Enabling HTTPS for your Pi-hole Web Interface](https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)
    1. Which config file to edit (/etc/lighttpd/external.conf)
3. [OpenSSL man pages - genpkey](https://www.openssl.org/docs/man1.1.1/man1/genpkey.html)
    1. Generate a private key using genpkey
4. [Lighttpd wiki #Self-Signed-Certificates](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Self-Signed-Certificates)
    1. Used the 'Quick Start'
    1. Tip: keep your `lighttpd -version` in mind
5. [Firefox no longer trusts my internal certificate authority used for internal sites on our domain.](https://support.mozilla.org/en-US/questions/1175296)
    1. See also *security.enterprise_roots.enabled* on the about:config page.