Old 02-04-2021, 12:07 PM   #1
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,024

What are the best ways and practices to manage local SSL certificates with my own CA, to get local HTTPS sites like https://testsite.local?


I am trying to set up a Slackware box (technically a laptop) for a friend who is a web developer, but not a Slacker.

He has an idea of how to use a Linux operating system, but has no interest or time to become a Linux guru. So I am trying to automate things a bit for him.

As a preamble, I think that Slackware-current looks like an ideal platform for a web developer specialized in PHP sites, who needs a desktop with a good editor, the major web browsers and a LAMP server running in the background to allow inspecting the site under development.

Our -current now has Plasma5, with Kate and KDevelop, which look quite decent for PHP development (at least so says my friend), and it also has Apache, PHP and MySQL, exactly what we need for the local web server.

However, there's a condition: he needs to use local HTTPS sites for testing, and Let's Encrypt does not help in this case.

My idea is to create a set of scripts which could be used to create, remove or list the local sites. Until now, I've managed to configure Apache (and the associated PHP and MySQL) to use a directory /etc/httpd/vhosts, where the config files defining the virtual hosts are put, and I also used a poor man's local DNS resolution, adding/removing the local sites from /etc/hosts.

So, I'm currently able to create and run locally, over HTTP, a PHP site with MySQL support, named like http://testsite.local

However, in the end this site should use HTTPS, like https://testsite.local

And another condition is that this local HTTPS site should work fine with Firefox, Chromium, Chrome and Microsoft Edge for Linux. Of course, everything locally.

For this, I understand that I need to create a convenient master CA certificate to be put into /etc/ssl/certs, and then to generate SSL certificates for every local site.

And there comes my question:

What are the best ways and practices to manage local SSL certificates for sites living literally in the box and not accessible from outside?

Last edited by ZhaoLin1457; 02-04-2021 at 12:31 PM.
 
Old 02-04-2021, 02:30 PM   #2
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,508

With the note that I am not a specialist in self-signed SSL certificates, I remembered that on Mr. Kiki Novak's Microlinux I've seen two scripts for generating local SSL certificates. For your convenience, these are their contents:
Code:
#!/bin/bash
# bash rather than sh: pushd/popd used further down are bash builtins
#
# mkcert-lan.sh
#
# Script to generate a self-signed certificate for a LAN server.
#
# Usage: copy this script to an appropriate place on the system like
# /usr/local/sbin. Edit it to your needs and run it as root.
#
# The script creates a 'certs' system group. Certificates and keyfiles are
# owned by root:certs. Make sure you add the relevant system users to the
# 'certs' group, so they can access the files.
#
# Niki Kovacs <info@microlinux.fr>

HCMD=/bin/hostname
HOST=$($HCMD --fqdn)
TIME=3650
SSLDIR="/etc/ssl"
CRTDIR="$SSLDIR/mycerts"
KEYDIR="$SSLDIR/private"
CNFFILE="$CRTDIR/$HOST.cnf"
KEYFILE="$KEYDIR/$HOST.key"
CSRFILE="$CRTDIR/$HOST.csr"
CRTFILE="$CRTDIR/$HOST.crt"

# Testing
# rm -f $CNFFILE $KEYFILE $CSRFILE $CRTFILE

# Create certs group 
if ! grep -q "^certs:" /etc/group ; then
  groupadd -g 240 certs
  echo 
  echo ":: Added certs group."
  echo 
  sleep 3
fi

for DIRECTORY in $CRTDIR $KEYDIR; do
  if [ ! -d $DIRECTORY ]; then
    echo 
    echo ":: Creating directory $DIRECTORY."
    echo 
    mkdir -p $DIRECTORY
  fi
done

for FILE in $CNFFILE $KEYFILE $CSRFILE $CRTFILE; do
  if [ -f $FILE ]; then
    echo 
    echo ":: $FILE already exists, won't overwrite."
    echo 
    exit 1
  fi
done

cat > $CNFFILE << EOF
[req]
distinguished_name          = req_distinguished_name
string_mask                 = nombstr
req_extensions              = v3_req

[req_distinguished_name]
organizationName            = Organization Name (company)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name
stateOrProvinceName         = State or Province Name
countryName                 = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName                  = Common Name
commonName_max              = 64
organizationName_default    = Microlinux
emailAddress_default        = info@microlinux.fr
localityName_default        = Montpezat
stateOrProvinceName_default = Gard
countryName_default         = FR
commonName_default          = $HOST

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
DNS.2 = subdomain1.$HOST
DNS.3 = subdomain2.$HOST
DNS.4 = subdomain3.$HOST
EOF

# Generate private key
openssl genrsa \
  -out $KEYFILE \
  4096 

# Generate Certificate Signing Request
openssl req \
  -new \
  -sha256 \
  -out $CSRFILE \
  -key $KEYFILE \
  -config $CNFFILE

# Self-sign and generate Certificate
openssl x509 \
  -req \
  -sha256 \
  -days $TIME \
  -in $CSRFILE \
  -signkey $KEYFILE \
  -out $CRTFILE \
  -extensions v3_req \
  -extfile $CNFFILE

# Set permissions
chown root:certs $KEYFILE $CRTFILE
chmod 0640 $KEYFILE $CRTFILE

# Create a symlink in /etc/ssl/certs
pushd $SSLDIR/certs
  rm -f $HOST.crt
  ln -s ../mycerts/$HOST.crt .
popd

echo 

exit 0
https://slackware.uk/microlinux/temp.../mkcert-lan.sh
Code:
#!/bin/bash
# bash rather than sh: pushd/popd used further down are bash builtins
#
# mkcert-example.lan.sh
#
# Script to generate a self-signed certificate for multiple local domains.
#
# Usage: copy this script to an appropriate place on the system like
# /root/scripts/ or /etc/ssl/scripts/. Eventually, rename it to something like
# mkcrt.$DOMAIN.sh. Edit it to your needs and run it as root.
#
# /!\ The script creates a 'certs' system group. Certificates and keyfiles are
# owned by root:certs. Make sure you add the relevant system users 
# to the 'certs' group, so they can access the files. Example:
#
# # usermod -a -G certs prosody
#
# Niki Kovacs <info@microlinux.fr>

DOMAIN="amandine.microlinux.lan"

SSLDIR="/etc/ssl"
CRTDIR="$SSLDIR/mycerts"
KEYDIR="$SSLDIR/private"
CNFFILE="$CRTDIR/$DOMAIN.cnf"
KEYFILE="$KEYDIR/$DOMAIN.key"
CSRFILE="$CRTDIR/$DOMAIN.csr"
CRTFILE="$CRTDIR/$DOMAIN.crt"

# Testing (left disabled: with this rm active, the "won't overwrite" check below can never trigger)
# rm -f $CNFFILE $KEYFILE $CSRFILE $CRTFILE

# Create certs group 
if ! grep -q "^certs:" /etc/group ; then
  groupadd -g 240 certs
  echo 
  echo ":: Added certs group."
  echo 
  sleep 3
fi

for DIRECTORY in $CRTDIR $KEYDIR; do
  if [ ! -d $DIRECTORY ]; then
    echo 
    echo ":: $DIRECTORY directory doesn't exist."
    echo 
    exit 1
  fi
done

for FILE in $CNFFILE $KEYFILE $CSRFILE $CRTFILE; do
  if [ -f $FILE ]; then
    echo 
    echo ":: $FILE already exists, won't overwrite."
    echo 
    exit 1
  fi
done

cat > $CNFFILE << EOF
[req]
distinguished_name          = req_distinguished_name
string_mask                 = nombstr
req_extensions              = v3_req

[req_distinguished_name]
organizationName            = Organization Name (company)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name
stateOrProvinceName         = State or Province Name
countryName                 = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName                  = Common Name
commonName_max              = 64
organizationName_default    = Microlinux
emailAddress_default        = info@microlinux.fr
localityName_default        = Montpezat
stateOrProvinceName_default = Gard
countryName_default         = FR
commonName_default          = $DOMAIN

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = cloud.$DOMAIN
DNS.3 = cmsmadesimple.$DOMAIN
DNS.4 = ftp.$DOMAIN
EOF

# Generate private key
openssl genrsa \
  -out $KEYFILE \
  4096 

# Generate Certificate Signing Request
openssl req \
  -new \
  -sha256 \
  -out $CSRFILE \
  -key $KEYFILE \
  -config $CNFFILE

# Self-sign and generate Certificate
openssl x509 \
  -req \
  -sha256 \
  -days 3650 \
  -in $CSRFILE \
  -signkey $KEYFILE \
  -out $CRTFILE \
  -extensions v3_req \
  -extfile $CNFFILE

# Set permissions
chown root:certs $KEYFILE $CRTFILE
chmod 0640 $KEYFILE $CRTFILE

# Create a symlink in /etc/ssl/certs
pushd $SSLDIR/certs
  rm -f $DOMAIN.crt
  ln -s ../mycerts/$DOMAIN.crt .
popd

echo
https://slackware.uk/microlinux/temp...example.lan.sh

They also install a CRT file (practically, a symlink) in the /etc/ssl/certs directory, so maybe it's along the lines of what you need as a starting point.

Last edited by LuckyCyborg; 02-04-2021 at 02:40 PM.
 
Old 02-04-2021, 03:15 PM   #3
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,060

Not a local website, but for https://slint.fr on a VPS I use acme.sh to get and renew a free certificate from Let's Encrypt. Very simple to use: as an example, to renew a certificate I just type
Code:
./acme.sh --renew -d slint.fr
If you prefer, Eric has written a blog article about another piece of software that does the same thing, dehydrated, for which a SlackBuild is available at SBo.
 
Old 02-04-2021, 03:26 PM   #4
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,024

Original Poster
Quote:
Originally Posted by Didier Spaier View Post
Not a local website, but for https://slint.fr on a VPS I use acme.sh to get and renew a free certificate from Let's Encrypt. Very simple to use: as an example, to renew a certificate I just type
Code:
./acme.sh --renew -d slint.fr
If you prefer, Eric has written a blog article about another piece of software that does the same thing, dehydrated, for which a SlackBuild is available at SBo.
Unfortunately, I cannot use Let's Encrypt for a local site, because the LE servers want to verify that you are the owner of that site, either by putting a particular file at a precise web location, or by presenting a DNS server with certain records.

However, a local site exists only in the box, because it is in the form of a Virtual Server handled by Apache, and for DNS resolution it has something like below in /etc/hosts
Code:
127.0.0.1 testsite.local www.testsite.local
That's right. Its name is basically an alias for localhost.

Last edited by ZhaoLin1457; 02-04-2021 at 03:41 PM.
 
Old 02-04-2021, 03:31 PM   #5
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,024

Original Poster
Quote:
Originally Posted by LuckyCyborg View Post
They also install a CRT file (practically, a symlink) in the /etc/ssl/certs directory, so maybe it's along the lines of what you need as a starting point.
Thank you very much, I will try this.

BUT, it looks like it is not a final solution for me.

Because it looks like for every local site there would have to be some kind of SSL certificate import into the browsers, possibly manually.

That's WHY I want to use a custom CA certificate.

Because once the system is set up properly, the SSL certificates signed with this master CA certificate just need to be set up in the local sites served by Apache.

That's what I want to solve with some scripts, named: createsite, removesite and showsites

My friend would only have to use them to add/remove/list his local sites.

Last edited by ZhaoLin1457; 02-04-2021 at 03:47 PM.
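The two halves of the "createsite" idea, as an added example that is not code from this thread or from Microlinux: make one local CA, then sign a per-site certificate that carries the site's names in subjectAltName, so only the CA ever needs importing into the browsers. SSLDIR, the CA name, the validity periods and the RSA key sizes are assumptions; adapt them for /etc/ssl.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microlinux: one local CA plus
# per-site leaf certificates signed by it (the "createsite" building block).
# Assumptions: SSLDIR (default ./localca) is writable; on a real box run as root
# with SSLDIR=/etc/ssl/localca. RSA 2048 keys are used to keep the run short.
set -eu
SSLDIR="${SSLDIR:-$PWD/localca}"
CA_KEY="$SSLDIR/ca.key"
CA_CRT="$SSLDIR/ca.crt"
DAYS_CA=3650
DAYS_SITE=825            # leaf lifetime kept short; re-issue by rerunning
# Create the root once. This is the only certificate the browsers need to trust.
make_ca() {
  mkdir -p "$SSLDIR"
  [ -f "$CA_CRT" ] && return 0       # never overwrite an existing root
  cat > "$SSLDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Local Dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$DAYS_CA" \
    -config "$SSLDIR/ca.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
  chmod 0600 "$CA_KEY"
}

# Issue a leaf for <site> and www.<site>. Browsers match subjectAltName, not CN.
issue_site_cert() {
  site="$1"; dir="$SSLDIR/sites/$1"
  mkdir -p "$dir"
  [ -f "$dir/$site.crt" ] && { echo ":: $dir/$site.crt exists, won't overwrite" >&2; return 1; }
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$site" > "$dir/req.cnf"
  cat > "$dir/$site.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$site, DNS:www.$site
authorityKeyIdentifier = keyid, issuer
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -keyout "$dir/$site.key" -out "$dir/$site.csr" 2>/dev/null
  # Extensions come from -extfile at signing time; anything in the CSR is ignored.
  openssl x509 -req -sha256 -days "$DAYS_SITE" -in "$dir/$site.csr" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$dir/$site.ext" -out "$dir/$site.crt" 2>/dev/null
  chmod 0600 "$dir/$site.key"
}

# Exit 0 when the leaf chains to our root and names www.<site> in its SAN.
verify_site_cert() {
  crt="$SSLDIR/sites/$1/$1.crt"
  openssl verify -CAfile "$CA_CRT" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep "DNS:www\.$1" >/dev/null
}
# Stand-alone use: ./localca.sh testsite.local
if [ $# -gt 0 ]; then
  make_ca; issue_site_cert "$1"; verify_site_cert "$1" && echo ":: issued $SSLDIR/sites/$1/$1.crt"
fi
```

Only ca.crt needs importing into the browsers: Firefox keeps its own store (Preferences > Certificates), while Chromium and Chrome on Linux read the NSS database in ~/.pki/nssdb (certutil -d sql:$HOME/.pki/nssdb -A -t C,, -n "Local Dev CA" -i ca.crt).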
 
Old 02-04-2021, 03:40 PM   #6
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,268
Blog Entries: 24

Quote:
Originally Posted by ZhaoLin1457 View Post
Unfortunately, I cannot use Let's Encrypt for a local site, because the LE servers want to verify that you are the owner of that site, either by putting a particular file at a precise web location, or by presenting a DNS server with certain records.
You should be able to do that actually. Assuming you have a suitable internet accessible domain available, like real-domain.com, simply get a wildcard cert for the domain from LE using DNS validation, then make your local test site a subdomain of the one you validate, perhaps testsite.real-domain.com, and point your local DNS accordingly.
 
Old 02-04-2021, 03:47 PM   #7
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Why the hassle of setting up HTTPS if your server is never going to be connected to the Internet?
 
Old 02-04-2021, 03:55 PM   #8
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,024

Original Poster
Quote:
Originally Posted by Alien Bob View Post
Why the hassle of setting up HTTPS if your server is never going to be connected to the Internet?
From what my friend explained to me, modern browsers force some limitations on behavior when HTTPS is lacking.

For example, from what he said, the WebRTC system does not permit all features without an HTTPS connection.

So, the site development MUST be done over HTTPS sites, even if they are local. And those local sites are like debuggers in their work.
 
Old 02-04-2021, 03:59 PM   #9
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,024

Original Poster
Quote:
Originally Posted by astrogeek View Post
You should be able to do that actually. Assuming you have a suitable internet accessible domain available, like real-domain.com, simply get a wildcard cert for the domain from LE using DNS validation, then make your local test site a subdomain of the one you validate, perhaps testsite.real-domain.com, and point your local DNS accordingly.
Thanks, it could be a solution; I will talk with my friend about whether this variant is OK.

However, I am still looking for a fully local solution. What IF he goes on a prolonged vacation in a place without Internet?

For example, China or Russia are really big, and not all places are covered with a convenient Internet connection...

Last edited by ZhaoLin1457; 02-04-2021 at 04:01 PM.
 
Old 02-04-2021, 04:07 PM   #10
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,508

Well, I do not know about China, but the Russian Federation is better covered by Internet than you think...

True, it is not always high speed, but the 3G is available almost everywhere, even in Siberia.

BTW, your friend is Russian?

He lives in Vladivostok by chances?


Meanwhile, how about having your own ACME server, like the one Let's Encrypt has?

https://smallstep.com/certificates/
https://github.com/smallstep/certificates

There's such a thing. True, it is written in Go; I do not know how well it works on Slackware, but you can try to set it up.

Last edited by LuckyCyborg; 02-04-2021 at 04:14 PM.
 
Old 02-04-2021, 04:07 PM   #11
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,268
Blog Entries: 24

Then I think he needs to define exactly what problem he is really trying to solve.
 
Old 02-04-2021, 04:15 PM   #12
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Quote:
Originally Posted by ZhaoLin1457 View Post
From what my friend explained to me, modern browsers force some limitations on behavior when HTTPS is lacking.

For example, from what he said, the WebRTC system does not permit all features without an HTTPS connection.

So, the site development MUST be done over HTTPS sites, even if they are local. And those local sites are like debuggers in their work.
If they just tell their browsers to trust the self-signed certificate then your friend does not have to import anything into the browsers' certificate store.
Before I switched to Let's Encrypt I used CACert certificates (also free) and before that, I generated them myself. I made some changes to /etc/ssl/openssl.cnf so that I could use /etc/ssl as the place for a Certificate Authority (CA). There are some provisions in that file to set up a CA (look for "demoCA") and this is the diff to that original file:
Code:
42c42
< dir           = ./demoCA              # Where everything is kept
---
> dir           = /etc/ssl              # Where everything is kept
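Review bot: pointing `dir` at /etc/ssl only works once the demoCA layout exists there, because the stock [CA_default] section derives `$dir/newcerts`, `$dir/private/cakey.pem`, `$dir/cacert.pem`, the `$dir/index.txt` database and the `$dir/serial` file from it; a one-line note next to this hunk (mkdir newcerts, touch index.txt, echo 01 > serial) would save a reader the "unable to open index.txt" failure on the first `openssl ca` run.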
73c73
< default_days  = 365                   # how long to certify for
---
> default_days  = 730                   # how long to certify for
125c125
< # req_extensions = v3_req # The extensions to add to a certificate request
---
> req_extensions = v3_req # The extensions to add to a certificate request
129c129
< countryName_default           = AU
---
> countryName_default           = NL
134c134
< stateOrProvinceName_default   = Some-State
---
> stateOrProvinceName_default   = Netherlands
136a137
> localityName_default            = Alien County
139c140
< 0.organizationName_default    = Internet Widgits Pty Ltd
---
> 0.organizationName_default    = Alien Base
223a225,229
> # Added by Eric Hameleers, see:
> # http://lists.spack.org/archives/padl.com/2167.html
> #subjectAltName=DNS:*.alienbase.nl
> subjectAltName=DNS:*.local,DNS:*.alienbase.nl
> 
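Review bot: a fixed `subjectAltName=DNS:*.local,DNS:*.alienbase.nl` in the [usr_cert] section means every certificate this CA signs carries the same two wildcard names regardless of what the request asked for, since `openssl ca` discards request extensions unless `copy_extensions = copy` is set in [CA_default]; so a per-site certificate for testsite.local cannot get its own SAN this way. Either enable `copy_extensions` and put the names in each CSR, or pass a per-site `-extfile`; note also that a wildcard matches exactly one label, so `*.local` covers testsite.local but not www.testsite.local.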
234c240
< authorityKeyIdentifier=keyid:always,issuer
---
> authorityKeyIdentifier=keyid:always,issuer:always
260a267,271
> # Added by Eric Hameleers, see:
> # http://lists.spack.org/archives/padl.com/2167.html
> #subjectAltName=DNS:*.alienbase.nl
> subjectAltName=DNS:*.local,DNS:*.alienbase.nl
> 
267c278
< authorityKeyIdentifier=keyid:always
---
> authorityKeyIdentifier=keyid:always,issuer:always
300c311
< authorityKeyIdentifier=keyid,issuer
---
> authorityKeyIdentifier=keyid,issuer:always
330c341
< dir           = ./demoCA              # TSA root directory
---
> dir           = /etc/ssl              # TSA root directory
After that, you are only limited by your own imagination. Kikinovak's scripts from a previous post will do the job too.
 