certspotter: fix cert check

chayleaf 2023-10-24 16:49:22 +07:00
parent 67f43298e8
commit 1d77aed15f


@ -349,20 +349,23 @@ in {
}; };
}; };
users.users.certspotter.extraGroups = [ "acme" ]; # TODO: create a separate group for nginx and certspotter
# TODO: calc tbs instead of pubkey hash?
users.users.certspotter.extraGroups = [ "nginx" ];
services.certspotter = { services.certspotter = {
enable = true; enable = true;
extraFlags = [ ];
watchlist = [ ".pavluk.org" ]; watchlist = [ ".pavluk.org" ];
hooks = let hooks = let
openssl = "${pkgs.openssl.bin}/bin/openssl"; openssl = "${pkgs.openssl.bin}/bin/openssl";
in lib.toList (pkgs.writeShellScript "certspotter-hook" '' in lib.toList (pkgs.writeShellScript "certspotter-hook" ''
if [[ "$EVENT" == discovered_cert ]]; then if [[ "$EVENT" == discovered_cert ]]; then
mkdir -p /var/lib/certspotter/allowed_tbs mkdir -p /var/lib/certspotter/allowed_keys
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)" hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)"
touch "/var/lib/certspotter/allowed_tbs/$hash" touch "/var/lib/certspotter/allowed_keys/$hash"
done done
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0 [[ -f "/var/lib/certspotter/allowed_keys/$PUBKEY_SHA256" ]] && exit 0
fi fi
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName} (echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
''); '');
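Review bot: The allow-list built in the hook is keyed on the SPKI digest alone, so the `[[ -f "/var/lib/certspotter/allowed_keys/$PUBKEY_SHA256" ]] && exit 0` line suppresses the notification for any logged certificate that carries one of the local ACME keys, whatever its issuer, subject or SAN set — which is exactly the shape a certificate issued after a key compromise would have, and the TODO about switching to the TBS hash seems to acknowledge that trade-off. It would help the next reader to state it explicitly in the script, e.g. `# allow-list by public key only: a cert with a known key but a different issuer/SANs is NOT reported (see TODO re. TBS hash)`. Two smaller points: the `touch` loop only ever adds entries, so digests of keys that ACME has since rotated out stay allowed indefinitely unless the directory is pruned elsewhere, and `for cert in $(find …)` relies on word splitting, so `find … -print0 | while IFS= read -r -d '' cert` (or `find … -exec`) would be the more robust form even though the paths here are operator-controlled. The enclosing attribute set (`in {`) starts outside the hunk.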