CA17 / TeamsACS

TeamsACS exclusively serves Mikrotik's TR069 ACS server
GNU Lesser General Public License v3.0

TR069 certificate docker #17

Open saambd opened 1 year ago

saambd commented 1 year ago

Hello sir, how do I generate the TR069 certificate in the Docker container? Can you help me out?

hhao97 commented 1 year ago

hello sir, how to generate the tr069 certificate in the docker container? can you help me out?

Me too. I also got this error.

jamiesun commented 1 year ago

Custom script integration is recommended:

    #!/bin/sh
    set -e
    mkdir -p assets
    # 1 Generate CA private key (kept if it already exists)
    test -f assets/ca.key || openssl genrsa -out assets/ca.key 4096
    # 2 Generate CA certificate (self-signed, valid for 10 years)
    test -f assets/ca.crt || openssl req -x509 -new -nodes -key assets/ca.key -days 3650 -out assets/ca.crt -subj \
    "/C=CN/ST=Shanghai/O=teamsacs/CN=TeamsacsCA/emailAddress=master@teamsacs.cc"
    # 3 Generate server private key
    openssl genrsa -out assets/server.key 2048
    # 4 Generate a certificate request file
    openssl req -new -key assets/server.key -out assets/server.csr -subj \
    "/C=CN/ST=Shanghai/O=teamsacs/CN=*.teamsacs.cc/emailAddress=master@teamsacs.cc"
    # 5 Generate a server certificate based on the CA's private key and the above certificate request file
    openssl x509 -req -in assets/server.csr -CA assets/ca.crt -CAkey assets/ca.key -CAcreateserial -out assets/server.crt -days 7300
    # 6 Rename to the file names the server loads and keep the private keys owner-readable only
    mv assets/server.key assets/cwmp.tls.key
    mv assets/server.crt assets/cwmp.tls.crt
    chmod 600 assets/ca.key assets/cwmp.tls.key

The TR069 server's certificate directory is currently fixed at /var/teamsacs/private.

/var/teamsacs should be mounted as a volume, and the certificates should be generated automatically by a script and saved to the following paths:

 /var/teamsacs/private/ca.crt
 /var/teamsacs/private/cwmp.tls.crt
 /var/teamsacs/private/cwmp.tls.key

Here is the logic the server uses to load the certificate:

// startTlsServer loads the CA and server certificate from <workdir>/private,
// writing the embedded defaults there first if the files are missing.
func (s *Tr069Server) startTlsServer() error {
    caCert := path.Join(app.GConfig().System.Workdir, "private/ca.crt")
    serverCert := path.Join(app.GConfig().System.Workdir, "private/cwmp.tls.crt")
    serverKey := path.Join(app.GConfig().System.Workdir, "private/cwmp.tls.key")
    if !common.FileExists(caCert) {
        os.WriteFile(caCert, assets.CaCrt, 0644)
    }
    if !common.FileExists(serverCert) {
        os.WriteFile(serverCert, assets.CwmpCert, 0644)
    }
    if !common.FileExists(serverKey) {
        // The private key must not be world-readable: 0600 rather than 0644.
        os.WriteFile(serverKey, assets.CwmpKey, 0600)
    }

    address := fmt.Sprintf("%s:%d", app.GConfig().Tr069.Host, app.GConfig().Tr069.Port)
    // The client-CA pool is filled from the embedded assets.CaCrt, not from the
    // ca.crt file on disk, so a custom CA placed in the volume is not the one
    // used to verify device certificates.
    pool := x509.NewCertPool()
    pool.AppendCertsFromPEM(assets.CaCrt)
    ss := &http.Server{
        Addr:    address,
        Handler: s.root,
        TLSConfig: &tls.Config{
            ClientCAs: pool,
            // A client certificate is verified if presented, but not required.
            ClientAuth: tls.VerifyClientCertIfGiven,
        },
    }
    return ss.ListenAndServeTLS(serverCert, serverKey)
}

By default, the startup service checks the /var/teamsacs/private directory for certificates; if they are not there, it writes the pre-compiled certificates embedded in assets to that directory. If you can compile it yourself, then the problem is simple.

The Makefile provides commands for generating certificates, which is what I did.
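As an added illustration (not TeamsACS code), the following Go program builds the client-CA pool from the ca.crt in the mounted volume instead of the embedded assets.CaCrt, keeps the same VerifyClientCertIfGiven mode, and adds a handler check, because that mode still accepts connections that present no certificate at all; the listen address and the placeholder handler are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"log"
	"net/http"
	"os"
)

// newClientCAConfig builds the server tls.Config from the CA PEM read from the
// volume, so the ca.crt you generated is the one device certificates are checked against.
func newClientCAConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca.crt contains no parseable certificate")
	}
	return &tls.Config{
		ClientCAs: pool,
		// Same mode as the server: verified when presented, but a bare connection still succeeds.
		ClientAuth: tls.VerifyClientCertIfGiven,
	}, nil
}

// requireClientCert wraps the CWMP handler. Because VerifyClientCertIfGiven admits
// connections without a certificate, the handler must inspect r.TLS.PeerCertificates itself.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	dir := "/var/teamsacs/private" // the fixed certificate directory named in the issue
	caPEM, err := os.ReadFile(dir + "/ca.crt")
	if err != nil {
		log.Fatal(err)
	}
	cfg, err := newClientCAConfig(caPEM)
	if err != nil {
		log.Fatal(err)
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	srv := &http.Server{Addr: ":7547", Handler: requireClientCert(ok), TLSConfig: cfg} // port is an assumption
	log.Fatal(srv.ListenAndServeTLS(dir+"/cwmp.tls.crt", dir+"/cwmp.tls.key"))
}
```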