search

GothenburgBitFactory / taskserver

Taskserver - Taskwarrior Synchronisation Server
Other
214 stars 38 forks source link

self-signed certs are unnecessary and avoidable #154

Closed yrps closed 2 months ago

yrps commented 5 years ago

The documentation implies that your only options are self-signed certs, or buying a cert from a provider. Both of these are problematic: A publicly verifiable cert is pointless for a private server (which most of us are using), and you can set up your own (private/offline) CA to avoid self-signing.

(The only reason to resort to self-signed certs is for a product that has to be configured by https, to get around the chicken-egg problem. That doesn't apply to taskserver.)

Here is a minimal shell session to set up your own CA and generate the files that the server and client need. This uses the LibreSSL/OpenSSL toolset, but it could probably be translated to GnuTLS (certtool et al). It puts a passphrase on the CA key but not the server and client keys.

$ rm -fr pki
$ mkdir pki
$ cd pki
$ cat <<@ >taskd.cnf
[ca]
default_ca  = ca.cert
unique_subject  = yes

[ca.cert]
certificate = ca.cert.pem
private_key = ca.key.pem
new_certs_dir   = .
database    = index.txt
serial      = serial
default_md  = sha256
policy      = optional
email_in_dn = no
default_days    = 180
default_crl_days= 90

[optional]
@
$ touch index.txt index.txt.attr
$ openssl rand -hex -out serial 16
$ openssl req -new -newkey rsa:2048 -keyout ca.key.pem -out ca.cert.pem \
-x509 -days 365 -subj '/CN=taskd CA'
Generating a RSA private key
.+++++
........................................................+++++
writing new private key to 'ca.key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ openssl req -new -newkey rsa:2048 -keyout server.key.pem -out server.req.pem \
-nodes -subj '/CN=taskd server'
Generating a RSA private key
..................................................................+++++
......................................+++++
writing new private key to 'server.key.pem'
-----
$ openssl req -new -newkey rsa:2048 -keyout client.key.pem -out client.req.pem \
-nodes -subj '/CN=taskd client'
Generating a RSA private key
..+++++
...................................................................................+++++
writing new private key to 'client.key.pem'
-----
$ openssl ca -config taskd.cnf -gencrl -cert ca.cert.pem -out server.crl.pem
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
$ openssl ca -config taskd.cnf -in server.req.pem -out server.cert.pem -batch
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'taskd server'
Certificate is to be certified until Jul  5 11:31:36 2019 GMT (180 days)

Write out database with 1 new entries
Data Base Updated
$ openssl ca -config taskd.cnf -in client.req.pem -out client.cert.pem -batch
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'taskd client'
Certificate is to be certified until Jul  5 11:31:38 2019 GMT (180 days)

Write out database with 1 new entries
Data Base Updated
$ openssl rsa -in client.key.pem -out client.pk1.pem
writing RSA key

$ # Additional step if client (e.g. Android Taskwarrior) requires private key
$ # in PKCS#1 format
$ openssl rsa -in client.key.pem -out client.pk1.pem
writing RSA key
$ tail -n1 ca.cert.pem server.crl.pem server.cert.pem server.key.pem \
client.cert.pem client.key.pem client.pk1.pem
==> ca.cert.pem <==
-----END CERTIFICATE-----

==> server.crl.pem <==
-----END X509 CRL-----

==> server.cert.pem <==
-----END CERTIFICATE-----

==> server.key.pem <==
-----END PRIVATE KEY-----

==> client.cert.pem <==
-----END CERTIFICATE-----

==> client.key.pem <==
-----END PRIVATE KEY-----

==> client.pk1.pem <==
-----END RSA PRIVATE KEY-----

It could of course be modularized like the generate scripts, but that's something that easy-rsa has already done.

My suggestion is to update the scripts and documentation to facilitate making a CA instead of self-signing.

lauft commented 2 months ago

[!IMPORTANT] Taskserver is only compatible with Taskwarrior 2.x, and is no longer actively developed. See man task-sync for task synchronization with Taskwarrior 3