coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

feat(tls): generate certificates on first run #128

Closed fzipi closed 1 year ago

fzipi commented 1 year ago

Fixes #106.

fzipi commented 1 year ago

Manual tests:

  1. Apache without certificate:
    ❯ docker run -it owasp/modsecurity-crs:3.3.4-apache-202302270302
    /usr/local/bin/generate-certificate: generating new certificate
    /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
    [Mon Feb 27 15:59:57.407678 2023] [ssl:error] [pid 1:tid 140629504445760] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 50992AECA374A461B89C748CC10C0AE0DE276530 / notbefore: Feb 27 15:59:57 2023 GMT / notafter: Feb 27 15:59:57 2024 GMT]
    [Mon Feb 27 15:59:57.407812 2023] [ssl:error] [pid 1:tid 140629504445760] AH02604: Unable to configure certificate localhost:443:0 for stapling
    [Mon Feb 27 15:59:57.418932 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
    [Mon Feb 27 15:59:57.418975 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
    [Mon Feb 27 15:59:57.418981 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
    [Mon Feb 27 15:59:57.418983 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: LUA compiled version="Lua 5.2"
    [Mon Feb 27 15:59:57.418985 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: YAJL compiled version="2.1.0"
    [Mon Feb 27 15:59:57.418987 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: LIBXML compiled version="2.9.10"
    [Mon Feb 27 15:59:57.418990 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
    [Mon Feb 27 15:59:57.471282 2023] [ssl:error] [pid 1:tid 140629504445760] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 50992AECA374A461B89C748CC10C0AE0DE276530 / notbefore: Feb 27 15:59:57 2023 GMT / notafter: Feb 27 15:59:57 2024 GMT]
    [Mon Feb 27 15:59:57.471332 2023] [ssl:error] [pid 1:tid 140629504445760] AH02604: Unable to configure certificate localhost:443:0 for stapling
    [Mon Feb 27 15:59:57.490456 2023] [mpm_event:notice] [pid 1:tid 140629504445760] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
    [Mon Feb 27 15:59:57.490499 2023] [core:notice] [pid 1:tid 140629504445760] AH00094: Command line: 'httpd -D FOREGROUND'
  2. Apache with existing certificate and key
    ❯ ./src/bin/generate-certificate /tmp/kkcert
    ./src/bin/generate-certificate: generating new certificate
    ./src/bin/generate-certificate: generated /tmp/kkcert/conf/server.key and /tmp/kkcert/conf/server.crt
    ❯ docker run -p 8443:443 -v /tmp/kkcert/conf/server.key:/usr/local/apache2/conf/server.key -v /tmp/kkcert/conf/server.crt:/usr/local/apache2/conf/server.crt -it owasp/modsecurity-crs:3.3.4-apache-202302270302
    /usr/local/bin/generate-certificate: using existing key/certicate
    [Mon Feb 27 16:05:02.827733 2023] [ssl:error] [pid 1:tid 140560098942272] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: D5FE440EDF7BD56F / notbefore: Feb 27 16:04:11 2023 GMT / notafter: Feb 27 16:04:11 2024 GMT]
    [Mon Feb 27 16:05:02.827893 2023] [ssl:error] [pid 1:tid 140560098942272] AH02604: Unable to configure certificate localhost:443:0 for stapling
    [Mon Feb 27 16:05:02.840057 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
    [Mon Feb 27 16:05:02.840099 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
    [Mon Feb 27 16:05:02.840105 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
    [Mon Feb 27 16:05:02.840107 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: LUA compiled version="Lua 5.2"
    [Mon Feb 27 16:05:02.840109 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: YAJL compiled version="2.1.0"
    [Mon Feb 27 16:05:02.840111 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: LIBXML compiled version="2.9.10"
    [Mon Feb 27 16:05:02.840114 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
    [Mon Feb 27 16:05:02.897864 2023] [ssl:error] [pid 1:tid 140560098942272] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: D5FE440EDF7BD56F / notbefore: Feb 27 16:04:11 2023 GMT / notafter: Feb 27 16:04:11 2024 GMT]
    [Mon Feb 27 16:05:02.897914 2023] [ssl:error] [pid 1:tid 140560098942272] AH02604: Unable to configure certificate localhost:443:0 for stapling
    [Mon Feb 27 16:05:02.911427 2023] [mpm_event:notice] [pid 1:tid 140560098942272] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
    [Mon Feb 27 16:05:02.911510 2023] [core:notice] [pid 1:tid 140560098942272] AH00094: Command line: 'httpd -D FOREGROUND'
  3. Nginx without certificate
    docker run -p 8443:443 -it owasp/modsecurity-crs:3.3.4-nginx-202302270402
    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-generate-certificate.sh
    /usr/local/bin/generate-certificate: generating new certificate
    /usr/local/bin/generate-certificate: generated /etc/nginx/conf/server.key and /etc/nginx/conf/server.crt
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
    10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template to /etc/nginx/modsecurity.d/modsecurity-override.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/setup.conf.template to /etc/nginx/modsecurity.d/setup.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/modsecurity.conf.template to /etc/nginx/conf.d/modsecurity.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/default.conf.template to /etc/nginx/conf.d/default.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/logging.conf.template to /etc/nginx/conf.d/logging.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/nginx.conf.template to /etc/nginx/nginx.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/cors.conf.template to /etc/nginx/includes/cors.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/proxy_backend.conf.template to /etc/nginx/includes/proxy_backend.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/location_common.conf.template to /etc/nginx/includes/location_common.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    2023/02/27 16:29:36 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/920/0)
  4. Nginx with certificate
    ❯ docker run -p 8443:443 -v /tmp/kkcert/conf/server.key:/etc/nginx/conf/server.key -v /tmp/kkcert/conf/server.crt:/etc/nginx/conf/server.crt -it owasp/modsecurity-crs:3.3.4-nginx-202302270402
    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-generate-certificate.sh
    /usr/local/bin/generate-certificate: using existing key/certicate
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
    10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template to /etc/nginx/modsecurity.d/modsecurity-override.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/setup.conf.template to /etc/nginx/modsecurity.d/setup.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/modsecurity.conf.template to /etc/nginx/conf.d/modsecurity.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/default.conf.template to /etc/nginx/conf.d/default.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/logging.conf.template to /etc/nginx/conf.d/logging.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/nginx.conf.template to /etc/nginx/nginx.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/cors.conf.template to /etc/nginx/includes/cors.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/proxy_backend.conf.template to /etc/nginx/includes/proxy_backend.conf
    20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/location_common.conf.template to /etc/nginx/includes/location_common.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    2023/02/27 17:36:26 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/920/0)
  5. sslscan on certificate
    ❯ sslscan localhost:8443
    Version: 2.0.15-static
    OpenSSL 1.1.1s  1 Nov 2022

    Connected to ::1

    Testing SSL server localhost on port 8443 using SNI name localhost

      SSL/TLS Protocols:
    SSLv2     disabled
    SSLv3     disabled
    TLSv1.0   disabled
    TLSv1.1   disabled
    TLSv1.2   enabled
    TLSv1.3   enabled

      TLS Fallback SCSV:
    Server supports TLS Fallback SCSV

      TLS renegotiation:
    Session renegotiation not supported

      TLS Compression:
    OpenSSL version does not support compression
    Rebuild with zlib1g-dev package for zlib support

      Heartbleed:
    TLSv1.3 not vulnerable to heartbleed
    TLSv1.2 not vulnerable to heartbleed

      Supported Server Cipher(s):
    Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256         Curve 25519 DHE 253
    Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384         Curve 25519 DHE 253
    Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256   Curve 25519 DHE 253
    Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384  Curve 25519 DHE 253
    Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305  Curve 25519 DHE 253
    Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256  Curve 25519 DHE 253

      Server Key Exchange Group(s):
    TLSv1.3  128 bits  secp256r1 (NIST P-256)
    TLSv1.3  192 bits  secp384r1 (NIST P-384)
    TLSv1.3  260 bits  secp521r1 (NIST P-521)
    TLSv1.3  128 bits  x25519
    TLSv1.3  224 bits  x448
    TLSv1.2  128 bits  secp256r1 (NIST P-256)

      SSL Certificate:
    Signature Algorithm: ecdsa-with-SHA256
    ECC Curve Name:      prime256v1
    ECC Key Strength:    128

    Subject:  localhost
    Issuer:   localhost

    Not valid before: Feb 27 16:01:32 2023 GMT
    Not valid after:  Feb 27 16:01:32 2024 GMT
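As an added example (not the project's generate-certificate script), the first-run behaviour these manual tests exercise, written as a POSIX shell function: create an ECDSA prime256v1 key and a one-year self-signed certificate with the subject the log reports when neither file exists, reuse the pair when both are already mounted, and refuse the half-mounted case. It assumes openssl is on PATH and that the target directory is passed as an argument; the subject string is taken from the log above.

```shell
#!/bin/sh
# Added example, not the repository's own script. Assumes: openssl on PATH,
# target directory passed as $1. Certificate parameters match what the
# sslscan output above reports: ecdsa-with-SHA256, prime256v1, 365 days.
set -eu

# Subject as it appears in the Apache log above (OpenSSL -subj order).
CERT_SUBJECT="/C=US/ST=NY/L=NY/O=MyOrg/OU=MyUnit/emailAddress=none@none.com/CN=localhost"

# ensure_certificate DIR
# Prints "generated" after creating DIR/conf/server.key and server.crt,
# "existing" when both were already present. A lone key or lone cert
# (typically a half-mounted volume) is an error, not a reason to overwrite.
ensure_certificate() {
    dir="$1/conf"
    key="$dir/server.key"
    crt="$dir/server.crt"
    if [ -f "$key" ] && [ -f "$crt" ]; then
        echo "existing"
        return 0
    fi
    if [ -f "$key" ] || [ -f "$crt" ]; then
        echo "error: only one of $key / $crt present; refusing to overwrite" >&2
        return 2
    fi
    mkdir -p "$dir"
    # Subshell so the restrictive umask (private key not group/world readable)
    # does not leak into the caller.
    (
        umask 077
        openssl ecparam -name prime256v1 -genkey -noout -out "$key"
        openssl req -x509 -new -key "$key" -sha256 -days 365 \
            -subj "$CERT_SUBJECT" -out "$crt"
    ) >/dev/null 2>&1
    echo "generated"
}

# cert_curve DIR: curve name of the cert's key, the value sslscan reported.
cert_curve() {
    openssl x509 -in "$1/conf/server.crt" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# cert_is_self_signed DIR: succeeds when the cert verifies against itself,
# which is why Apache's stapling init above cannot find an issuer for it.
cert_is_self_signed() {
    openssl verify -CAfile "$1/conf/server.crt" "$1/conf/server.crt" >/dev/null 2>&1
}
```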

fzipi commented 1 year ago

@theseion I don't think I want to go back to && in Dockerfiles anymore. All the other code is using the ; and if we change this one we should change all. And I prefer the other way around.

fzipi commented 1 year ago

Generating the certificate is so quick in this case, that I don't know if we want to skip it...