Software / code / prosody
Annotate
certs/GNUmakefile @ 13627:2db7b3b65363
core.configmanager: Add function for getting secrets from separate files
Idea is to enable easily retrieving of secret values from files outside
of the config, e.g. via the method used by systemd credentials.
CREDENTIALS_DIRECTORY is expected to be set by the process manager
invoking Prosody, so being unset and unavailable from prosodyctl is
going to be normal and a warning is reported in that case. Care will
have to be taken to make it clear that prosodyctl check will not work
with such values. An error is thrown if the directory is unavailable
when running under Prosody.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 16 Jan 2025 15:21:34 +0100 |
| parent | 8592:bd4f8a2b72c7 |
| rev | line source |
|---|---|
|
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
1 .DEFAULT: localhost.crt |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 keysize=2048 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 # How to: |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 # First, `make yourhost.cnf` which creates a openssl config file. |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 # Then edit this file and fill in the details you want it to have, |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 # and add or change hosts and components it should cover. |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 # Then `make yourhost.key` to create your private key, you can |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 # include keysize=number to change the size of the key. |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 # Then you can either `make yourhost.csr` to generate a certificate |
|
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
11 # signing request that you can submit to a CA, or `make yourhost.crt` |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 # to generate a self signed certificate. |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
3703
5bca5f90286f
certs/Makefile: Add .PRECIOUS to stop make deleting the key as an intermediate file (thanks deryni/Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3701
diff
changeset
|
14 .PRECIOUS: %.cnf %.key |
|
5bca5f90286f
certs/Makefile: Add .PRECIOUS to stop make deleting the key as an intermediate file (thanks deryni/Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3701
diff
changeset
|
15 |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 # To request a cert |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 %.csr: %.cnf %.key |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
18 openssl req -new -key $(lastword $^) \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
19 -sha256 -utf8 -config $(firstword $^) -out $@ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
20 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
21 %.csr: %.cnf |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
22 umask 0077 && touch $*.key |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
23 openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
24 -sha256 -utf8 -config $^ -out $@ |
|
7715
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7714
diff
changeset
|
25 @chmod 400 $*.key |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
26 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
27 %.csr: %.key |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
28 openssl req -new -key $^ -utf8 -subj /CN=$* -out $@ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
29 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
30 %.csr: |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
31 umask 0077 && touch $*.key |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
32 openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
33 -utf8 -subj /CN=$* -out $@ |
|
7715
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7714
diff
changeset
|
34 @chmod 400 $*.key |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 # Self signed |
|
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
37 %.crt: %.cnf %.key |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
38 openssl req -new -x509 -key $(lastword $^) -days 365 -sha256 -utf8 \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
39 -config $(firstword $^) -out $@ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
40 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
41 %.crt: %.cnf |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
42 umask 0077 && touch $*.key |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
43 openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
44 -days 365 -sha256 -utf8 -config $(firstword $^) -out $@ |
|
7715
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7714
diff
changeset
|
45 @chmod 400 $*.key |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
47 %.crt: %.key |
|
7035
085a286e2873
certs/Makefile: Fix generating cert from only a key (no config then)
Kim Alvefur <zash@zash.se>
parents:
7031
diff
changeset
|
48 openssl req -new -x509 -key $^ -days 365 -sha256 -utf8 -subj /CN=$* -out $@ |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
49 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
50 %.crt: |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
51 umask 0077 && touch $*.key |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
52 openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
53 -days 365 -sha256 -out $@ -utf8 -subj /CN=$* |
|
7715
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7714
diff
changeset
|
54 @chmod 400 $*.key |
|
7028
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
55 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
56 # Generate a config from the example |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 %.cnf: |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 sed 's,example\.com,$*,g' openssl.cnf > $@ |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 %.key: |
|
7030
b5bc9f77f096
certs/Makefile: Run key generation with a stricter umask (fixes a race condition)
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
61 umask 0077 && openssl genrsa -out $@ $(keysize) |
|
7713
003ee2be2635
certs/Makefile: Remove -c flag to chmod, which appears to be a GNUism ... again (thanks waqas)
Kim Alvefur <zash@zash.se>
parents:
7030
diff
changeset
|
62 @chmod 400 $@ |
|
7194
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7035
diff
changeset
|
63 |
|
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7035
diff
changeset
|
64 # Generate Diffie-Hellman parameters |
|
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7035
diff
changeset
|
65 dh-%.pem: |
|
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7035
diff
changeset
|
66 openssl dhparam -out $@ $* |
