v1.4.5 (#23)

Major updates
* Adding support for setting bit length of RSA keys via SSL_KEY_BITS (default: 4096)
* Add `ssl-regenerate-full` executable, which removes everything except DH parameters

Author: bfren

Dockerfile

@@ -18,6 +18,8 @@ ENV \
     CLEAN_INSTALL=0 \
     # set to 1 to use live instead of staging server
     LETS_ENCRYPT_LIVE=0 \
+    # set to the number of bits to use for generating private key
+    SSL_KEY_BITS=4096 \
     # set to the number of bits to use for generating DHPARAM
     SSL_DHPARAM_BITS=4096 \
     # canonical domain name redirection

Dockerfile-automated

@@ -18,6 +18,8 @@ ENV \
     CLEAN_INSTALL=0 \
     # set to 1 to use live instead of staging server
     LETS_ENCRYPT_LIVE=0 \
+    # set to the number of bits to use for generating private key
+    SSL_KEY_BITS=4096 \
     # set to the number of bits to use for generating DHPARAM
     SSL_DHPARAM_BITS=4096 \
     # canonical domain name redirection

VERSION

@@ -1 +1 @@
-1.4.4
+1.4.5

overlay/etc/cont-init.d/20-paths

@@ -31,11 +31,12 @@ add_env "TEMPLATES" "/etc/templates"
 
 SSL=/ssl
 add_env "SSL" ${SSL}
+add_env "SSL_DHPARAM" "${SSL}/dhparam.pem"
 
 SSL_CERTS=${SSL}/certs
 add_env "SSL_CERTS" "${SSL_CERTS}"
-add_env "SSL_DHPARAM" "${SSL_CERTS}/dhparam.pem"
 add_env "SSL_GLOBAL_CFG" "${SSL_CERTS}/${GETSSL_CFG}"
+add_env "SSL_ACCOUNT_KEY" "${SSL_CERTS}/account.key"
 
 add_env "SITES" "/sites"
 

overlay/etc/cont-init.d/21-ssl

@@ -11,6 +11,7 @@ if [ "${CLEAN_INSTALL}" = "1" ] ; then
 
     bcg-echo "Clean install detected..."
     bcg-rmrf "${SSL_GLOBAL_CFG}"
+    bcg-rmrf "${SSL_DHPARAM}"
     bcg-rmrf "${SSL_CERTS}/*"
     bcg-rmrf "${SITES}/*"
     bcg-done

overlay/etc/ssl/inc/setup-ssl.sh

@@ -8,13 +8,14 @@
 
 generate_temp_cert () {
 
-    openssl req -newkey rsa:1024 \
+    openssl req \
         -x509 \
         -sha256 \
-        -days 3650 \
         -nodes \
-        -out ${1} \
+        -days 3650 \
+        -newkey rsa:${SSL_KEY_BITS} \
         -keyout ${2} \
+        -out ${1} \
         -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=${3}"
 
 }

overlay/etc/templates/getssl-global.conf.esh

@@ -19,9 +19,9 @@ CA="https://acme-staging-v02.api.letsencrypt.org"
 #AGREEMENT=""
 
 # Set an email address associated with your account - generally set at account level rather than domain.
-ACCOUNT_EMAIL=<%= "${LETS_ENCRYPT_EMAIL}" %>
+ACCOUNT_EMAIL=<%= ${LETS_ENCRYPT_EMAIL} %>
 ACCOUNT_KEY_LENGTH=4096
-ACCOUNT_KEY="<%= "${SSL_CERTS}account.key" %>"
+ACCOUNT_KEY="<%= ${SSL_ACCOUNT_KEY} %>"
 
 # Account key and private key types - can be rsa, prime256v1, secp384r1 or secp521r1
 #ACCOUNT_KEY_TYPE="rsa"
@@ -49,4 +49,4 @@ CHECK_REMOTE="true"
 #DNS_ADD_COMMAND=
 #DNS_DEL_COMMAND=
 
-SKIP_HTTP_TOKEN_CHECK=<%= "${GETSSL_SKIP_HTTP_TOKEN_CHECK}" %>
+SKIP_HTTP_TOKEN_CHECK=<%= ${GETSSL_SKIP_HTTP_TOKEN_CHECK} %>

overlay/usr/local/bin/ssl-regenerate

@@ -7,7 +7,7 @@ set -euo pipefail
 # Delete SSL files and reinitialise
 #======================================================================================================================
 
-bcg-echo "Removing SSL configuration files and certificates..."
+bcg-echo "Removing SSL certificates and configuration..."
 bcg-rmrf "${SSL_CERTS}/*"
 bcg-done
 

overlay/usr/local/bin/ssl-regenerate-full

@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+set -euo pipefail
+
+
+#======================================================================================================================
+# Delete SSL files and reinitialise
+#======================================================================================================================
+
+ssl-regenerate
+
+bcg-echo "Removing DH parameters..."
+bcg-rmrf "${SSL_DHPARAM}"
+bcg-done
+
+ssl-init