idk/reseed-tools
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Wiki Activity

Move TLS certificate generation for clearnet sites to the front, use same cert across all domains, will be invalid on .onion and .i2p when using Let's Encrypt

Browse Source
This commit is contained in:
idk
2021-05-11 17:23:18 -04:00
parent 8afd6c6f28
commit 19c29cfdc6
2 changed files with 45 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@@ -10,7 +10,7 @@ If you have go installed you can download, build, and install this tool with `go
``` ```
go get i2pgit.org/idk/reseed-tools go get i2pgit.org/idk/reseed-tools
i2p-tools -h reseed-tools -h
``` ```
## Usage ## Usage
@@ -76,13 +76,13 @@ work for you. In that case, just copy-and-paste:
### Locally behind a webserver (reverse proxy setup), preferred: ### Locally behind a webserver (reverse proxy setup), preferred:
``` ```
i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy
``` ```
### Without a webserver, standalone with TLS support ### Without a webserver, standalone with TLS support
``` ```
i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld
``` ```
If this is your first time running a reseed server (ie. you don't have any existing keys), If this is your first time running a reseed server (ie. you don't have any existing keys),
@@ -103,25 +103,25 @@ Requires ```go mod``` and at least go 1.13. To build the idk/reseed-tools
fork, from anywhere: fork, from anywhere:
git clone https://i2pgit.org/idk/reseed-tools git clone https://i2pgit.org/idk/reseed-tools
cd i2p-tools-1 cd reseed-tools
make build make build
### Without a webserver, standalone, self-supervising(Automatic restarts) ### Without a webserver, standalone, self-supervising(Automatic restarts)
``` ```
./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --littleboss=start ./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --littleboss=start
``` ```
### Without a webserver, standalone, automatic OnionV3 with TLS support ### Without a webserver, standalone, automatic OnionV3 with TLS support
``` ```
./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --i2p --p2p ./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --i2p --p2p
``` ```
### Without a webserver, standalone, serve P2P with LibP2P ### Without a webserver, standalone, serve P2P with LibP2P
``` ```
./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --p2p ./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --p2p
``` ```
### Without a webserver, standalone, upload a single signed .su3 to github ### Without a webserver, standalone, upload a single signed .su3 to github
@@ -129,29 +129,29 @@ fork, from anywhere:
* This one isn't working yet, I'll get to it eventually, I've got a cooler idea now. * This one isn't working yet, I'll get to it eventually, I've got a cooler idea now.
``` ```
./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --github --ghrepo=i2p-tools-1 --ghuser=eyedeekay ./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --github --ghrepo=reseed-tools --ghuser=eyedeekay
``` ```
### Without a webserver, standalone, in-network reseed ### Without a webserver, standalone, in-network reseed
``` ```
./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --i2p ./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --i2p
``` ```
### Without a webserver, standalone, Regular TLS, OnionV3 with TLS ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS
``` ```
./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion ./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion
``` ```
### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, and LibP2P ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, and LibP2P
``` ```
./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p ./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p
``` ```
### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, I2P In-Network reseed, and LibP2P, self-supervising ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, I2P In-Network reseed, and LibP2P, self-supervising
``` ```
./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p --littleboss=start ./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p --littleboss=start
``` ```

56
cmd/reseed.go
View File

@@ -208,13 +208,42 @@ func reseedAction(c *cli.Context) {
var i2pTlsCert, i2pTlsKey string var i2pTlsCert, i2pTlsKey string
var i2pkey i2pkeys.I2PKeys var i2pkey i2pkeys.I2PKeys
if tlsHost != "" {
onionTlsHost = tlsHost
i2pTlsHost = tlsHost
tlsKey = c.String("tlsKey")
// if no key is specified, default to the host.pem in the current dir
if tlsKey == "" {
tlsKey = tlsHost + ".pem"
onionTlsKey = tlsHost + ".pem"
i2pTlsKey = tlsHost + ".pem"
}
tlsCert = c.String("tlsCert")
// if no certificate is specified, default to the host.crt in the current dir
if tlsCert == "" {
tlsCert = tlsHost + ".crt"
onionTlsCert = tlsHost + ".crt"
i2pTlsCert = tlsHost + ".crt"
}
// prompt to create tls keys if they don't exist?
auto := c.Bool("yes")
err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey, auto)
if nil != err {
log.Fatalln(err)
}
}
if c.Bool("i2p") { if c.Bool("i2p") {
var err error var err error
i2pkey, err = LoadKeys("reseed.i2pkeys", c) i2pkey, err = LoadKeys("reseed.i2pkeys", c)
if err != nil { if err != nil {
log.Fatalln(err) log.Fatalln(err)
} }
i2pTlsHost = i2pkey.Addr().Base32() if i2pTlsHost == "" {
i2pTlsHost = i2pkey.Addr().Base32()
}
if i2pTlsHost != "" { if i2pTlsHost != "" {
// if no key is specified, default to the host.pem in the current dir // if no key is specified, default to the host.pem in the current dir
if i2pTlsKey == "" { if i2pTlsKey == "" {
@@ -250,7 +279,9 @@ func reseedAction(c *cli.Context) {
} }
ok = []byte(key.PrivateKey()) ok = []byte(key.PrivateKey())
} }
onionTlsHost = torutil.OnionServiceIDFromPrivateKey(ed25519.PrivateKey(ok)) + ".onion" if onionTlsHost == "" {
onionTlsHost = torutil.OnionServiceIDFromPrivateKey(ed25519.PrivateKey(ok)) + ".onion"
}
err = ioutil.WriteFile(c.String("onionKey"), ok, 0644) err = ioutil.WriteFile(c.String("onionKey"), ok, 0644)
if err != nil { if err != nil {
log.Fatalln(err.Error()) log.Fatalln(err.Error())
@@ -275,27 +306,6 @@ func reseedAction(c *cli.Context) {
} }
} }
if tlsHost != "" {
tlsKey = c.String("tlsKey")
// if no key is specified, default to the host.pem in the current dir
if tlsKey == "" {
tlsKey = tlsHost + ".pem"
}
tlsCert = c.String("tlsCert")
// if no certificate is specified, default to the host.crt in the current dir
if tlsCert == "" {
tlsCert = tlsHost + ".crt"
}
// prompt to create tls keys if they don't exist?
auto := c.Bool("yes")
err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey, auto)
if nil != err {
log.Fatalln(err)
}
}
reloadIntvl, err := time.ParseDuration(c.String("interval")) reloadIntvl, err := time.ParseDuration(c.String("interval"))
if nil != err { if nil != err {
fmt.Printf("'%s' is not a valid time interval.\n", reloadIntvl) fmt.Printf("'%s' is not a valid time interval.\n", reloadIntvl)