Don't pin certs

The guidelines on how to do this properly are just too confusing

src/freedombone-addcert

 
 source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-git
 
+# Don't pin certs by default
+PIN_CERTS=
+
 HOSTNAME=
 LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
 
 function read_repo_servers {
     if [ -f $CONFIGURATION_FILE ]; then
-    if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
-        FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
-    fi
-    if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
-        FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
-    fi
-    if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
-        MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
-    fi
-    if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
-        FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
-    fi
+        if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then
+            FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+        fi
+        if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then
+            FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+        fi
+        if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
+            MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+        fi
+        if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then
+            FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+        fi
     fi
 
     if [ ! $FRIENDS_MIRRORS_SERVER ]; then
-    return
+        return
     fi
     if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then
-    return
+        return
     fi
 
     MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME}
     if [ ! -f $MAIN_COMMAND ]; then
-    MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
+        MAIN_COMMAND=/usr/bin/${PROJECT_NAME}
     fi
 
     REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g'))
 
     for line in "${REPOS[@]}"
     do
-    repo_name=$(echo "$line" | awk -F '=' '{print $1}')
-    mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
-    friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
-    ${repo_name}="${friends_repo_url}"
+        repo_name=$(echo "$line" | awk -F '=' '{print $1}')
+        mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}')
+        friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}"
+        ${repo_name}="${friends_repo_url}"
     done
 }
 
     key="$1"
 
     case $key in
-    --help)
-        show_help
-        ;;
-    -h|--hostname)
-        shift
-        HOSTNAME="$1"
-        ;;
-    -e|--letsencrypt)
-        shift
-        LETSENCRYPT_HOSTNAME="$1"
-        ;;
-    --email)
-        shift
-        MY_EMAIL_ADDRESS="$1"
-        ;;
-    -s|--server)
-        shift
-        LETSENCRYPT_SERVER="$1"
-        ;;
-    -c|--country)
-        shift
-        COUNTRY_CODE="$1"
-        ;;
-    -a|--area)
-        shift
-        AREA="$1"
-        ;;
-    -l|--location)
-        shift
-        LOCATION="$1"
-        ;;
-    -o|--organisation)
-        shift
-        ORGANISATION="$1"
-        ;;
-    -u|--unit)
-        shift
-        UNIT="$1"
-        ;;
-    --ca)
-        shift
-        EXTENSIONS="-extensions v3_ca"
-        ORGANISATION="Freedombone-CA"
-        ;;
-    --nodh)
-        shift
-        NODH="true"
-        ;;
-    --dhkey)
-        shift
-        DH_KEYLENGTH=${1}
-        ;;
-    *)
-        # unknown option
-        ;;
+        --help)
+            show_help
+            ;;
+        -h|--hostname)
+            shift
+            HOSTNAME="$1"
+            ;;
+        -e|--letsencrypt)
+            shift
+            LETSENCRYPT_HOSTNAME="$1"
+            ;;
+        --email)
+            shift
+            MY_EMAIL_ADDRESS="$1"
+            ;;
+        -s|--server)
+            shift
+            LETSENCRYPT_SERVER="$1"
+            ;;
+        -c|--country)
+            shift
+            COUNTRY_CODE="$1"
+            ;;
+        -a|--area)
+            shift
+            AREA="$1"
+            ;;
+        -l|--location)
+            shift
+            LOCATION="$1"
+            ;;
+        -o|--organisation)
+            shift
+            ORGANISATION="$1"
+            ;;
+        -u|--unit)
+            shift
+            UNIT="$1"
+            ;;
+        --ca)
+            shift
+            EXTENSIONS="-extensions v3_ca"
+            ORGANISATION="Freedombone-CA"
+            ;;
+        --nodh)
+            shift
+            NODH="true"
+            ;;
+        --dhkey)
+            shift
+            DH_KEYLENGTH=${1}
+            ;;
+        --pin)
+            shift
+            PIN_CERTS=${1}
+            ;;
+        *)
+            # unknown option
+            ;;
     esac
     shift
 done
 
 if [ ! $HOSTNAME ]; then
     if [ ! $LETSENCRYPT_HOSTNAME ]; then
-    echo $'No hostname specified'
-    exit 5748
+        echo $'No hostname specified'
+        exit 5748
     fi
 fi
 
 
     # obtain the email address for the admin user
     if [ ! $MY_EMAIL_ADDRESS ]; then
-    if [ -f $CONFIGURATION_FILE ]; then
-        if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
-        MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
+        if [ -f $CONFIGURATION_FILE ]; then
+            if grep -q "MY_EMAIL_ADDRESS=" $CONFIGURATION_FILE; then
+                MY_EMAIL_ADDRESS=$(cat $CONFIGURATION_FILE | grep "MY_EMAIL_ADDRESS=" | awk -F '=' '{print $2}')
+            fi
         fi
     fi
-    fi
     if [ ! $MY_EMAIL_ADDRESS ]; then
-    if [ -f $COMPLETION_FILE ]; then
-        if grep -q "Admin user:" $COMPLETION_FILE; then
-        ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
-        MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
+        if [ -f $COMPLETION_FILE ]; then
+            if grep -q "Admin user:" $COMPLETION_FILE; then
+                ADMIN_USER=$(cat $COMPLETION_FILE | grep "Admin user" | awk -F ':' '{print $2}')
+                MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
+            fi
         fi
     fi
-    fi
 
     if [ ! -d $INSTALL_DIR ]; then
-    mkdir -p $INSTALL_DIR
+        mkdir -p $INSTALL_DIR
     fi
     cd $INSTALL_DIR
 
     # obtain the repo
     if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
-    git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
-    if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
-        exit 76283
-    fi
+        git_clone $LETSENCRYPT_REPO ${INSTALL_DIR}/letsencrypt
+        if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
+            exit 76283
+        fi
     else
-    cd ${INSTALL_DIR}/letsencrypt
-    git_pull $LETSENCRYPT_REPO
+        cd ${INSTALL_DIR}/letsencrypt
+        git_pull $LETSENCRYPT_REPO
     fi
 
     # stop the web server
     cd ${INSTALL_DIR}/letsencrypt
     ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME --renew-by-default --agree-tos --email $MY_EMAIL_ADDRESS
     if [ ! "$?" = "0" ]; then
-    echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
-    systemctl start nginx
-    exit 63216
+        echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
+        systemctl start nginx
+        exit 63216
     fi
 
     # replace some legacy filenames
     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
-    mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+        mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
     fi
     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
-    mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+        mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
     fi
     sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
     sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
 
     # link the private key
     if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
-    if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
-        mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
-    else
-        rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
-    fi
+        if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
+            mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
+        else
+            rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
+        fi
     fi
     ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
 
     # link the public key
     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
-    if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
-        mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
-    else
-        rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
-    fi
+        if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
+            mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
+        else
+            rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+        fi
     fi
     ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
 
 
     systemctl start nginx
 
-    ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
-    if [ ! "$?" = "0" ]; then
-    echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
-    exit 62878
+    if [ $PIN_CERTS ]; then
+        ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
+        if [ ! "$?" = "0" ]; then
+            echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
+            exit 62878
+        fi
     fi
 }
 
 function add_cert_selfsigned {
     if [[ $ORGANISATION == "Freedombone-CA" ]]; then
-    CERTFILE="ca-$HOSTNAME"
+        CERTFILE="ca-$HOSTNAME"
     fi
 
     openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-        -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-        -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-        -out /etc/ssl/certs/${CERTFILE}.crt
+            -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
+            -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
+            -out /etc/ssl/certs/${CERTFILE}.crt
     chmod 400 /etc/ssl/private/${CERTFILE}.key
     chmod 640 /etc/ssl/certs/${CERTFILE}.crt
     cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
 
-    ${PROJECT_NAME}-pin-cert $CERTFILE
-    if [ ! "$?" = "0" ]; then
-    echo $"Certificate for $CERTFILE could not be pinned"
-    exit 62879
+    if [ $PIN_CERTS ]; then
+        ${PROJECT_NAME}-pin-cert $CERTFILE
+        if [ ! "$?" = "0" ]; then
+            echo $"Certificate for $CERTFILE could not be pinned"
+            exit 62879
+        fi
     fi
 }
 
 function generate_dh_params {
     if [ ! $NODH ]; then
-    if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
-        ${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
-    fi
+        if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
+            ${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes
+        fi
     fi
 }
 
 function restart_web_server {
     if [ -f /etc/init.d/nginx ]; then
-    /etc/init.d/nginx reload
+        /etc/init.d/nginx reload
     fi
 }
 
 
 function create_cert {
     if [ $LETSENCRYPT_HOSTNAME ]; then
-    add_cert_letsencrypt
+        add_cert_letsencrypt
     else
-    add_cert_selfsigned
+        add_cert_selfsigned
     fi
 }
 

src/freedombone-renew-cert

     ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
     ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
 
-    ${PROJECT_NAME}-pin-cert $HOSTNAME
+    ${PROJECT_NAME}-pin-cert $HOSTNAME remove
 }
 
 function renew_startssl {
     echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
     echo ''
 
-    ${PROJECT_NAME}-pin-cert $HOSTNAME
+    ${PROJECT_NAME}-pin-cert $HOSTNAME remove
 }
 
 while [[ $# > 1 ]]

src/freedombone-restore-local

 backup_unmount_drive
 
 # ensure that all TLS certificates are pinned
-${PROJECT_NAME}-pin-cert all
+#${PROJECT_NAME}-pin-cert all
 
 echo $"Restore from USB drive is complete. You can now unplug it."
 

src/freedombone-restore-remote

 set_user_permissions
 
 # ensure that all TLS certificates are pinned
-${PROJECT_NAME}-pin-cert all
+#${PROJECT_NAME}-pin-cert all
 
 echo $"*** Remote restore was successful ***"