Cerificate pinning

src/freedombone

@@ -4325,7 +4325,7 @@ function configure_imap_client_certs {
       if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
           ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
       else
-          ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+          ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH
       fi
   fi
   # CA configuration
@@ -6767,14 +6767,6 @@ function install_wiki {
   if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then
       rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
   fi
-  if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
-      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-          ${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-      else
-          ${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-      fi
-      check_certificates $WIKI_DOMAIN_NAME
-  fi
 
   ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs
 
@@ -7002,6 +6994,15 @@ function install_wiki {
   echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
   echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 
+  if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          ${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          ${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
+      check_certificates $WIKI_DOMAIN_NAME
+  fi
+
   configure_php
 
   nginx_ensite $WIKI_DOMAIN_NAME
@@ -7090,15 +7091,6 @@ function install_blog {
 
   chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
 
-  if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
-      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-          ${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-      else
-          ${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-      fi
-      check_certificates $FULLBLOG_DOMAIN_NAME
-  fi
-
   echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '    listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@@ -7272,6 +7264,15 @@ function install_blog {
   echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
   echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 
+  if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          ${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          ${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
+      check_certificates $FULLBLOG_DOMAIN_NAME
+  fi
+
   configure_php
 
   # blog settings

src/freedombone-addcert

@@ -205,7 +205,14 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
     ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
 
     cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
+
     systemctl start nginx
+
+    ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
+    if [ ! "$?" = "0" ]; then
+        echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
+        exit 62878
+    fi
 else
     CERTFILE=$HOSTNAME
     if [[ $ORGANISATION == "Freedombone-CA" ]]; then
@@ -219,6 +226,12 @@ else
     chmod 400 /etc/ssl/private/${CERTFILE}.key
     chmod 640 /etc/ssl/certs/${CERTFILE}.crt
     cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
+
+    ${PROJECT_NAME}-pin-cert $CERTFILE
+    if [ ! "$?" = "0" ]; then
+        echo $"Certificate for $CERTFILE could not be pinned"
+        exit 62879
+    fi
 fi
 
 # generate DH params

src/freedombone-pin-cert

@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Performs certificate pinning (HPKP) on a given domain name
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+PROJECT_NAME='freedombone'
+
+export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
+export TEXTDOMAINDIR="/usr/share/locale"
+
+DOMAIN_NAME=$1
+KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
+SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
+
+if [ ! -f "$KEY_FILENAME" ]; then
+    echo $"No certificate found for $DOMAIN_NAME"
+    exit 1
+fi
+
+if [ ! -f "$SITE_FILENAME" ]; then
+    exit 0
+fi
+
+KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+
+PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
+    sed -i "/add_header Access-Control-Allow-Origin.*/a $PIN_HEADER" $SITE_FILENAME
+else
+    sed -i "s/add_header Public-Key-Pins.*/$PIN_HEADER/g" $SITE_FILENAME
+fi
+
+systemctl restart nginx
+
+exit 0

src/freedombone-renew-cert

@@ -73,6 +73,8 @@ function renew_letsencrypt {
     # Ensure that links are in place
     ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
     ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
+
+    ${PROJECT_NAME}-pin-cert $HOSTNAME
 }
 
 function renew_startssl {
@@ -171,6 +173,8 @@ function renew_startssl {
     echo $'Once you have retrieved the new public certificate paste it to:'
     echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
     echo ''
+
+    ${PROJECT_NAME}-pin-cert $HOSTNAME
 }
 
 while [[ $# > 1 ]]