Improve tls hardening flow & options

2025-12-13 18:02:32 +00:00 · 2023-09-06 19:59:44 +10:00 · 2023-09-06 19:59:44 +10:00 · 9c15a6ae11
commit 9c15a6ae11
parent 30f6bc59d7
3 changed files with 34 additions and 22 deletions
--- a/1-setup.sh
+++ b/1-setup.sh
@ -665,6 +665,7 @@ sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-d
 sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
 sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
 sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
--- a/4a-install-tls-self-signed-nginx.sh
+++ b/4a-install-tls-self-signed-nginx.sh
@ -38,7 +38,7 @@ fi

 echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
 # Display the new TLS cert parameters.
-cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
+cat <<EOF | tee $TMP_DIR/cert_attributes.txt
 [req]
 distinguished_name  = req_distinguished_name
 x509_extensions     = v3_req
--- a/add-tls-guac-daemon.sh
+++ b/add-tls-guac-daemon.sh
@ -6,6 +6,9 @@
 # April 2023
 #######################################################################################################################

+# To delete and reissue a new cert
+# sudo keytool -delete -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
+
 # Prepare text output colours
 GREY='\033[0;37m'
 DGREY='\033[0;90m'
@ -15,15 +18,6 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour

-# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
-CERT_COUNTRY=
-CERT_STATE=
-CERT_LOCATION=
-CERT_ORG=
-CERT_OU=
-
-clear
-
 # Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
    echo
@ -31,10 +25,23 @@ if ! [ $(id -u) = 0 ]; then
    exit 1
 fi

+TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
+RSA_KEY_LENGTH=2048
+
+# Auto updated values from main installer (manually update if blank)
+CERT_COUNTRY=
+CERT_STATE=
+CERT_LOCATION=
+CERT_ORG=
+CERT_OU=
+CERT_DAYS=
+
+clear
+
 # Create the special directory for guacd tls certificate and key.
-sudo mkdir /etc/guacamole/ssl
+mkdir -p /etc/guacamole/ssl
 echo
-cat <<EOF | tee -a cert_attributes.txt
+cat <<EOF | tee cert_attributes.txt
 [req]
 distinguished_name  = req_distinguished_name
 x509_extensions     = v3_req
@ -60,11 +67,12 @@ IP.1                = 127.0.0.1
 EOF

 # Create the self signing request, certificate & key
-sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
+openssl req -x509 -nodes -days $CERT_DAYS -newkey rsa:$RSA_KEY_LENGTH -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
 rm -f cert_attributes.txt

 # Point Guacamole config file to certificate and key
-sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf
+cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak
+cat <<EOF | sudo tee /etc/guacamole/guacd.conf
 [server]
 bind_host = 127.0.0.1
 bind_port = 4822
@ -74,21 +82,24 @@ server_key = /etc/guacamole/ssl/guacd.key
 EOF

 # Enable TLS backend
-sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
+cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
 guacd-ssl: true
 EOF

 # Fix required permissions as guacd only runs as daemon
-sudo chown daemon:daemon /etc/guacamole/ssl
-sudo chown daemon:daemon /etc/guacamole/ssl/guacd.key
-sudo chown daemon:daemon /etc/guacamole/ssl/guacd.crt
-sudo chmod 644 /etc/guacamole/ssl/guacd.crt
-sudo chmod 644 /etc/guacamole/ssl/guacd.key
+chown daemon:daemon /etc/guacamole/ssl
+chown daemon:daemon /etc/guacamole/ssl/guacd.key
+chown daemon:daemon /etc/guacamole/ssl/guacd.crt
+chmod 644 /etc/guacamole/ssl/guacd.crt
+chmod 644 /etc/guacamole/ssl/guacd.key

 # Add the new certificate into the Java Runtime certificate store and set JRE to trust it.
 cd /etc/guacamole/ssl
-sudo keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
-sudo systemctl restart guacd
+keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
+
+
+systemctl restart guacd
+systemctl restart ${TOMCAT_VERSION}

 echo
 echo "Done!"