From 9c15a6ae11de3ebeab1acb797e715c98167f9a17 Mon Sep 17 00:00:00 2001
From: itiligent <github@itiligent.com>
Date: Wed, 6 Sep 2023 19:59:44 +1000
Subject: [PATCH] Improve tls hardening flow & options

---
 1-setup.sh                          |  1 +
 4a-install-tls-self-signed-nginx.sh |  2 +-
 add-tls-guac-daemon.sh              | 53 +++++++++++++++++------------
 3 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/1-setup.sh b/1-setup.sh
index ecdd66d..9a76a03 100644
--- a/1-setup.sh
+++ b/1-setup.sh
@@ -665,6 +665,7 @@ sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-d
 sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
 sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
 sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
diff --git a/4a-install-tls-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh
index 734fa81..9ed6c0a 100644
--- a/4a-install-tls-self-signed-nginx.sh
+++ b/4a-install-tls-self-signed-nginx.sh
@@ -38,7 +38,7 @@ fi
 
 echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
 # Display the new TLS cert parameters.
-cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
+cat <<EOF | tee $TMP_DIR/cert_attributes.txt
 [req]
 distinguished_name  = req_distinguished_name
 x509_extensions     = v3_req
diff --git a/add-tls-guac-daemon.sh b/add-tls-guac-daemon.sh
index 0ff2795..33fba84 100644
--- a/add-tls-guac-daemon.sh
+++ b/add-tls-guac-daemon.sh
@@ -6,6 +6,9 @@
 # April 2023
 #######################################################################################################################
 
+# To delete and reissue a new cert
+# sudo keytool -delete -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
+
 # Prepare text output colours
 GREY='\033[0;37m'
 DGREY='\033[0;90m'
@@ -15,15 +18,6 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour
 
-# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
-CERT_COUNTRY=
-CERT_STATE=
-CERT_LOCATION=
-CERT_ORG=
-CERT_OU=
-
-clear
-
 # Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
@@ -31,10 +25,23 @@ if ! [ $(id -u) = 0 ]; then
     exit 1
 fi
 
+TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
+RSA_KEY_LENGTH=2048
+
+# Auto updated values from main installer (manually update if blank)
+CERT_COUNTRY=
+CERT_STATE=
+CERT_LOCATION=
+CERT_ORG=
+CERT_OU=
+CERT_DAYS=
+
+clear
+
 # Create the special directory for guacd tls certificate and key.
-sudo mkdir /etc/guacamole/ssl
+mkdir -p /etc/guacamole/ssl
 echo
-cat <<EOF | tee -a cert_attributes.txt
+cat <<EOF | tee cert_attributes.txt
 [req]
 distinguished_name  = req_distinguished_name
 x509_extensions     = v3_req
@@ -60,11 +67,12 @@ IP.1                = 127.0.0.1
 EOF
 
 # Create the self signing request, certificate & key
-sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
+openssl req -x509 -nodes -days $CERT_DAYS -newkey rsa:$RSA_KEY_LENGTH -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
 rm -f cert_attributes.txt
 
 # Point Guacamole config file to certificate and key
-sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf
+cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak
+cat <<EOF | sudo tee /etc/guacamole/guacd.conf
 [server]
 bind_host = 127.0.0.1
 bind_port = 4822
@@ -74,21 +82,24 @@ server_key = /etc/guacamole/ssl/guacd.key
 EOF
 
 # Enable TLS backend
-sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
+cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
 guacd-ssl: true
 EOF
 
 # Fix required permissions as guacd only runs as daemon
-sudo chown daemon:daemon /etc/guacamole/ssl
-sudo chown daemon:daemon /etc/guacamole/ssl/guacd.key
-sudo chown daemon:daemon /etc/guacamole/ssl/guacd.crt
-sudo chmod 644 /etc/guacamole/ssl/guacd.crt
-sudo chmod 644 /etc/guacamole/ssl/guacd.key
+chown daemon:daemon /etc/guacamole/ssl
+chown daemon:daemon /etc/guacamole/ssl/guacd.key
+chown daemon:daemon /etc/guacamole/ssl/guacd.crt
+chmod 644 /etc/guacamole/ssl/guacd.crt
+chmod 644 /etc/guacamole/ssl/guacd.key
 
 # Add the new certificate into the Java Runtime certificate store and set JRE to trust it.
 cd /etc/guacamole/ssl
-sudo keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
-sudo systemctl restart guacd
+keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
+
+
+systemctl restart guacd
+systemctl restart ${TOMCAT_VERSION}
 
 echo
 echo "Done!"