dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat/fix(ssl): fix some issues and improve ssl generation helper

Browse Source 
- set default country to XX
- fix array handling of the subjectAlternativeNames so that no indexes are added or skipped
- add extendedKeyUsage to server certs to make them more secure
- add keyAgreement to server certs
- remove authorityKeyIdentifier as it caused the following issue: unable to get local issuer certificate
- removed duplicated distinguished_name entries
- improved formatting
This commit is contained in:
peaklabs-dev
2025-02-06 15:13:08 +01:00
parent 367eebc9fc
commit 6eabfd5c8e
1 changed files with 43 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
app/Helpers/SslHelper.php
View File

@@ -10,7 +10,7 @@ class SslHelper
{ {
private const DEFAULT_ORGANIZATION_NAME = 'Coolify'; private const DEFAULT_ORGANIZATION_NAME = 'Coolify';
private const DEFAULT_COUNTRY_NAME = 'ZZ'; private const DEFAULT_COUNTRY_NAME = 'XX';
private const DEFAULT_STATE_NAME = 'Default'; private const DEFAULT_STATE_NAME = 'Default';
@@ -50,29 +50,44 @@ class SslHelper
if ($server) { if ($server) {
$ip = $server->getIp; $ip = $server->getIp;
if ($ip) { if ($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) { $type = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)
$subjectAlternativeNames[] = "IP:$ip"; ? 'IP'
} else { : 'DNS';
$subjectAlternativeNames[] = "DNS:$ip";
}
}
}
}
$subjectAlternativeNames = array_unique( $subjectAlternativeNames = array_unique(
array_merge(["DNS:$commonName"], $subjectAlternativeNames) array_merge($subjectAlternativeNames, ["$type:$ip"])
); );
$formattedSubjectAltNames = [];
foreach ($subjectAlternativeNames as $index => $san) {
[$type, $value] = explode(':', $san, 2);
$formattedSubjectAltNames[] = "{$type}.".($index + 1)." = $value";
} }
$formattedSubjectAltNamesSection = implode("\n", $formattedSubjectAltNames); }
}
$basicConstraints = $isCaCertificate ? 'critical, CA:TRUE, pathlen:0' : 'critical, CA:FALSE'; $basicConstraints = $isCaCertificate ? 'critical, CA:TRUE, pathlen:0' : 'critical, CA:FALSE';
$keyUsage = $isCaCertificate ? 'critical, keyCertSign, cRLSign' : 'critical, digitalSignature'; $keyUsage = $isCaCertificate ? 'critical, keyCertSign, cRLSign' : 'critical, digitalSignature, keyAgreement';
$authorityKeyIdentifierLine = $isCaCertificate ? '' : "authorityKeyIdentifier = critical,keyid,issuer\n";
$subjectAltNameSection = '';
$extendedKeyUsageSection = '';
if (! $isCaCertificate) {
$extendedKeyUsageSection = "\nextendedKeyUsage = serverAuth";
$subjectAlternativeNames = array_values(
array_unique(
array_merge(["DNS:$commonName"], $subjectAlternativeNames)
)
);
$formattedSubjectAltNames = array_map(
function ($index, $san) {
[$type, $value] = explode(':', $san, 2);
return "{$type}.".($index + 1)." = $value";
},
array_keys($subjectAlternativeNames),
$subjectAlternativeNames
);
$subjectAltNameSection = "subjectAltName = @subject_alt_names\n\n[ subject_alt_names ]\n"
.implode("\n", $formattedSubjectAltNames);
}
$config = <<<CONF $config = <<<CONF
[ req ] [ req ]
@@ -81,24 +96,19 @@ class SslHelper
req_extensions = req_ext req_extensions = req_ext
[ distinguished_name ] [ distinguished_name ]
C = $countryName
ST = $stateName
O = $organizationName
CN = $commonName CN = $commonName
[ req_ext ] [ req_ext ]
basicConstraints = $basicConstraints basicConstraints = $basicConstraints
keyUsage = $keyUsage keyUsage = $keyUsage
{$extendedKeyUsageSection}
[ v3_req ] [ v3_req ]
basicConstraints = $basicConstraints basicConstraints = $basicConstraints
keyUsage = $keyUsage keyUsage = $keyUsage
subjectKeyIdentifier = critical,hash {$extendedKeyUsageSection}
{$authorityKeyIdentifierLine} subjectKeyIdentifier = hash
subjectAltName = critical,@subject_alt_names {$subjectAltNameSection}
[subject_alt_names]
$formattedSubjectAltNamesSection
CONF; CONF;
$tempConfig = tmpfile(); $tempConfig = tmpfile();