From 7cf54b0e4c2eefa5999228a82e4132d4ae8ca471 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Tue, 8 Aug 2017 14:35:31 -0400
Subject: [PATCH] setup for ssl certs

---
 docker/docker-compose.linux.yml    |  2 +-
 docker/docker-compose.override.yml |  2 +-
 docker/docker-compose.windows.yml  |  2 +-
 scripts/setup.ps1                  | 19 +++----
 scripts/setup.sh                   |  9 ++--
 util/Setup/Program.cs              | 87 ++++++++++++++++++++++++------
 6 files changed, 89 insertions(+), 32 deletions(-)

diff --git a/docker/docker-compose.linux.yml b/docker/docker-compose.linux.yml
index e3b94a763..d9ab2fe5d 100644
--- a/docker/docker-compose.linux.yml
+++ b/docker/docker-compose.linux.yml
@@ -18,4 +18,4 @@ services:
     volumes:
       - /etc/bitwarden/nginx:/etc/bitwarden/nginx
       - /etc/bitwarden/letsencrypt:/etc/letsencrypt
-      - /etc/bitwarden/ssl:/etc/certificates
+      - /etc/bitwarden/ssl:/etc/ssl
diff --git a/docker/docker-compose.override.yml b/docker/docker-compose.override.yml
index 20ffe537d..8baa6cdc1 100644
--- a/docker/docker-compose.override.yml
+++ b/docker/docker-compose.override.yml
@@ -18,6 +18,6 @@ services:
     volumes:
       - c:/bitwarden/nginx:/etc/bitwarden/nginx
       - c:/bitwarden/letsencrypt:/etc/letsencrypt
-      - c:/bitwarden/ssl:/etc/certificates
+      - c:/bitwarden/ssl:/etc/ssl
 volumes:
   mssql_data:
diff --git a/docker/docker-compose.windows.yml b/docker/docker-compose.windows.yml
index 20ffe537d..8baa6cdc1 100644
--- a/docker/docker-compose.windows.yml
+++ b/docker/docker-compose.windows.yml
@@ -18,6 +18,6 @@ services:
     volumes:
       - c:/bitwarden/nginx:/etc/bitwarden/nginx
       - c:/bitwarden/letsencrypt:/etc/letsencrypt
-      - c:/bitwarden/ssl:/etc/certificates
+      - c:/bitwarden/ssl:/etc/ssl
 volumes:
   mssql_data:
diff --git a/scripts/setup.ps1 b/scripts/setup.ps1
index a637f934e..3eefc3ed6 100644
--- a/scripts/setup.ps1
+++ b/scripts/setup.ps1
@@ -1,18 +1,19 @@
 param (
-  [string]$outputDir = "c:/bitwarden",
-  [string]$domain = $( Read-Host "Please enter your domain name (i.e. bitwarden.company.com)" ),
-  [string]$email = $( Read-Host "Please enter your email address: " ),
-  [string]$letsencrypt = $( Read-Host "Generate Let's Encrypt Cert (y/n)" )
+    [string]$outputDir = "c:/bitwarden",
+    [string]$domain = $( Read-Host "Enter your domain name (i.e. bitwarden.company.com)" ),
+    [string]$email = $( Read-Host "Enter your email address" ),
+    [string]$letsencrypt = $( Read-Host "Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n)" )
 )
 
+docker --version
+
 $dockerDir="../docker"
 $databasePassword=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_})
 
-docker --version
-
-#mkdir -p $outputDir/letsencrypt/live/$domain
-#docker run -it --rm -p 80:80 -v $outputDir/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $email --agree-tos -d $domain
-#docker run -it --rm -v $outputDir/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$domain/dhparam.pem 2048
+if($letsencrypt -eq "y") {
+    mkdir -p $outputDir/letsencrypt/live/$domain
+    docker run -it --rm -p 80:80 -v $outputDir/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $email --agree-tos -d $domain
+}
 
 docker run -it --rm -v ${outputDir}:/bitwarden bitwarden/setup dotnet Setup.dll -domain ${domain} -letsencrypt ${letsencrypt} -db_pass ${databasePassword}
 
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 467b661cb..89aab2193 100644
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -3,18 +3,19 @@ set -e
 
 echo "Please enter your domain name (i.e. bitwarden.company.com): "
 read DOMAIN
-echo -e "\nPlease enter your email address (used to generate an HTTPS certificate with LetsEncrypt): "
+echo -e "\nPlease enter your email address: "
 read EMAIL
+echo -e "\nDo you want to use Let's Encrypt to generate a free SSL certificate (y/n)? "
+read LETS_ENCRYPT
 
-OUTPUT_DIR=./bitwarden
+OUTPUT_DIR=/etc/bitwarden
 DATABASE_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
 
 docker --version
 
 #mkdir -p $OUTPUT_DIR/letsencrypt/live/$DOMAIN
 #docker run -it --rm -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $EMAIL --agree-tos -d $DOMAIN
-#docker run -it --rm -v $OUTPUT_DIR/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$DOMAIN/dhparam.pem 2048
 
-docker run -it --rm -v $OUTPUT_DIR:/bitwarden bitwarden/setup dotnet Setup.dll -domain $DOMAIN -letsencrypt y -db_pass $DATABASE_PASSWORD
+docker run -it --rm -v $OUTPUT_DIR:/bitwarden bitwarden/setup dotnet Setup.dll -domain $DOMAIN -letsencrypt $LETS_ENCRYPT -db_pass $DATABASE_PASSWORD
 
 echo -e "\nSetup complete"
diff --git a/util/Setup/Program.cs b/util/Setup/Program.cs
index 559cb7ad1..85aebca18 100644
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@@ -14,6 +14,7 @@ namespace Setup
         private static string _url = null;
         private static string _identityCertPassword = null;
         private static bool _ssl = false;
+        private static bool _selfSignedSsl = false;
         private static bool _letsEncrypt = false;
 
         public static void Main(string[] args)
@@ -27,10 +28,24 @@ namespace Setup
                 _parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
             _ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ?
                 _parameters["ssl"].ToLowerInvariant() == "y" : false);
-            _url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
-            _identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
 
+            _ssl = _letsEncrypt;
+            if(!_letsEncrypt)
+            {
+                Console.Write("Are you using your own SSL certificate? (y/n): ");
+                _ssl = Console.ReadLine().ToLowerInvariant() == "y";
+
+                if(_ssl)
+                {
+                    Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
+                        "appropriate directory (see setup instructions).");
+                }
+            }
+
+            _identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
             MakeCerts();
+
+            _url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
             BuildNginxConfig();
             BuildEnvironmentFiles();
             BuildAppSettingsFiles();
@@ -38,6 +53,29 @@ namespace Setup
 
         private static void MakeCerts()
         {
+            if(!_ssl)
+            {
+                Console.Write("Do you want to generate a self signed SSL certificate? (y/n): ");
+                if(Console.ReadLine().ToLowerInvariant() == "y")
+                {
+                    Directory.CreateDirectory($"/bitwarden/ssl/self/{_domain}/");
+                    Console.WriteLine("Generating self signed SSL certificate.");
+                    _ssl = _selfSignedSsl = true;
+                    Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
+                        $"-keyout /bitwarden/ssl/self/{_domain}/private.key " +
+                        $"-out /bitwarden/ssl/self/{_domain}/certificate.crt " +
+                        $"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=bitwarden/CN={_domain}\"");
+                }
+            }
+
+            if(_letsEncrypt)
+            {
+                Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_domain}/");
+                Console.WriteLine("Generating DH ephemeral parameter.");
+                Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{_domain}/dhparam.pem 2048");
+            }
+
+            Console.WriteLine("Generating key for IdentityServer.");
             Directory.CreateDirectory("/bitwarden/identity/");
             Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                 "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
@@ -54,12 +92,27 @@ namespace Setup
                 "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:" +
                 "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
 
-            var dh = _letsEncrypt ||
-                (_parameters.ContainsKey("ssl_dh") ? _parameters["ssl_dh"].ToLowerInvariant() == "y" : false);
-            var trusted = _letsEncrypt ||
-                (_parameters.ContainsKey("ssl_trusted") ? _parameters["ssl_trusted"].ToLowerInvariant() == "y" : false);
-            var certPath = _letsEncrypt ? $"/etc/letsencrypt/live/{_domain}" : $"/etc/certificates/{_domain}";
+            var dh = _letsEncrypt;
+            if(_ssl && !_selfSignedSsl && !_letsEncrypt)
+            {
+                Console.Write("Use Diffie Hellman ephemeral parameters for SSL (requires dhparam.pem)? (y/n): ");
+                dh = Console.ReadLine().ToLowerInvariant() == "y";
+            }
 
+            var trusted = _letsEncrypt;
+            if(_ssl && !_selfSignedSsl && !_letsEncrypt)
+            {
+                Console.Write("Is this a trusted SSL certificate (requires ca.crt)? (y/n): ");
+                trusted = Console.ReadLine().ToLowerInvariant() == "y";
+            }
+
+            var sslPath = _letsEncrypt ? $"/etc/letsencrypt/live/{_domain}" :
+                _selfSignedSsl ? $"/etc/ssl/self/{_domain}" : $"/etc/ssl/{_domain}";
+            var certFile = _letsEncrypt ? "fullchain.pem" : "certificate.crt";
+            var keyFile = _letsEncrypt ? "privkey.pem" : "private.key";
+            var caFile = _letsEncrypt ? "fullchain.pem" : "ca.crt";
+
+            Console.WriteLine("Building nginx config.");
             using(var sw = File.CreateText("/bitwarden/nginx/default.conf"))
             {
                 sw.WriteLine($@"server {{
@@ -77,8 +130,8 @@ server {{
     listen [::]:443 ssl http2;
     server_name {_domain};
 
-    ssl_certificate {certPath}/fullchain.pem;
-    ssl_certificate_key {certPath}/privkey.pem;
+    ssl_certificate {sslPath}/{certFile};
+    ssl_certificate_key {sslPath}/{keyFile};
     
     ssl_session_timeout 30m;
     ssl_session_cache shared:SSL:20m;
@@ -88,7 +141,7 @@ server {{
                     {
                         sw.WriteLine($@"
     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-    ssl_dhparam {certPath}/dhparam.pem;");
+    ssl_dhparam {sslPath}/dhparam.pem;");
                     }
 
                     sw.WriteLine($@"
@@ -108,14 +161,17 @@ server {{
     ssl_stapling_verify on;
 
     ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate {certPath}/fullchain.pem;
+    ssl_trusted_certificate {sslPath}/{caFile};
 
     resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;");
                     }
 
                     sw.WriteLine($@"
-    # Headers
+    # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
+    add_header Strict-Transport-Security max-age=15768000;");
+                }
 
+                sw.WriteLine($@"
     # X-Frame-Options is to prevent from clickJacking attack
     add_header X-Frame-Options SAMEORIGIN;
 
@@ -128,11 +184,7 @@ server {{
     # This header controls what referrer information is shared
     add_header Referrer-Policy same-origin;
 
-    # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
-    add_header Strict-Transport-Security max-age=15768000;
-
     # Content-Security-Policy is set via meta tag on the website so it is not included here");
-                }
 
                 sw.WriteLine($@"
     location / {{
@@ -177,6 +229,7 @@ server {{
 
         private static void BuildEnvironmentFiles()
         {
+            Console.WriteLine("Building docker environment override files.");
             Directory.CreateDirectory("/bitwarden/docker/");
             var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
             var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" +
@@ -205,6 +258,7 @@ SA_PASSWORD={dbPass}");
 
         private static void BuildAppSettingsFiles()
         {
+            Console.WriteLine("Building app settings.");
             Directory.CreateDirectory("/bitwarden/web/");
             using(var sw = File.CreateText("/bitwarden/web/settings.js"))
             {
@@ -218,6 +272,7 @@ SA_PASSWORD={dbPass}");
 
         private static void BuildAppId()
         {
+            Console.WriteLine("Building FIDO U2F app id.");
             Directory.CreateDirectory("/bitwarden/web/");
             using(var sw = File.CreateText("/bitwarden/web/app-id.json"))
             {