Use dummy ACME cert initially; Reload nginx immediately before ACME issuance (#928)

* Only inject cert if exists * Generate a temporary self-signed cert until ACME issues one * Fix typo * Update omnibus/cookbooks/firezone/recipes/nginx.rb Co-authored-by: Gabi <gabriel@firezone.dev> Signed-off-by: Jamil <jamilbk@users.noreply.github.com> * Restart nginx immediately * Remove redundant logic * Use execute * Update docs with note Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Gabi <gabriel@firezone.dev>
2026-01-27 18:18:55 +00:00 · 2022-08-22 21:42:14 -07:00
parent e4de365d14
commit 0900a9fd86
5 changed files with 34 additions and 5 deletions
--- a/docs/docs/administer/security-considerations.md
+++ b/docs/docs/administer/security-considerations.md
@@ -16,7 +16,8 @@ Shown below is a table of ports used by Firezone services.

 | Service | Default port | Listen address | Description |
 | ------ | --------- | ------- | --------- |
-| Nginx | `80` `443` | `all` | Public HTTP(S) port for administering Firezone and facilitating authentication. |
+| Nginx | `443` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
+| Nginx | `80` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
 | WireGuard | `51820` | `all` | Public WireGuard port used for VPN sessions. |
 | Postgresql | `15432` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
 | Phoenix | `13000` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
--- a/omnibus/cookbooks/firezone/recipes/acme.rb
+++ b/omnibus/cookbooks/firezone/recipes/acme.rb
@@ -65,6 +65,12 @@ if node['firezone']['ssl']['acme']['enabled'] && !node['firezone']['ssl']['certi
    ACME
  end

+  # Pick up any nginx conf changes that may have happened during this Chef run
+  execute 'Reload Nginx' do
+    notifies :reload, 'component_runit_service[nginx]', :immediately
+    command 'echo "reloading nginx..."'
+  end
+
  execute 'ACME issue' do
    # Command returns 0: Cert was issued
    # Command returns 2: Skipping because renewal isn't needed
--- a/omnibus/cookbooks/firezone/recipes/nginx.rb
+++ b/omnibus/cookbooks/firezone/recipes/nginx.rb
@@ -64,7 +64,8 @@ template 'redirect.conf' do
    server_name: URI.parse(node['firezone']['external_url']).host,
    acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
    rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
-    ipv6: node['firezone']['nginx']['ipv6']
+    ipv6: node['firezone']['nginx']['ipv6'],
+    acme: node['firezone']['ssl']['acme']
  )
 end

@@ -74,6 +75,7 @@ if node['firezone']['nginx']['enabled']
    action :enable
    subscribes :restart, 'template[nginx.conf]'
    subscribes :restart, 'template[phoenix.nginx.conf]'
+    subscribes :restart, 'template[redirect.conf]'
    subscribes :restart, 'template[acme.conf]'
  end
 else
--- a/omnibus/cookbooks/firezone/recipes/phoenix.rb
+++ b/omnibus/cookbooks/firezone/recipes/phoenix.rb
@@ -27,6 +27,10 @@ include_recipe 'firezone::acme'
 include_recipe 'firezone::ssl'
 include_recipe 'firezone::wireguard'

+fqdn = URI.parse(node['firezone']['external_url']).host
+acme_cert = "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.fullchain"
+acme_key = "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.key"
+
 [node['firezone']['phoenix']['log_directory'],
 "#{node['firezone']['var_directory']}/phoenix/run"].each do |dir|
  directory dir do
@@ -37,8 +41,22 @@ include_recipe 'firezone::wireguard'
  end
 end

+if node['firezone']['ssl']['acme']['enabled']
+  # Generate a temporary cert until ACME issues one so that nginx can be restarted
+  openssl_x509_certificate acme_cert do
+    common_name fqdn
+    org node['firezone']['ssl']['company_name']
+    org_unit node['firezone']['ssl']['organizational_unit_name']
+    country node['firezone']['ssl']['country_name']
+    key_length 2048
+    expire 3650
+    owner 'root'
+    group 'root'
+    mode '0644'
+  end
+end
+
 template 'phoenix.nginx.conf' do
-  fqdn = URI.parse(node['firezone']['external_url']).host
  path "#{node['firezone']['nginx']['directory']}/sites-enabled/phoenix"
  source 'phoenix.nginx.conf.erb'
  owner node['firezone']['user']
@@ -53,8 +71,8 @@ template 'phoenix.nginx.conf' do
            app_directory: node['firezone']['app_directory'],
            acme: {
              'enabled' => node['firezone']['ssl']['acme']['enabled'],
-              'certificate' => "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.fullchain",
-              'certificate_key' => "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.key"
+              'certificate' => acme_cert,
+              'certificate_key' => acme_key
            })
 end

--- a/omnibus/cookbooks/firezone/templates/redirect.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
@@ -1,3 +1,4 @@
+<% if @acme['enabled'] -%>
 server {
  listen 80 default_server;
  <% if @ipv6 -%>
@@ -10,3 +11,4 @@ server {
    alias <%= @acme_www_root %>/.well-known/acme-challenge/;
  }
 }
+<% end -%>