public bool BuildForInstall() { var selfSignedSsl = false; if (!Ssl) { if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?")) { Directory.CreateDirectory($"/bitwarden/ssl/self/{Domain}/"); Console.WriteLine("Generating self signed SSL certificate."); Ssl = selfSignedSsl = true; Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " + $"-keyout /bitwarden/ssl/self/{Domain}/private.key " + $"-out /bitwarden/ssl/self/{Domain}/certificate.crt " + $"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=Bitwarden/CN={Domain}\""); } } if (LetsEncrypt) { Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{Domain}/"); Helpers.Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{Domain}/dhparam.pem 2048"); } Console.WriteLine("Generating key for IdentityServer."); Directory.CreateDirectory("/bitwarden/identity/"); Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " + "-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 10950"); Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " + $"-in identity.crt -certfile identity.crt -passout pass:{IdentityCertPassword}"); Console.WriteLine(); return(selfSignedSsl); }
public void BuildForInstall() { if (_context.Stub) { _context.Config.Ssl = true; _context.Install.Trusted = true; _context.Install.SelfSignedCert = false; _context.Install.DiffieHellman = false; _context.Install.IdentityCertPassword = "******"; return; } _context.Config.Ssl = _context.Config.SslManagedLetsEncrypt; if (!_context.Config.Ssl) { var skipSSL = _context.Parameters.ContainsKey("skip-ssl") && (_context.Parameters["skip-ssl"] == "true" || _context.Parameters["skip-ssl"] == "1"); if (!skipSSL) { _context.Config.Ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?"); if (_context.Config.Ssl) { Directory.CreateDirectory($"/bitwarden/ssl/{_context.Install.Domain}/"); var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" + "appropriate directory before running 'start' (see docs for info)."; Helpers.ShowBanner(_context, "NOTE", message); } else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?")) { Directory.CreateDirectory($"/bitwarden/ssl/self/{_context.Install.Domain}/"); Helpers.WriteLine(_context, "Generating self signed SSL certificate."); _context.Config.Ssl = true; _context.Install.Trusted = false; _context.Install.SelfSignedCert = true; Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 36500 " + $"-keyout /bitwarden/ssl/self/{_context.Install.Domain}/private.key " + $"-out /bitwarden/ssl/self/{_context.Install.Domain}/certificate.crt " + $"-reqexts SAN -extensions SAN " + $"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{_context.Install.Domain}\nbasicConstraints=CA:true')) " + $"-subj \"/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN={_context.Install.Domain}\""); } } } if (_context.Config.SslManagedLetsEncrypt) { _context.Install.Trusted = true; _context.Install.DiffieHellman = true; Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_context.Install.Domain}/"); Helpers.Exec($"openssl dhparam -out " + $"/bitwarden/letsencrypt/live/{_context.Install.Domain}/dhparam.pem 2048"); } else if (_context.Config.Ssl && !_context.Install.SelfSignedCert) { _context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " + "(requires ca.crt, see docs)?"); } Helpers.WriteLine(_context, "Generating key for IdentityServer."); _context.Install.IdentityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true); Directory.CreateDirectory("/bitwarden/identity/"); Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " + "-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 36500"); Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " + $"-in identity.crt -passout pass:{_context.Install.IdentityCertPassword}"); Helpers.WriteLine(_context); if (!_context.Config.Ssl) { var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" + "You must front your installation with a HTTPS proxy or the web vault (and \n" + "other Bitwarden apps) will not work properly."; Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow); } else if (_context.Config.Ssl && !_context.Install.Trusted) { var message = "You are using an untrusted SSL certificate. This certificate will not be \n" + "trusted by Bitwarden client applications. You must add this certificate to \n" + "the trusted store on each device or else you will receive errors when trying \n" + "to connect to your installation."; Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow); } }
public void BuildForInstall() { if (_context.Stub) { _context.Config.Ssl.Enable = true; _context.Install.Trusted = true; _context.Install.SelfSignedCert = false; _context.Install.DiffieHellman = false; _context.Install.IdentityCertPassword = "******"; return; } _context.Config.Ssl.Enable = _context.Config.Ssl.ManagedLetsEncrypt; if (!_context.Config.Ssl.Enable && _context.Install.Ssl == null) { _context.Config.Ssl.Enable = Helpers.ReadQuestion("Do you have a SSL certificate to use?"); if (_context.Config.Ssl.Enable) { Directory.CreateDirectory($"{_context.DestDir}/ssl/{_context.Install.Domain}/"); var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" + "appropriate directory before running 'start' (see docs for info)."; Helpers.ShowBanner(_context, "NOTE", message); } else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?")) { Directory.CreateDirectory($"{_context.DestDir}/ssl/self/{_context.Install.Domain}/"); Helpers.WriteLine(_context, "Generating self signed SSL certificate."); _context.Config.Ssl.Enable = true; _context.Install.Trusted = false; _context.Install.SelfSignedCert = true; Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " + $"-keyout {_context.DestDir}/ssl/self/{_context.Install.Domain}/private.key " + $"-out {_context.DestDir}/ssl/self/{_context.Install.Domain}/certificate.crt " + $"-reqexts SAN -extensions SAN " + $"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{_context.Install.Domain}\nbasicConstraints=CA:true')) " + $"-subj \"/C=US/ST=Florida/L=Jacksonville/O=8bit Solutions LLC/OU=ByteGarden/CN={_context.Install.Domain}\""); } } if (_context.Config.Ssl?.ManagedLetsEncrypt ?? false) { _context.Install.Trusted = true; _context.Install.DiffieHellman = true; Directory.CreateDirectory($"{_context.DestDir}/letsencrypt/live/{_context.Install.Domain}/"); Helpers.Exec($"openssl dhparam -out " + $"{_context.DestDir}/letsencrypt/live/{_context.Install.Domain}/dhparam.pem 2048"); } else if (_context.Config.Ssl.Enable && !_context.Install.SelfSignedCert) { _context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " + "(requires ca.crt, see docs)?"); } GenerateIdentityCertificate(); Helpers.WriteLine(_context); if (!_context.Config.Ssl.Enable) { var message = "You are not using a SSL certificate. ByteGarden requires HTTPS to operate. \n" + "You must front your installation with a HTTPS proxy or the web vault (and \n" + "other ByteGarden apps) will not work properly."; Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow); } else if (_context.Config.Ssl.Enable && !_context.Install.Trusted) { var message = "You are using an untrusted SSL certificate. This certificate will not be \n" + "trusted by ByteGarden client applications. You must add this certificate to \n" + "the trusted store on each device or else you will receive errors when trying \n" + "to connect to your installation."; Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow); } }
private static void Install() { var outputDir = _parameters.ContainsKey("out") ? _parameters["out"].ToLowerInvariant() : "/etc/bitwarden"; var domain = _parameters.ContainsKey("domain") ? _parameters["domain"].ToLowerInvariant() : "localhost"; var letsEncrypt = _parameters.ContainsKey("letsencrypt") ? _parameters["letsencrypt"].ToLowerInvariant() == "y" : false; if (!ValidateInstallation()) { return; } var ssl = letsEncrypt; if (!letsEncrypt) { ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?"); if (ssl) { Directory.CreateDirectory($"/bitwarden/ssl/{domain}/"); var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" + "appropriate directory before running 'start' (see docs for info)."; Helpers.ShowBanner("NOTE", message); } } var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true); var certBuilder = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl); var selfSignedSsl = certBuilder.BuildForInstall(); ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build var sslTrusted = letsEncrypt; var sslDiffieHellman = letsEncrypt; if (ssl && !selfSignedSsl && !letsEncrypt) { sslDiffieHellman = Helpers.ReadQuestion("Use Diffie Hellman ephemeral parameters for SSL " + "(requires dhparam.pem, see docs)?"); sslTrusted = Helpers.ReadQuestion("Is this a trusted SSL certificate (requires ca.crt, see docs)?"); } if (!ssl) { var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" + "You must front your installation with a HTTPS proxy. The web vault (and \n" + "other Bitwarden apps) will not work properly without HTTPS."; Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow); } else if (ssl && !sslTrusted) { var message = "You are using an untrusted SSL certificate. This certificate will not be \n" + "trusted by Bitwarden client applications. You must add this certificate to \n" + "the trusted store on each device or else you will receive errors when trying \n" + "to connect to your installation."; Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow); } var url = $"https://{domain}"; int httpPort = default(int), httpsPort = default(int); if (Helpers.ReadQuestion("Do you want to use the default ports for HTTP (80) and HTTPS (443)?")) { httpPort = 80; if (ssl) { httpsPort = 443; } } else if (ssl) { httpsPort = 443; if (int.TryParse(Helpers.ReadInput("HTTPS port").Trim(), out httpsPort) && httpsPort != 443) { url += (":" + httpsPort); } else { Console.WriteLine("Using default port."); } } else { httpPort = 80; if (!int.TryParse(Helpers.ReadInput("HTTP port").Trim(), out httpPort) && httpPort != 80) { Console.WriteLine("Using default port."); } } if (Helpers.ReadQuestion("Is your installation behind a reverse proxy?")) { if (Helpers.ReadQuestion("Do you use the default HTTPS port (443) on your reverse proxy?")) { url = $"https://{domain}"; } else { if (int.TryParse(Helpers.ReadInput("Proxy HTTPS port").Trim(), out var httpsReversePort) && httpsReversePort != 443) { url += (":" + httpsReversePort); } else { Console.WriteLine("Using default port."); url = $"https://{domain}"; } } } else if (!ssl) { Console.WriteLine("ERROR: You must use a reverse proxy if not using SSL."); return; } var push = Helpers.ReadQuestion("Do you want to use push notifications?"); var nginxBuilder = new NginxConfigBuilder(domain, url, ssl, selfSignedSsl, letsEncrypt, sslTrusted, sslDiffieHellman); nginxBuilder.BuildForInstaller(); var environmentFileBuilder = new EnvironmentFileBuilder { DatabasePassword = Helpers.SecureRandomString(32), Domain = domain, IdentityCertPassword = identityCertPassword, InstallationId = _installationId, InstallationKey = _installationKey, OutputDirectory = outputDir, Push = push, Url = url }; environmentFileBuilder.BuildForInstaller(); var appIdBuilder = new AppIdBuilder(url); appIdBuilder.Build(); var dockerComposeBuilder = new DockerComposeBuilder(_hostOs, _webVersion, _coreVersion); dockerComposeBuilder.BuildForInstaller(httpPort, httpsPort); }