badssl.com
Makefile deployment does not work
I followed the instructions and was successfully able to get badssl.test running in a docker container.
Instructions on how to deploy a badssl server, however, seem to be a bit lacking.
However, I want to deploy badssl.com to a local machine for internal testing, so I used make deploy with a VM as target.
As it stands, the Makefile creates the site and rsyncs everything over to the VM; it doesn't perform any kind of nginx setup.
I followed the steps in the makefile it uses for the docker setup:
- Copying the keys
- Symlinking the badssl directory to /var/www/html
- Adding the badssl conf file to nginx.conf
When I attempt to start nginx I run into a keys mismatch error:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/keys/leaf-main.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
Could you give us a bit more information? My first guess is that you're trying to build and run the prod setup, which expects you to have the leaf key for the real badssl.com server.
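A pre-flight check for the "key values mismatch" error discussed above, as an added example that is not part of the thread or of the badssl.com repository: it compares the public key inside a certificate with the one derived from a private key, which is the consistency nginx enforces at startup. The function names and the certificate path are assumptions; only `/etc/keys/leaf-main.key` appears in the thread.

```sh
#!/bin/sh
# Added example: check that a certificate and private key belong together
# before running `nginx -t`. Function names are hypothetical.

# Print the SHA-256 of a PEM public key read from stdin (DER-encoded SPKI).
spki_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public key embedded in certificate $1; returns 2 if unreadable.
cert_pub_fp() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    printf '%s\n' "$cert_pub" | spki_sha256
}

# Fingerprint of the public key derived from private key $1; returns 2 if unreadable.
key_pub_fp() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ -n "$key_pub" ] || return 2
    printf '%s\n' "$key_pub" | spki_sha256
}

# 0 = pair matches, 1 = key values mismatch, 2 = a file could not be parsed.
pair_matches() {
    cert_fp=$(cert_pub_fp "$1") || return 2
    key_fp=$(key_pub_fp "$2") || return 2
    [ "$cert_fp" = "$key_fp" ]
}

# Human-readable wrapper for use in a deploy script.
check_pair() {
    rc=0
    pair_matches "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: $2 matches $1 (SPKI sha256 $cert_fp)" ;;
        1) echo "MISMATCH: $2 is not the key for $1" >&2 ;;
        *) echo "ERROR: could not parse $1 or $2" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh check_pair.sh /path/to/cert.pem /etc/keys/leaf-main.key
# (the certificate path is a placeholder; only the key path appears in the thread)
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" || exit $?
fi
```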
Hi Iggaron.
Think you are correct.
So the deploy option is only for deployment of the real badssl.com server.
In the README do they then mean that the docker container should be running in the created VM?
I have zero nginx knowledge and experience, but what I observed is that all requests to the IP address of either the VM or the machine that the docker container image of badssl is running on will resolve to the default "Welcome to nginx" page instead of the badssl main page.
EDIT: Just to maybe clear things up, my goal is to deploy a badssl server on our internal network and route traffic to it instead of badssl.com.
I have a goal to migrate the production server to a container as well, which I think would simplify this quite a bit. For now, it's a little complicated to set up. For prod, the Makefile handles setting up the site rather than the server.
The initial server setup is:
- Make a server instance with Ubuntu 16.04 (we use Google Compute Engine currently)
- SSH into the server
- `sudo apt-get update && sudo apt-get install -y build-essential git libffi-dev make nginx ruby ruby-dev`
- `sudo gem install jekyll`
Then, we clone the repo and copy in an overlay that includes all the private keys and such.
To deploy the site itself:
- Copy the contents of the repo+overlay to the server under `~/badssl/`
- SSH into the server
- `cd badssl`
- `make certs-prod`
- `make jekyll-prod`
- `sudo make install`
- `sudo chgrp -R www-data badssl/`
- `sudo nginx -t ; sudo service nginx reload`
That's a little complicated, but it lets us maintain the separate private keys outside the public repository for our publicly-trusted certificates.
For an internal BadSSL server, if you are willing to ask users to install the root cert (which you would want to freshly generate and keep the private key secure, as it is a root certificate!) then you could use the included Dockerfile and `make test` to build the image and start serving it. If you want the test server to serve for "badssl.com", you can change
https://github.com/chromium/badssl.com/blob/7898f27f47087d9e3bdc25663684fe7912856006/Makefile#L3
to set the `TEST_DOMAIN` to `badssl.com`, and then the test server will behave mostly identical to the production server (note, some certificates won't work with the test server, such as the EV cert).