
[BUG] Replacing Dev Certificates.

Open decyphertek-io opened this issue 2 years ago • 1 comments

Nginx doesn't load when certs are changed.

  • Current Instructions are vague.
  • DFIR IRIS Docs > Operations > Configurations > Certifications
  • IRIS is configured to use a self-signed certificate by default. This is suitable for testing only. To use your own certificate, you need to
    set the following environment variables:
  • KEY_FILENAME: The filename of the key file in the certificates/web_certificates directory at the root of the IRIS directory
  • CERT_FILENAME: The filename of the certificate file in the certificates/web_certificates directory at the root of the IRIS directory

Steps taken to change nginx cert:

$ vim ~/iris-web/.env
# I changed the following
# -- NGINX
SERVER_NAME=decyphertek
KEY_FILENAME=iris_prod_key.pem
CERT_FILENAME=iris_prod_cert.pem

$ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 \
    -keyout /home/core/.docker/iris-web/certificates/web_certificates/iris_prod_key.pem \
    -out /home/core/.docker/iris-web/certificates/web_certificates/iris_prod_crt.pem \
    -subj "/C=US/ST=Any/L=Anytown/O=decyphertek-io/OU=adminotaur/CN=decyphertek"

Issue: it fails. I realized that docker compose references the rootCA:

volumes:
  - ./certificates/rootCA/irisRootCACert.pem:/etc/irisRootCACert.pem:ro

Issue: script changing all the certs (nginx fails to load):

  #!/bin/bash
  
  # Delete existing Root CA files
  rm -rf /home/core/.docker/iris-web/certificates/rootCA/*.pem
  rm -rf /home/core/.docker/iris-web/certificates/rootCA/*.srl
  rm -rf /home/core/.docker/iris-web/certificates/web_certificates/*.pem
  
  # Define Root CA certificate and key file paths
  ROOT_CA_CERT_FILE="/home/core/.docker/iris-web/certificates/rootCA/irisRootCACert.pem"
  ROOT_CA_KEY_FILE="/home/core/.docker/iris-web/certificates/rootCA/irisRootCAKey.pem"
  
  # Generate a new private key for the Root CA
  openssl genpkey -algorithm RSA -out "${ROOT_CA_KEY_FILE}"
  
  # Generate a self-signed Root CA certificate
  openssl req -x509 -new -key "${ROOT_CA_KEY_FILE}" -out "${ROOT_CA_CERT_FILE}" -days 3650 -subj "/CN=RootCA"
  
  # Define server certificate and key file paths
  SERVER_CERT_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_cert.pem"
  SERVER_KEY_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_key.pem"
  SERVER_CSR_FILE="/home/core/.docker/iris-web/certificates/web_certificates/iris_prod_csr.pem"
  
  # Generate a new private key for the server
  openssl genpkey -algorithm RSA -out "${SERVER_KEY_FILE}"
  
  # Generate a CSR for the server
  openssl req -new -key "${SERVER_KEY_FILE}" -out "${SERVER_CSR_FILE}" \
    -subj "/C=US/ST=Any/L=Anytown/O=decyphertek-io/OU=adminotaur/CN=decyphertek"
  
  # Root CA signs the server certificate
  openssl x509 -req -in "${SERVER_CSR_FILE}" -CA "${ROOT_CA_CERT_FILE}" -CAkey "${ROOT_CA_KEY_FILE}" \
    -CAcreateserial -out "${SERVER_CERT_FILE}" -days 3650

Solution:

  • Provide better docs on how to update the nginx ssl certs.
  • Remove the complexity of having to build the image every time.
  • I use nginx all the time and my implementation is simple, and the above command works when the key path is added to default.conf.

decyphertek-io, Dec 12 '23 20:12
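
The `.env` in the post names `iris_prod_cert.pem`, while the first `openssl req` command writes `iris_prod_crt.pem`. The following pre-flight check, an added example that is not part of the original issue or the IRIS project, catches that kind of mismatch (and a key/certificate pair that does not belong together) before nginx is restarted. It assumes the directory layout quoted in the issue; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the IRIS project): pre-flight check of the TLS files named in .env.
# Assumed layout, taken from this issue: <root>/.env, <root>/certificates/web_certificates/
# and <root>/certificates/rootCA/irisRootCACert.pem. Function names are hypothetical.

# Print the value of one NAME=value line from an env file (last assignment wins).
env_value() {  # $1 = env file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"\r'
}

# Print the PEM public key held by a certificate or a private key; empty on parse failure.
public_key_of() {  # $1 = cert|key, $2 = file
    if [ "$1" = cert ]; then
        openssl x509 -in "$2" -noout -pubkey 2>/dev/null
    else
        openssl pkey -in "$2" -pubout 2>/dev/null
    fi
}

# Return 0 only if the configured key and certificate exist, parse, pair up and are unexpired.
check_iris_certs() {  # $1 = IRIS root directory
    local root="$1" web="$1/certificates/web_certificates" rc=0 f key cert cert_pub key_pub
    local ca="$1/certificates/rootCA/irisRootCACert.pem"
    key="$web/$(env_value "$root/.env" KEY_FILENAME)"
    cert="$web/$(env_value "$root/.env" CERT_FILENAME)"

    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING: $f (directory holds: $(ls "$web" 2>/dev/null | tr '\n' ' '))"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    cert_pub=$(public_key_of cert "$cert")
    key_pub=$(public_key_of key "$key")
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "UNREADABLE: openssl could not parse $cert or $key"; return 1
    fi
    # The certificate must carry the public half of the configured private key.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $cert does not contain the public key of $key"; rc=1
    fi
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "EXPIRED: $cert"; rc=1; }
    # Informational only: report whether the certificate chains to the mounted root CA.
    if [ -f "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "NOTE: $cert does not chain to $ca"
    fi
    return "$rc"
}
```

Run it as `check_iris_certs ~/iris-web` before restarting the containers; a non-zero exit status means at least one check failed.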

Is there any progress on this? I am struggling to change the certificates on my instance also.

LPT6166676c, Jun 28 '24 11:06