Mirror of https://github.com/alecmuffett/eotk
chore: update docs
parent
e4a4ca429f
commit
4b15162096
@ -13,7 +13,7 @@ EV certificate from Digicert.
* onion scratch-directory name changes:
* was: `projects.d/tweep.d/abcdefghijklmnopqrstuvwxyza-v3.d/port-80.sock`
* now: `projects.d/tweep.d/abcdefghijklmnopqrst-v3.d/port-80.sock`
* :warning: this means that some scratch directories may be are remade,
* :warning: this means that some scratch directories may be are remade,
so a full restart is advisable after updating
* https certificate path-name changes
* was: HTTPS certificate files used the full onion address
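Review bot: the warning line "this means that some scratch directories may be are remade" is touched in this hunk but keeps the "may be are" wording in both its old and new versions; suggest "may be remade". The new socket path `projects.d/tweep.d/abcdefghijklmnopqrst-v3.d/port-80.sock` does cut the address to its first 20 characters, matching the `ONIONADDRFIRST20CHAR-v3` naming used for certificate files in the next hunk, so the "now:" line should say in words that the directory name is the first 20 characters of the onion address rather than leaving the reader to count them.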
@ -22,8 +22,8 @@ EV certificate from Digicert.
PROJECTNAME:
* `/projects.d/PROJECTNAME.d/ssl.d/ONIONADDRFIRST20CHAR-v3.onion.cert`
* `/projects.d/PROJECTNAME.d/ssl.d/ONIONADDRFIRST20CHAR-v3.onion.pem`
* :warning: this means that you will need to rename pre-existing certificate
`cert` and `pem` files after you update and reconfigure;
* :warning: this means that you will need to rename pre-existing certificate
`cert` and `pem` files after you update and reconfigure;
* :warning: **if you fail to do this you will experience "self-signed certificate" warnings**
* if you are using 'multi' certificates (such as some Digicert EV) where a
single certificate contains all SubjectAltNames for 2+ onion
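Review bot: the certificate file names given here, `ONIONADDRFIRST20CHAR-v3.onion.cert` and `.onion.pem`, do not match the names used later in this same commit, where the `ls` listing shows `ONIONADDRESS[:20]-v3.cert` and the install steps write `ONIONADDRESSTRUNCATED-v3.cert` with no `.onion` component; one of the two spellings is wrong, and since the stated consequence of a wrong name is a "self-signed certificate" warning, the README needs to settle on the exact name EOTK looks for. The rename warning would also be more useful if it named the targets directly ("rename `ONIONADDRESS.onion.cert` to the new `-v3` name above") instead of referring to "pre-existing certificate `cert` and `pem` files".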
@ -40,6 +40,7 @@ If you have any issues, please reach out to @alecmuffett on Twitter, or log an i

## Primary Supported Platforms

* k8s >= 1.21 on Ubuntu 22.04
* Ubuntu 20.04LTS, Latest Updates
* OSX Mojave with Homebrew, Latest Updates
* Raspbian Stretch/Stretch-Lite, Latest Updates
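Review bot: the `k8s >= 1.21 on Ubuntu 22.04` entry is the only platform line that versions something other than the OS, and it leaves open whether plain Ubuntu 22.04 without Kubernetes is supported (the list otherwise stops at 20.04 LTS); suggest either a separate `Ubuntu 22.04 LTS, Latest Updates` line or a rewording that makes clear 22.04 is supported only as a k8s node. A pointer to where the k8s deployment is documented would also help, since none of the other entries need one but this one does.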
@ -55,6 +56,7 @@ NB: bugs should be reported through `Issues`, above.

### EOTK In the News

* Oct 2022 [Reddit Onion Service Launch](https://www.reddit.com/r/redditsecurity/comments/yd6hqg/reddit_onion_service_launch/)
* Apr 2021 [The Intercept launches onionsite using EOTK](https://theintercept.com/2021/04/28/tor-browser-onion/)
* Oct 2020 [Brave browser launches onionsite using EOTK](https://brave.com/new-onion-service/)
* Oct 2019 [BBC News launches 'dark web' Tor mirror](https://www.bbc.co.uk/news/technology-50150981)
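Review bot: the new `Oct 2022 [Reddit Onion Service Launch]` entry uses the linked post's title as its text, whereas the existing entries are phrased as "X launches onionsite using EOTK"; suggest "Reddit launches onion service using EOTK" for consistency, provided the linked post does credit EOTK.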
@ -70,7 +70,7 @@ After installation, you can do:
* `./eotk start wikipedia`
* `./eotk maps -a` # and connect to one of the onions you've created

Be aware that you will suffer from HTTPS certificate errors
Be aware that you will suffer from HTTPS certificate errors
until you buy a HTTPS certificate.

# Creating HTTPS Certificates for Testing & Development
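Review bot: "until you buy a HTTPS certificate" contradicts the section that immediately follows ("# Creating HTTPS Certificates for Testing & Development"), which describes a development certificate that is not purchased; suggest "until you install either a CA-issued certificate or a locally trusted development certificate (see the next section)". Minor: "a HTTPS" should be "an HTTPS".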
@ -97,6 +97,9 @@ certificates. You can [install that certificate into your local copy
of Tor Browser](/docs.d/ADDING-A-ROOT-CERTIFICATE-TO-TOR-BROWSER.md);
of course it will not work for anyone else.

Your `mkcert` root cert will be located at `~/.local/share/mkcert/rootCA.pem`
for the user that ran `mkcert`.

## Visit `/hello-onion/` URLs

The old solution was/is much more manual: EOTK will use OpenSSL to
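Review bot: the added path `~/.local/share/mkcert/rootCA.pem` is mkcert's default only on Linux; on macOS, which this README lists under Primary Supported Platforms, the default is `~/Library/Application Support/mkcert`, and both are overridden by the `CAROOT` environment variable, so the portable instruction is "run `mkcert -CAROOT` and take `rootCA.pem` from the directory it prints". Worth adding in the same sentence that the matching private key `rootCA-key.pem` sits in that directory and is the one file that must not be copied into Tor Browser or off the development machine, since whoever holds it can issue certificates the modified browser will trust.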
@ -120,19 +123,19 @@ See below.

# Buying a HTTPS Certificate from a Certificate Authority

If you choose to buy an Onion HTTPS certificate from (e.g.) HARICA,
If you choose to buy an Onion HTTPS certificate from (e.g.) HARICA,
what will happen, and what will you need to do?

## You will need to create a CSR (Certificate Signing Request)

I chose to buy:

* a Server Certificate
* a Server Certificate
* with Domain-Level (DV) Trust
* with a reasonable duration
* using the in-browser generated CSR
* using the in-browser generated CSR
* using the ECDSA algorithm at 256 bits
* **important:** remember the password!
* **important:** remember the password!
* **important:** download the private key!

The HARICA website provides an in-browser method of generating a CSR,
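Review bot: the "I chose to buy" list describes only the in-browser CSR route, yet the next hunk introduces a second route ("If you manually create the CSR on the server...") with a different key file name, so a reader following this list cannot know the choice exists until after the purchase; suggest a line before the list such as "HARICA can generate the CSR and key in the browser (used below), or you can generate both yourself with openssl; the two routes leave you with differently named key files". The two "important" bullets would also be clearer with the reason attached: the downloaded `privateKey.pem` is encrypted under that password, which is why the install step later has to decrypt it with `openssl ec`.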
@ -144,8 +147,8 @@ is offered, and keep it in a safe place.
If you manually create the CSR on the server, you'll use the 'onionaddress.key' file generated by openssl.
## You will need to prove ownership of the site, to the CA

For example: HARICA will tell you that you need to post
a secret key at a particular URL on your onion site;
For example: HARICA will tell you that you need to post
a secret key at a particular URL on your onion site;
the message will read something like:

> Place the file FILENAME to http://ONIONADDRESS.onion/.well-known/pki-validation/
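Review bot: "you need to post a secret key at a particular URL" misdescribes the artefact: the quoted HARICA message asks you to place a file with a CA-chosen name under `/.well-known/pki-validation/`, which is a validation token, not a key, and calling it a key invites confusion with the private key discussed a few lines earlier; suggest "a validation file" or "a challenge token". In the first line of the hunk, "the 'onionaddress.key' file generated by openssl" refers to a command the README never shows; a line such as `openssl ecparam -name prime256v1 -genkey -noout -out onionaddress.key` followed by `openssl req -new -key onionaddress.key -out onionaddress.csr` would close that gap and keep the manual route on the same ECDSA P-256 choice as the in-browser list above. A blank line is also missing between that sentence and the "## You will need to prove ownership" heading.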
@ -174,21 +177,21 @@ HARICA has a process of validation which involves generating an onion-csr. You w

### Optional: what if you have multiple Onion addresses?

You can put multiple `path,value` strings into `ssl_proof_csv`, space-separated;
You can put multiple `path,value` strings into `ssl_proof_csv`, space-separated;
use trailing backslashes to put entries onto separate lines:

```
set ssl_proof_csv \
/.well-known/pki-validation/key1,value1 \
/.well-known/pki-validation/key2,value2 \
/.well-known/pki-validation/key3,value3
/.well-known/pki-validation/key3,value3
```

### Optional: what if your multiple "proof" URLs all have the SAME pathname?

The `ssl_proof_csv` hack works if all the proof URLs are
different; but if Digicert (or whomever) were to give you the
same pathname (e.g. `/.well-known/pki-validation/fileauth.txt`)
different; but if Digicert (or whomever) were to give you the
same pathname (e.g. `/.well-known/pki-validation/fileauth.txt`)
for _all_ of the onions, what do you do?

Answer: you use "splicing". If you have onion addresses named
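Review bot: the `ssl_proof_csv` syntax documented here (`path,value` pairs separated by spaces, continued with trailing backslashes) states no escaping rule, so the README should say what happens when a CA-issued value contains a comma, a space or a backslash; if there is no escape mechanism, say so explicitly and point such cases at the splicing approach in the next subsection. Calling the setting a "hack" in the paragraph below the code block while documenting it as the primary mechanism also reads oddly; "the `ssl_proof_csv` approach" would do.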
@ -209,37 +212,82 @@ customise as necessary:
...then when you next `eotk config` and `eotk nxreload`, that code
should be spliced into the correct configuration for each onion.

### Optional: what if you need wildcards? What's the onion-csr process?

If using HARICA and you need to use wildcards because you have subdomains
on your onion site, you'll need to generate an onion-csr as proof of ownership.
To do this you'll need the provided CSR nonce and Harica's [onion-csr](https://github.com/HARICA-official/onion-csr) tool
pointed at the directory containing the hostname and hs_ed25519_public and secret key
files. This should generate a CSR. Note, a Dockerfile is provided to mount
your onion secrets directory in to generate.


## You will need to install the certificates for your project

For each certificate, HARICA will offer you several files to download;
download the "PEM Bundle" file and copy it to your EOTK server.
For each certificate, HARICA will offer you several files to download;
download the "PEM Bundle" file and copy it to your EOTK server.
Also: copy the `privateKey.pem` file (mentioned above) to the EOTK server.

Next, change Directory into `~/eotk/projects.d/PROJECTNAME.d/ssl.d`;
Next, change Directory into `~/eotk/projects.d/PROJECTNAME.d/ssl.d`;
you should see your development certificates, which will look like:

**This section updated for v3 onion addresses**

```
$ ls
ONIONADDRESS.onion.cert
ONIONADDRESS.onion.pem
ONIONADDRESS[:20]-v3.cert
ONIONADDRESS[:20]-v3.pem
```

There are two steps to installation:

Step 1: copy the PEM Bundle file from HARICA, on top of `ONIONADDRESS.onion.cert`
Step 1: copy the PEM Bundle file from HARICA, on top of `ONIONADDRESSTRUNCATED-v3.cert`

Step 2: unlock and extract (or rename) the private key, by doing:

`openssl ec -in privateKey.pem -out ONIONADDRESS.onion.pem`
`openssl ec -in privateKey.pem -out ONIONADDRESSTRUNCATED-v3.pem`

...and typing in the password that you chose during the CSR setup, earlier;
if you chose to use RSA as the algorithm, you will need to use
...and typing in the password that you chose during the CSR setup, earlier;
if you chose to use RSA as the algorithm, you will need to use
`openssl rsa ...` instead.

If you manually created the CSR, then rename the 'onionaddress.key' file
the CSR generated to 'onionaddress.onion.pem'.
the CSR generated to 'ONIONADDRESSTRUNCATED-v3.pem'.

Then: change directory back to the EOTK directory,
## You will need to add the 2015 CA cert for HARICA

https://chris.partridge.tech/2022/untrusted-harica-onion-certificates/

Append this certificate to the end of your HARICA issued certs to resolve their
2021 root CA not being broadly available in OS device trust stores.

```
Subject: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR
Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
-----BEGIN CERTIFICATE-----
MIIDezCCAwGgAwIBAgIQcWAnyIV6c1Qt71FsHC7rDzAKBggqhkjOPQQDAzCBqjEL
MAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMg
QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3Jp
dHkxRDBCBgNVBAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0
aXR1dGlvbnMgRUNDIFJvb3RDQSAyMDE1MB4XDTIxMDkwMjA3NDQzN1oXDTI5MDgz
MTA3NDQzNlowbDELMAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRl
bWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklD
QSBUTFMgRUNDIFJvb3QgQ0EgMjAyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDgI
/rGgltJ6rK9JOtDA4MM7KKrxcm1lAEeIhPyaJmuqS7psBAqIXhfyVYf8MLA04jRY
VxqEU+kw2anylnTDUR9YSTHMmE5gEYd103KUkE+bECUqqHgtvpBBWJAVcqeht6OC
AScwggEjMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUtCILgpkkAQ6cu+QO
/b/7lyCTmSowTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzAChjNodHRwOi8vcmVw
by5oYXJpY2EuZ3IvY2VydHMvSGFyaWNhRUNDUm9vdENBMjAxNS5jcnQwEQYDVR0g
BAowCDAGBgRVHSAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATA9BgNV
HR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLmhhcmljYS5nci9IYXJpY2FFQ0NSb290
Q0EyMDE1LmNybDAdBgNVHQ4EFgQUyRtTgRL+BNUW0aq8mm+3oJUZbsowDgYDVR0P
AQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMQCPc45gQV6pCkMR4px3k+YnF0Mo
DpXQ0+0lWz7fnplqgHn+qHmoKrE5Y/bcWucG6QQCMB/DIYjUTGAl5j07G7ZIuK3Q
ehx68VPXTwvJ9tLbh9A9SkiBmJGpiHL7Rzfxa5CptQ==
-----END CERTIFICATE-----
```

Then: change directory back to the EOTK directory,
and do `eotk nxreload projectname`, and test it.

# Configuring Start-On-Boot, And Logfile Compression
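Review bot: the heading "## You will need to add the 2015 CA cert for HARICA" does not describe the certificate beneath it: the block's own `Subject:` line is `CN=HARICA TLS ECC Root CA 2021` and its `Issuer:` is the `ECC RootCA 2015`, so this is the 2021 root cross-signed by the 2015 root, not the 2015 root itself. Suggest "add the cross-signed 2021 HARICA root certificate" and, in the sentence below, "append this cross-certificate after your HARICA issued chain so that clients which only trust the 2015 root can build a path". Two checks belong in that step: `openssl x509 -in FILE -noout -subject -issuer -enddate` to confirm the appended block is the intended one, and `openssl verify -CAfile` against the assembled bundle. Separately, `openssl ec -in privateKey.pem -out ONIONADDRESSTRUNCATED-v3.pem` writes the decrypted key under the caller's default umask; the step should say to run it under `umask 077` (or `chmod 600` the result), since that file is the live TLS private key. In the onion-csr paragraph, "hs_ed25519_public and secret key files" should name the actual Tor files, `hs_ed25519_public_key` and `hs_ed25519_secret_key`, and state that the tool signs with the service's secret key, which is why it is run against a copy of the secrets directory. Finally, the naming in this hunk (`ONIONADDRESSTRUNCATED-v3.cert` in the steps, `ONIONADDRESS[:20]-v3.cert` in the listing) still differs from the `ONIONADDRFIRST20CHAR-v3.onion.cert` form near the top of the README; pick one and use it throughout.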
@ -477,7 +525,7 @@ contributory factor to this issue.

## OnionBalance And Load-Balancing

*NEW FOR 2019:*
*NEW FOR 2019:*
OnionBalance as-of June 2019 is an flaky piece of software which is
hard to run on modern Linux because an stale python crypto library;
more than 90% of Onion sites will not practically need it - or, not
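Review bot: "is an flaky piece of software" and "because an stale python crypto library" need "a flaky" and "because of a stale". More substantively, this hunk retouches the "*NEW FOR 2019:*" marker yet keeps an assessment dated "as-of June 2019" in a commit that elsewhere adds an October 2022 news item; either re-date the assessment after re-checking OnionBalance against the currently listed platforms, or mark the paragraph as historical. The "more than 90% of Onion sites" figure has no source and would read better as a plain recommendation ("most sites will not need it").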