Why do we need an SSL certificate miner?
The WAF module listens only on HTTP. To protect HTTPS traffic as well it relies on the SSL Terminating module, which can terminate TLS for a domain only if it has that domain's SSL certificate and private key at its disposal.
BitNinja ships with a cert miner by default, but in some setups this module is unable to find the SSL certs. In that case you need to write your own cert miner.
Make sure that your private keys are not passphrase protected: the SSL Terminating module loads the keys unattended, so it cannot decrypt an encrypted key.
Where are your certs located?
In order to write a working cert miner, you need to know where the cert and private key of each domain are located.
For every domain we will need three things: the private key file, the cert file and the domain name.
The cert file locations are diverse: they differ by web server, by operating system and by control panel.
For example, /etc/ssl/certs/ is the most common directory, but on DirectAdmin the certs are located at /usr/local/directadmin/data/users/<username>/domains/<domain>.key and <domain>.cert.
On Amazon Linux servers the certs are located under /etc/pki/tls/.
What does a cert miner do?
You need to combine the private key and the cert file of each domain hosted on your server into a single .pem file (private key first, then the certificate, followed by the CA chain if it is kept in a separate file) and name the .pem file after the domain. The .pem files need to be located at /opt/bitninja-ssl-termination/etc/haproxy/certs/. Since each file contains a private key, it should be readable by root only.
You also need to create /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst, which is an HAProxy crt-list: one line per .pem file, holding the full path of the file followed by the SNI names it should be served for. List the domain name itself, the domain name with www. in front and *.domain so the cert is also used for the subdomains (only do this if the cert really covers the subdomains, otherwise clients connecting to a subdomain get a certificate that does not match).
It might be easier to just show an example for this:
/opt/bitninja-ssl-termination/etc/haproxy/certs/example.com.pem example.com www.example.com *.example.com
Now we just have to write a script that does exactly that.
It has to run regularly (or whenever certificates are issued or renewed) to make sure the .pem files are always up to date and include newly added certs too.
Template
#!/bin/bash
# stop on the first error; the generated .pem files contain private keys,
# so create them readable by root only
set -euo pipefail
umask 077

CERT_ROOT="<location of every cert>"   # e.g. /etc/letsencrypt/live
OUT_DIR=/opt/bitninja-ssl-termination/etc/haproxy/certs
CERT_LIST=/opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

mkdir -p "$OUT_DIR"
# start with an empty cert-list.lst
: > "$CERT_LIST"

# gather the domain names where we have the cert files: every directory under
# $CERT_ROOT that holds a cert.pem is named after its domain,
# e.g. /etc/letsencrypt/live/example.com/cert.pem
for certfile in "$CERT_ROOT"/*/cert.pem; do
    [ -e "$certfile" ] || continue        # nothing matched, the glob was left unexpanded
    dir=$(dirname "$certfile")
    domain=$(basename "$dir")
    # combine the private key file and the cert file into the pem file, pay attention to the file names
    # (if the CA chain lives in its own file, e.g. fullchain.pem, use that instead of cert.pem)
    cat "$dir/privkey.pem" "$certfile" > "$OUT_DIR/$domain.pem"
    # add the generated pem file and the names it covers to cert-list.lst
    echo "$OUT_DIR/$domain.pem $domain www.$domain *.$domain" >> "$CERT_LIST"
done
- Locate the cert and private key of each domain and put their location into the script as shown above.
e.g.: nano cert_miner.sh
- Make the script executable by issuing this command:
e.g.: chmod +x cert_miner.sh
- Run the script.
e.g.: ./cert_miner.sh
- Check that the correct files were created with the correct names and contents: one .pem per domain under /opt/bitninja-ssl-termination/etc/haproxy/certs/, each starting with the private key and followed by the certificate, and one line per .pem in cert-list.lst.
- Add the script to root's crontab (crontab -e) so it runs regularly, e.g. hourly, and picks up renewed and newly added certs.
Set as default cert miner
You can use your own cert miner as the default certificate miner instead of the ConfigParser module.
If you follow the below guide, then your script will run automatically when the agent starts up, and when the SslTerminating module is reloaded.
This feature accepts:
- BASH scripts only
- Scripts owned by the ROOT user only
- Scripts with an .sh extension only
- Create your script (or move it) under the /etc/bitninja/SslTerminating/cert_miners/ directory.
You can move the script with the mv command like this:
mv /current/location/of/script.sh /etc/bitninja/SslTerminating/cert_miners/script.sh
- Open the /etc/bitninja/SslTerminating/config.ini file with your preferred text editor.
e.g.:nano /etc/bitninja/SslTerminating/config.ini
- Remove the semicolon from the ;useConfigParserModule=0 line, so it looks like this:
useConfigParserModule=0
- Remove the semicolon from the ;allowCertListFileEdition=0 line and change the value to 1, so it looks like this:
allowCertListFileEdition=1
- Save the changes and exit the editor.
e.g.: in nano press Ctrl+X, then Y, then Enter
- Restart BitNinja with the following command:
service bitninja restart
Script (examples)
In these scripts we assume that the cert and private key files of each domain are located in the same directory.
DirectAdmin
#!/bin/bash
set -euo pipefail; umask 077   # stop on errors; the .pem files hold private keys, keep them root-only
OUT=/opt/bitninja-ssl-termination/etc/haproxy
: > "$OUT/cert-list.lst"
# DirectAdmin stores .../users/<user>/domains/<domain>.key and <domain>.cert side by side
for keyfile in /usr/local/directadmin/data/users/*/domains/*.key; do
    [ -e "$keyfile" ] && [ -e "${keyfile%.key}.cert" ] || continue   # unexpanded glob, or a key without a cert
    domain=$(basename "$keyfile" .key)
    cat "$keyfile" "${keyfile%.key}.cert" > "$OUT/certs/$domain.pem"
    # DirectAdmin keeps the CA chain in <domain>.cacert; append it when present so clients get the full chain
    [ -e "${keyfile%.key}.cacert" ] && cat "${keyfile%.key}.cacert" >> "$OUT/certs/$domain.pem"
    echo "$OUT/certs/$domain.pem $domain www.$domain *.$domain" >> "$OUT/cert-list.lst"
done
Let's Encrypt
#!/bin/bash
set -euo pipefail; umask 077   # stop on errors; the .pem files hold private keys, keep them root-only
OUT=/opt/bitninja-ssl-termination/etc/haproxy
: > "$OUT/cert-list.lst"
# certbot keeps /etc/letsencrypt/live/<domain>/{privkey,cert,chain,fullchain}.pem;
# the trailing slash in the glob matches directories only (skips the README file)
for dir in /etc/letsencrypt/live/*/; do
    [ -e "$dir/privkey.pem" ] || continue   # unexpanded glob or a directory without a key
    domain=$(basename "$dir")
    # fullchain.pem = leaf cert + intermediate; cert.pem alone would leave clients without the chain
    cat "$dir/privkey.pem" "$dir/fullchain.pem" > "$OUT/certs/$domain.pem"
    echo "$OUT/certs/$domain.pem $domain www.$domain *.$domain" >> "$OUT/cert-list.lst"
done