💾 Archived View for caseyrichins.online › logs › 2023-06-09_gemini-client-certificates.gmi captured on 2024-03-21 at 15:00:29. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Client Certificates in Gemini

Published June 10, 2023

It's been longer than I had anticipated since my last entry, I am surprised that my last entry was almost 3 months ago. My first tutorial is a continued work in progress and I remain steadfast in my desire to write more and eventually write daily. Blog posts may not be daily but I would like to write daily for content to be contributed to this capsule. Since my last entry, I've been browsing gemini and even Gopher much more than the general http web.

A major project that I've been working on is making the ultimate terminal computer using a Raspberry Pi 400. This can be thought have as a more modern dumb terminal but much more capable. While there is a window manager in the form of i3, all the applications are terminal based. I plan to do a write on it in the future when I've completed it but for now you'll have to contend with your imaginations as to what I could possibly be running. Well lynx is my web browser and neomutt is my email client so that should give you come clues when I say that every app used is a terminal app.

With those updates out of the way lets get to the heart of this post. I recently sat down and took the time to figure out how to get client certificates to work with amfora and molly brown. I couldn't figure out how the has that is in the example configuration was generated to grant access to the configured space. I'm happy to report that I've been able to figure it out and now I'm documenting this for anyone else that may be working through on this themselves.

Generating the Certificate

If you have not already, you'll want to generate a certificate. This certificate will be a self-signed certificate, no need to pay for one or have it signed by a certificate authority. The self-signed certificate will provide the same amount of security and same level of identification that a signed certificate would provide. These steps assume you're using a debian based distro with Amfora

1. Generate the certificate and set your desired userid for the CN field. To make it recognizable from other certificates you'll also want to set the name of the pem files. This generated certificate will be valid for 5 years.

openssl req -new -subj "/CN=username" -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-days 1825 -nodes -out $HOME/.config/amfora/cert.pem -keyout $HOME/.config/amfora/key.pem

2. Generate the HEX encoded SHA256 fingerprint from your generated certificate, save this as you'll need it for later when you install it on the molly brown server as an authorized key.

 grep -v ^- $HOME/.config/amfora/cert.pem  | base64 -d | sha256sum

Configuring Amfora

To use the certificate within the Amfora browser you need to configure it by editing the $HOME/.config/amfora/config.toml file. Inside this file you'll find a [auth.certs] and [auth.keys] sections where you will configure your certificate to be recognized. The configuration should look similar to that of what is below.

[auth.certs]
# Client certificates
# Set domain name equal to path to client cert
# "example.com" = 'mycert.crt'
"astrobotany.mozz.us" = '~/.config/amfora/cert.pem'
"caseyrichins.online" = '~/.config/amfora/cert.pem'

[auth.keys]
# Client certificate keys
# Set domain name equal to path to key for the client cert above
# "example.com" = 'mycert.key'
"astrobotany.mozz.us" = '~/.config/amfora/key.pem'
"caseyrichins.online" = '~/.config/amfora/key.pem'

Now as you can see above you can define several certificates per host domain you wish to authenticate to and now hopefully understand why it would be best to give your certificate a unique name to identify it within the amfora configuration.

Save the file and restart Amfora if it is running. You should now be able to authenticate to your configured domain.

Configuring the molly brown server

If you would like to create a privately accessible location on your server, as is the heart of the post, follow the instructions below to configure molly brown to accept the client certificate. If the certificate fingerprint is not configured on the server the certificate presented to the server will be denied.

Open the /etc/molly.conf file and add the fingerprint of each client certificate you would like to authorize to authenticate. Restart molly brown server to load the new configuration.

[CertificateZones]
"^/secure-zone-1/" = [
	"d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af",
	"786257797c871bf617e0b60acf7a7dfaf195289d8b08d1df5ed0e316092f0c8d",
]
#"^/secure-zone-2/" = [
#	"d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af",
#	"786257797c871bf617e0b60acf7a7dfaf195289d8b08d1df5ed0e316092f0c8d",
#]

If all goes well you should be able to access this secure space with your certificate but if you have a unapproved or no certificate, access should be denied. Keep in mind that there may be undiscovered bugs in the molly brown code so if you expect to store sensitive data on this server, restrict access with an approbate firewall configuration.

-----------------------------------------------------------------------

Endnotes

https://github.com/makew0rld/amfora/wiki/Client-Certificates

https://tildegit.org/solderpunk/gemcert

https://stackoverflow.com/questions/65743539/how-to-properly-compute-the-fingerprint-of-a-certificate

Mission Logs

Home