v1.0.1

Merge pull request #42 from balena-io/prevent-root-ca-signing-vpn-ca
vpn: Remove BALENA_ROOT_CA from the VPN trust chain
2025-06-25 02:29:16 +00:00 · 2019-03-20 11:24:21 +02:00 · 2019-03-20 09:22:11 +00:00 · 2019-03-20 09:13:19 +00:00 · 2019-03-15 17:29:55 +02:00 · 2019-03-15 15:28:08 +00:00
6 changed files with 27 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 # v1.0.1
 ## (2019-03-20)
 * vpn: Remove BALENA_ROOT_CA from the VPN trust chain [Rich Bayliss]
 # v1.0.0
 ## (2019-03-15)
 * tags: Pin the image tags for the service stack [Rich Bayliss]
 # v0.2.2
 ## (2019-03-08)
--- a/2
+++ b/2
@ -1 +1 @@
-0.2.2
+1.0.1
--- a/compose/versions
+++ b/compose/versions
@ -0,0 +1,5 @@
 export OPENBALENA_API_VERSION_TAG=v0.11.8
 export OPENBALENA_DB_VERSION_TAG=v2.0.3
 export OPENBALENA_REGISTRY_VERSION_TAG=v2.5.0
 export OPENBALENA_S3_VERSION_TAG=v2.5.0
 export OPENBALENA_VPN_VERSION_TAG=v8.10.0
--- a/scripts/compose
+++ b/scripts/compose
@ -11,6 +11,12 @@ echo_bold() {
  printf "\\033[1m%s\\033[0m\\n" "$@"
 }
 VERSIONS_FILE="${BASE_DIR}/compose/versions"
 if [ ! -f "$VERSIONS_FILE" ]; then
  echo_bold "No service versions defined in ${VERSIONS_FILE}"
  exit 1
 fi
 ENV_FILE="${CONFIG_DIR}/activate"
 if [ ! -f "$ENV_FILE" ]; then
  echo_bold 'No configuration found; please create one first with: ./scripts/quickstart'
@ -19,7 +25,7 @@ if [ ! -f "$ENV_FILE" ]; then
 fi
 # shellcheck source=/dev/null
-source "${ENV_FILE}"; docker-compose \
+source "${VERSIONS_FILE}"; source "${ENV_FILE}"; docker-compose \
  --project-name 'openbalena' \
  -f "${BASE_DIR}/compose/services.yml" \
  -f "${CONFIG_DIR}/docker-compose.yml" \
--- a/scripts/gen-vpn-certs
+++ b/scripts/gen-vpn-certs
@ -32,14 +32,9 @@ if [ ! -f $VPN_CA ] || [ ! -f $VPN_CRT ] || [ ! -f $VPN_KEY ] || [ ! -f $VPN_DH
  rm -f $VPN_CA $VPN_CRT $VPN_DH $VPN_KEY
-  # generate VPN sub-CA
+  # generate VPN CA
  "$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki &>/dev/null
-  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass 2>/dev/null
  # import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
  cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
  # generate and sign vpn server certificate
  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
@ -48,8 +43,6 @@ if [ ! -f $VPN_CA ] || [ ! -f $VPN_CRT ] || [ ! -f $VPN_KEY ] || [ ! -f $VPN_DH
  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
  # update indexes and generate CRLs
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
  "$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
  "$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
 fi
--- a/scripts/make-env
+++ b/scripts/make-env
@ -12,7 +12,7 @@ usage() {
  echo "  JWT_CRT    Path to Token Auth certificate"
  echo "  JWT_KEY    Path to Token Auth private key"
  echo "  JWT_KID    Path to KeyID for the Token Auth certificate"
-  echo "  VPN_CA     Path to the VPN sub-CA certificate"
+  echo "  VPN_CA     Path to the VPN CA certificate"
  echo "  VPN_CRT    Path to the VPN server certificate"
  echo "  VPN_KEY    Path to the VPN server private key"
  echo "  VPN_DH     Path to the VPN server Diffie Hellman parameters"
@ -83,7 +83,7 @@ export OPENBALENA_TOKEN_AUTH_PUB=$(b64file "$JWT_CRT")
 export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
 export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
 export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
-export OPENBALENA_VPN_CA_CHAIN=$(b64file "$ROOT_CA" "$VPN_CA")
+export OPENBALENA_VPN_CA_CHAIN=$(b64file "$VPN_CA")
 export OPENBALENA_VPN_CONFIG=$(b64encode "$VPN_CONFIG")
 export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
 export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
Author	SHA1	Message	Date
Resin CI	35ab5300e6	v1.0.1	2019-03-20 11:24:21 +02:00
Rich Bayliss	fd031ad3a4	Merge pull request #42 from balena-io/prevent-root-ca-signing-vpn-ca vpn: Remove BALENA_ROOT_CA from the VPN trust chain	2019-03-20 09:22:11 +00:00
Rich Bayliss	95d53993bc	vpn: Remove BALENA_ROOT_CA from the VPN trust chain The VPN CA shouldn't need to be signed by the same CA that the HAproxy service certificate is signed by. By removing this chain we are able to use a different CA for the HTTPS services without impacting on the VPN service. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-20 09:13:19 +00:00
Resin CI	1721728794	v1.0.0	2019-03-15 17:29:55 +02:00
Rich Bayliss	061440f109	Merge pull request #43 from balena-io/pin-service-tags tags: Pin the image tags for the service stack	2019-03-15 15:28:08 +00:00
Rich Bayliss	2f0fb27145	tags: Pin the image tags for the service stack In order to have concrete releases of openBalena we should pin each service to a given version. This PR is the start of this and marks the first version of openBalena with known service tags. Change-type: major Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-15 15:14:57 +00:00