
1. Introduction

HTTPS means that your connection to Pwic.wiki is encrypted, whatever your role. The padlock in the address bar is the visible proof. The difficulty is that the certificate must be issued by a party the browser trusts; otherwise the user gets a warning saying that the identity of the website cannot be verified.

It is very important to prevent your passwords from being stolen. On a local network, intercepting passwords is very easy if the connection is not secured. On the Internet the setting is a bit different, but the risk is exactly the same. Even though the most critical tasks in Pwic.wiki can be done from the shell only (which is encrypted by default), that is no reason to leave your connections unsecured.

There are several possibilities to obtain a certificate, detailed in the next section: a free self-signed certificate, a free certificate from Let's Encrypt, or a paid certificate from a commercial company.

Pwic.wiki's configuration also matters: is it running behind a reverse proxy server or not?

2. Generation of the certificates

2.1. Free self-signed certificates

This kind of certificate is definitely the cheapest way to do quick and dirty work for debugging purposes. These certificates can never be recognized for public use, because anyone can sign a certificate for any website name of their choice.

The following script works on Linux with OpenSSL installed. It was designed by Mr.Buttons on the excellent forum StackOverflow and adapted by us to integrate with Pwic.wiki's code base. Save the following script in the file pwic_cert.py:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime
from os.path import isdir
from pwic_lib import PwicConst, PwicLib


# Helpers
def _ssl_input(topic: str, sample: str) -> str:
    print('%s (ex: %s) : ' % (topic, sample), end='')
    return input()


# Check the database
if not isdir(PwicConst.DB):
    print('Error: the database is not created yet')
    exit()

# Private key
key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
with open(PwicConst.PRIVATE_KEY, 'wb') as f:
    f.write(key.private_bytes(encoding=serialization.Encoding.PEM,
                              format=serialization.PrivateFormat.TraditionalOpenSSL,
                              encryption_algorithm=serialization.NoEncryption()))

# Public key
issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, _ssl_input('ISO code of the country on 2 characters', 'FR')),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, _ssl_input('Full country', 'France')),
    x509.NameAttribute(NameOID.LOCALITY_NAME, _ssl_input('Your town', 'Paris')),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, _ssl_input('Your organization', 'Pwic.wiki')),
    x509.NameAttribute(NameOID.COMMON_NAME, _ssl_input('Common name', 'Pwic.wiki')),
])
hosts = PwicLib.list(_ssl_input('Your hosts separated by space', 'www.your.tld'))
if len(hosts) == 0:
    exit()
cert = x509.CertificateBuilder() \
    .subject_name(issuer) \
    .issuer_name(issuer) \
    .public_key(key.public_key()) \
    .serial_number(x509.random_serial_number()) \
    .not_valid_before(datetime.datetime.utcnow()) \
    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365 * 5)) \
    .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hosts]), critical=False) \
    .sign(key, hashes.SHA256(), default_backend())
with open(PwicConst.PUBLIC_KEY, 'wb') as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

# Final output
print('\nThe certificates are generated:')
print('- Private key: ' + PwicConst.PRIVATE_KEY)
print('- Public key: ' + PwicConst.PUBLIC_KEY)

After running this script with the command python3 pwic_cert.py, two output files are saved in the directory db/. They are valid for the next 5 years and contain the identity information that you typed.

2.2. Free by Let's Encrypt

Let's Encrypt is an Internet initiative that offers free certificates recognized everywhere in the world. The procedure is a bit more complex because you need to prove that you own your domain; in other words, Pwic.wiki must already be configured for HTTP.

We use the script proposed by diafygi because it is open source, simple and auditable. Download the script and follow the instructions of its readme file. If you have no reverse proxy, edit Pwic.wiki's custom code PwicExtension.load_custom_routes so that Let's Encrypt can read the verification files from a dedicated static folder. Be careful not to expose your private keys in this folder.

At the end, you should see output of this kind:

python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir . > ./signed_chain.crt
Parsing account key...
Parsing CSR...
Found domains: pwic.wiki
Getting directory...
Directory found!
Registering account...
Registered! Account ID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/00000000
Creating new order...
Order created!
Verifying pwic.wiki...
pwic.wiki verified!
Signing certificate...
Certificate signed!

The output files are domain.key and signed_chain.crt. The certificate expires after 90 days.
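To make the "special static folder" of the previous step concrete, here is an added example of ours (it is not part of acme_tiny nor of Pwic.wiki's code base). The ACME HTTP-01 validator fetches http://<host>/.well-known/acme-challenge/<token>, which is the URL that the folder given to --acme-dir must be served under. The token is base64url text, so a strict allow-list on that single path segment is enough to stop path traversal and to keep domain.key, domain.csr and account.key unreachable even if they sit in the same folder, which is the exposure the previous paragraph warns about. The function names are ours, challenge_response is a hypothetical stand-in for whatever handler PwicExtension.load_custom_routes registers, and the sample files are constructed for the demo. Note also that the sample output above shows the acme-staging-v02 endpoint: certificates from the Let's Encrypt staging environment are not trusted by browsers, so the real certificate must come from the production endpoint.

```python
import re
import tempfile
from pathlib import Path

# The ACME HTTP-01 validator fetches http://<host>/.well-known/acme-challenge/<token>;
# acme_tiny writes the matching files into the folder given by --acme-dir.
ACME_PREFIX = '/.well-known/acme-challenge/'
# Tokens are base64url text (RFC 8555): no dots, no slashes, hence no traversal
TOKEN_RE = re.compile(r'[A-Za-z0-9_-]{1,128}')


def resolve_acme_challenge(acme_dir, request_path):
    """Return the Path of the challenge file for request_path, or None when the
    request is anything other than a well-formed token directly inside acme_dir."""
    if not request_path.startswith(ACME_PREFIX):
        return None
    token = request_path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    root = Path(acme_dir).resolve()
    candidate = (root / token).resolve()
    # Belt and braces: reject symlinks pointing elsewhere and anything that is not a plain file
    if candidate.parent != root or not candidate.is_file():
        return None
    return candidate


def challenge_response(acme_dir, request_path):
    """(HTTP status, body) the custom route answers. Hypothetical stand-in for a
    handler registered in PwicExtension.load_custom_routes."""
    path = resolve_acme_challenge(acme_dir, request_path)
    if path is None:
        return 404, b''
    return 200, path.read_bytes()


def demo():
    """Constructed acme-dir holding one challenge file next to a private key
    (the situation the page warns about); only the token may be served."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, 'sample_token_Ab1-_').write_bytes(b'sample_token_Ab1-_.keyauth')
        Path(d, 'domain.key').write_bytes(b'-----BEGIN PRIVATE KEY----- (constructed)')
        return {
            'token': challenge_response(d, ACME_PREFIX + 'sample_token_Ab1-_'),
            'key_by_name': challenge_response(d, ACME_PREFIX + 'domain.key'),
            'traversal': challenge_response(d, ACME_PREFIX + '../domain.key'),
            'nested': challenge_response(d, ACME_PREFIX + 'sample_token_Ab1-_/../domain.key'),
            'outside_prefix': challenge_response(d, '/domain.key'),
        }


if __name__ == '__main__':
    for name, (status, body) in demo().items():
        print(f'{name:15} -> {status} {body[:40]!r}')
```

The allow-list on the token does the real work: a file name containing a dot or a slash never reaches the file system at all, and the resolve() check afterwards only guards against a symlink placed inside the folder.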

2.3. Paid by commercial companies

These certificates carry the most weight but also cost the most (tens of dollars per year). It is certainly not the cheapest way to obtain HTTPS if you are running a small website.

Simply check the websites of the certificate authorities and their resellers to learn more about the various options for certifying your domain.

3. Enable HTTPS in Pwic.wiki

Move the .key and .crt files respectively to the locations given by the variables PwicConst.PRIVATE_KEY and PwicConst.PUBLIC_KEY, defined in the file pwic_lib.py.

Update the option base_url to use HTTPS by running python3 pwic_admin.py set-env base_url https://your-site.tld for example.

3.1. Without a reverse proxy server

This is the default behavior: Pwic.wiki listens on the address 0.0.0.0 or :: and serves all the requests itself.

The option https needs to be enabled with the command: python3 pwic_admin.py set-env https X.
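The two situations described so far, a self-signed certificate that browsers refuse (section 2.1) and Pwic.wiki terminating TLS itself from the .key and .crt files (this section), can be exercised on the loopback interface. The following is an added example of ours, not Pwic.wiki's code: it generates a self-signed certificate without the interactive prompts of pwic_cert.py, builds the kind of server-side SSLContext an HTTPS listener needs, starts a throwaway TLS server, then connects twice, once with the system trust store (the browser's point of view, rejected) and once after importing that exact certificate as trusted (accepted, with the SAN visible). It also reports the days left before expiry, the figure to watch for the 90-day Let's Encrypt certificates. It assumes the cryptography package that pwic_cert.py already requires and a free loopback port; make_self_signed, server_context, probe and days_remaining are hypothetical names, and the way Pwic.wiki wires the certificate into its own listener is not shown here.

```python
import datetime
import os
import socket
import ssl
import tempfile
import threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_self_signed(hostname):
    """Non-interactive equivalent of pwic_cert.py; returns (key_pem, cert_pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)          # issuer == subject: self-signed
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365 * 5))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def days_remaining(cert_pem):
    """Days left before the certificate expires (90 for a fresh Let's Encrypt one)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    expiry = getattr(cert, 'not_valid_after_utc', None)
    if expiry is None:  # cryptography < 42 only offers the naive UTC attribute
        expiry = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return (expiry - datetime.datetime.now(datetime.timezone.utc)).days


def server_context(certfile, keyfile):
    """Server-side context as an HTTPS listener would build it: TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def _serve(ctx, listener, connections):
    """Accept a fixed number of clients, finish the handshake, send one line, close."""
    for _ in range(connections):
        raw, _addr = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:
                tls.sendall(b'hello over TLS\n')
        except (ssl.SSLError, OSError):
            raw.close()  # the client aborted the handshake because it distrusts our certificate
    listener.close()


def probe(port, cafile=None):
    """Connect like a browser: with cafile=None only the system trust store is consulted.
    Returns the verified subjectAltName, or None when the certificate is rejected."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(('127.0.0.1', port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname='localhost') as tls:
                return tls.getpeercert()['subjectAltName']
    except ssl.SSLCertVerificationError:
        return None


def demo():
    key_pem, cert_pem = make_self_signed('localhost')
    with tempfile.TemporaryDirectory() as d:
        keyfile, certfile = os.path.join(d, 'domain.key'), os.path.join(d, 'domain.crt')
        with open(keyfile, 'wb') as f:
            f.write(key_pem)
        os.chmod(keyfile, 0o600)  # the private key stays readable by the service account only
        with open(certfile, 'wb') as f:
            f.write(cert_pem)
        listener = socket.socket()
        listener.bind(('127.0.0.1', 0))  # ephemeral loopback port for the demo
        listener.listen(2)
        port = listener.getsockname()[1]
        server = threading.Thread(target=_serve, args=(server_context(certfile, keyfile), listener, 2))
        server.start()
        results = {
            'days': days_remaining(cert_pem),
            'system_trust': probe(port),             # what a browser sees: rejected
            'pinned': probe(port, cafile=certfile),  # trusted only after an explicit import
        }
        server.join()
        return results


if __name__ == '__main__':
    print(demo())
```

The first probe is exactly the browser warning of section 2.1 seen from code: the handshake completes cryptographically but the client refuses the identity. The second probe is what happens once the certificate is imported as trusted, or once a Let's Encrypt or commercial certificate chains to a root the client already has.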

3.2. With a reverse proxy server

The interest of using a reverse proxy server is explained in our technical FAQ.

In this situation, Pwic.wiki communicates with the reverse proxy server over a restricted local network and does not need HTTPS itself. Instead, the reverse proxy server handles the secure connections with the outside world, so it is the proxy that needs your certificate. Refer to the documentation of your reverse proxy server to complete the configuration.

4. Open your firewall

The last step consists of restarting Pwic.wiki and, if you use one, your reverse proxy server.

Also adapt the NAT rules of your firewall: by default, HTTP runs on port 80 and HTTPS on port 443.

Revision #1 was last modified by gitbra
on 2023-12-11 at 00:00:00 — d3b40b63f504a449
