Config: Generate default HTTPS/TLS certificate on first startup #3509

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-01-23 02:24:24 +00:00 · 2023-06-28 16:50:04 +02:00 · 2023-06-28 16:50:04 +02:00 · 8e43186454
commit 8e43186454
parent a6d3eee331
34 changed files with 141 additions and 170 deletions
--- a/scripts/dist/install-https.sh
+++ b/scripts/dist/install-https.sh
@ -5,7 +5,7 @@

 PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/scripts:$PATH"

-# Abort if not executed as root..
+# Abort if not executed as root.
 if [[ $(id -u) != "0" ]]; then
  echo "Usage: run ${0##*/} as root" 1>&2
  exit 1
@ -16,50 +16,40 @@ CONF_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/openssl"
 CERTS_PATH="/etc/ssl/certs"
 KEY_PATH="/etc/ssl/private"

-# Check if keys and certificates already exist.
-if [ -f "$CERTS_PATH/photoprism.local.issuer.crt" ] && [ -f "$KEY_PATH/photoprism.local.pfx" ] && [ -f "$KEY_PATH/photoprism.me.pfx" ]; then
-    echo "Keys and certificates for photoprism.local already exist in ${KEY_PATH} and ${CERTS_PATH}."
+# Abort if files already exist.
+
+if [ -f "$CERTS_PATH/photoprism.issuer.crt" ] && [ -f "$KEY_PATH/photoprism.pfx" ]; then
+    echo "Certificate already exists in ${KEY_PATH} and ${CERTS_PATH}."
    exit 0
 fi

-echo "Creating local HTTPS keys and certificates in ${KEY_PATH} and ${CERTS_PATH}."
+echo "Creating keys and certificates in ${KEY_PATH} and ${CERTS_PATH}."

 mkdir -p "${CERTS_PATH}" "${KEY_PATH}"
 groupadd -f -r -g 116 ssl-cert 1>&2

 # Generate issuer (CA) certificate.

-echo "Generating issuer (CA) certificate..."
+echo "Generating self-signed issuer (CA) certificate..."

-openssl genrsa -out "$KEY_PATH/photoprism.local.issuer.key" 4096
+openssl genrsa -out "$KEY_PATH/photoprism.issuer.key" 4096

-openssl req -x509 -new -nodes -key "$KEY_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$CONF_PATH/ca.conf"
+openssl req -x509 -new -nodes -key "$KEY_PATH/photoprism.issuer.key" -sha256 -days 3650 -out "$CERTS_PATH/photoprism.issuer.pem" -passin pass: -passout pass: -config "$CONF_PATH/ca.conf"

-openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
+openssl x509 -outform der -in "$CERTS_PATH/photoprism.issuer.pem" -out "$CERTS_PATH/photoprism.issuer.crt"

 # Generate server certificates.

-echo "Generating certificate for photoprism.local..."
+echo "Generating self-signed tls certificate..."

-openssl genrsa -out "$KEY_PATH/photoprism.local.key" 4096
+openssl genrsa -out "$KEY_PATH/photoprism.key" 4096

-openssl req -new -config "$CONF_PATH/local-csr.conf" -key "$KEY_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
+openssl req -new -config "$CONF_PATH/csr.conf" -key "$KEY_PATH/photoprism.key" -out "$CERTS_PATH/photoprism.csr"

-openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
-out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$CONF_PATH/local.conf"
+openssl x509 -req -in "$CERTS_PATH/photoprism.csr" -CA "$CERTS_PATH/photoprism.issuer.pem" -CAkey "$KEY_PATH/photoprism.issuer.key" -CAcreateserial \
+-out "$CERTS_PATH/photoprism.crt" -days 3650 -sha256 -extfile "$CONF_PATH/ext.conf"

-openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$KEY_PATH/photoprism.local.key" -out "$KEY_PATH/photoprism.local.pfx" -passin pass: -passout pass:
-
-echo "Generating certificate for photoprism.me..."
-
-openssl genrsa -out "$KEY_PATH/photoprism.me.key" 4096
-
-openssl req -new -config "$CONF_PATH/me-csr.conf" -key "$KEY_PATH/photoprism.me.key" -out "$CERTS_PATH/photoprism.me.csr"
-
-openssl x509 -req -in "$CERTS_PATH/photoprism.me.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
-out "$CERTS_PATH/photoprism.me.crt" -days 365 -sha256 -extfile "$CONF_PATH/me.conf"
-
-openssl pkcs12 -export -in "$CERTS_PATH/photoprism.me.crt" -inkey "$KEY_PATH/photoprism.me.key" -out "$KEY_PATH/photoprism.me.pfx" -passin pass: -passout pass:
+openssl pkcs12 -export -in "$CERTS_PATH/photoprism.crt" -inkey "$KEY_PATH/photoprism.key" -out "$KEY_PATH/photoprism.pfx" -passin pass: -passout pass:

 # Change key permissions.

@ -73,4 +63,4 @@ chmod -R u=rwX,g=rX,o-rwx "$KEY_PATH"
 echo "Running 'update-ca-certificates'..."
 update-ca-certificates

-echo "Done."
+echo "Enjoy!"
--- a/scripts/dist/openssl/ca.conf
+++ b/scripts/dist/openssl/ca.conf
@ -8,7 +8,7 @@ prompt = no
 C = DE
 ST = Berlin
 L = Berlin
-O = Local HTTPS
+O = PhotoPrism
 OU = Self-Hosted
-emailAddress = hello@photoprism.local
-CN = photoprism.local
+emailAddress = hello@photoprism.app
+CN = PhotoPrism
--- a/scripts/dist/openssl/csr.conf
+++ b/scripts/dist/openssl/csr.conf
@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+x509_extensions = v3_req
+distinguished_name = dn
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = PhotoPrism
+OU = Self-Hosted
+emailAddress = hello@photoprism.app
+CN = PhotoPrism
+
+[v3_req]
--- a/scripts/dist/openssl/ext.conf
+++ b/scripts/dist/openssl/ext.conf
@ -1,8 +1,3 @@
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.photoprism.me
-DNS.2 = photoprism.me
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
--- a/scripts/dist/openssl/local-csr.conf
+++ b/scripts/dist/openssl/local-csr.conf
@ -1,25 +0,0 @@
-[req]
-default_bits = 4096
-prompt = no
-default_md = sha256
-x509_extensions = v3_req
-distinguished_name = dn
-
-[dn]
-C = DE
-ST = Berlin
-L = Berlin
-O = PhotoPrism
-OU = Self-Hosted
-emailAddress = hello@photoprism.local
-CN = photoprism.local
-
-[v3_req]
-subjectAltName = @alt_names
-
-[SAN]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.photoprism.local
-DNS.2 = photoprism.local
--- a/scripts/dist/openssl/local.conf
+++ b/scripts/dist/openssl/local.conf
@ -1,8 +0,0 @@
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.photoprism.local
-DNS.2 = photoprism.local
--- a/scripts/dist/openssl/me-csr.conf
+++ b/scripts/dist/openssl/me-csr.conf
@ -1,25 +0,0 @@
-[req]
-default_bits = 4096
-prompt = no
-default_md = sha256
-x509_extensions = v3_req
-distinguished_name = dn
-
-[dn]
-C = DE
-ST = Berlin
-L = Berlin
-O = PhotoPrism
-OU = Self-Hosted
-emailAddress = hello@photoprism.local
-CN = photoprism.me
-
-[v3_req]
-subjectAltName = @alt_names
-
-[SAN]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = *.photoprism.me
-DNS.2 = photoprism.me