📚 Improved SSL configuration for production environment 🎉

2025-06-10 13:10:17 +02:00
parent 61d3612978
commit a4a293a744
4 changed files with 165 additions and 314 deletions
--- a/backend/Fix-SSL-Browser.ps1
+++ b/backend/Fix-SSL-Browser.ps1
@ -1,165 +0,0 @@
 # MYP SSL Browser-Kompatibilitäts-Fix
 # Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler
 Write-Host "=========================================================" -ForegroundColor Cyan
 Write-Host "MYP SSL BROWSER-KOMPATIBILITÄTS-FIX" -ForegroundColor Cyan
 Write-Host "Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler" -ForegroundColor Cyan
 Write-Host "=========================================================" -ForegroundColor Cyan
 Write-Host ""
 # Prüfe ob SSL-Verzeichnis existiert
 if (!(Test-Path "ssl")) {
    Write-Host "Erstelle SSL-Verzeichnis..." -ForegroundColor Yellow
    New-Item -ItemType Directory -Path "ssl" | Out-Null
 }
 # Backup existierender Zertifikate
 if (Test-Path "ssl\cert.pem") {
    Write-Host "Erstelle Backup der alten Zertifikate..." -ForegroundColor Yellow
    if (!(Test-Path "ssl\backup")) {
        New-Item -ItemType Directory -Path "ssl\backup" | Out-Null
    }
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    Copy-Item "ssl\cert.pem" "ssl\backup\cert_backup_$timestamp.pem" -ErrorAction SilentlyContinue
    Copy-Item "ssl\key.pem" "ssl\backup\key_backup_$timestamp.pem" -ErrorAction SilentlyContinue
    Write-Host "Backup erstellt." -ForegroundColor Green
 }
 # Prüfe ob OpenSSL verfügbar ist
 try {
    $null = & openssl version 2>$null
    Write-Host "OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate..." -ForegroundColor Green
    Write-Host ""
 }
 catch {
    Write-Host ""
    Write-Host "FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!" -ForegroundColor Red
    Write-Host ""
    Write-Host "Bitte installiere OpenSSL:" -ForegroundColor Yellow
    Write-Host "1. Lade OpenSSL für Windows herunter: https://slproweb.com/products/Win32OpenSSL.html" -ForegroundColor White
    Write-Host "2. Oder verwende das bestehende SSL-Modul mit Python" -ForegroundColor White
    Write-Host ""
    Write-Host "Alternative: Manueller Fix mit vorbereiteten Zertifikaten..." -ForegroundColor Yellow
    Write-Host ""
    Read-Host "Drücke Enter zum Beenden"
    exit 1
 }
 # Erstelle browser-kompatible OpenSSL-Konfiguration
 $openssl_config = @"
 [req]
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
 prompt = no
 [req_distinguished_name]
 C = DE
 ST = Baden-Wuerttemberg
 L = Stuttgart
 O = Mercedes-Benz AG
 OU = MYP Druckerverwaltung
 CN = m040tbaraspi001
 [v3_req]
 basicConstraints = critical, CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage = critical, serverAuth, clientAuth
 subjectAltName = critical, @alt_names
 nsCertType = server
 nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung"
 [alt_names]
 DNS.1 = localhost
 DNS.2 = *.localhost
 DNS.3 = m040tbaraspi001
 DNS.4 = m040tbaraspi001.local
 DNS.5 = m040tbaraspi001.de040.corpintra.net
 DNS.6 = *.de040.corpintra.net
 IP.1 = 127.0.0.1
 IP.2 = ::1
 IP.3 = 0.0.0.0
 "@
 # Schreibe OpenSSL-Konfiguration
 $openssl_config | Out-File -FilePath "ssl\openssl_browser_fix.conf" -Encoding UTF8
 Write-Host "OpenSSL-Konfiguration erstellt." -ForegroundColor Green
 try {
    # Generiere Private Key
    Write-Host "Generiere Private Key (RSA 2048)..." -ForegroundColor Yellow
    & openssl genrsa -out "ssl\key.pem" 2048 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "Private Key Generierung fehlgeschlagen!"
    }
    Write-Host "Private Key generiert." -ForegroundColor Green
    # Generiere browser-kompatibles Zertifikat
    Write-Host "Generiere browser-kompatibles Zertifikat..." -ForegroundColor Yellow
    & openssl req -new -x509 -key "ssl\key.pem" -out "ssl\cert.pem" -days 365 -config "ssl\openssl_browser_fix.conf" -extensions v3_req -sha256 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "Zertifikat-Generierung fehlgeschlagen!"
    }
    Write-Host "Browser-kompatibles Zertifikat generiert." -ForegroundColor Green
    # Aufräumen
    Remove-Item "ssl\openssl_browser_fix.conf" -ErrorAction SilentlyContinue
    # Validierung
    Write-Host ""
    Write-Host "=========================================================" -ForegroundColor Cyan
    Write-Host "BROWSER-KOMPATIBILITÄTS-VALIDIERUNG" -ForegroundColor Cyan
    Write-Host "=========================================================" -ForegroundColor Cyan
    Write-Host "Prüfe Zertifikat-Extensions..." -ForegroundColor Yellow
    $cert_info = & openssl x509 -in "ssl\cert.pem" -noout -text 2>$null
    $checks = @(
        @{ Name = "Digital Signature"; Pattern = "Digital Signature" },
        @{ Name = "Key Encipherment"; Pattern = "Key Encipherment" },
        @{ Name = "TLS Web Server Authentication"; Pattern = "TLS Web Server Authentication" },
        @{ Name = "Subject Alternative Name"; Pattern = "Subject Alternative Name" },
        @{ Name = "CA:FALSE"; Pattern = "CA:FALSE" }
    )
    foreach ($check in $checks) {
        if ($cert_info -match $check.Pattern) {
            Write-Host "✅ $($check.Name)" -ForegroundColor Green
        } else {
            Write-Host "❌ $($check.Name)" -ForegroundColor Red
        }
    }
    Write-Host ""
    Write-Host "=========================================================" -ForegroundColor Green
    Write-Host "SSL-FIX ERFOLGREICH ABGESCHLOSSEN!" -ForegroundColor Green
    Write-Host "=========================================================" -ForegroundColor Green
    Write-Host ""
    Write-Host "Nächste Schritte:" -ForegroundColor Cyan
    Write-Host "1. Browser-Cache vollständig leeren:" -ForegroundColor White
    Write-Host "   - Chrome/Edge: Strg+Shift+Del, 'Gesamte Zeit', alle Optionen" -ForegroundColor Gray
    Write-Host "   - Firefox: Strg+Shift+Del, 'Alles' auswählen" -ForegroundColor Gray
    Write-Host ""
    Write-Host "2. MYP-Anwendung neu starten" -ForegroundColor White
    Write-Host ""
    Write-Host "3. https://localhost:5000 aufrufen" -ForegroundColor White
    Write-Host ""
    Write-Host "4. Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'" -ForegroundColor White
    Write-Host ""
    Write-Host "💡 Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!" -ForegroundColor Green
    Write-Host ""
    Write-Host "Zertifikat gespeichert in: ssl\cert.pem" -ForegroundColor Gray
    Write-Host "Private Key gespeichert in: ssl\key.pem" -ForegroundColor Gray
    Write-Host ""
 } catch {
    Write-Host ""
    Write-Host "FEHLER: $_" -ForegroundColor Red
    Write-Host ""
    Write-Host "Mögliche Lösungen:" -ForegroundColor Yellow
    Write-Host "1. OpenSSL neu installieren und dem PATH hinzufügen" -ForegroundColor White
    Write-Host "2. PowerShell als Administrator ausführen" -ForegroundColor White
    Write-Host "3. Prüfe Schreibberechtigungen im ssl-Verzeichnis" -ForegroundColor White
    Write-Host ""
 }
 Read-Host "Drücke Enter zum Beenden" 
--- a/backend/app_production.py
+++ b/backend/app_production.py
@ -27,6 +27,9 @@ sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
 # Import der Haupt-App
 from app import app, app_logger
 # Flask-Imports für Request-Handling
 from flask import request, redirect
 # SSL und Sicherheits-Imports
 from utils.ssl_config import ensure_ssl_certificates, get_ssl_context
--- a/backend/regenerate_ssl.bat
+++ b/backend/regenerate_ssl.bat
@ -1,131 +0,0 @@
@echo off
 echo =========================================================
 echo MYP SSL BROWSER-KOMPATIBILITAETS-FIX
 echo Loest ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler
 echo =========================================================
 echo.
 REM Pruefe ob SSL-Verzeichnis existiert
 if not exist "ssl" (
    echo Erstelle SSL-Verzeichnis...
    mkdir ssl
 )
 REM Losche alte Zertifikate
 if exist "ssl\cert.pem" (
    echo Erstelle Backup der alten Zertifikate...
    if not exist "ssl\backup" mkdir ssl\backup
    copy "ssl\cert.pem" "ssl\backup\cert_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
    copy "ssl\key.pem" "ssl\backup\key_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
    echo Backup erstellt.
 )
 REM Pruefe ob OpenSSL verfuegbar ist
 openssl version >nul 2>&1
 if errorlevel 1 (
    echo.
    echo FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!
    echo.
    echo Bitte installiere OpenSSL:
    echo 1. Lade OpenSSL fuer Windows herunter: https://slproweb.com/products/Win32OpenSSL.html
    echo 2. Oder verwende das bestehende SSL-Modul mit Python
    echo.
    echo Alternative: Verwende das Python-basierte SSL-Fix Tool:
    echo    python -c "from utils.ssl_config import ensure_ssl_certificates; ensure_ssl_certificates('.', True)"
    echo.
    pause
    exit /b 1
 )
 echo OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate...
 echo.
 REM Erstelle browser-kompatible OpenSSL-Konfiguration
 echo [req] > ssl\openssl_browser_fix.conf
 echo distinguished_name = req_distinguished_name >> ssl\openssl_browser_fix.conf
 echo req_extensions = v3_req >> ssl\openssl_browser_fix.conf
 echo prompt = no >> ssl\openssl_browser_fix.conf
 echo. >> ssl\openssl_browser_fix.conf
 echo [req_distinguished_name] >> ssl\openssl_browser_fix.conf
 echo C = DE >> ssl\openssl_browser_fix.conf
 echo ST = Baden-Wuerttemberg >> ssl\openssl_browser_fix.conf
 echo L = Stuttgart >> ssl\openssl_browser_fix.conf
 echo O = Mercedes-Benz AG >> ssl\openssl_browser_fix.conf
 echo OU = MYP Druckerverwaltung >> ssl\openssl_browser_fix.conf
 echo CN = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
 echo. >> ssl\openssl_browser_fix.conf
 echo [v3_req] >> ssl\openssl_browser_fix.conf
 echo basicConstraints = critical, CA:FALSE >> ssl\openssl_browser_fix.conf
 echo keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement >> ssl\openssl_browser_fix.conf
 echo extendedKeyUsage = critical, serverAuth, clientAuth >> ssl\openssl_browser_fix.conf
 echo subjectAltName = critical, @alt_names >> ssl\openssl_browser_fix.conf
 echo nsCertType = server >> ssl\openssl_browser_fix.conf
 echo nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Loesung" >> ssl\openssl_browser_fix.conf
 echo. >> ssl\openssl_browser_fix.conf
 echo [alt_names] >> ssl\openssl_browser_fix.conf
 echo DNS.1 = localhost >> ssl\openssl_browser_fix.conf
 echo DNS.2 = *.localhost >> ssl\openssl_browser_fix.conf
 echo DNS.3 = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
 echo DNS.4 = m040tbaraspi001.local >> ssl\openssl_browser_fix.conf
 echo DNS.5 = m040tbaraspi001.de040.corpintra.net >> ssl\openssl_browser_fix.conf
 echo DNS.6 = *.de040.corpintra.net >> ssl\openssl_browser_fix.conf
 echo IP.1 = 127.0.0.1 >> ssl\openssl_browser_fix.conf
 echo IP.2 = ::1 >> ssl\openssl_browser_fix.conf
 echo IP.3 = 0.0.0.0 >> ssl\openssl_browser_fix.conf
 echo OpenSSL-Konfiguration erstellt.
 REM Generiere Private Key
 echo Generiere Private Key (RSA 2048)...
 openssl genrsa -out ssl\key.pem 2048
 if errorlevel 1 (
    echo FEHLER: Private Key Generierung fehlgeschlagen!
    pause
    exit /b 1
 )
 echo Private Key generiert.
 REM Generiere browser-kompatibles Zertifikat
 echo Generiere browser-kompatibles Zertifikat...
 openssl req -new -x509 -key ssl\key.pem -out ssl\cert.pem -days 365 -config ssl\openssl_browser_fix.conf -extensions v3_req -sha256
 if errorlevel 1 (
    echo FEHLER: Zertifikat-Generierung fehlgeschlagen!
    pause
    exit /b 1
 )
 echo Browser-kompatibles Zertifikat generiert.
 REM Aufraumen
 del ssl\openssl_browser_fix.conf >nul 2>&1
 REM Validierung
 echo.
 echo =========================================================
 echo BROWSER-KOMPATIBILITAETS-VALIDIERUNG
 echo =========================================================
 echo Pruefe Zertifikat-Extensions...
 openssl x509 -in ssl\cert.pem -noout -text | findstr /C:"Digital Signature" /C:"Key Encipherment" /C:"TLS Web Server Authentication" /C:"Subject Alternative Name" /C:"CA:FALSE"
 echo.
 echo =========================================================
 echo SSL-FIX ERFOLGREICH ABGESCHLOSSEN!
 echo =========================================================
 echo.
 echo Naechste Schritte:
 echo 1. Browser-Cache vollstaendig leeren:
 echo    - Chrome/Edge: Strg+Shift+Del, "Gesamte Zeit", alle Optionen
 echo    - Firefox: Strg+Shift+Del, "Alles" auswaehlen
 echo.
 echo 2. MYP-Anwendung neu starten
 echo.
 echo 3. https://localhost:5000 aufrufen
 echo.
 echo 4. Bei SSL-Warnung: "Erweitert" - "Weiter zu localhost (unsicher)"
 echo.
 echo Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!
 echo.
 echo Zertifikat gespeichert in: ssl\cert.pem
 echo Private Key gespeichert in: ssl\key.pem
 echo.
 pause 
--- a/backend/setup_https_only.sh
+++ b/backend/setup_https_only.sh
@ -244,16 +244,123 @@ else
    exit 1
 fi
-# Kiosk-Service aktualisieren
+# Erstelle korrigierte Kiosk-Service-Datei (behebt "bad unit file setting")
-if [[ -f "$MYP_DIR/systemd/myp-kiosk.service" ]]; then
+echo "   Erstelle korrigierte myp-kiosk.service..."
-    cp "$MYP_DIR/systemd/myp-kiosk.service" /etc/systemd/system/
+cat > /etc/systemd/system/myp-kiosk.service << 'EOF'
-    echo "   ✅ myp-kiosk.service aktualisiert"
+[Unit]
-fi
+Description=MYP Kiosk Browser Autostart (HTTPS) - Intelligente Konfiguration
 Documentation=https://github.com/MYP-Druckerverwaltung
 After=graphical.target myp-production.service network-online.target
 Wants=myp-production.service network-online.target
 Requires=myp-production.service
 StartLimitBurst=3
 StartLimitInterval=300
 [Service]
 Type=simple
 User=root
 Group=root
 Environment=DISPLAY=:0
 Environment=HOME=/root
 Environment=XDG_RUNTIME_DIR=/run/user/0
 WorkingDirectory=/root
 # Intelligenter Pre-Start Check
 ExecStartPre=/bin/bash -c '\
 echo "=== MYP Kiosk-Service startet $(date) ==="; \
 \
 # Prüfe X11 Display \
 if ! DISPLAY=:0 xset q >/dev/null 2>&1; then \
    echo "⚠️ X11 nicht verfügbar - Kiosk-Modus wird übersprungen"; \
    exit 0; \
 fi; \
 \
 # Warte auf HTTPS-Backend \
 echo "🔍 Warte auf HTTPS Backend..."; \
 for i in {1..60}; do \
    if curl -k -s --connect-timeout 2 --max-time 3 https://localhost >/dev/null 2>&1; then \
        echo "✅ HTTPS Backend erreichbar"; \
        break; \
    fi; \
    echo "⏳ Warte auf Backend... ($i/60)"; \
    sleep 2; \
 done; \
 '
 # Intelligenter Kiosk-Start
 ExecStart=/bin/bash -c '\
 echo "🚀 Starte Kiosk-Modus"; \
 \
 # Browser finden \
 BROWSER=""; \
 if command -v chromium >/dev/null 2>&1; then \
    BROWSER="chromium"; \
 elif command -v chromium-browser >/dev/null 2>&1; then \
    BROWSER="chromium-browser"; \
 elif command -v firefox >/dev/null 2>&1; then \
    BROWSER="firefox"; \
 else \
    echo "❌ Kein Browser gefunden"; \
    exit 1; \
 fi; \
 \
 # Intelligente URL-Ermittlung \
 if curl -k -s --connect-timeout 2 --max-time 3 "https://m040tbaraspi001.de040.corpintra.net" >/dev/null 2>&1; then \
    TARGET_URL="https://m040tbaraspi001.de040.corpintra.net"; \
 elif curl -k -s --connect-timeout 2 --max-time 3 "https://localhost:443" >/dev/null 2>&1; then \
    TARGET_URL="https://localhost:443"; \
 else \
    TARGET_URL="https://localhost"; \
 fi; \
 \
 echo "🌐 Browser: $BROWSER"; \
 echo "🔗 URL: $TARGET_URL"; \
 \
 # Display-Setup \
 DISPLAY=:0 xset s off 2>/dev/null || true; \
 DISPLAY=:0 xset -dpms 2>/dev/null || true; \
 \
 # Browser-spezifische Args \
 if [[ "$BROWSER" == "chromium"* ]]; then \
    ARGS="--kiosk --no-sandbox --disable-dev-shm-usage --ignore-certificate-errors --disable-web-security"; \
 else \
    ARGS="--kiosk"; \
 fi; \
 \
 # Browser starten \
 export DISPLAY=:0; \
 exec $BROWSER $ARGS "$TARGET_URL" 2>/dev/null; \
 '
 # Service-Konfiguration
 Restart=always
 RestartSec=10
 TimeoutStartSec=60
 TimeoutStopSec=10
 KillMode=mixed
 # Logging
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=myp-kiosk
 [Install]
 WantedBy=graphical.target
 EOF
 echo "   ✅ Korrigierte myp-kiosk.service erstellt"
 # Services aktivieren
 systemctl daemon-reload
 systemctl enable myp-production
-systemctl enable myp-kiosk
+
 # Kiosk nur aktivieren wenn graphical.target verfügbar
 if systemctl list-unit-files --type=target | grep -q "graphical.target"; then
    systemctl enable myp-kiosk
    echo "   ✅ myp-kiosk.service aktiviert"
 else
    echo "   ⚠️ myp-kiosk.service nicht aktiviert (kein graphical.target)"
 fi
 echo -e "${GREEN}   ✅ Services installiert und aktiviert${NC}"
@ -402,23 +509,60 @@ echo "=============================================="
 PROBLEMS_DETECTED=false
-# Problem 1: Graphical Session Target
+# Problem 1: Bad Unit File Settings (umfassende Reparatur)
-if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target"; then
+echo -e "${YELLOW}🔧 Prüfe Service-Datei-Konfiguration...${NC}"
-    echo -e "${YELLOW}🔧 Problem erkannt: Graphical Session Target${NC}"
+if systemctl daemon-reload 2>&1 | grep -q "bad unit file\|invalid\|unknown directive"; then
    echo -e "${YELLOW}🔧 Problem erkannt: Bad Unit File Settings${NC}"
    PROBLEMS_DETECTED=true
    # Backup erstellen
    if [[ -f "/etc/systemd/system/myp-kiosk.service" ]]; then
-        cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s)
+        cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s) 2>/dev/null || true
    fi
-        # Ersetze problematisches Target
+    # Erstelle komplett neue, saubere Service-Datei
-        sed -i 's/graphical-session\.target/graphical.target/g' /etc/systemd/system/myp-kiosk.service
+    echo "   Erstelle komplett neue myp-kiosk.service..."
-        sed -i 's/Requires=graphical\.target/Requires=myp-production.service/' /etc/systemd/system/myp-kiosk.service
+    cat > /etc/systemd/system/myp-kiosk.service << 'KIOSK_EOF'
 [Unit]
 Description=MYP Kiosk Browser (HTTPS-Only)
 After=graphical.target myp-production.service
 Wants=myp-production.service
 [Service]
 Type=simple
 User=root
 Environment=DISPLAY=:0
 WorkingDirectory=/root
 ExecStartPre=/bin/bash -c 'if ! DISPLAY=:0 xset q >/dev/null 2>&1; then exit 0; fi'
 ExecStart=/bin/bash -c '\
 if curl -k -s --connect-timeout 2 https://localhost >/dev/null 2>&1; then \
  BROWSER="chromium"; \
  if ! command -v chromium >/dev/null 2>&1; then \
    BROWSER="firefox"; \
  fi; \
  URL="https://localhost"; \
  DISPLAY=:0 $BROWSER --kiosk --no-sandbox --ignore-certificate-errors "$URL" 2>/dev/null; \
 fi'
 Restart=always
 RestartSec=10
 [Install]
 WantedBy=graphical.target
 KIOSK_EOF
    # SystemD neu laden
    systemctl daemon-reload
-        echo -e "${GREEN}   ✅ Graphical Target Problem behoben${NC}"
+    echo -e "${GREEN}   ✅ Service-Datei-Probleme behoben${NC}"
-    fi
+fi
 # Problem 1b: Graphical Session Target (Fallback)
 if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target\|not found\|bad unit"; then
    echo -e "${YELLOW}🔧 Problem erkannt: Service-Konfigurationsfehler${NC}"
    PROBLEMS_DETECTED=true
    # SystemD neu laden um Änderungen zu übernehmen
    systemctl daemon-reload
    echo -e "${GREEN}   ✅ Service-Konfiguration korrigiert${NC}"
 fi
 # Problem 2: Connection Refused