core/Projektarbeit-MYP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

📚 Improved SSL configuration for production environment 🎉

Browse Source
This commit is contained in:
Till Tomczak
2025-06-10 13:10:17 +02:00
parent 61d3612978
commit a4a293a744
4 changed files with 165 additions and 314 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
backend/Fix-SSL-Browser.ps1
View File

@ -1,165 +0,0 @@
# MYP SSL Browser-Kompatibilitäts-Fix
# Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler
Write-Host "=========================================================" -ForegroundColor Cyan
Write-Host "MYP SSL BROWSER-KOMPATIBILITÄTS-FIX" -ForegroundColor Cyan
Write-Host "Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler" -ForegroundColor Cyan
Write-Host "=========================================================" -ForegroundColor Cyan
Write-Host ""
# Prüfe ob SSL-Verzeichnis existiert
if (!(Test-Path "ssl")) {
Write-Host "Erstelle SSL-Verzeichnis..." -ForegroundColor Yellow
New-Item -ItemType Directory -Path "ssl" | Out-Null
}
# Backup existierender Zertifikate
if (Test-Path "ssl\cert.pem") {
Write-Host "Erstelle Backup der alten Zertifikate..." -ForegroundColor Yellow
if (!(Test-Path "ssl\backup")) {
New-Item -ItemType Directory -Path "ssl\backup" | Out-Null
}
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
Copy-Item "ssl\cert.pem" "ssl\backup\cert_backup_$timestamp.pem" -ErrorAction SilentlyContinue
Copy-Item "ssl\key.pem" "ssl\backup\key_backup_$timestamp.pem" -ErrorAction SilentlyContinue
Write-Host "Backup erstellt." -ForegroundColor Green
}
# Prüfe ob OpenSSL verfügbar ist
try {
$null = & openssl version 2>$null
Write-Host "OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate..." -ForegroundColor Green
Write-Host ""
}
catch {
Write-Host ""
Write-Host "FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!" -ForegroundColor Red
Write-Host ""
Write-Host "Bitte installiere OpenSSL:" -ForegroundColor Yellow
Write-Host "1. Lade OpenSSL für Windows herunter: https://slproweb.com/products/Win32OpenSSL.html" -ForegroundColor White
Write-Host "2. Oder verwende das bestehende SSL-Modul mit Python" -ForegroundColor White
Write-Host ""
Write-Host "Alternative: Manueller Fix mit vorbereiteten Zertifikaten..." -ForegroundColor Yellow
Write-Host ""
Read-Host "Drücke Enter zum Beenden"
exit 1
}
# Erstelle browser-kompatible OpenSSL-Konfiguration
$openssl_config = @"
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Baden-Wuerttemberg
L = Stuttgart
O = Mercedes-Benz AG
OU = MYP Druckerverwaltung
CN = m040tbaraspi001
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = critical, @alt_names
nsCertType = server
nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung"
[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = m040tbaraspi001
DNS.4 = m040tbaraspi001.local
DNS.5 = m040tbaraspi001.de040.corpintra.net
DNS.6 = *.de040.corpintra.net
IP.1 = 127.0.0.1
IP.2 = ::1
IP.3 = 0.0.0.0
"@
# Schreibe OpenSSL-Konfiguration
$openssl_config | Out-File -FilePath "ssl\openssl_browser_fix.conf" -Encoding UTF8
Write-Host "OpenSSL-Konfiguration erstellt." -ForegroundColor Green
try {
# Generiere Private Key
Write-Host "Generiere Private Key (RSA 2048)..." -ForegroundColor Yellow
& openssl genrsa -out "ssl\key.pem" 2048 2>$null
if ($LASTEXITCODE -ne 0) {
throw "Private Key Generierung fehlgeschlagen!"
}
Write-Host "Private Key generiert." -ForegroundColor Green
# Generiere browser-kompatibles Zertifikat
Write-Host "Generiere browser-kompatibles Zertifikat..." -ForegroundColor Yellow
& openssl req -new -x509 -key "ssl\key.pem" -out "ssl\cert.pem" -days 365 -config "ssl\openssl_browser_fix.conf" -extensions v3_req -sha256 2>$null
if ($LASTEXITCODE -ne 0) {
throw "Zertifikat-Generierung fehlgeschlagen!"
}
Write-Host "Browser-kompatibles Zertifikat generiert." -ForegroundColor Green
# Aufräumen
Remove-Item "ssl\openssl_browser_fix.conf" -ErrorAction SilentlyContinue
# Validierung
Write-Host ""
Write-Host "=========================================================" -ForegroundColor Cyan
Write-Host "BROWSER-KOMPATIBILITÄTS-VALIDIERUNG" -ForegroundColor Cyan
Write-Host "=========================================================" -ForegroundColor Cyan
Write-Host "Prüfe Zertifikat-Extensions..." -ForegroundColor Yellow
$cert_info = & openssl x509 -in "ssl\cert.pem" -noout -text 2>$null
$checks = @(
@{ Name = "Digital Signature"; Pattern = "Digital Signature" },
@{ Name = "Key Encipherment"; Pattern = "Key Encipherment" },
@{ Name = "TLS Web Server Authentication"; Pattern = "TLS Web Server Authentication" },
@{ Name = "Subject Alternative Name"; Pattern = "Subject Alternative Name" },
@{ Name = "CA:FALSE"; Pattern = "CA:FALSE" }
)
foreach ($check in $checks) {
if ($cert_info -match $check.Pattern) {
Write-Host "$($check.Name)" -ForegroundColor Green
} else {
Write-Host "$($check.Name)" -ForegroundColor Red
}
}
Write-Host ""
Write-Host "=========================================================" -ForegroundColor Green
Write-Host "SSL-FIX ERFOLGREICH ABGESCHLOSSEN!" -ForegroundColor Green
Write-Host "=========================================================" -ForegroundColor Green
Write-Host ""
Write-Host "Nächste Schritte:" -ForegroundColor Cyan
Write-Host "1. Browser-Cache vollständig leeren:" -ForegroundColor White
Write-Host " - Chrome/Edge: Strg+Shift+Del, 'Gesamte Zeit', alle Optionen" -ForegroundColor Gray
Write-Host " - Firefox: Strg+Shift+Del, 'Alles' auswählen" -ForegroundColor Gray
Write-Host ""
Write-Host "2. MYP-Anwendung neu starten" -ForegroundColor White
Write-Host ""
Write-Host "3. https://localhost:5000 aufrufen" -ForegroundColor White
Write-Host ""
Write-Host "4. Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'" -ForegroundColor White
Write-Host ""
Write-Host "💡 Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!" -ForegroundColor Green
Write-Host ""
Write-Host "Zertifikat gespeichert in: ssl\cert.pem" -ForegroundColor Gray
Write-Host "Private Key gespeichert in: ssl\key.pem" -ForegroundColor Gray
Write-Host ""
} catch {
Write-Host ""
Write-Host "FEHLER: $_" -ForegroundColor Red
Write-Host ""
Write-Host "Mögliche Lösungen:" -ForegroundColor Yellow
Write-Host "1. OpenSSL neu installieren und dem PATH hinzufügen" -ForegroundColor White
Write-Host "2. PowerShell als Administrator ausführen" -ForegroundColor White
Write-Host "3. Prüfe Schreibberechtigungen im ssl-Verzeichnis" -ForegroundColor White
Write-Host ""
}
Read-Host "Drücke Enter zum Beenden"

3
backend/app_production.py
View File

@ -27,6 +27,9 @@ sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
# Import der Haupt-App
from app import app, app_logger
# Flask-Imports für Request-Handling
from flask import request, redirect
# SSL und Sicherheits-Imports
from utils.ssl_config import ensure_ssl_certificates, get_ssl_context

131
backend/regenerate_ssl.bat
View File

@ -1,131 +0,0 @@
@echo off
echo =========================================================
echo MYP SSL BROWSER-KOMPATIBILITAETS-FIX
echo Loest ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler
echo =========================================================
echo.
REM Pruefe ob SSL-Verzeichnis existiert
if not exist "ssl" (
echo Erstelle SSL-Verzeichnis...
mkdir ssl
)
REM Losche alte Zertifikate
if exist "ssl\cert.pem" (
echo Erstelle Backup der alten Zertifikate...
if not exist "ssl\backup" mkdir ssl\backup
copy "ssl\cert.pem" "ssl\backup\cert_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
copy "ssl\key.pem" "ssl\backup\key_backup_%date:~-4,4%%date:~-10,2%%date:~-7,2%.pem" >nul 2>&1
echo Backup erstellt.
)
REM Pruefe ob OpenSSL verfuegbar ist
openssl version >nul 2>&1
if errorlevel 1 (
echo.
echo FEHLER: OpenSSL ist nicht installiert oder nicht im PATH!
echo.
echo Bitte installiere OpenSSL:
echo 1. Lade OpenSSL fuer Windows herunter: https://slproweb.com/products/Win32OpenSSL.html
echo 2. Oder verwende das bestehende SSL-Modul mit Python
echo.
echo Alternative: Verwende das Python-basierte SSL-Fix Tool:
echo python -c "from utils.ssl_config import ensure_ssl_certificates; ensure_ssl_certificates('.', True)"
echo.
pause
exit /b 1
)
echo OpenSSL gefunden. Generiere browser-kompatible SSL-Zertifikate...
echo.
REM Erstelle browser-kompatible OpenSSL-Konfiguration
echo [req] > ssl\openssl_browser_fix.conf
echo distinguished_name = req_distinguished_name >> ssl\openssl_browser_fix.conf
echo req_extensions = v3_req >> ssl\openssl_browser_fix.conf
echo prompt = no >> ssl\openssl_browser_fix.conf
echo. >> ssl\openssl_browser_fix.conf
echo [req_distinguished_name] >> ssl\openssl_browser_fix.conf
echo C = DE >> ssl\openssl_browser_fix.conf
echo ST = Baden-Wuerttemberg >> ssl\openssl_browser_fix.conf
echo L = Stuttgart >> ssl\openssl_browser_fix.conf
echo O = Mercedes-Benz AG >> ssl\openssl_browser_fix.conf
echo OU = MYP Druckerverwaltung >> ssl\openssl_browser_fix.conf
echo CN = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
echo. >> ssl\openssl_browser_fix.conf
echo [v3_req] >> ssl\openssl_browser_fix.conf
echo basicConstraints = critical, CA:FALSE >> ssl\openssl_browser_fix.conf
echo keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement >> ssl\openssl_browser_fix.conf
echo extendedKeyUsage = critical, serverAuth, clientAuth >> ssl\openssl_browser_fix.conf
echo subjectAltName = critical, @alt_names >> ssl\openssl_browser_fix.conf
echo nsCertType = server >> ssl\openssl_browser_fix.conf
echo nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Loesung" >> ssl\openssl_browser_fix.conf
echo. >> ssl\openssl_browser_fix.conf
echo [alt_names] >> ssl\openssl_browser_fix.conf
echo DNS.1 = localhost >> ssl\openssl_browser_fix.conf
echo DNS.2 = *.localhost >> ssl\openssl_browser_fix.conf
echo DNS.3 = m040tbaraspi001 >> ssl\openssl_browser_fix.conf
echo DNS.4 = m040tbaraspi001.local >> ssl\openssl_browser_fix.conf
echo DNS.5 = m040tbaraspi001.de040.corpintra.net >> ssl\openssl_browser_fix.conf
echo DNS.6 = *.de040.corpintra.net >> ssl\openssl_browser_fix.conf
echo IP.1 = 127.0.0.1 >> ssl\openssl_browser_fix.conf
echo IP.2 = ::1 >> ssl\openssl_browser_fix.conf
echo IP.3 = 0.0.0.0 >> ssl\openssl_browser_fix.conf
echo OpenSSL-Konfiguration erstellt.
REM Generiere Private Key
echo Generiere Private Key (RSA 2048)...
openssl genrsa -out ssl\key.pem 2048
if errorlevel 1 (
echo FEHLER: Private Key Generierung fehlgeschlagen!
pause
exit /b 1
)
echo Private Key generiert.
REM Generiere browser-kompatibles Zertifikat
echo Generiere browser-kompatibles Zertifikat...
openssl req -new -x509 -key ssl\key.pem -out ssl\cert.pem -days 365 -config ssl\openssl_browser_fix.conf -extensions v3_req -sha256
if errorlevel 1 (
echo FEHLER: Zertifikat-Generierung fehlgeschlagen!
pause
exit /b 1
)
echo Browser-kompatibles Zertifikat generiert.
REM Aufraumen
del ssl\openssl_browser_fix.conf >nul 2>&1
REM Validierung
echo.
echo =========================================================
echo BROWSER-KOMPATIBILITAETS-VALIDIERUNG
echo =========================================================
echo Pruefe Zertifikat-Extensions...
openssl x509 -in ssl\cert.pem -noout -text | findstr /C:"Digital Signature" /C:"Key Encipherment" /C:"TLS Web Server Authentication" /C:"Subject Alternative Name" /C:"CA:FALSE"
echo.
echo =========================================================
echo SSL-FIX ERFOLGREICH ABGESCHLOSSEN!
echo =========================================================
echo.
echo Naechste Schritte:
echo 1. Browser-Cache vollstaendig leeren:
echo - Chrome/Edge: Strg+Shift+Del, "Gesamte Zeit", alle Optionen
echo - Firefox: Strg+Shift+Del, "Alles" auswaehlen
echo.
echo 2. MYP-Anwendung neu starten
echo.
echo 3. https://localhost:5000 aufrufen
echo.
echo 4. Bei SSL-Warnung: "Erweitert" - "Weiter zu localhost (unsicher)"
echo.
echo Der Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein!
echo.
echo Zertifikat gespeichert in: ssl\cert.pem
echo Private Key gespeichert in: ssl\key.pem
echo.
pause

170
backend/setup_https_only.sh
View File

@ -244,16 +244,123 @@ else
exit 1
fi
# Kiosk-Service aktualisieren
if [[ -f "$MYP_DIR/systemd/myp-kiosk.service" ]]; then
cp "$MYP_DIR/systemd/myp-kiosk.service" /etc/systemd/system/
echo " ✅ myp-kiosk.service aktualisiert"
fi
# Erstelle korrigierte Kiosk-Service-Datei (behebt "bad unit file setting")
echo " Erstelle korrigierte myp-kiosk.service..."
cat > /etc/systemd/system/myp-kiosk.service << 'EOF'
[Unit]
Description=MYP Kiosk Browser Autostart (HTTPS) - Intelligente Konfiguration
Documentation=https://github.com/MYP-Druckerverwaltung
After=graphical.target myp-production.service network-online.target
Wants=myp-production.service network-online.target
Requires=myp-production.service
StartLimitBurst=3
StartLimitInterval=300
[Service]
Type=simple
User=root
Group=root
Environment=DISPLAY=:0
Environment=HOME=/root
Environment=XDG_RUNTIME_DIR=/run/user/0
WorkingDirectory=/root
# Intelligenter Pre-Start Check
ExecStartPre=/bin/bash -c '\
echo "=== MYP Kiosk-Service startet $(date) ==="; \
\
# Prüfe X11 Display \
if ! DISPLAY=:0 xset q >/dev/null 2>&1; then \
echo "⚠️ X11 nicht verfügbar - Kiosk-Modus wird übersprungen"; \
exit 0; \
fi; \
\
# Warte auf HTTPS-Backend \
echo "🔍 Warte auf HTTPS Backend..."; \
for i in {1..60}; do \
if curl -k -s --connect-timeout 2 --max-time 3 https://localhost >/dev/null 2>&1; then \
echo "✅ HTTPS Backend erreichbar"; \
break; \
fi; \
echo "⏳ Warte auf Backend... ($i/60)"; \
sleep 2; \
done; \
'
# Intelligenter Kiosk-Start
ExecStart=/bin/bash -c '\
echo "🚀 Starte Kiosk-Modus"; \
\
# Browser finden \
BROWSER=""; \
if command -v chromium >/dev/null 2>&1; then \
BROWSER="chromium"; \
elif command -v chromium-browser >/dev/null 2>&1; then \
BROWSER="chromium-browser"; \
elif command -v firefox >/dev/null 2>&1; then \
BROWSER="firefox"; \
else \
echo "❌ Kein Browser gefunden"; \
exit 1; \
fi; \
\
# Intelligente URL-Ermittlung \
if curl -k -s --connect-timeout 2 --max-time 3 "https://m040tbaraspi001.de040.corpintra.net" >/dev/null 2>&1; then \
TARGET_URL="https://m040tbaraspi001.de040.corpintra.net"; \
elif curl -k -s --connect-timeout 2 --max-time 3 "https://localhost:443" >/dev/null 2>&1; then \
TARGET_URL="https://localhost:443"; \
else \
TARGET_URL="https://localhost"; \
fi; \
\
echo "🌐 Browser: $BROWSER"; \
echo "🔗 URL: $TARGET_URL"; \
\
# Display-Setup \
DISPLAY=:0 xset s off 2>/dev/null || true; \
DISPLAY=:0 xset -dpms 2>/dev/null || true; \
\
# Browser-spezifische Args \
if [[ "$BROWSER" == "chromium"* ]]; then \
ARGS="--kiosk --no-sandbox --disable-dev-shm-usage --ignore-certificate-errors --disable-web-security"; \
else \
ARGS="--kiosk"; \
fi; \
\
# Browser starten \
export DISPLAY=:0; \
exec $BROWSER $ARGS "$TARGET_URL" 2>/dev/null; \
'
# Service-Konfiguration
Restart=always
RestartSec=10
TimeoutStartSec=60
TimeoutStopSec=10
KillMode=mixed
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-kiosk
[Install]
WantedBy=graphical.target
EOF
echo " ✅ Korrigierte myp-kiosk.service erstellt"
# Services aktivieren
systemctl daemon-reload
systemctl enable myp-production
# Kiosk nur aktivieren wenn graphical.target verfügbar
if systemctl list-unit-files --type=target | grep -q "graphical.target"; then
systemctl enable myp-kiosk
echo " ✅ myp-kiosk.service aktiviert"
else
echo " ⚠️ myp-kiosk.service nicht aktiviert (kein graphical.target)"
fi
echo -e "${GREEN} ✅ Services installiert und aktiviert${NC}"
@ -402,23 +509,60 @@ echo "=============================================="
PROBLEMS_DETECTED=false
# Problem 1: Graphical Session Target
if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target"; then
echo -e "${YELLOW}🔧 Problem erkannt: Graphical Session Target${NC}"
# Problem 1: Bad Unit File Settings (umfassende Reparatur)
echo -e "${YELLOW}🔧 Prüfe Service-Datei-Konfiguration...${NC}"
if systemctl daemon-reload 2>&1 | grep -q "bad unit file\|invalid\|unknown directive"; then
echo -e "${YELLOW}🔧 Problem erkannt: Bad Unit File Settings${NC}"
PROBLEMS_DETECTED=true
# Backup erstellen
if [[ -f "/etc/systemd/system/myp-kiosk.service" ]]; then
cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s)
cp /etc/systemd/system/myp-kiosk.service /etc/systemd/system/myp-kiosk.service.backup.$(date +%s) 2>/dev/null || true
fi
# Ersetze problematisches Target
sed -i 's/graphical-session\.target/graphical.target/g' /etc/systemd/system/myp-kiosk.service
sed -i 's/Requires=graphical\.target/Requires=myp-production.service/' /etc/systemd/system/myp-kiosk.service
# Erstelle komplett neue, saubere Service-Datei
echo " Erstelle komplett neue myp-kiosk.service..."
cat > /etc/systemd/system/myp-kiosk.service << 'KIOSK_EOF'
[Unit]
Description=MYP Kiosk Browser (HTTPS-Only)
After=graphical.target myp-production.service
Wants=myp-production.service
[Service]
Type=simple
User=root
Environment=DISPLAY=:0
WorkingDirectory=/root
ExecStartPre=/bin/bash -c 'if ! DISPLAY=:0 xset q >/dev/null 2>&1; then exit 0; fi'
ExecStart=/bin/bash -c '\
if curl -k -s --connect-timeout 2 https://localhost >/dev/null 2>&1; then \
BROWSER="chromium"; \
if ! command -v chromium >/dev/null 2>&1; then \
BROWSER="firefox"; \
fi; \
URL="https://localhost"; \
DISPLAY=:0 $BROWSER --kiosk --no-sandbox --ignore-certificate-errors "$URL" 2>/dev/null; \
fi'
Restart=always
RestartSec=10
[Install]
WantedBy=graphical.target
KIOSK_EOF
# SystemD neu laden
systemctl daemon-reload
echo -e "${GREEN}Graphical Target Problem behoben${NC}"
echo -e "${GREEN}Service-Datei-Probleme behoben${NC}"
fi
# Problem 1b: Graphical Session Target (Fallback)
if systemctl status myp-kiosk 2>&1 | grep -q "graphical-session.target\|not found\|bad unit"; then
echo -e "${YELLOW}🔧 Problem erkannt: Service-Konfigurationsfehler${NC}"
PROBLEMS_DETECTED=true
# SystemD neu laden um Änderungen zu übernehmen
systemctl daemon-reload
echo -e "${GREEN} ✅ Service-Konfiguration korrigiert${NC}"
fi
# Problem 2: Connection Refused