use new selfsignedcert if no lnd tls.cert present

home.admin/config.scripts/blitz.web.sh

@@ -201,11 +201,27 @@ EOF
   sudo apt-get install -y python3-jinja2
   sudo -H python3 -m pip install j2cli
 
-  # use LND cert by default
-  sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tls.cert
-  sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tls.key
-  sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tor_tls.cert
-  sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tor_tls.key
+  if [ -f /mnt/hdd/app-data/nginx/tls.cert ];then
+    if [ -f /mnt/hdd/lnd/tls.cert ]; then
+      # use LND cert by default
+      sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tls.cert
+      sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tls.key
+      sudo ln -sf /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/nginx/tor_tls.cert
+      sudo ln -sf /mnt/hdd/lnd/tls.key /mnt/hdd/app-data/nginx/tor_tls.key
+    else 
+      # create a self-signed cert if the LND cert is not present
+      /home/admin/config.scripts/internet.selfsignedcert.sh   
+  
+      sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.cert \
+                  /mnt/hdd/app-data/nginx/tls.cert
+      sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.key \
+                  /mnt/hdd/app-data/nginx/tls.key
+      sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.cert \
+                  /mnt/hdd/app-data/nginx/tor_tls.cert
+      sudo ln -sf /mnt/hdd/app-data/selfsignedcert/selfsigned.key \
+                  /mnt/hdd/app-data/nginx/tor_tls.key
+    fi
+  fi
 
   # config
   sudo cp /home/admin/assets/blitzweb.conf /etc/nginx/sites-available/blitzweb.conf

home.admin/config.scripts/internet.selfsignedcert.sh

@@ -1,41 +1,33 @@
+#!/bin/bash
+
 # script to create a self-signed SSL certificate
 
-echo ""
-echo "***"
-echo "installing Nginx"
-echo "***"
-echo ""
-sudo apt-get install -y nginx
-sudo /etc/init.d/nginx start 2>/dev/null
+sudo -u bitcoin mkdir /mnt/hdd/app-data/selfsignedcert
+cd /mnt/hdd/app-data/selfsignedcert || exit 1
 
-# Only generate if there is none. Or Electrum will not connect if the cert changed.
-if [ -f /etc/ssl/certs/localhost.crt ] ; then
-  echo "A self-signed certificate is already present" 
-else
-  echo ""
-  echo "***"
-  echo "Create a self signed SSL certificate"
-  echo "***"
-  echo ""
-  
-  #https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
-  #https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
-  echo "
+echo "# Create a self signed SSL certificate"
+localip=$(ip addr | grep 'state UP' -A2 | egrep -v 'docker0|veth' | grep 'eth0\|wlan0\|enp0' | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
+
+sudo -u bitcoin openssl genrsa -out selfsigned.key 2048
+#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
+#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
+
+echo "
 [req]
 prompt             = no
 default_bits       = 2048
-default_keyfile    = localhost.key
+default_keyfile    = selfsigned.key
 distinguished_name = req_distinguished_name
 req_extensions     = req_ext
 x509_extensions    = v3_ca
 
 [req_distinguished_name]
 C = US
-ST = California
-L = Los Angeles
-O = Our Company Llc
+ST = Texas
+L = Lightning Network
+O = RaspiBlitz
 #OU = Org Unit Name
-CN = Our Company Llc
+CN = RaspiBlitz
 #emailAddress = info@example.com
 
 [req_ext]
@@ -47,9 +39,8 @@ subjectAltName = @alt_names
 [alt_names]
 DNS.1   = localhost
 DNS.2   = 127.0.0.1
-" | tee localhost.conf
+DNS.3   = $localip
+" | sudo -u bitcoin tee localhost.conf
 
-  openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
-  sudo mv localhost.crt /etc/ssl/certs/localhost.crt
-  sudo mv localhost.key /etc/ssl/private/localhost.key
-fi
+sudo -u bitcoin openssl req -new -x509 -sha256 -key selfsigned.key \
+    -out selfsigned.cert -days 3650 -config localhost.conf