Adjust create_certificate script and adjust default wendzelnntpd.conf

create_certificate

@@ -10,7 +10,26 @@ if [ "$USER" != "root" ]; then
     exit
 fi
 
+function usage {
+    echo ""
+    echo "Creates certificates for WendzelNNTPd selfsigned or via LetsEncrypt for production usage"
+    echo ""
+    echo "usage: ./create_certificate --environment localhost | letsencrypt --email string --domain string "
+    echo ""
+    echo "  --environment string    context for generating certificates (localhost or letsnecrypt are allowed values) "
+    echo "  --email string          only needed if letsencrypt is used"
+    echo "                          (example: [email protected])"
+    echo "  --domain string         only needed if letsencrypt is used; specify domain under which your wendzelnntpd server is reachable"
+    echo "                          (example: test.de)"
+    echo ""
+}
+
 while [ $# -gt 0 ]; do
+    if [[ $1 == "--help" ]]; then
+        usage
+        exit
+    fi
+
     if [[ $1 == "--"* ]]; then
         v="${1/--/}"
         declare "$v"="$2"
@@ -52,7 +71,7 @@ if [[ -z $environment || "$environment" = "local" ]]; then
         -out "/usr/local/etc/ssl/server.crt"
 
     echo "Finished ..."
-    echo "You can find certificate at: /usr/local/etc/ssl/server.crt, key: /usr/local/etc/ssl/server.crt, CA certificate: /usr/local/etc/ssl/ca.crt"
+    echo "You can find certificate at: /usr/local/etc/ssl/server.crt, key: /usr/local/etc/ssl/server.key, CA certificate: /usr/local/etc/ssl/ca.crt"
     echo
 elif [ "$environment" = "letsencrypt" ]; then
     echo "Environment is set to local. Certificates are generated now via LetsEncrypt certbot..."
@@ -70,8 +89,15 @@ elif [ "$environment" = "letsencrypt" ]; then
     fi
 
     echo "Generating certificates..."
-    certbot certonly --standalone -n --agree-tos --email $email --domains $domain
+    certbot certonly --standalone -n --agree-tos --email $email --domains $domain --cert-name wendzelnntpd
 
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/fullchain.pem /usr/local/etc/ssl/server.crt
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/privkey.pem /usr/local/etc/ssl/server.key
+    ln -sf /etc/letsencrypt/live/wendzelnntpd/chain.pem /usr/local/etc/ssl/ca.crt
+
+    echo "Finished ..."
+    echo "You can find certificate at: /usr/local/etc/ssl/server.crt, key: /usr/local/etc/ssl/server.key, CA certificate: /usr/local/etc/ssl/ca.crt"
+    echo
 else
     echo "Unknown environment for script generation provided..."
     echo "Stopping script."

docs/install.tex

@@ -32,6 +32,17 @@ \section{Linux/*nix/BSD}
 ...
 \end{verbatim}
 
+If you want to generate SSL certificates you can use the helper script:
+\begin{verbatim}
+	$ sudo ./create_certificate \
+		--environment letsencrypt \
+		--email <YOUR-EMAIL> \\
+		--domain <YOUR-DOMAIN>
+\end{verbatim}
+For the parameter -{}-environment \textit{local} is also a valid value. Then the certificate is generated only for usage on localhost and is self-signed. After generating the certificate you have to adjust \textit{wendzelnntpd.conf} (check Section \ref{network-settings}) to activate TLS (configuration option \textit{enable-tls})). The paths for certificate and server key can stay as they are. 
+
+~
+
 To install WendzelNNTPd on your system, you need superuser access. Run \textbf{make install} to install it to the default location \textit{/usr/local/*}.
 
 \begin{verbatim}

wendzelnntpd.conf

@@ -33,17 +33,17 @@ database-password mypass
     port		119
     listen	    127.0.0.1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -59,17 +59,17 @@ database-password mypass
     port		119
     listen	    ::1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -85,17 +85,17 @@ database-password mypass
     port		563
     listen	    127.0.0.1
     ;; configure SSL server certificate (required)
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key (required)
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate (required)
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate
@@ -111,17 +111,17 @@ database-password mypass
     port		563
     listen	    ::1
     ;; configure SSL server certificate
-    ;tls-server-certificate "/usr/local/etc/ssl/server.crt"
+    tls-server-certificate "/usr/local/etc/ssl/server.crt"
     ;; configure SSL private key
-    ;tls-server-key "/usr/local/etc/ssl/server.key"
+    tls-server-key "/usr/local/etc/ssl/server.key"
     ;; configure SSL CA certificate
-    ;tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
+    tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
     ;; configure TLS ciphers for TLSv1.3
-    ;tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+    tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     ;; configure TLS ciphers for TLSv1.1 and TLSv1.2
-    ;tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+    tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
     ;; configure allowed TLS version (1.0-1.3)
-    ;tls-version "1.2-1.3"
+    tls-version "1.2-1.3"
     ;; possibility to force the client to authenticate with client certificate (none | optional | require)
     ;tls-verify-client "required"
     ;; define depth for checking client certificate