freedombone/src/freedombone-addcert

357 lines
11 KiB
Plaintext
Raw Normal View History

#!/bin/bash
2015-04-04 14:07:00 +02:00
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
2016-01-27 10:54:02 +01:00
# Create self-signed or Let's Encrypt certificates on Debian
# License
# =======
#
2018-02-21 20:32:13 +01:00
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
2016-02-13 23:09:27 +01:00
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
2016-02-13 23:09:27 +01:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
2016-02-13 23:09:27 +01:00
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2015-11-27 12:42:16 +01:00
PROJECT_NAME='freedombone'
2015-11-27 17:52:23 +01:00
export TEXTDOMAIN=${PROJECT_NAME}-addcert
2015-11-27 12:42:16 +01:00
export TEXTDOMAINDIR="/usr/share/locale"
CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
2018-02-26 14:50:40 +01:00
UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*"
2016-10-10 11:28:37 +02:00
for f in $UTILS_FILES
do
2018-02-26 14:50:40 +01:00
source "$f"
2016-10-10 11:28:37 +02:00
done
2016-06-30 15:59:43 +02:00
# Don't pin certs by default
PIN_CERTS=
HOSTNAME=
remove_cert=
2015-11-17 23:21:40 +01:00
LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US"
2017-09-26 23:47:19 +02:00
AREA="Apparent Free Speech Zone"
LOCATION="Freedomville"
ORGANISATION="Freedombone"
UNIT="Freedombone Unit"
2015-06-14 16:56:46 +02:00
EXTENSIONS=""
NODH=
2015-10-27 15:38:05 +01:00
DH_KEYLENGTH=2048
2015-11-17 23:21:40 +01:00
INSTALL_DIR=/root/build
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_EMAIL_ADDRESS=
function show_help {
2016-07-24 14:19:56 +02:00
echo ''
echo $"${PROJECT_NAME}-addcert -h [hostname] -c [country code] -a [area] -l [location]"
echo $' -o [organisation] -u [unit] --ca "" --nodh ""'
echo ''
echo $'Creates a self-signed certificate for the given hostname'
echo ''
echo $' --help Show help'
echo $' -h --hostname [name] Hostname'
echo $' -e --letsencrypt [hostname] Hostname to use with Lets Encrypt'
echo $' -r --rmletsencrypt [hostname] Remove a Lets Encrypt certificate'
echo $' -s --server [url] Lets Encrypt server URL'
echo $' -c --country [code] Optional country code (eg. US, GB, etc)'
echo $' -a --area [description] Optional area description'
echo $' -l --location [locn] Optional location name'
echo $' -o --organisation [name] Optional organisation name'
echo $' -u --unit [name] Optional unit name'
echo $' --email [address] Email address for letsencrypt'
echo $' --dhkey [bits] DH key length in bits'
echo $' --nodh "" Do not calculate DH params'
echo $' --ca "" Certificate authority cert'
2016-07-24 14:19:56 +02:00
echo ''
exit 0
}
2018-02-25 12:04:13 +01:00
while [ $# -gt 1 ]
do
2016-07-24 14:19:56 +02:00
key="$1"
2016-07-24 14:19:56 +02:00
case $key in
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-e|--letsencrypt)
shift
LETSENCRYPT_HOSTNAME="$1"
;;
-r|--rmletsencrypt)
shift
LETSENCRYPT_HOSTNAME="$1"
remove_cert=1
;;
--email)
shift
MY_EMAIL_ADDRESS="$1"
;;
-s|--server)
shift
LETSENCRYPT_SERVER="$1"
;;
-c|--country)
shift
COUNTRY_CODE="$1"
;;
-a|--area)
shift
AREA="$1"
;;
-l|--location)
shift
LOCATION="$1"
;;
-o|--organisation)
shift
ORGANISATION="$1"
;;
-u|--unit)
shift
UNIT="$1"
;;
--ca)
shift
EXTENSIONS="-extensions v3_ca"
ORGANISATION="Freedombone-CA"
;;
--nodh)
shift
NODH="true"
;;
--dhkey)
shift
2018-02-26 14:50:40 +01:00
DH_KEYLENGTH="${1}"
;;
--pin)
shift
2018-02-26 14:50:40 +01:00
PIN_CERTS="${1}"
;;
*)
# unknown option
;;
2016-07-24 14:19:56 +02:00
esac
shift
done
2018-02-26 14:50:40 +01:00
if [ ! "$HOSTNAME" ]; then
if [ ! "$LETSENCRYPT_HOSTNAME" ]; then
echo $'No hostname specified'
exit 5748
2016-07-24 14:19:56 +02:00
fi
fi
if ! which openssl > /dev/null ;then
2016-07-24 14:19:56 +02:00
echo $"$0: openssl is not installed, exiting" 1>&2
exit 5689
fi
2015-12-12 11:55:16 +01:00
CERTFILE=$HOSTNAME
function remove_cert_letsencrypt {
CERTFILE=$LETSENCRYPT_HOSTNAME
# disable the site if needed
2018-02-26 14:50:40 +01:00
if [ -f "/etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME}" ]; then
if grep -q "443" "/etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME}"; then
nginx_dissite "${LETSENCRYPT_HOSTNAME}"
fi
fi
# remove the cert
2018-02-26 14:50:40 +01:00
rm -rf "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}*"
rm -rf "/etc/letsencrypt/archive/${LETSENCRYPT_HOSTNAME}*"
rm "/etc/letsencrypt/renewal/${LETSENCRYPT_HOSTNAME}.conf"
# restart the web server
systemctl restart nginx
}
2015-12-12 11:55:16 +01:00
function add_cert_letsencrypt {
2016-07-24 14:19:56 +02:00
CERTFILE=$LETSENCRYPT_HOSTNAME
# obtain the email address for the admin user
2018-02-26 14:50:40 +01:00
if [ ! "$MY_EMAIL_ADDRESS" ]; then
if [ -f "$CONFIGURATION_FILE" ]; then
2016-10-13 12:31:28 +02:00
read_config_param MY_EMAIL_ADDRESS
2016-08-08 11:29:52 +02:00
fi
fi
2018-02-26 14:50:40 +01:00
if [ ! "$MY_EMAIL_ADDRESS" ]; then
if [ -f "$COMPLETION_FILE" ]; then
if grep -q "Admin user:" "$COMPLETION_FILE"; then
2016-10-16 20:50:56 +02:00
function_check get_completion_param
ADMIN_USER=$(get_completion_param "Admin user")
if [ ${#ADMIN_USER} -eq 0 ]; then
exit 463732
fi
MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
fi
2016-08-08 11:29:52 +02:00
fi
fi
2016-06-30 15:59:43 +02:00
2016-10-20 20:05:27 +02:00
if [ ! -f /usr/bin/certbot ]; then
apt-get -yq -t stretch-backports install certbot
2017-06-21 22:16:19 +02:00
groupadd ssl-cert
2016-10-20 20:05:27 +02:00
if [ ! -f /usr/bin/certbot ]; then
echo $'LetsEncrypt certbot failed to install'
exit 762830
fi
2016-07-24 14:19:56 +02:00
fi
2016-06-30 15:59:43 +02:00
2016-07-24 14:19:56 +02:00
# stop the web server
systemctl stop nginx
2016-06-30 15:59:43 +02:00
2017-05-19 23:03:45 +02:00
chgrp -R root /etc/letsencrypt
chmod -R 777 /etc/letsencrypt
2018-02-26 14:50:40 +01:00
if ! certbot certonly -n --server "$LETSENCRYPT_SERVER" --standalone -d "$LETSENCRYPT_HOSTNAME" --renew-by-default --agree-tos --email "$MY_EMAIL_ADDRESS"; then
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
2017-05-19 23:15:23 +02:00
echo $'Also see https://letsencrypt.status.io to check for any service outages'
2017-05-19 23:03:45 +02:00
chgrp -R ssl-cert /etc/letsencrypt
2017-05-28 15:31:55 +02:00
chmod -R 600 /etc/letsencrypt
2017-05-19 23:03:45 +02:00
chmod -R g=rX /etc/letsencrypt
chown -R root:ssl-cert /etc/letsencrypt
systemctl start nginx
exit 63216
2016-07-24 14:19:56 +02:00
fi
# replace some legacy filenames
2018-02-26 14:50:40 +01:00
if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt" ]; then
# shellcheck disable=SC2086
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
2016-07-24 14:19:56 +02:00
fi
2018-02-26 14:50:40 +01:00
if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt" ]; then
# shellcheck disable=SC2086
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
2016-07-24 14:19:56 +02:00
fi
2018-02-26 14:50:40 +01:00
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "/etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME"
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "/etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME"
2016-07-24 14:19:56 +02:00
# link the private key
2018-02-26 14:50:40 +01:00
if [ -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key" ]; then
if [ ! -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old" ]; then
# shellcheck disable=SC2086
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
else
2018-02-26 14:50:40 +01:00
rm -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
fi
2016-07-24 14:19:56 +02:00
fi
2018-02-26 14:50:40 +01:00
if [ -L "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key" ]; then
rm "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
2017-02-20 18:57:41 +01:00
fi
2018-02-26 14:50:40 +01:00
ln -s "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem" "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
2016-06-30 15:59:43 +02:00
2016-07-24 14:19:56 +02:00
# link the public key
2018-02-26 14:50:40 +01:00
if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem" ]; then
if [ ! -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old" ]; then
# shellcheck disable=SC2086
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
else
2018-02-26 14:50:40 +01:00
rm -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
fi
2016-07-24 14:19:56 +02:00
fi
2018-02-26 14:50:40 +01:00
if [ -L "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem" ]; then
rm "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
2017-02-20 18:57:41 +01:00
fi
2018-02-26 14:50:40 +01:00
ln -s "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
2016-06-30 15:59:43 +02:00
2018-02-26 14:50:40 +01:00
cp "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" "/etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem"
2016-06-30 15:59:43 +02:00
2016-10-27 23:51:21 +02:00
update_default_domain
# this group can be used to assign read permissions for
# application user accounts
chgrp -R ssl-cert /etc/letsencrypt
2017-05-28 15:31:55 +02:00
chmod -R 600 /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt
chown -R root:ssl-cert /etc/letsencrypt
2018-02-26 14:50:40 +01:00
nginx_ensite "${LETSENCRYPT_HOSTNAME}"
2016-07-24 14:19:56 +02:00
systemctl start nginx
2016-06-30 15:59:43 +02:00
2018-02-26 14:50:40 +01:00
if [ "$PIN_CERTS" ]; then
if ! "${PROJECT_NAME}-pin-cert" "$LETSENCRYPT_HOSTNAME"; then
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
exit 62878
fi
2016-07-24 14:19:56 +02:00
fi
2015-12-12 11:55:16 +01:00
}
function add_cert_selfsigned {
2018-02-26 14:50:40 +01:00
if [[ "$ORGANISATION" == "Freedombone-CA" ]]; then
CERTFILE="ca-$HOSTNAME"
2016-07-24 14:19:56 +02:00
fi
2018-03-04 12:38:02 +01:00
# shellcheck disable=SC2086
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
2018-02-26 14:50:40 +01:00
-newkey rsa:2048 -keyout "/etc/ssl/private/${CERTFILE}.key" \
-out "/etc/ssl/certs/${CERTFILE}.crt"
chmod 400 "/etc/ssl/private/${CERTFILE}.key"
chmod 640 "/etc/ssl/certs/${CERTFILE}.crt"
if [ "$PIN_CERTS" ]; then
if ! "${PROJECT_NAME}-pin-cert" "$CERTFILE"; then
echo $"Certificate for $CERTFILE could not be pinned"
exit 62879
fi
2016-07-24 14:19:56 +02:00
fi
2015-12-12 11:55:16 +01:00
}
2015-12-12 11:55:16 +01:00
function generate_dh_params {
2018-02-26 14:50:40 +01:00
if [ ! "$NODH" ]; then
if [ ! -f "/etc/ssl/certs/${CERTFILE}.dhparam" ]; then
"${PROJECT_NAME}-dhparam" -h "${CERTFILE}" --fast yes
fi
2016-07-24 14:19:56 +02:00
fi
2015-12-12 11:55:16 +01:00
}
2015-12-12 11:55:16 +01:00
function restart_web_server {
2016-07-24 14:19:56 +02:00
if [ -f /etc/init.d/nginx ]; then
/etc/init.d/nginx reload
2016-07-24 14:19:56 +02:00
fi
2015-12-12 11:55:16 +01:00
}
function create_cert {
2018-02-26 14:50:40 +01:00
if [ "$remove_cert" ]; then
remove_cert_letsencrypt
return
fi
2018-02-26 14:50:40 +01:00
if [ "$LETSENCRYPT_HOSTNAME" ]; then
add_cert_letsencrypt
2016-07-24 14:19:56 +02:00
else
add_cert_selfsigned
2016-07-24 14:19:56 +02:00
fi
2015-12-12 11:55:16 +01:00
}
2015-12-12 11:55:16 +01:00
create_cert
generate_dh_params
restart_web_server
2015-11-17 23:21:40 +01:00
exit 0