From 1000297af03696e6865620066f0e4784e3ced0ce Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 26 Oct 2016 16:10:46 +0100
Subject: [PATCH] Improve letsencrypt certs
---
 src/freedombone-app-xmpp | 7 +++++
 src/freedombone-utils-web | 63 ++++++++++++++++++++++++++++-----------
 2 files changed, 52 insertions(+), 18 deletions(-)
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index a2701558..f77907c6 100755
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -308,6 +308,13 @@ function install_xmpp_main {
 if [[ $(app_is_installed xmpp_main) == "1" ]]; then
 return
 fi
+
+ # obtain a cert for the default domain
+ if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+ echo $'Obtaining certificate for the main domain'
+ create_site_certificate ${DEFAULT_DOMAIN_NAME} 'yes'
+ fi
+
 apt-get -yq install lua-sec lua-bitop
 apt-get -yq install prosody prosody-modules mercurial
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index e2c0d5e4..c04c80ff 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
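Review bot: The new guard `if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]` only looks for a `.pem`, and the freedombone-utils-web hunks in this same patch treat `.pem` as the Let's Encrypt artefact (`cert_exists pem`) while a self-signed cert is detected through `.dhparam`; if that reading holds, an install with LETSENCRYPT_ENABLED set to anything but "yes" never produces the `.pem`, so this block re-runs create_site_certificate on every invocation of install_xmpp_main. The expansion is also unquoted inside single-bracket `[ ]`, so an unset DEFAULT_DOMAIN_NAME tests `/etc/ssl/certs/.pem` and then calls create_site_certificate with an empty domain. Suggest `if [[ -n "$DEFAULT_DOMAIN_NAME" && ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]]; then` and, if the utils-web helpers are sourced here, routing the check through `cert_exists "$DEFAULT_DOMAIN_NAME" pem` so the artefact name is defined in one place. install_xmpp_main continues outside the hunk.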
@@ -187,6 +187,43 @@ function check_certificates {
 fi
 }
+function cert_exists {
+ cert_type='dhparam'
+ if [ $2 ]; then
+ cert_type="$2"
+ fi
+ if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then
+ echo "1"
+ else
+ echo "0"
+ fi
+}
+
+function create_self_signed_cert {
+ ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
+ function_check check_certificates
+ check_certificates ${SITE_DOMAIN_NAME}
+}
+
+function create_letsencrypt_cert {
+ ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}
+ if [ ! "$?" = "0" ]; then
+ if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
+ echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
+ ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
+ function_check check_certificates
+ check_certificates ${SITE_DOMAIN_NAME}
+ else
+ echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
+ exit 682529
+ fi
+ return
+ fi
+
+ function_check check_certificates
+ check_certificates ${SITE_DOMAIN_NAME} 'yes'
+}
+
 function create_site_certificate {
 SITE_DOMAIN_NAME="$1"
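Review bot: `cert_exists` never validates `$1`, leaves `cert_type` as a global instead of `local`, and tests `[ $2 ]` and the path unquoted, so an empty domain silently probes `/etc/ssl/certs/.dhparam` and reports "0", indistinguishable from a genuinely missing cert. The self-signed fallback inside `create_letsencrypt_cert` also repeats the three `addcert -h` / `function_check` / `check_certificates` lines that the new `create_self_signed_cert` helper exists for; replacing them with a single `create_self_signed_cert` call keeps the two paths from drifting. Both new helpers read SITE_DOMAIN_NAME, DH_KEYLENGTH and friends as globals set by create_site_certificate, which a header comment such as `# expects SITE_DOMAIN_NAME and DH_KEYLENGTH to be set by create_site_certificate` should say explicitly. A tightened cert_exists follows.
```shell
function cert_exists {
    local domain="$1"
    local cert_type="${2:-dhparam}"
    # an empty domain must not match /etc/ssl/certs/.<type>
    if [[ -n "$domain" && -f "/etc/ssl/certs/${domain}.${cert_type}" ]]; then
        echo "1"
    else
        echo "0"
    fi
}
```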
@@ -197,26 +234,16 @@ function create_site_certificate {
 fi
 if [[ $ONION_ONLY == "no" ]]; then
- if [ ! -f /etc/ssl/certs/${SITE_DOMAIN_NAME}.dhparam ]; then
+ if [[ $(cert_exists) == "0" ]]; then
 if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
- ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
- function_check check_certificates
- check_certificates ${SITE_DOMAIN_NAME}
+ create_self_signed_cert
 else
- ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}
- if [ ! "$?" = "0" ]; then
- if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
- echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
- ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
- function_check check_certificates
- check_certificates ${SITE_DOMAIN_NAME}
- else
- echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
- exit 682529
- fi
- else
- function_check check_certificates
- check_certificates ${SITE_DOMAIN_NAME} 'yes'
+ create_letsencrypt_cert
+ fi
+ else
+ if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then
+ if [[ $(cert_exists pem) == "0" ]]; then
+ create_letsencrypt_cert
 fi
 fi
 fi
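Review bot: Both new `cert_exists` calls omit the domain argument: the helper introduced in the previous hunk takes the domain as `$1` and the type as `$2`, so `$(cert_exists)` tests `/etc/ssl/certs/.dhparam` and `$(cert_exists pem)` tests `/etc/ssl/certs/pem.dhparam`. Both report "0" on any normal system, a certificate is regenerated on every call of create_site_certificate, and the new else branch for an already-present dhparam is unreachable. On the Let's Encrypt path that is more than wasteful, since repeated issuance for the same name counts against the CA's rate limits and can block later renewals. Change the two lines to `if [[ $(cert_exists "${SITE_DOMAIN_NAME}") == "0" ]]; then` and `if [[ $(cert_exists "${SITE_DOMAIN_NAME}" pem) == "0" ]]; then`. create_site_certificate starts before and ends after this hunk.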