Check on dhparam creation

This commit is contained in:
Bob Mottram 2015-12-02 08:31:18 +00:00
parent 884a1cb2ed
commit 736ce5e2fb
2 changed files with 57 additions and 51 deletions


@ -130,10 +130,10 @@ shift
done done
if [ ! $HOSTNAME ]; then if [ ! $HOSTNAME ]; then
if [ ! $LETSENCRYPT_HOSTNAME ]; then if [ ! $LETSENCRYPT_HOSTNAME ]; then
echo $'No hostname specified' echo $'No hostname specified'
exit 5748 exit 5748
fi fi
fi fi
if ! which openssl > /dev/null ;then if ! which openssl > /dev/null ;then
@ -148,56 +148,56 @@ fi
if [ $LETSENCRYPT_HOSTNAME ]; then if [ $LETSENCRYPT_HOSTNAME ]; then
CERTFILE=$LETSENCRYPT_HOSTNAME CERTFILE=$LETSENCRYPT_HOSTNAME
if [ ! -d $INSTALL_DIR ]; then if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR mkdir -p $INSTALL_DIR
fi fi
cd $INSTALL_DIR cd $INSTALL_DIR
# obtain the repo # obtain the repo
if [ ! -d $INSTALL_DIR/letsencrypt ]; then if [ ! -d $INSTALL_DIR/letsencrypt ]; then
git clone https://github.com/letsencrypt/letsencrypt git clone https://github.com/letsencrypt/letsencrypt
if [ ! -d $INSTALL_DIR/letsencrypt ]; then if [ ! -d $INSTALL_DIR/letsencrypt ]; then
exit 76283 exit 76283
fi fi
else else
cd $INSTALL_DIR/letsencrypt cd $INSTALL_DIR/letsencrypt
git stash git stash
git pull git pull
fi fi
cd $INSTALL_DIR/letsencrypt cd $INSTALL_DIR/letsencrypt
# TODO this requires user interaction - is there a non-interactive mode? # TODO this requires user interaction - is there a non-interactive mode?
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
exit 63216 exit 63216
fi fi
# replace some legacy filenames # replace some legacy filenames
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi fi
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi fi
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
# link the private key # link the private key
if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
fi fi
fi fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
# link the public key # link the public key
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
fi fi
fi fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
else else
@ -217,10 +217,13 @@ fi
# generate DH params # generate DH params
if [ ! $NODH ]; then if [ ! $NODH ]; then
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam if [ ! "$?" = "0" ]; then
fi exit 72428
fi
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
fi
fi fi
if [ -f /etc/init.d/nginx ]; then if [ -f /etc/init.d/nginx ]; then
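Review bot: The added status check after the `openssl dhparam ... -out /etc/ssl/certs/$CERTFILE.dhparam` call exits without removing whatever `-out` may already have written, and since the surrounding `if [ ! -f ... ]` guard only tests for existence, a re-run after a failure may skip generation and leave a truncated or empty parameter file for nginx to load. Deleting the output on the failure path keeps the retry sound: `if ! openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam; then rm -f -- /etc/ssl/certs/$CERTFILE.dhparam; exit 72428; fi`. The same concern applies to the new check in regenerate_dh_keys in the second file, where the target is an existing file. Separately, the shell keeps only the low 8 bits of an exit status, so `exit 72428` is seen by callers as 236; this follows the file's existing convention, but the distinct codes are not observable.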


@ -372,6 +372,9 @@ function regenerate_dh_keys {
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
if [ -f $filename ]; then if [ -f $filename ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
if [ ! "$?" = "0" ]; then
exit 3674
fi
ctr=$((ctr + 1)) ctr=$((ctr + 1))
fi fi
fi fi
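Review bot: The new failure check in regenerate_dh_keys runs only after `-out $filename` has been opened for writing, and because this branch is entered only when `$filename` already exists, a failed regeneration may leave the previously working, in-use parameter file truncated before the script exits with 3674. Generating into a sibling temporary name and renaming it over `$filename` only on success keeps the old parameters intact when openssl fails. The bare `exit` from inside the function also gives no indication of which certificate failed; an `echo $"..."` message before exiting would match the error reporting used elsewhere in this file. regenerate_dh_keys begins outside the hunk.
```shell
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out "${filename}.new"
if [ ! "$?" = "0" ]; then
    echo $"Failed to regenerate DH parameters for $filename"
    rm -f -- "${filename}.new"
    exit 3674
fi
mv -- "${filename}.new" "$filename"
ctr=$((ctr + 1))
```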