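#!/bin/bash
#
# Freedom in the Cloud
#
# freedombone-addcert: create a self-signed certificate for a hostname on
# Debian, or obtain one from Let's Encrypt, then generate DH parameters and
# rebuild the bundle of locally issued certificates under /etc/ssl.
#
# Usage: freedombone-addcert -h <hostname> [options]   (see show_help)
# Must run as root: it writes below /etc/ssl and /root/build.
#
# License
# =======
#
# Copyright (C) 2015 Bob Mottram
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'
export TEXTDOMAIN=$PROJECT_NAME
export TEXTDOMAINDIR="/usr/share/locale"

# Option state. HOSTNAME deliberately shadows bash's own HOSTNAME variable
# (the original script did the same); it becomes the certificate CN.
HOSTNAME=
LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US"
AREA="Free Speech Zone"
LOCATION="Freedomville"
ORGANISATION="Freedombone"
UNIT="Freedombone Unit"
# Extra arguments for "openssl req", kept as an array so that the empty
# default expands to no argument at all rather than an empty string.
EXTENSIONS=()
NODH=
DH_KEYLENGTH=2048
INSTALL_DIR=/root/build
# Default kept for compatibility; the ACME v1 endpoint has since been retired
# by Let's Encrypt, so pass a current directory URL with -s/--server.
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

# Exit codes used by the original script. NB: bash reports exit status modulo
# 256, so callers actually observe 116, 57, 251 and 240 respectively.
readonly EXIT_NO_HOSTNAME=5748
readonly EXIT_NO_OPENSSL=5689
readonly EXIT_NO_REPO=76283
readonly EXIT_LETSENCRYPT_FAILED=63216

#######################################
# Print usage to stdout and exit 0.
#######################################
show_help() {
  cat <<'EOF'

freedombone-addcert -h [hostname] -c [country code] -a [area] -l [location]
                    -o [organisation] -u [unit] --ca --nodh

Creates a self-signed certificate for the given hostname

     --help                       Show help
  -h --hostname [name]            Hostname
  -e --letsencrypt [hostname]     Hostname to use with Lets Encrypt
  -s --server [url]               Lets Encrypt server URL
  -c --country [code]             Optional country code (eg. US, GB, etc)
  -a --area [description]         Optional area description
  -l --location [locn]            Optional location name
  -o --organisation [name]        Optional organisation name
  -u --unit [name]                Optional unit name
     --dhkey [bits]               DH key length in bits
     --nodh                       Do not calculate DH params
     --ca                         Certificate authority cert

EOF
  exit 0
}

#######################################
# Abort when an option that needs a value was given as the last argument.
# Arguments: $1 - option name (for the message), $2 - remaining argc
#######################################
require_value() {
  if [[ "$2" -lt 2 ]]; then
    echo "$0: option $1 requires a value" 1>&2
    exit 1
  fi
}

#######################################
# Replace $2 with a symlink to $1, keeping one backup ($2.old) of a real file.
# A symlink left by an earlier run is replaced; a regular file whose backup
# slot is already taken is left untouched so that a key is never clobbered.
# Arguments: $1 - link target, $2 - link path
# Returns:   0 on success, 1 if $2 was left in place
#######################################
link_into_place() {
  local src="$1" dst="$2"
  if [[ -f "$dst" && ! -L "$dst" ]]; then
    if [[ -f "$dst.old" ]]; then
      echo "$0: $dst.old already exists, not replacing $dst" 1>&2
      return 1
    fi
    mv -- "$dst" "$dst.old"
  fi
  ln -sfn -- "$src" "$dst"
}

# Argument parsing. The loop runs while any argument remains (the original
# "$# > 1" test silently dropped a trailing flag, which is why --ca and --nodh
# used to need a dummy "" value; that value is still accepted and ignored).
while [[ $# -gt 0 ]]; do
  key="$1"
  case "$key" in
    --help)
      show_help
      ;;
    -h|--hostname)
      require_value "$key" "$#"
      HOSTNAME="$2"
      shift
      ;;
    -e|--letsencrypt)
      require_value "$key" "$#"
      LETSENCRYPT_HOSTNAME="$2"
      shift
      ;;
    -s|--server)
      require_value "$key" "$#"
      LETSENCRYPT_SERVER="$2"
      shift
      ;;
    -c|--country)
      require_value "$key" "$#"
      COUNTRY_CODE="$2"
      shift
      ;;
    -a|--area)
      require_value "$key" "$#"
      AREA="$2"
      shift
      ;;
    -l|--location)
      require_value "$key" "$#"
      LOCATION="$2"
      shift
      ;;
    -o|--organisation)
      require_value "$key" "$#"
      ORGANISATION="$2"
      shift
      ;;
    -u|--unit)
      require_value "$key" "$#"
      UNIT="$2"
      shift
      ;;
    --ca)
      EXTENSIONS=(-extensions v3_ca)
      ORGANISATION="Freedombone-CA"
      # swallow the legacy "" placeholder if present
      [[ $# -ge 2 && -z "$2" ]] && shift
      ;;
    --nodh)
      NODH="true"
      [[ $# -ge 2 && -z "$2" ]] && shift
      ;;
    --dhkey)
      require_value "$key" "$#"
      DH_KEYLENGTH="$2"
      if [[ ! "$DH_KEYLENGTH" =~ ^[0-9]+$ ]]; then
        echo "$0: --dhkey expects a number of bits, got '$DH_KEYLENGTH'" 1>&2
        exit 1
      fi
      shift
      ;;
    *)
      # unknown option: warn but keep going, as the original ignored it
      echo "$0: ignoring unknown option '$key'" 1>&2
      ;;
  esac
  shift
done

if [[ -z "$HOSTNAME" && -z "$LETSENCRYPT_HOSTNAME" ]]; then
  echo 'No hostname specified'
  exit "$EXIT_NO_HOSTNAME"
fi

if ! command -v openssl > /dev/null; then
  echo "$0: openssl is not installed, exiting" 1>&2
  exit "$EXIT_NO_OPENSSL"
fi

mkdir -p /etc/ssl/mycerts

if [[ -n "$LETSENCRYPT_HOSTNAME" ]]; then
  CERTFILE="$LETSENCRYPT_HOSTNAME"
  mkdir -p "$INSTALL_DIR"
  cd "$INSTALL_DIR" || exit "$EXIT_NO_REPO"

  # obtain the repo
  # NOTE: this fetches whatever the remote branch currently is and then runs
  # it as root; nothing pins a revision or verifies a signature/tag.
  if [[ ! -d "$INSTALL_DIR/letsencrypt" ]]; then
    git clone https://github.com/letsencrypt/letsencrypt
    if [[ ! -d "$INSTALL_DIR/letsencrypt" ]]; then
      exit "$EXIT_NO_REPO"
    fi
  else
    cd "$INSTALL_DIR/letsencrypt" || exit "$EXIT_NO_REPO"
    git stash
    git pull
  fi
  cd "$INSTALL_DIR/letsencrypt" || exit "$EXIT_NO_REPO"

  # TODO this requires user interaction - is there a non-interactive mode?
  if ! ./letsencrypt-auto certonly --server "$LETSENCRYPT_SERVER" \
         --standalone -d "$LETSENCRYPT_HOSTNAME"; then
    echo "Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
    exit "$EXIT_LETSENCRYPT_FAILED"
  fi

  # replace some legacy filenames
  cert_dir=/etc/ssl/certs
  if [[ -f "$cert_dir/${LETSENCRYPT_HOSTNAME}.bundle.crt" ]]; then
    mv -- "$cert_dir/${LETSENCRYPT_HOSTNAME}.bundle.crt" "$cert_dir/${LETSENCRYPT_HOSTNAME}.pem"
  fi
  if [[ -f "$cert_dir/${LETSENCRYPT_HOSTNAME}.crt" ]]; then
    mv -- "$cert_dir/${LETSENCRYPT_HOSTNAME}.crt" "$cert_dir/${LETSENCRYPT_HOSTNAME}.pem"
  fi

  # point the nginx site at the renamed certificate, if that site exists
  # (the hostname is interpolated into the sed expression; it must not contain '|')
  nginx_site="/etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME"
  if [[ -f "$nginx_site" ]]; then
    sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "$nginx_site"
    sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "$nginx_site"
  fi

  # link the private key (a previous real key is kept once as .key.old)
  link_into_place "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem" \
    "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"

  # link the public key
  link_into_place "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" \
    "$cert_dir/${LETSENCRYPT_HOSTNAME}.pem"
  cp "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" \
    "/etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem"
else
  CERTFILE="$HOSTNAME"
  if [[ "$ORGANISATION" == "Freedombone-CA" ]]; then
    CERTFILE="ca-$HOSTNAME"
  fi
  # The DN fields come straight from the command line; openssl treats '/' in
  # any of them as a field separator. Only the CN is set — no subjectAltName,
  # which newer clients require for hostname matching (-addext on OpenSSL
  # 1.1.1+ could add one). -nodes leaves the key unencrypted; it is protected
  # by the 0400 mode below.
  if ! openssl req -x509 "${EXTENSIONS[@]}" -nodes -days 3650 -sha256 \
       -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
       -newkey rsa:4096 -keyout "/etc/ssl/private/$CERTFILE.key" \
       -out "/etc/ssl/certs/$CERTFILE.crt"; then
    echo "$0: failed to create a certificate for $HOSTNAME" 1>&2
    exit 1
  fi
  chmod 400 "/etc/ssl/private/$CERTFILE.key"
  chmod 640 "/etc/ssl/certs/$CERTFILE.crt"
  cp "/etc/ssl/certs/$CERTFILE.crt" /etc/ssl/mycerts
fi

# generate DH params (only once per certificate name)
if [[ -z "$NODH" ]]; then
  if [[ ! -f "/etc/ssl/certs/$CERTFILE.dhparam" ]]; then
    openssl dhparam -check -text -5 "$DH_KEYLENGTH" -out "/etc/ssl/certs/$CERTFILE.dhparam"
    chmod 640 "/etc/ssl/certs/$CERTFILE.dhparam"
  fi
fi

if [[ -f /etc/init.d/nginx ]]; then
  /etc/init.d/nginx reload
fi

# Create a bundle of your certificates. nullglob so that a missing .crt or
# .pem set does not leave a literal "*.pem" for cat/tar to choke on.
shopt -s nullglob
bundle_files=(/etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem)
shopt -u nullglob
if [[ ${#bundle_files[@]} -gt 0 ]]; then
  cat "${bundle_files[@]}" > /etc/ssl/freedombone-bundle.crt
  tar -czvf /etc/ssl/freedombone-certs.tar.gz "${bundle_files[@]}"
fi

exit 0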