freedomboneeee/src/freedombone-renew-cert

225 lines
7.6 KiB
Plaintext
Raw Normal View History

#!/bin/bash
2015-04-04 14:07:00 +02:00
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# A script for renewing SSL/TLS certificates
# License
# =======
#
2016-10-31 17:24:49 +01:00
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
2016-02-13 23:09:27 +01:00
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
2016-02-13 23:09:27 +01:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
2016-02-13 23:09:27 +01:00
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2015-11-27 12:42:16 +01:00
PROJECT_NAME='freedombone'
2015-11-27 17:52:23 +01:00
export TEXTDOMAIN=${PROJECT_NAME}-renew-cert
2015-11-27 12:42:16 +01:00
export TEXTDOMAINDIR="/usr/share/locale"
HOSTNAME=
PROVIDER='startssl'
2015-11-17 23:21:40 +01:00
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
2016-01-02 14:14:56 +01:00
INSTALL_DIR=/root/build
function show_help {
echo ''
2015-12-08 17:22:48 +01:00
echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"
echo ''
2015-11-27 16:29:43 +01:00
echo $'Makes it easier to renew a ssl/tls certificate for a website'
echo ''
2015-11-27 16:29:43 +01:00
echo $' --help Show help'
echo $' -h --hostname [name] Hostname'
echo $' -p --provider [name] eg. startssl/letsencrypt'
echo ''
exit 0
}
2015-11-17 23:21:40 +01:00
function renew_letsencrypt {
if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
2015-11-27 16:29:43 +01:00
echo $"Adding Let's Encrypt certificate"
2015-11-17 23:21:40 +01:00
else
2015-11-27 16:29:43 +01:00
echo $"Renewing Let's Encrypt certificate"
2016-01-02 14:14:56 +01:00
fi
${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
if [ ! "$?" = "0" ]; then
echo $"Unable to add Let's encrypt certificate"
exit 6328
2015-11-04 11:29:22 +01:00
fi
2015-11-17 23:21:40 +01:00
# Ensure that links are in place
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
2015-12-10 16:31:56 +01:00
${PROJECT_NAME}-pin-cert $HOSTNAME remove
2015-11-04 11:10:18 +01:00
}
function renew_startssl {
2015-11-27 16:29:43 +01:00
echo $'Renewing StartSSL certificate'
if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
2015-11-27 16:29:43 +01:00
echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
return
fi
cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
if [ ! -d /etc/ssl/roots ]; then
mkdir /etc/ssl/roots
fi
if [ ! -d /etc/ssl/chains ]; then
mkdir /etc/ssl/chains
fi
# download intermediate certs
wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
# remove the password from the private cert
openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
shred -zu /etc/ssl/private/$HOSTNAME.new.key
# bundle the cert
cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
# add it to mycerts
cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
2015-12-08 17:22:48 +01:00
cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt
tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt
# create backups
if [ ! -d /etc/ssl/backups ]; then
mkdir /etc/ssl/backups
fi
if [ ! -d /etc/ssl/backups/certs ]; then
mkdir /etc/ssl/backups/certs
fi
if [ ! -d /etc/ssl/backups/private ]; then
mkdir /etc/ssl/backups/private
fi
cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
chmod -R 400 /etc/ssl/backups/certs/*
chmod -R 400 /etc/ssl/backups/private/*
rm /etc/ssl/certs/$HOSTNAME.new.crt
rm /etc/ssl/requests/$HOSTNAME.csr
# update your site to include the bundle
sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME
2015-11-27 16:29:43 +01:00
echo $'Certificate installed'
2017-06-01 14:01:37 +02:00
systemctl restart nginx
return
fi
if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
2015-11-27 16:29:43 +01:00
echo $'Certificate request already created:'
echo ''
cat /etc/ssl/requests/$HOSTNAME.csr
echo ''
2015-11-27 16:29:43 +01:00
echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
echo $'then run this command again.'
echo ''
return
fi
openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
chmod 440 /etc/ssl/private/$HOSTNAME.new.key
if [ ! -d /etc/ssl/requests ]; then
mkdir /etc/ssl/requests
fi
openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
echo ''
cat /etc/ssl/requests/$HOSTNAME.csr
echo ''
2015-11-27 16:29:43 +01:00
echo $'On the StartSSL site select Certificates Wizard then'
echo $'Web server SSL/TLS Certificate. You can then click on "skip"'
echo $'and then copy and paste the above certificate request into the text'
echo $'entry box. You may now need to wait a few hours for a confirmation'
echo $'email indicating that the new certificate was created.'
echo ''
2015-11-27 16:29:43 +01:00
echo $'Once you have retrieved the new public certificate paste it to:'
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
echo ''
2015-12-10 16:31:56 +01:00
${PROJECT_NAME}-pin-cert $HOSTNAME remove
}
while [[ $# > 1 ]]
do
key="$1"
case $key in
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-p|--provider)
shift
PROVIDER="$1"
;;
*)
# unknown option
;;
esac
shift
done
if [ ! $HOSTNAME ]; then
2015-11-27 16:29:43 +01:00
echo $'No hostname specified'
exit 5748
fi
if ! which openssl > /dev/null ;then
2015-11-27 16:29:43 +01:00
echo $"$0: openssl is not installed, exiting" 1>&2
exit 5689
fi
# check that the web site exists
if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then
2015-11-27 16:29:43 +01:00
echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"
2015-04-03 19:26:48 +02:00
exit 7598
fi
if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
renew_startssl
else
2015-11-04 11:29:22 +01:00
if [[ $PROVIDER == 'letsencrypt' ]]; then
renew_letsencrypt
else
2015-11-27 16:29:43 +01:00
echo $"$PROVIDER is not currently supported"
2015-11-04 11:29:22 +01:00
fi
fi
exit 0