free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Include backup pin for certificates

This commit is contained in:
Bob Mottram 2016-08-08 20:23:27 +01:00
parent 019c3ba542
commit ec9395fcec
No known key found for this signature in database
GPG Key ID: 0452CC7CEA982E38
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/freedombone-pin-cert
View File

@ -35,10 +35,16 @@ export TEXTDOMAINDIR="/usr/share/locale"
DOMAIN_NAME=$1 DOMAIN_NAME=$1
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME} SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
if [ ! -f "$KEY_FILENAME" ]; then if [ ! -f "$KEY_FILENAME" ]; then
echo $"No certificate found for $DOMAIN_NAME" echo $"No private key certificate found for $DOMAIN_NAME"
exit 1
fi
if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
echo $"No fullchain certificate found for $DOMAIN_NAME"
exit 1 exit 1
fi fi
@ -47,8 +53,9 @@ if [ ! -f "$SITE_FILENAME" ]; then
fi fi
KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64) KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';" PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
sed -i "/ssl_ciphers.*/a $PIN_HEADER" $SITE_FILENAME sed -i "/ssl_ciphers.*/a $PIN_HEADER" $SITE_FILENAME
else else