From f6358543fb47bd002370deb71ca8660e78663deb Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 17 Nov 2015 22:21:40 +0000 Subject: [PATCH] More preparation for letsencrypt --- man/freedombone-addcert.1.gz | Bin 580 -> 639 bytes src/freedombone | 157 +++++++++++++++++++++-------------- src/freedombone-addcert | 137 +++++++++++++++++++++++------- src/freedombone-controlpanel | 34 +++++++- src/freedombone-renew-cert | 30 +++++-- src/freedombone-sec | 2 +- 6 files changed, 256 insertions(+), 104 deletions(-) diff --git a/man/freedombone-addcert.1.gz b/man/freedombone-addcert.1.gz index 1fb9de8655b7251b0a510d8d1240d9e54c34f0ab..3efbd4111182cbe442998c8f290cd2c0ecd93d99 100644 GIT binary patch literal 639 zcmV-_0)YJ=iwFP@L`zlx1ASB5Zqq;zefL+4{8EsxLy8b3LWradN!8pGCsYvnuwIYt zRqb7CXC27jGfoq=QCuuP*mF5^&e_>;HHOq8CZ>#y#y}*AMC+gne)kj1%oZ-+cR%{z z^ZWg|4%USBf?z6iEehZB!e|WstUn$4UK`x+0Qx}Es>(rXEJ%yODV;%qj!;Xx;{?YE zi!>mWX-uGLRH>4}A%W3wgRv6&Fe>^vn=hi2xiM)1#Ak#bd=HjXJBJ&CbXhsq=rqcmE*4<$scjY z<)|~4gVGQyM@>STgxNS-Vcy-p`%XX`kWrtHLmaw|J87aorsWyLhTwIXDKF% zrBFp%qEOV@@VBh0S7w}tjZRf|7Uq*Q_MB*C@f_J=Y210OMU8)gR#CQW*JR69Nw#cN zL@3WFW9uzO zi_T~<>cO!8`Ra1`;c6cpC|4pi_n-%ZX>cj;>%1Ine>4SW Z?7QwU?(LU}cj;5V;Cuv2Y2ob6=xqRj ze?R@j!Isg!U=J{@tO6mTWC6kLWH}4O5Z#XuCcw(-#z9UNltt;ZDS)xcL)L}C3_7IF zwUQ1Q$iNk*TACww^6hrDPOg(-{;-5yN$iZQ@g712J4LN=b`OfOE+SzkeNX>Y!LB0T zLzD4;1Us^YG@4J57Iv-C&VPkj`G9*5M^m^Gw1HGR?h=MF-_Y3><6KsZ_eYUev*hyb zdcC<`-3H>a^XQ$(=S&_Z;Yx%;Kcaz?{^&@yO(t_c&dt8@=n7hv1%l?W5a6HxPC0HC( zI4-m++cZ*C$EoDfs`wv8v1V?OPpg~FU~-eJo~-WW=+)~dCRC--xXwo}<%MD`bv2Zz zG!GX1s+;DS9{n(xTo=8tUl`fG(8gk)*$Aj=Py`H;dI>Af}YUlAQBr0Pj;uKUzx3X~j|d5IOoFqST7@d>zl%^D)dO z?=H?}=NE_QRJ$6vyUsC8m*JWE+Lrb7@k^H5MR`NtHyJmV51&zQ$ZnC7n?u!COvi^~ S^0)M~m-r1bq1v021ONb%KPI36 diff --git a/src/freedombone b/src/freedombone index 60fe84c7..465daadf 100755 --- a/src/freedombone +++ b/src/freedombone @@ -429,6 +429,9 @@ DH_KEYLENGTH=2048 # repo for atheros AR9271 wifi driver ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git' +LETSENCRYPT_ENABLED="no" +LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' + function show_help { echo '' echo 'freedombone -c [configuration file]' @@ -788,6 +791,9 @@ function read_configuration { fi if [ -f $CONFIGURATION_FILE ]; then + if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then + LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') fi @@ -1185,13 +1191,24 @@ function check_certificates { if [ ! $1 ]; then return fi - if [ ! -f /etc/ssl/private/$1.key ]; then - echo "Private certificate for $CHECK_HOSTNAME was not created" - exit 63959 - fi - if [ ! -f /etc/ssl/certs/$1.crt ]; then - echo "Public certificate for $CHECK_HOSTNAME was not created" - exit 7679 + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + if [ ! -f /etc/ssl/private/$1.key ]; then + echo "Private certificate for $CHECK_HOSTNAME was not created" + exit 63959 + fi + if [ ! -f /etc/ssl/certs/$1.crt ]; then + echo "Public certificate for $CHECK_HOSTNAME was not created" + exit 7679 + fi + else + if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then + echo "Private certificate for $CHECK_HOSTNAME was not created" + exit 6282 + fi + if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then + echo "Public certificate for $CHECK_HOSTNAME was not created" + exit 5328 + fi fi if [ ! -f /etc/ssl/certs/$1.dhparam ]; then echo "Diffie–Hellman parameters for $CHECK_HOSTNAME were not created" @@ -3072,9 +3089,14 @@ function restore_database { echo ' rm -rf $USB_MOUNT' >> $script_name echo ' exit 683' >> $script_name echo ' fi' >> $script_name - echo ' # Ensure that the bundled SSL cert is being used' >> $script_name - echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name - echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name + echo ' if [ -d /etc/letsencrypt/live/${2} ]; then' >> $script_name + echo ' ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> $script_name + echo ' ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> $script_name + echo ' else' >> $script_name + echo ' # Ensure that the bundled SSL cert is being used' >> $script_name + echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name + echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name + echo ' fi' >> $script_name echo ' fi' >> $script_name echo ' fi' >> $script_name echo ' fi' >> $script_name @@ -3698,6 +3720,10 @@ function create_restore_script { echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME + echo " if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME @@ -3739,7 +3765,10 @@ function create_restore_script { echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' done' >> /usr/bin/$RESTORE_SCRIPT_NAME - + echo " if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME + echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME @@ -4822,9 +4851,14 @@ function restore_database_from_friend { echo ' if [ ! "$?" = "0" ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' exit 683' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME - echo ' # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME - echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME - echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' if [ -d /etc/letsencrypt/live/${2} ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' else' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME @@ -5402,6 +5436,10 @@ function restore_from_friend { echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME @@ -5440,6 +5478,10 @@ function restore_from_friend { echo '/$USERNAME/blog/uncategorized/post ' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' done' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME @@ -7128,7 +7170,11 @@ function configure_imap_client_certs { fi # make a CA cert if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then - freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi fi # CA configuration echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf @@ -8142,44 +8188,6 @@ function install_web_server { echo 'install_web_server' >> $COMPLETION_FILE } -function install_letsencrypt { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_letsencrypt" $COMPLETION_FILE; then - return - fi - #apt-get -y install python-pip git - #pip install -U setuptools - #pip install --upgrade cffi - cd $INSTALL_DIR - - # This is experimental developer preview and I hope at some stage - # there will be a debian package for it. - - # obtain the repo - if [ ! -d $INSTALL_DIR/letsencrypt ]; then - git clone https://github.com/letsencrypt/letsencrypt - if [ ! -d $INSTALL_DIR/letsencrypt ]; then - exit 76283 - fi - else - cd $INSTALL_DIR/letsencrypt - git stash - git pull - fi - - cd $INSTALL_DIR/letsencrypt - # TODO this requires user interaction - is there a non-interactive mode? - ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly - if [ ! "$?" = "0" ]; then - echo 'Failed to install letsencrypt' - exit 63216 - fi - - echo 'install_letsencrypt' >> $COMPLETION_FILE -} - function configure_php { sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini @@ -8591,7 +8599,11 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $OWNCLOUD_DOMAIN_NAME fi @@ -8840,7 +8852,11 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $GIT_DOMAIN_NAME fi @@ -9298,7 +9314,11 @@ function install_wiki { rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs fi if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $WIKI_DOMAIN_NAME fi @@ -9582,7 +9602,11 @@ function install_blog { chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $FULLBLOG_DOMAIN_NAME fi @@ -9948,7 +9972,11 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $MICROBLOG_DOMAIN_NAME fi @@ -10244,7 +10272,11 @@ quit" > $INSTALL_DIR/batch.sql configure_php if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $HUBZILLA_DOMAIN_NAME fi @@ -10569,7 +10601,11 @@ function install_mediagoblin { echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then - freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH + else + freedombone-addcert -e $MEDIAGOBLIN_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + fi check_certificates $MEDIAGOBLIN_DOMAIN_NAME fi @@ -11401,7 +11437,6 @@ encrypt_all_email import_email script_for_attaching_usb_drive install_web_server -#install_letsencrypt configure_firewall_for_web_server install_owncloud install_owncloud_music_app diff --git a/src/freedombone-addcert b/src/freedombone-addcert index bbf1fc26..73f83eb9 100755 --- a/src/freedombone-addcert +++ b/src/freedombone-addcert @@ -29,6 +29,7 @@ # along with this program. If not, see . HOSTNAME= +LETSENCRYPT_HOSTNAME= COUNTRY_CODE="US" AREA="Free Speech Zone" LOCATION="Freedomville" @@ -37,6 +38,8 @@ UNIT="Freedombone Unit" EXTENSIONS="" NODH= DH_KEYLENGTH=2048 +INSTALL_DIR=/root/build +LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' function show_help { echo '' @@ -45,16 +48,18 @@ function show_help { echo '' echo 'Creates a self-signed certificate for the given hostname' echo '' - echo ' --help Show help' - echo ' -h --hostname [name] Hostname' - echo ' -c --country [code] Optional country code (eg. US, GB, etc)' - echo ' -a --area [description] Optional area description' - echo ' -l --location [locn] Optional location name' - echo ' -o --organisation [name] Optional organisation name' - echo ' -u --unit [name] Optional unit name' - echo ' --dhkey [bits] DH key length in bits' - echo ' --nodh "" Do not calculate DH params' - echo ' --ca "" Certificate authority cert' + echo ' --help Show help' + echo ' -h --hostname [name] Hostname' + echo ' -e --letsencrypt [hostname] Hostname to use with Lets Encrypt' + echo ' -s --server [url] Lets Encrypt server URL' + echo ' -c --country [code] Optional country code (eg. US, GB, etc)' + echo ' -a --area [description] Optional area description' + echo ' -l --location [locn] Optional location name' + echo ' -o --organisation [name] Optional organisation name' + echo ' -u --unit [name] Optional unit name' + echo ' --dhkey [bits] DH key length in bits' + echo ' --nodh "" Do not calculate DH params' + echo ' --ca "" Certificate authority cert' echo '' exit 0 } @@ -71,6 +76,14 @@ case $key in shift HOSTNAME="$1" ;; + -e|--letsencrypt) + shift + LETSENCRYPT_HOSTNAME="$1" + ;; + -s|--server) + shift + LETSENCRYPT_SERVER="$1" + ;; -c|--country) shift COUNTRY_CODE="$1" @@ -112,8 +125,10 @@ shift done if [ ! $HOSTNAME ]; then - echo 'No hostname specified' - exit 5748 + if [ ! $LETSENCRYPT_HOSTNAME ]; then + echo 'No hostname specified' + exit 5748 + fi fi if ! which openssl > /dev/null ;then @@ -121,34 +136,94 @@ if ! which openssl > /dev/null ;then exit 5689 fi -CERTFILE=$HOSTNAME -if [[ $ORGANISATION == "Freedombone-CA" ]]; then - CERTFILE="ca-$HOSTNAME" +if [ ! -d /etc/ssl/mycerts ]; then + mkdir /etc/ssl/mycerts fi -openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \ +if [ $LETSENCRYPT_HOSTNAME ]; then + CERTFILE=$LETSENCRYPT_HOSTNAME + + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + cd $INSTALL_DIR + + # obtain the repo + if [ ! -d $INSTALL_DIR/letsencrypt ]; then + git clone https://github.com/letsencrypt/letsencrypt + if [ ! -d $INSTALL_DIR/letsencrypt ]; then + exit 76283 + fi + else + cd $INSTALL_DIR/letsencrypt + git stash + git pull + fi + + cd $INSTALL_DIR/letsencrypt + # TODO this requires user interaction - is there a non-interactive mode? + ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME + if [ ! "$?" = "0" ]; then + echo "Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME" + exit 63216 + fi + + # replace some legacy filenames + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + fi + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + fi + sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME + sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME + + # link the private key + if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then + if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then + mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old + fi + fi + ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key + + # link the public key + if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then + if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then + mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old + fi + fi + ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem + + cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem +else + CERTFILE=$HOSTNAME + if [[ $ORGANISATION == "Freedombone-CA" ]]; then + CERTFILE="ca-$HOSTNAME" + fi + + openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \ -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \ -out /etc/ssl/certs/$CERTFILE.crt -if [ ! $NODH ]; then - openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam + chmod 400 /etc/ssl/private/$CERTFILE.key + chmod 640 /etc/ssl/certs/$CERTFILE.crt + cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts +fi + +# generate DH params +if [ ! $NODH ]; then + if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then + openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam + chmod 640 /etc/ssl/certs/$CERTFILE.dhparam + fi fi -chmod 400 /etc/ssl/private/$CERTFILE.key -chmod 640 /etc/ssl/certs/$CERTFILE.crt -chmod 640 /etc/ssl/certs/$CERTFILE.dhparam if [ -f /etc/init.d/nginx ]; then - /etc/init.d/nginx reload + /etc/init.d/nginx reload fi -# add the public certificate to a separate directory -# so that we can redistribute it easily -if [ ! -d /etc/ssl/mycerts ]; then - mkdir /etc/ssl/mycerts -fi -cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts - # Create a bundle of your certificates -cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt -tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt +cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/freedombone-bundle.crt +tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem + exit 0 diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index f92a9428..47a41cbd 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -521,6 +521,30 @@ function reset_tripwire { any_key } +function hubzilla_renew_cert { + dialog --title "Renew SSL certificate" \ + --backtitle "Freedombone Control Panel" \ + --yesno "\nThis will renew a letsencrypt certificate. Select 'yes' to continue" 16 60 + sel=$? + case $sel in + 1) return;; + 255) return;; + esac + HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}') + if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then + dialog --title "Renew SSL certificate" \ + --msgbox "Hubzilla install directory not found" 6 40 + return + fi + freedombone-renew-cert -h $HUBZILLA_DOMAIN_NAME -p 'letsencrypt' + if [ ! "$?" = "0" ]; then + any_key + else + dialog --title "Renew SSL certificate" \ + --msgbox "Hubzilla certificate has been renewed" 6 40 + fi +} + function hubzilla_restore { dialog --title "Restore hubzilla from USB backup" \ --backtitle "Freedombone Control Panel" \ @@ -542,7 +566,7 @@ function hubzilla_channel_directory_server { return fi HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}') - if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then + if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then dialog --title "Hubzilla channel directory server" \ --msgbox "Hubzilla install directory not found" 6 40 return @@ -713,10 +737,11 @@ function menu_hubzilla { trap "rm -f $data" 0 1 2 5 15 dialog --backtitle "Freedombone Control Panel" \ --title "Hubzilla" \ - --radiolist "Choose an operation:" 12 70 3 \ + --radiolist "Choose an operation:" 13 70 4 \ 1 "Restore from usb backup" off \ 2 "Set channel directory server" off \ - 3 "Back to main menu" on 2> $data + 3 "Renew SSL certificate" off \ + 4 "Back to main menu" on 2> $data sel=$? case $sel in 1) break;; @@ -725,7 +750,8 @@ function menu_hubzilla { case $(cat $data) in 1) hubzilla_restore;; 2) hubzilla_channel_directory_server;; - 3) break;; + 3) hubzilla_renew_cert;; + 4) break;; esac done } diff --git a/src/freedombone-renew-cert b/src/freedombone-renew-cert index 796ce6f6..46cda431 100755 --- a/src/freedombone-renew-cert +++ b/src/freedombone-renew-cert @@ -30,6 +30,8 @@ HOSTNAME= PROVIDER='startssl' +DH_KEYLENGTH=2048 +LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' function show_help { echo '' @@ -44,14 +46,28 @@ function show_help { exit 0 } -function renew_startssl { - echo "Renewing Let's Encrypt certificate" - letsencrypt renew \ - --cert-path /etc/ssl/certs/$HOSTNAME.crt \ - --key-path /etc/ssl/private/$HOSTNAME.key - if [ ! "$?" = "0" ]; then - echo "Unable to renew Let's encrypt certificate" +function renew_letsencrypt { + if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then + echo "Adding Let's Encrypt certificate" + freedombone-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + if [ ! "$?" = "0" ]; then + echo "Unable to add Let's encrypt certificate" + exit 6328 + fi + else + echo "Renewing Let's Encrypt certificate" + letsencrypt renew \ + --cert-path /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem \ + --key-path /etc/letsencrypt/live/${HOSTNAME}/privkey.pem + if [ ! "$?" = "0" ]; then + echo "Unable to renew Let's encrypt certificate" + exit 2624 + fi fi + + # Ensure that links are in place + ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key + ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem } function renew_startssl { diff --git a/src/freedombone-sec b/src/freedombone-sec index 8fd18857..1c2eeb5e 100755 --- a/src/freedombone-sec +++ b/src/freedombone-sec @@ -452,7 +452,7 @@ function renew_letsencrypt { return fi - freedombone-renew-cert -h $renew_domain -p letsencrypt + freedombone-renew-cert -h $renew_domain -p 'letsencrypt' exit 0 }