free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

More preparation for letsencrypt

This commit is contained in:
Bob Mottram 2015-11-17 22:21:40 +00:00
parent b30d4219fe
commit f6358543fb
6 changed files with 256 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
man/freedombone-addcert.1.gz
View File

Binary file not shown.

157
src/freedombone
View File

@ -429,6 +429,9 @@ DH_KEYLENGTH=2048
# repo for atheros AR9271 wifi driver # repo for atheros AR9271 wifi driver
ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git' ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git'
LETSENCRYPT_ENABLED="no"
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
function show_help { function show_help {
echo '' echo ''
echo 'freedombone -c [configuration file]' echo 'freedombone -c [configuration file]'
@ -788,6 +791,9 @@ function read_configuration {
fi fi
if [ -f $CONFIGURATION_FILE ]; then if [ -f $CONFIGURATION_FILE ]; then
if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then
LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then
HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi fi
@ -1185,13 +1191,24 @@ function check_certificates {
if [ ! $1 ]; then if [ ! $1 ]; then
return return
fi fi
if [ ! -f /etc/ssl/private/$1.key ]; then if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
echo "Private certificate for $CHECK_HOSTNAME was not created" if [ ! -f /etc/ssl/private/$1.key ]; then
exit 63959 echo "Private certificate for $CHECK_HOSTNAME was not created"
fi exit 63959
if [ ! -f /etc/ssl/certs/$1.crt ]; then fi
echo "Public certificate for $CHECK_HOSTNAME was not created" if [ ! -f /etc/ssl/certs/$1.crt ]; then
exit 7679 echo "Public certificate for $CHECK_HOSTNAME was not created"
exit 7679
fi
else
if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
echo "Private certificate for $CHECK_HOSTNAME was not created"
exit 6282
fi
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
echo "Public certificate for $CHECK_HOSTNAME was not created"
exit 5328
fi
fi fi
if [ ! -f /etc/ssl/certs/$1.dhparam ]; then if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
echo "DiffieHellman parameters for $CHECK_HOSTNAME were not created" echo "DiffieHellman parameters for $CHECK_HOSTNAME were not created"
@ -3072,9 +3089,14 @@ function restore_database {
echo ' rm -rf $USB_MOUNT' >> $script_name echo ' rm -rf $USB_MOUNT' >> $script_name
echo ' exit 683' >> $script_name echo ' exit 683' >> $script_name
echo ' fi' >> $script_name echo ' fi' >> $script_name
echo ' # Ensure that the bundled SSL cert is being used' >> $script_name echo ' if [ -d /etc/letsencrypt/live/${2} ]; then' >> $script_name
echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name echo ' ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> $script_name
echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name echo ' ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> $script_name
echo ' else' >> $script_name
echo ' # Ensure that the bundled SSL cert is being used' >> $script_name
echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name
echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name
echo ' fi' >> $script_name
echo ' fi' >> $script_name echo ' fi' >> $script_name
echo ' fi' >> $script_name echo ' fi' >> $script_name
echo ' fi' >> $script_name echo ' fi' >> $script_name
@ -3698,6 +3720,10 @@ function create_restore_script {
echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_SCRIPT_NAME echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
@ -3739,7 +3765,10 @@ function create_restore_script {
echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo ' done' >> /usr/bin/$RESTORE_SCRIPT_NAME echo ' done' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
@ -4822,9 +4851,14 @@ function restore_database_from_friend {
echo ' if [ ! "$?" = "0" ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' if [ ! "$?" = "0" ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' exit 683' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' exit 683' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' if [ -d /etc/letsencrypt/live/${2} ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' else' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
@ -5402,6 +5436,10 @@ function restore_from_friend {
echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo " if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo " sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
@ -5440,6 +5478,10 @@ function restore_from_friend {
echo '/$USERNAME/blog/uncategorized/post ' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '/$USERNAME/blog/uncategorized/post ' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' done' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' done' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo " ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
@ -7128,7 +7170,11 @@ function configure_imap_client_certs {
fi fi
# make a CA cert # make a CA cert
if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
fi fi
# CA configuration # CA configuration
echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
@ -8142,44 +8188,6 @@ function install_web_server {
echo 'install_web_server' >> $COMPLETION_FILE echo 'install_web_server' >> $COMPLETION_FILE
} }
function install_letsencrypt {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return
fi
if grep -Fxq "install_letsencrypt" $COMPLETION_FILE; then
return
fi
#apt-get -y install python-pip git
#pip install -U setuptools
#pip install --upgrade cffi
cd $INSTALL_DIR
# This is experimental developer preview and I hope at some stage
# there will be a debian package for it.
# obtain the repo
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
git clone https://github.com/letsencrypt/letsencrypt
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
exit 76283
fi
else
cd $INSTALL_DIR/letsencrypt
git stash
git pull
fi
cd $INSTALL_DIR/letsencrypt
# TODO this requires user interaction - is there a non-interactive mode?
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
if [ ! "$?" = "0" ]; then
echo 'Failed to install letsencrypt'
exit 63216
fi
echo 'install_letsencrypt' >> $COMPLETION_FILE
}
function configure_php { function configure_php {
sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
@ -8591,7 +8599,11 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $OWNCLOUD_DOMAIN_NAME check_certificates $OWNCLOUD_DOMAIN_NAME
fi fi
@ -8840,7 +8852,11 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $GIT_DOMAIN_NAME check_certificates $GIT_DOMAIN_NAME
fi fi
@ -9298,7 +9314,11 @@ function install_wiki {
rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
fi fi
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $WIKI_DOMAIN_NAME check_certificates $WIKI_DOMAIN_NAME
fi fi
@ -9582,7 +9602,11 @@ function install_blog {
chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $FULLBLOG_DOMAIN_NAME check_certificates $FULLBLOG_DOMAIN_NAME
fi fi
@ -9948,7 +9972,11 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $MICROBLOG_DOMAIN_NAME check_certificates $MICROBLOG_DOMAIN_NAME
fi fi
@ -10244,7 +10272,11 @@ quit" > $INSTALL_DIR/batch.sql
configure_php configure_php
if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $HUBZILLA_DOMAIN_NAME check_certificates $HUBZILLA_DOMAIN_NAME
fi fi
@ -10569,7 +10601,11 @@ function install_mediagoblin {
echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
freedombone-addcert -e $MEDIAGOBLIN_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $MEDIAGOBLIN_DOMAIN_NAME check_certificates $MEDIAGOBLIN_DOMAIN_NAME
fi fi
@ -11401,7 +11437,6 @@ encrypt_all_email
import_email import_email
script_for_attaching_usb_drive script_for_attaching_usb_drive
install_web_server install_web_server
#install_letsencrypt
configure_firewall_for_web_server configure_firewall_for_web_server
install_owncloud install_owncloud
install_owncloud_music_app install_owncloud_music_app

137
src/freedombone-addcert
View File

@ -29,6 +29,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
HOSTNAME= HOSTNAME=
LETSENCRYPT_HOSTNAME=
COUNTRY_CODE="US" COUNTRY_CODE="US"
AREA="Free Speech Zone" AREA="Free Speech Zone"
LOCATION="Freedomville" LOCATION="Freedomville"
@ -37,6 +38,8 @@ UNIT="Freedombone Unit"
EXTENSIONS="" EXTENSIONS=""
NODH= NODH=
DH_KEYLENGTH=2048 DH_KEYLENGTH=2048
INSTALL_DIR=/root/build
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
function show_help { function show_help {
echo '' echo ''
@ -45,16 +48,18 @@ function show_help {
echo '' echo ''
echo 'Creates a self-signed certificate for the given hostname' echo 'Creates a self-signed certificate for the given hostname'
echo '' echo ''
echo ' --help Show help' echo ' --help Show help'
echo ' -h --hostname [name] Hostname' echo ' -h --hostname [name] Hostname'
echo ' -c --country [code] Optional country code (eg. US, GB, etc)' echo ' -e --letsencrypt [hostname] Hostname to use with Lets Encrypt'
echo ' -a --area [description] Optional area description' echo ' -s --server [url] Lets Encrypt server URL'
echo ' -l --location [locn] Optional location name' echo ' -c --country [code] Optional country code (eg. US, GB, etc)'
echo ' -o --organisation [name] Optional organisation name' echo ' -a --area [description] Optional area description'
echo ' -u --unit [name] Optional unit name' echo ' -l --location [locn] Optional location name'
echo ' --dhkey [bits] DH key length in bits' echo ' -o --organisation [name] Optional organisation name'
echo ' --nodh "" Do not calculate DH params' echo ' -u --unit [name] Optional unit name'
echo ' --ca "" Certificate authority cert' echo ' --dhkey [bits] DH key length in bits'
echo ' --nodh "" Do not calculate DH params'
echo ' --ca "" Certificate authority cert'
echo '' echo ''
exit 0 exit 0
} }
@ -71,6 +76,14 @@ case $key in
shift shift
HOSTNAME="$1" HOSTNAME="$1"
;; ;;
-e|--letsencrypt)
shift
LETSENCRYPT_HOSTNAME="$1"
;;
-s|--server)
shift
LETSENCRYPT_SERVER="$1"
;;
-c|--country) -c|--country)
shift shift
COUNTRY_CODE="$1" COUNTRY_CODE="$1"
@ -112,8 +125,10 @@ shift
done done
if [ ! $HOSTNAME ]; then if [ ! $HOSTNAME ]; then
echo 'No hostname specified' if [ ! $LETSENCRYPT_HOSTNAME ]; then
exit 5748 echo 'No hostname specified'
exit 5748
fi
fi fi
if ! which openssl > /dev/null ;then if ! which openssl > /dev/null ;then
@ -121,34 +136,94 @@ if ! which openssl > /dev/null ;then
exit 5689 exit 5689
fi fi
CERTFILE=$HOSTNAME if [ ! -d /etc/ssl/mycerts ]; then
if [[ $ORGANISATION == "Freedombone-CA" ]]; then mkdir /etc/ssl/mycerts
CERTFILE="ca-$HOSTNAME"
fi fi
openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \ if [ $LETSENCRYPT_HOSTNAME ]; then
CERTFILE=$LETSENCRYPT_HOSTNAME
if [ ! -d $INSTALL_DIR ]; then
mkdir -p $INSTALL_DIR
fi
cd $INSTALL_DIR
# obtain the repo
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
git clone https://github.com/letsencrypt/letsencrypt
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
exit 76283
fi
else
cd $INSTALL_DIR/letsencrypt
git stash
git pull
fi
cd $INSTALL_DIR/letsencrypt
# TODO this requires user interaction - is there a non-interactive mode?
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then
echo "Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
exit 63216
fi
# replace some legacy filenames
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
fi
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
# link the private key
if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
fi
fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
# link the public key
if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
fi
fi
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
else
CERTFILE=$HOSTNAME
if [[ $ORGANISATION == "Freedombone-CA" ]]; then
CERTFILE="ca-$HOSTNAME"
fi
openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \ -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \
-out /etc/ssl/certs/$CERTFILE.crt -out /etc/ssl/certs/$CERTFILE.crt
if [ ! $NODH ]; then chmod 400 /etc/ssl/private/$CERTFILE.key
openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam chmod 640 /etc/ssl/certs/$CERTFILE.crt
cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
fi
# generate DH params
if [ ! $NODH ]; then
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
fi
fi fi
chmod 400 /etc/ssl/private/$CERTFILE.key
chmod 640 /etc/ssl/certs/$CERTFILE.crt
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
if [ -f /etc/init.d/nginx ]; then if [ -f /etc/init.d/nginx ]; then
/etc/init.d/nginx reload /etc/init.d/nginx reload
fi fi
# add the public certificate to a separate directory
# so that we can redistribute it easily
if [ ! -d /etc/ssl/mycerts ]; then
mkdir /etc/ssl/mycerts
fi
cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
# Create a bundle of your certificates # Create a bundle of your certificates
cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/freedombone-bundle.crt
tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem
exit 0 exit 0

34
src/freedombone-controlpanel
View File

@ -521,6 +521,30 @@ function reset_tripwire {
any_key any_key
} }
function hubzilla_renew_cert {
dialog --title "Renew SSL certificate" \
--backtitle "Freedombone Control Panel" \
--yesno "\nThis will renew a letsencrypt certificate. Select 'yes' to continue" 16 60
sel=$?
case $sel in
1) return;;
255) return;;
esac
HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
dialog --title "Renew SSL certificate" \
--msgbox "Hubzilla install directory not found" 6 40
return
fi
freedombone-renew-cert -h $HUBZILLA_DOMAIN_NAME -p 'letsencrypt'
if [ ! "$?" = "0" ]; then
any_key
else
dialog --title "Renew SSL certificate" \
--msgbox "Hubzilla certificate has been renewed" 6 40
fi
}
function hubzilla_restore { function hubzilla_restore {
dialog --title "Restore hubzilla from USB backup" \ dialog --title "Restore hubzilla from USB backup" \
--backtitle "Freedombone Control Panel" \ --backtitle "Freedombone Control Panel" \
@ -542,7 +566,7 @@ function hubzilla_channel_directory_server {
return return
fi fi
HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}') HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
dialog --title "Hubzilla channel directory server" \ dialog --title "Hubzilla channel directory server" \
--msgbox "Hubzilla install directory not found" 6 40 --msgbox "Hubzilla install directory not found" 6 40
return return
@ -713,10 +737,11 @@ function menu_hubzilla {
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Control Panel" \ dialog --backtitle "Freedombone Control Panel" \
--title "Hubzilla" \ --title "Hubzilla" \
--radiolist "Choose an operation:" 12 70 3 \ --radiolist "Choose an operation:" 13 70 4 \
1 "Restore from usb backup" off \ 1 "Restore from usb backup" off \
2 "Set channel directory server" off \ 2 "Set channel directory server" off \
3 "Back to main menu" on 2> $data 3 "Renew SSL certificate" off \
4 "Back to main menu" on 2> $data
sel=$? sel=$?
case $sel in case $sel in
1) break;; 1) break;;
@ -725,7 +750,8 @@ function menu_hubzilla {
case $(cat $data) in case $(cat $data) in
1) hubzilla_restore;; 1) hubzilla_restore;;
2) hubzilla_channel_directory_server;; 2) hubzilla_channel_directory_server;;
3) break;; 3) hubzilla_renew_cert;;
4) break;;
esac esac
done done
} }

30
src/freedombone-renew-cert
View File

@ -30,6 +30,8 @@
HOSTNAME= HOSTNAME=
PROVIDER='startssl' PROVIDER='startssl'
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
function show_help { function show_help {
echo '' echo ''
@ -44,14 +46,28 @@ function show_help {
exit 0 exit 0
} }
function renew_startssl { function renew_letsencrypt {
echo "Renewing Let's Encrypt certificate" if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
letsencrypt renew \ echo "Adding Let's Encrypt certificate"
--cert-path /etc/ssl/certs/$HOSTNAME.crt \ freedombone-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
--key-path /etc/ssl/private/$HOSTNAME.key if [ ! "$?" = "0" ]; then
if [ ! "$?" = "0" ]; then echo "Unable to add Let's encrypt certificate"
echo "Unable to renew Let's encrypt certificate" exit 6328
fi
else
echo "Renewing Let's Encrypt certificate"
letsencrypt renew \
--cert-path /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem \
--key-path /etc/letsencrypt/live/${HOSTNAME}/privkey.pem
if [ ! "$?" = "0" ]; then
echo "Unable to renew Let's encrypt certificate"
exit 2624
fi
fi fi
# Ensure that links are in place
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
} }
function renew_startssl { function renew_startssl {

2
src/freedombone-sec
View File

@ -452,7 +452,7 @@ function renew_letsencrypt {
return return
fi fi
freedombone-renew-cert -h $renew_domain -p letsencrypt freedombone-renew-cert -h $renew_domain -p 'letsencrypt'
exit 0 exit 0
} }