225 lines
7.6 KiB
Bash
Executable File
225 lines
7.6 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# .---. . .
|
|
# | | |
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# A script for renewing SSL/TLS certificates
|
|
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
PROJECT_NAME='freedombone'
|
|
|
|
export TEXTDOMAIN=${PROJECT_NAME}-renew-cert
|
|
export TEXTDOMAINDIR="/usr/share/locale"
|
|
|
|
HOSTNAME=
|
|
PROVIDER='startssl'
|
|
DH_KEYLENGTH=2048
|
|
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
|
|
INSTALL_DIR=/root/build
|
|
|
|
function show_help {
|
|
echo ''
|
|
echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"
|
|
echo ''
|
|
echo $'Makes it easier to renew a ssl/tls certificate for a website'
|
|
echo ''
|
|
echo $' --help Show help'
|
|
echo $' -h --hostname [name] Hostname'
|
|
echo $' -p --provider [name] eg. startssl/letsencrypt'
|
|
echo ''
|
|
exit 0
|
|
}
|
|
|
|
function renew_letsencrypt {
|
|
if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
|
|
echo $"Adding Let's Encrypt certificate"
|
|
else
|
|
echo $"Renewing Let's Encrypt certificate"
|
|
fi
|
|
|
|
${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
|
if [ ! "$?" = "0" ]; then
|
|
echo $"Unable to add Let's encrypt certificate"
|
|
exit 6328
|
|
fi
|
|
|
|
# Ensure that links are in place
|
|
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
|
|
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
|
|
|
|
${PROJECT_NAME}-pin-cert $HOSTNAME
|
|
}
|
|
|
|
function renew_startssl {
|
|
echo $'Renewing StartSSL certificate'
|
|
if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
|
|
if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
|
|
echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
|
|
return
|
|
fi
|
|
|
|
cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
|
|
|
|
if [ ! -d /etc/ssl/roots ]; then
|
|
mkdir /etc/ssl/roots
|
|
fi
|
|
if [ ! -d /etc/ssl/chains ]; then
|
|
mkdir /etc/ssl/chains
|
|
fi
|
|
|
|
# download intermediate certs
|
|
wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
|
|
wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
|
|
wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
|
|
wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
|
|
ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
|
|
ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
|
|
cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
|
|
test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
|
|
test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
|
|
|
|
# remove the password from the private cert
|
|
openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
|
|
cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
|
|
shred -zu /etc/ssl/private/$HOSTNAME.new.key
|
|
|
|
# bundle the cert
|
|
cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
|
|
|
|
# add it to mycerts
|
|
cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
|
|
cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt
|
|
tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt
|
|
|
|
# create backups
|
|
if [ ! -d /etc/ssl/backups ]; then
|
|
mkdir /etc/ssl/backups
|
|
fi
|
|
if [ ! -d /etc/ssl/backups/certs ]; then
|
|
mkdir /etc/ssl/backups/certs
|
|
fi
|
|
if [ ! -d /etc/ssl/backups/private ]; then
|
|
mkdir /etc/ssl/backups/private
|
|
fi
|
|
cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
|
|
cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
|
|
chmod -R 400 /etc/ssl/backups/certs/*
|
|
chmod -R 400 /etc/ssl/backups/private/*
|
|
|
|
rm /etc/ssl/certs/$HOSTNAME.new.crt
|
|
rm /etc/ssl/requests/$HOSTNAME.csr
|
|
|
|
# update your site to include the bundle
|
|
sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME
|
|
|
|
echo $'Certificate installed'
|
|
service nginx restart
|
|
return
|
|
fi
|
|
|
|
if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
|
|
echo $'Certificate request already created:'
|
|
echo ''
|
|
cat /etc/ssl/requests/$HOSTNAME.csr
|
|
echo ''
|
|
echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
|
|
echo $'then run this command again.'
|
|
echo ''
|
|
return
|
|
fi
|
|
openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
|
|
chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
|
|
chmod 440 /etc/ssl/private/$HOSTNAME.new.key
|
|
if [ ! -d /etc/ssl/requests ]; then
|
|
mkdir /etc/ssl/requests
|
|
fi
|
|
openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
|
|
echo ''
|
|
cat /etc/ssl/requests/$HOSTNAME.csr
|
|
echo ''
|
|
echo $'On the StartSSL site select Certificates Wizard then'
|
|
echo $'Web server SSL/TLS Certificate. You can then click on "skip"'
|
|
echo $'and then copy and paste the above certificate request into the text'
|
|
echo $'entry box. You may now need to wait a few hours for a confirmation'
|
|
echo $'email indicating that the new certificate was created.'
|
|
echo ''
|
|
echo $'Once you have retrieved the new public certificate paste it to:'
|
|
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
|
|
echo ''
|
|
|
|
${PROJECT_NAME}-pin-cert $HOSTNAME
|
|
}
|
|
|
|
while [[ $# > 1 ]]
|
|
do
|
|
key="$1"
|
|
|
|
case $key in
|
|
--help)
|
|
show_help
|
|
;;
|
|
-h|--hostname)
|
|
shift
|
|
HOSTNAME="$1"
|
|
;;
|
|
-p|--provider)
|
|
shift
|
|
PROVIDER="$1"
|
|
;;
|
|
*)
|
|
# unknown option
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
if [ ! $HOSTNAME ]; then
|
|
echo $'No hostname specified'
|
|
exit 5748
|
|
fi
|
|
|
|
if ! which openssl > /dev/null ;then
|
|
echo $"$0: openssl is not installed, exiting" 1>&2
|
|
exit 5689
|
|
fi
|
|
|
|
# check that the web site exists
|
|
if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then
|
|
echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"
|
|
exit 7598
|
|
fi
|
|
|
|
if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
|
|
renew_startssl
|
|
else
|
|
if [[ $PROVIDER == 'letsencrypt' ]]; then
|
|
renew_letsencrypt
|
|
else
|
|
echo $"$PROVIDER is not currently supported"
|
|
fi
|
|
fi
|
|
|
|
exit 0
|