freedombone-renew-cert

#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# A script for renewing SSL/TLS certificates
#
# License
# =======
#
# Copyright (C) 2015-2019 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-renew-cert
export TEXTDOMAINDIR="/usr/share/locale"

HOSTNAME=
PROVIDER='startssl'
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
INSTALL_DIR=/root/build
NONINTERACTIVE='no'

function show_help {
    echo ''
    echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"
    echo ''
    echo $'Makes it easier to renew a ssl/tls certificate for a website'
    echo ''
    echo $'     --help                    Show help'
    echo $'     --noninteractive [yes|no] Whether this is called from a noninteractive script'
    echo $'  -h --hostname [name]         Hostname'
    echo $'  -p --provider [name]         eg. startssl/letsencrypt'
    echo ''
    exit 0
}

function renew_letsencrypt {
    if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
        echo $"Adding Let's Encrypt certificate"
    else
        echo $"Renewing Let's Encrypt certificate"
    fi

    if ! ${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH; then
        echo $"Unable to add Let's encrypt certificate"
        exit 63
    fi

    # Ensure that links are in place
    ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
    ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem

    ${PROJECT_NAME}-pin-cert $HOSTNAME remove
}

function renew_startssl {
    echo $'Renewing StartSSL certificate'
    if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
        if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
            echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
            return
        fi

        cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt

        if [ ! -d /etc/ssl/roots ]; then
            mkdir /etc/ssl/roots
        fi
        if [ ! -d /etc/ssl/chains ]; then
            mkdir /etc/ssl/chains
        fi

        # download intermediate certs
        wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
        wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
        wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
        wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
        ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
        ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
        cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
        test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
        test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

        # remove the password from the private cert
        openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
        cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
        rm /etc/ssl/private/$HOSTNAME.new.key

        # bundle the cert
        cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt

        # add it to mycerts
        cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
        cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt
        tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt

        # create backups
        if [ ! -d /etc/ssl/backups ]; then
            mkdir /etc/ssl/backups
        fi
        if [ ! -d /etc/ssl/backups/certs ]; then
            mkdir /etc/ssl/backups/certs
        fi
        if [ ! -d /etc/ssl/backups/private ]; then
            mkdir /etc/ssl/backups/private
        fi
        cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
        cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
        chmod -R 400 /etc/ssl/backups/certs/*
        chmod -R 400 /etc/ssl/backups/private/*

        rm /etc/ssl/certs/$HOSTNAME.new.crt
        rm /etc/ssl/requests/$HOSTNAME.csr

        # update your site to include the bundle
        sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME

        echo $'Certificate installed'
        fuser -k 80/tcp
        fuser -k 443/tcp
        systemctl restart nginx
        return
    fi

    if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
        echo $'Certificate request already created:'
        echo ''
        cat /etc/ssl/requests/$HOSTNAME.csr
        echo ''
        echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
        echo $'then run this command again.'
        echo ''
        return
    fi
    openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
    chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
    chmod 440 /etc/ssl/private/$HOSTNAME.new.key
    if [ ! -d /etc/ssl/requests ]; then
        mkdir /etc/ssl/requests
    fi
    openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
    echo ''
    cat /etc/ssl/requests/$HOSTNAME.csr
    echo ''
    echo $'On the StartSSL site select Certificates Wizard then'
    echo $'Web server SSL/TLS Certificate. You can then click on "skip"'
    echo $'and then copy and paste the above certificate request into the text'
    echo $'entry box. You may now need to wait a few hours for a confirmation'
    echo $'email indicating that the new certificate was created.'
    echo ''
    echo $'Once you have retrieved the new public certificate paste it to:'
    echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
    echo ''

    ${PROJECT_NAME}-pin-cert $HOSTNAME remove
}

while [ $# -gt 1 ]
do
key="$1"

case $key in
    --help)
    show_help
    ;;
    -h|--hostname)
    shift
    HOSTNAME="$1"
    ;;
    --noninteractive)
    shift
    NONINTERACTIVE="$1"
    ;;
    -p|--provider)
    shift
    PROVIDER="$1"
    ;;
    *)
    # unknown option
    ;;
esac
shift
done

if [ ! "$HOSTNAME" ]; then
    echo $'No hostname specified'
    exit 57
fi

if ! which openssl > /dev/null ;then
    echo $"$0: openssl is not installed, exiting" 1>&2
    exit 56
fi

# check that the web site exists
curr_host=$(cat /etc/hostname)
if [[ "$HOSTNAME" != "chat.${curr_host}" ]]; then
    if [ ! -f "/etc/nginx/sites-available/$HOSTNAME" ]; then
        if [[ "$NONINTERACTIVE" == 'no' ]]; then
            echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"
        fi
        exit 75
    fi
fi

if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
    renew_startssl
else
    if [[ $PROVIDER == 'letsencrypt' ]]; then
        renew_letsencrypt
    else
        echo $"$PROVIDER is not currently supported"
    fi
fi

exit 0