-
Bob Mottram authored
The guidelines on how to do this properly are just too confusing
Bob Mottram authoredThe guidelines on how to do this properly are just too confusing
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
freedombone-renew-cert 7.64 KiB
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# A script for renewing SSL/TLS certificates
# License
# =======
#
# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-renew-cert
export TEXTDOMAINDIR="/usr/share/locale"
HOSTNAME=
PROVIDER='startssl'
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
INSTALL_DIR=/root/build
function show_help {
echo ''
echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"
echo ''
echo $'Makes it easier to renew a ssl/tls certificate for a website'
echo ''
echo $' --help Show help'
echo $' -h --hostname [name] Hostname'
echo $' -p --provider [name] eg. startssl/letsencrypt'
echo ''
exit 0
}
function renew_letsencrypt {
if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
echo $"Adding Let's Encrypt certificate"
else
echo $"Renewing Let's Encrypt certificate"
fi
${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
if [ ! "$?" = "0" ]; then
echo $"Unable to add Let's encrypt certificate"
exit 6328
fi
# Ensure that links are in place
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
${PROJECT_NAME}-pin-cert $HOSTNAME remove
}
function renew_startssl {
echo $'Renewing StartSSL certificate'
if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
return
fi
cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
if [ ! -d /etc/ssl/roots ]; then
mkdir /etc/ssl/roots
fi
if [ ! -d /etc/ssl/chains ]; then
mkdir /etc/ssl/chains
fi
# download intermediate certs
wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
# remove the password from the private cert
openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
shred -zu /etc/ssl/private/$HOSTNAME.new.key
# bundle the cert
cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
# add it to mycerts
cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt
tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt
# create backups
if [ ! -d /etc/ssl/backups ]; then
mkdir /etc/ssl/backups
fi
if [ ! -d /etc/ssl/backups/certs ]; then
mkdir /etc/ssl/backups/certs
fi
if [ ! -d /etc/ssl/backups/private ]; then
mkdir /etc/ssl/backups/private
fi
cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
chmod -R 400 /etc/ssl/backups/certs/*
chmod -R 400 /etc/ssl/backups/private/*
rm /etc/ssl/certs/$HOSTNAME.new.crt
rm /etc/ssl/requests/$HOSTNAME.csr
# update your site to include the bundle
sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME
echo $'Certificate installed'
service nginx restart
return
fi
if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
echo $'Certificate request already created:'
echo ''
cat /etc/ssl/requests/$HOSTNAME.csr
echo ''
echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
echo $'then run this command again.'
echo ''
return
fi
openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
chmod 440 /etc/ssl/private/$HOSTNAME.new.key
if [ ! -d /etc/ssl/requests ]; then
mkdir /etc/ssl/requests
fi
openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
echo ''
cat /etc/ssl/requests/$HOSTNAME.csr
echo ''
echo $'On the StartSSL site select Certificates Wizard then'
echo $'Web server SSL/TLS Certificate. You can then click on "skip"'
echo $'and then copy and paste the above certificate request into the text'
echo $'entry box. You may now need to wait a few hours for a confirmation'
echo $'email indicating that the new certificate was created.'
echo ''
echo $'Once you have retrieved the new public certificate paste it to:'
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
echo ''
${PROJECT_NAME}-pin-cert $HOSTNAME remove
}
while [[ $# > 1 ]]
do
key="$1"
case $key in
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-p|--provider)
shift
PROVIDER="$1"
;;
*)
# unknown option
;;
esac
shift
done
if [ ! $HOSTNAME ]; then
echo $'No hostname specified'
exit 5748
fi
if ! which openssl > /dev/null ;then
echo $"$0: openssl is not installed, exiting" 1>&2
exit 5689
fi
# check that the web site exists
if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then
echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"
exit 7598
fi
if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
renew_startssl
else
if [[ $PROVIDER == 'letsencrypt' ]]; then
renew_letsencrypt
else
echo $"$PROVIDER is not currently supported"
fi
fi
exit 0