Commit 516519ba authored by Bob Mottram's avatar Bob Mottram

Command for calculating DH params

Avoid duplication
parent 736ce5e2
File added
......@@ -154,18 +154,18 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
cd $INSTALL_DIR
# obtain the repo
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
git clone https://github.com/letsencrypt/letsencrypt
if [ ! -d $INSTALL_DIR/letsencrypt ]; then
if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
exit 76283
fi
else
cd $INSTALL_DIR/letsencrypt
cd ${INSTALL_DIR}/letsencrypt
git stash
git pull
fi
cd $INSTALL_DIR/letsencrypt
cd ${INSTALL_DIR}/letsencrypt
# TODO this requires user interaction - is there a non-interactive mode?
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then
......@@ -206,23 +206,19 @@ else
CERTFILE="ca-$HOSTNAME"
fi
openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \
-out /etc/ssl/certs/$CERTFILE.crt
chmod 400 /etc/ssl/private/$CERTFILE.key
chmod 640 /etc/ssl/certs/$CERTFILE.crt
cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-out /etc/ssl/certs/${CERTFILE}.crt
chmod 400 /etc/ssl/private/${CERTFILE}.key
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
fi
# generate DH params
if [ ! $NODH ]; then
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
if [ ! "$?" = "0" ]; then
exit 72428
fi
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
${PROJECT_NAME}-dhparam -h ${CERTFILE}
fi
fi
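Review bot: `${PROJECT_NAME}-dhparam -h ${CERTFILE}` drops two things the removed lines had: the `$DH_KEYLENGTH` argument, so the helper silently uses its own 2048-bit default instead of the length this script was configured with, and the status check that exited with 72428 when openssl failed. Pass the length and keep the check: `${PROJECT_NAME}-dhparam -h ${CERTFILE} -l ${DH_KEYLENGTH}` followed by `if [ ! "$?" = "0" ]; then exit 72428; fi`. In the first hunk, `cd ${INSTALL_DIR}/letsencrypt` is still unchecked before `./letsencrypt-auto` runs, so a failed cd would run the client from whatever the current directory happens to be; `cd ${INSTALL_DIR}/letsencrypt || exit 1` closes that, and the enclosing `if` block begins before the hunk. Note also that the helper reloads nginx on every call, which is presumably acceptable at this point of the script but is a side effect the old inline code did not have.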
......
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Creates or re-calculates Diffie-Hellman parameters
# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-dhparam
export TEXTDOMAINDIR="/usr/share/locale"
HOSTNAME=
KEYLENGTH=2048
RECALCULATE="no"
function show_help {
echo ''
echo $"${PROJECT_NAME}-dhparam -h [hostname] -l [length in bits] --recalc [yes|no]"
echo ''
exit 0
}
function calc_dh {
openssl dhparam -check -text -dsaparam $KEYLENGTH -out ${1}
if [ ! "$?" = "0" ]; then
exit 3674
fi
chmod 640 ${1}
}
function regenerate_dh_keys {
for file in /etc/ssl/mycerts/*
do
if [[ -f $file ]]; then
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
if [ -f $filename ]; then
calc_dh $filename
echo $"Recalculated DH params for $filename"
fi
fi
done
}
while [[ $# > 1 ]]
do
key="$1"
case $key in
--help)
show_help
;;
-h|--hostname)
shift
HOSTNAME="$1"
;;
-l|--dhkey)
shift
KEYLENGTH=${1}
;;
--recalc)
shift
RECALCULATE=${1}
;;
*)
# unknown option
;;
esac
shift
done
if [[ $RECALCULATE == "yes" || $RECALCULATE == "y" ]]; then
regenerate_dh_keys
exit 0
fi
if [ ! $HOSTNAME ]; then
echo $'No hostname specified'
exit 5728
fi
if ! which openssl > /dev/null ;then
echo $"$0: openssl is not installed, exiting" 1>&2
exit 5689
fi
if [ ! -d /etc/ssl/mycerts ]; then
mkdir -p /etc/ssl/mycerts
fi
calc_dh /etc/ssl/certs/$HOSTNAME.dhparam
systemctl reload nginx
exit 0
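Review bot: The option loop `while [[ $# > 1 ]]` never runs when exactly one argument is given, and `>` inside `[[ ]]` is a string comparison, so `--help` on its own falls through to the "No hostname specified" exit; `while [[ $# -gt 0 ]]` handles both. The `-h` value is then used unquoted and unvalidated to build the output path in `calc_dh /etc/ssl/certs/$HOSTNAME.dhparam`, so a value containing `/` or whitespace writes outside the intended directory; quote it as `calc_dh "/etc/ssl/certs/${HOSTNAME}.dhparam"` and reject it first with `if [[ "$HOSTNAME" == */* ]]; then echo $'Invalid hostname'; exit 5728; fi` (the same applies to `${1}` inside calc_dh and to `$KEYLENGTH`, which should be checked to be numeric before reaching openssl). Bash truncates exit statuses to 8 bits, so `exit 3674` is observed by the caller as 90 and `exit 5728` as 96, which matters once the script that invokes `${PROJECT_NAME}-dhparam -h ${CERTFILE}` starts checking the status. Finally, `which openssl` is better written `command -v openssl >/dev/null`.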
......@@ -225,10 +225,10 @@ function interactive_setup {
if [ $SSL_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--form "\nWeb/IMAP Ciphers:" 10 95 2 \
"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nWeb/IMAP Ciphers:" 10 95 2 \
$"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
$"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
2> $data
sel=$?
case $sel in
......@@ -242,12 +242,12 @@ function interactive_setup {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
dialog --backtitle "Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 13 95 4 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nSecure Shell Ciphers:" 13 95 4 \
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
$"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
2> $data
sel=$?
case $sel in
......@@ -259,11 +259,11 @@ function interactive_setup {
255) exit 0;;
esac
else
dialog --backtitle "Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 11 95 3 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nSecure Shell Ciphers:" 11 95 3 \
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
2> $data
sel=$?
case $sel in
......@@ -276,14 +276,14 @@ function interactive_setup {
fi
if [[ $SSH_PASSWORDS == "yes" ]]; then
dialog --title "SSH Passwords" \
--backtitle "Freedombone Security Configuration" \
--yesno "\nAllow SSH login using passwords?" 7 60
dialog --title $"SSH Passwords" \
--backtitle $"Freedombone Security Configuration" \
--yesno $"\nAllow SSH login using passwords?" 7 60
else
dialog --title "SSH Passwords" \
--backtitle "Freedombone Security Configuration" \
dialog --title $"SSH Passwords" \
--backtitle $"Freedombone Security Configuration" \
--defaultno \
--yesno "\nAllow SSH login using passwords?" 7 60
--yesno $"\nAllow SSH login using passwords?" 7 60
fi
sel=$?
case $sel in
......@@ -295,10 +295,10 @@ function interactive_setup {
if [ $XMPP_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--form "\nXMPP Ciphers:" 10 95 2 \
"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nXMPP Ciphers:" 10 95 2 \
$"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
$"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
2> $data
sel=$?
case $sel in
......@@ -309,10 +309,10 @@ function interactive_setup {
esac
fi
dialog --title "Final Confirmation" \
--backtitle "Freedombone Security Configuration" \
dialog --title $"Final Confirmation" \
--backtitle $"Freedombone Security Configuration" \
--defaultno \
--yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
--yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
sel=$?
case $sel in
1) clear
......@@ -365,21 +365,7 @@ function regenerate_dh_keys {
3) DH_KEYLENGTH=4096;;
esac
ctr=0
for file in /etc/ssl/mycerts/*
do
if [[ -f $file ]]; then
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
if [ -f $filename ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
if [ ! "$?" = "0" ]; then
exit 3674
fi
ctr=$((ctr + 1))
fi
fi
done
echo $"$ctr dhparam certificates were regenerated"
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
fi
}
......@@ -387,9 +373,9 @@ function renew_startssl {
renew_domain=
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title "Renew a StartSSL certificate" \
--backtitle "Freedombone Security Settings" \
--inputbox "Enter the domain name" 8 60 2>$data
dialog --title $"Renew a StartSSL certificate" \
--backtitle $"Freedombone Security Settings" \
--inputbox $"Enter the domain name" 8 60 2>$data
sel=$?
case $sel in
0)
......@@ -402,24 +388,24 @@ function renew_startssl {
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title "Renew a StartSSL certificate" \
--msgbox "Don't include the https://" 6 40
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title "Renew a StartSSL certificate" \
--msgbox "An existing certificate for $renew_domain was not found" 6 40
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
return
fi
if [[ $renew_domain != *"."* ]]; then
dialog --title "Renew a StartSSL certificate" \
--msgbox "Invalid domain name: $renew_domain" 6 40
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
return
fi
freedombone-renew-cert -h $renew_domain -p startssl
${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
exit 0
}
......@@ -428,9 +414,9 @@ function renew_letsencrypt {
renew_domain=
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title "Renew a Let's Encrypt certificate" \
--backtitle "Freedombone Security Settings" \
--inputbox "Enter the domain name" 8 60 2>$data
dialog --title $"Renew a Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
--inputbox $"Enter the domain name" 8 60 2>$data
sel=$?
case $sel in
0)
......@@ -443,24 +429,24 @@ function renew_letsencrypt {
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title "Renew a Let's Encrypt certificate" \
--msgbox "Don't include the https://" 6 40
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title "Renew a Let's Encrypt certificate" \
--msgbox "An existing certificate for $renew_domain was not found" 6 40
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
return
fi
if [[ $renew_domain != *"."* ]]; then
dialog --title "Renew a Let's Encrypt certificate" \
--msgbox "Invalid domain name: $renew_domain" 6 40
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
return
fi
freedombone-renew-cert -h $renew_domain -p 'letsencrypt'
${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
exit 0
}
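Review bot: The call `${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}` that replaces the loop in regenerate_dh_keys no longer stops on failure, whereas the removed loop exited with 3674 when openssl failed, and the "dhparam certificates were regenerated" report is gone with it; add `if [ ! "$?" = "0" ]; then exit 3674; fi` after the call, matching the check style used elsewhere in this file. regenerate_dh_keys starts outside the hunk. The remaining hunks only wrap dialog strings in `$"…"`; since bash applies double-quote expansion to the translated replacement, strings such as `$"Invalid domain name: $renew_domain"` make the message catalogs under TEXTDOMAINDIR trusted input, which is worth a one-line comment wherever this file sets TEXTDOMAIN (not visible in these hunks).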
......