diff --git a/Makefile b/Makefile
index 2d84336905ffb0da39217584b89c84c4c40f28fd..5dc07d6c41ced9b25300ccbbe08f33e7c2ad65d6 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,7 @@ install:
 install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
 install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin
 install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin
+ install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin
 mkdir -m 755 -p ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-prep.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@@ -29,6 +30,7 @@ install:
 install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1
+ install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 uninstall:
 rm -f ${PREFIX}/share/man/man1/${APP}.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-prep.1.gz
@@ -39,6 +41,7 @@ uninstall:
 rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz
 rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz
+ rm -f ${PREFIX}/share/man/man1/${APP}-renew-cert.1.gz
 rm -rf ${PREFIX}/share/${APP}
 rm -f ${PREFIX}/bin/${APP}
 rm -f ${PREFIX}/bin/${APP}-prep
@@ -49,6 +52,7 @@ uninstall:
 rm -f ${PREFIX}/bin/${APP}-addcert
 rm -f ${PREFIX}/bin/${APP}-addlist
 rm -f ${PREFIX}/bin/${APP}-addemail
+ rm -f ${PREFIX}/bin/${APP}-renew-cert
 clean:
 rm -f \#* \.#* debian/*.substvars debian/*.log
 rm -fr deb.* debian/${APP}
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 56c3b6c7fb90aaed721dbebb8f2f27fba2963ada..410b25149832c490df236d1508c4b78744f8f0b6 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -7,3 +7,4 @@ man/freedombone-sec.1.gz
 man/freedombone-addcert.1.gz
 man/freedombone-addlist.1.gz
 man/freedombone-addemail.1.gz
+man/freedombone-renew-cert.1.gz
diff --git a/man/freedombone-renew-cert.1.gz b/man/freedombone-renew-cert.1.gz
new file mode 100644
index 0000000000000000000000000000000000000000..2a25a24f664ea7f36c48e4341da7f0e4cfea0045
Binary files /dev/null and b/man/freedombone-renew-cert.1.gz differ
diff --git a/src/freedombone-renew-cert b/src/freedombone-renew-cert
new file mode 100755
index 0000000000000000000000000000000000000000..9a8a84d2f4f8ab7d88f498d47a6bbb386e2e28fd
--- /dev/null
+++ b/src/freedombone-renew-cert
@@ -0,0 +1,177 @@
+#!/bin/bash
+# A script for renewing SSL/TLS certificates
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+HOSTNAME=
+PROVIDER='startssl'
+
+function show_help {
+ echo ''
+ echo 'freedombone-renew-cert -h [hostname] -p [provider]'
+ echo ''
+ echo 'Makes it easier to renew a ssl/tls certificate for a website'
+ echo ''
+ echo ' --help Show help'
+ echo ' -h --hostname [name] Hostname'
+ echo ' -p --provider [name] eg. startssl'
+ echo ''
+ exit 0
+}
+
+function renew_startssl {
+ echo 'Renewing StartSSL certificate'
+ if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
+ if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
+ echo '/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
+ return
+ fi
+
+ cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
+
+ if [ ! -d /etc/ssl/roots ]; then
+ mkdir /etc/ssl/roots
+ fi
+ if [ ! -d /etc/ssl/chains ]; then
+ mkdir /etc/ssl/chains
+ fi
+
+ # download intermediate certs
+ wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
+ wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
+ wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
+ wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
+ ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
+ ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
+ cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+ test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+ test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+
+ # remove the password from the private cert
+ openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
+ cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
+ shred -zu /etc/ssl/private/$HOSTNAME.new.key
+
+ # bundle the cert
+ cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
+
+ # add it to mycerts
+ cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
+ cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
+ tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
+
+ # create backups
+ if [ ! -d /etc/ssl/backups ]; then
+ mkdir /etc/ssl/backups
+ fi
+ if [ ! -d /etc/ssl/backups/certs ]; then
+ mkdir /etc/ssl/backups/certs
+ fi
+ if [ ! -d /etc/ssl/backups/private ]; then
+ mkdir /etc/ssl/backups/private
+ fi
+ cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
+ cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
+ chmod -R 400 /etc/ssl/backups/certs/*
+ chmod -R 400 /etc/ssl/backups/private/*
+
+ rm /etc/ssl/certs/$HOSTNAME.new.crt
+ rm /etc/ssl/requests/$HOSTNAME.csr
+ echo 'Certificate installed'
+ service nginx restart
+ return
+ fi
+
+ if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
+ echo 'Certificate request already created:'
+ echo ''
+ cat /etc/ssl/requests/$HOSTNAME.csr
+ echo ''
+ echo "Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
+ echo 'then run this command again.'
+ echo ''
+ return
+ fi
+ openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
+ chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
+ chmod 440 /etc/ssl/private/$HOSTNAME.new.key
+ if [ ! -d /etc/ssl/requests ]; then
+ mkdir /etc/ssl/requests
+ fi
+ openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
+ echo ''
+ cat /etc/ssl/requests/$HOSTNAME.csr
+ echo ''
+ echo 'On the StartSSL site select Certificates Wizard then'
+ echo 'Web server SSL/TLS Certificate. You can then click on "skip"'
+ echo 'and then copy and paste the above certificate request into the text'
+ echo 'entry box. You may now need to wait a few hours for a confirmation'
+ echo 'email indicating that the new certificate was created.'
+ echo ''
+ echo 'Once you have retrieved the new public certificate paste it to:'
+ echo "/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
+ echo ''
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+ --help)
+ show_help
+ ;;
+ -h|--hostname)
+ shift
+ HOSTNAME="$1"
+ ;;
+ -p|--provider)
+ shift
+ PROVIDER="$1"
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+shift
+done
+
+if [ ! $HOSTNAME ]; then
+ echo 'No hostname specified'
+ exit 5748
+fi
+
+if ! which openssl > /dev/null ;then
+ echo "$0: openssl is not installed, exiting" 1>&2
+ exit 5689
+fi
+
+# check that the web site exists
+if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then
+ echo "/etc/nginx/sites-available/$HOSTNAME does not exist"
+ return 7598
+fi
+
+if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
+ renew_startssl
+else
+ echo "$PROVIDER is not currently supported"
+fi
+
+exit 0
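Review bot: The install branch of renew_startssl destroys the key the CSR was made from: the request branch generates `/etc/ssl/private/$HOSTNAME.new.key` and signs the CSR with it, but under `# remove the password from the private cert` the install branch runs `openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key`, overwriting the new key with the old one before copying it back and shredding it, so the installed `$HOSTNAME.crt` no longer matches the key nginx serves with. Unless a step outside this script moves the key first, those three lines should become `mv /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key` (genrsa writes an unencrypted key, so there is no password to strip). Separately, the root and intermediate certificates are fetched with `wget` over plain `http://` with no exit-status check, then symlinked with a bare `ln -s` (which fails with "File exists" on every renewal after the first) and appended into the chain served to clients; fetch them over https, check wget's status, and use `ln -sf`. Finally, `return 7598` after the `/etc/nginx/sites-available/$HOSTNAME` check is at top level, where bash prints an error and continues, so a missing site still reaches renew_startssl — use `exit` there, and note that exit codes above 255 (5748, 5689) are reduced modulo 256.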