Command for renewing SSL/TLS certificates

Makefile

@@ -19,6 +19,7 @@ install:
 	install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin
+	install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin
 	mkdir -m 755 -p ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-prep.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@@ -29,6 +30,7 @@ install:
 	install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1
+	install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 uninstall:
 	rm -f ${PREFIX}/share/man/man1/${APP}.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-prep.1.gz
@@ -39,6 +41,7 @@ uninstall:
 	rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz
+	rm -f ${PREFIX}/share/man/man1/${APP}-renew-cert.1.gz
 	rm -rf ${PREFIX}/share/${APP}
 	rm -f ${PREFIX}/bin/${APP}
 	rm -f ${PREFIX}/bin/${APP}-prep
@@ -49,6 +52,7 @@ uninstall:
 	rm -f ${PREFIX}/bin/${APP}-addcert
 	rm -f ${PREFIX}/bin/${APP}-addlist
 	rm -f ${PREFIX}/bin/${APP}-addemail
+	rm -f ${PREFIX}/bin/${APP}-renew-cert
 clean:
 	rm -f \#* \.#* debian/*.substvars debian/*.log
 	rm -fr deb.* debian/${APP}

debian/source/include-binaries

@@ -7,3 +7,4 @@ man/freedombone-sec.1.gz
 man/freedombone-addcert.1.gz
 man/freedombone-addlist.1.gz
 man/freedombone-addemail.1.gz
+man/freedombone-renew-cert.1.gz

src/freedombone-renew-cert

@@ -0,0 +1,177 @@
+#!/bin/bash
+# A script for renewing SSL/TLS certificates
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+HOSTNAME=
+PROVIDER='startssl'
+
+function show_help {
+    echo ''
+    echo 'freedombone-renew-cert -h [hostname] -p [provider]'
+    echo ''
+    echo 'Makes it easier to renew a ssl/tls certificate for a website'
+    echo ''
+    echo '     --help                  Show help'
+    echo '  -h --hostname [name]       Hostname'
+    echo '  -p --provider [name]       eg. startssl'
+    echo ''
+    exit 0
+}
+
+function renew_startssl {
+    echo 'Renewing StartSSL certificate'
+    if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
+        if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
+            echo '/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
+            return
+        fi
+
+        cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
+
+        if [ ! -d /etc/ssl/roots ]; then
+            mkdir /etc/ssl/roots
+        fi
+        if [ ! -d /etc/ssl/chains ]; then
+            mkdir /etc/ssl/chains
+        fi
+
+        # download intermediate certs
+        wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
+        wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
+        wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
+        wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
+        ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
+        ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
+        cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+        test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+        test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
+
+        # remove the password from the private cert
+        openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
+        cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
+        shred -zu /etc/ssl/private/$HOSTNAME.new.key
+
+        # bundle the cert
+        cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
+
+        # add it to mycerts
+        cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
+        cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
+        tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
+
+        # create backups
+        if [ ! -d /etc/ssl/backups ]; then
+            mkdir /etc/ssl/backups
+        fi
+        if [ ! -d /etc/ssl/backups/certs ]; then
+            mkdir /etc/ssl/backups/certs
+        fi
+        if [ ! -d /etc/ssl/backups/private ]; then
+            mkdir /etc/ssl/backups/private
+        fi
+        cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
+        cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
+        chmod -R 400 /etc/ssl/backups/certs/*
+        chmod -R 400 /etc/ssl/backups/private/*
+
+        rm /etc/ssl/certs/$HOSTNAME.new.crt
+        rm /etc/ssl/requests/$HOSTNAME.csr
+        echo 'Certificate installed'
+        service nginx restart
+        return
+    fi
+
+    if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
+        echo 'Certificate request already created:'
+        echo ''
+        cat /etc/ssl/requests/$HOSTNAME.csr
+        echo ''
+        echo "Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
+        echo 'then run this command again.'
+        echo ''
+        return
+    fi
+    openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
+    chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
+    chmod 440 /etc/ssl/private/$HOSTNAME.new.key
+    if [ ! -d /etc/ssl/requests ]; then
+        mkdir /etc/ssl/requests
+    fi
+    openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
+    echo ''
+    cat /etc/ssl/requests/$HOSTNAME.csr
+    echo ''
+    echo 'On the StartSSL site select Certificates Wizard then'
+    echo 'Web server SSL/TLS Certificate. You can then click on "skip"'
+    echo 'and then copy and paste the above certificate request into the text'
+    echo 'entry box. You may now need to wait a few hours for a confirmation'
+    echo 'email indicating that the new certificate was created.'
+    echo ''
+    echo 'Once you have retrieved the new public certificate paste it to:'
+    echo "/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
+    echo ''
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+    --help)
+    show_help
+    ;;
+    -h|--hostname)
+    shift
+    HOSTNAME="$1"
+    ;;
+    -p|--provider)
+    shift
+    PROVIDER="$1"
+    ;;
+    *)
+    # unknown option
+    ;;
+esac
+shift
+done
+
+if [ ! $HOSTNAME ]; then
+    echo 'No hostname specified'
+    exit 5748
+fi
+
+if ! which openssl > /dev/null ;then
+    echo "$0: openssl is not installed, exiting" 1>&2
+    exit 5689
+fi
+
+# check that the web site exists
+if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then
+    echo "/etc/nginx/sites-available/$HOSTNAME does not exist"
+    return 7598
+fi
+
+if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
+    renew_startssl
+else
+    echo "$PROVIDER is not currently supported"
+fi
+
+exit 0