
More preparation for letsencrypt

Bob Mottram 9 lat temu
rodzic
commit
f6358543fb

BIN
man/freedombone-addcert.1.gz Wyświetl plik


+ 96
- 61
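--- a/src/freedombone
+++ b/src/freedombone
@@ -429,6 +429,9 @@ DH_KEYLENGTH=2048
 # repo for atheros AR9271 wifi driver
 ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git'
 
+LETSENCRYPT_ENABLED="no"
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+
 function show_help {
   echo ''
   echo 'freedombone -c [configuration file]'
@@ -788,6 +791,9 @@ function read_configuration {
   fi
 
   if [ -f $CONFIGURATION_FILE ]; then
+      if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then
+          LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+      fi
       if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then
           HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
       fi
@@ -1185,13 +1191,24 @@ function check_certificates {
   if [ ! $1 ]; then
       return
   fi
-  if [ ! -f /etc/ssl/private/$1.key ]; then
-      echo "Private certificate for $CHECK_HOSTNAME was not created"
-      exit 63959
-  fi
-  if [ ! -f /etc/ssl/certs/$1.crt ]; then
-      echo "Public certificate for $CHECK_HOSTNAME was not created"
-      exit 7679
+  if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+      if [ ! -f /etc/ssl/private/$1.key ]; then
+          echo "Private certificate for $CHECK_HOSTNAME was not created"
+          exit 63959
+      fi
+      if [ ! -f /etc/ssl/certs/$1.crt ]; then
+          echo "Public certificate for $CHECK_HOSTNAME was not created"
+          exit 7679
+      fi
+  else
+      if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
+          echo "Private certificate for $CHECK_HOSTNAME was not created"
+          exit 6282
+      fi
+      if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
+          echo "Public certificate for $CHECK_HOSTNAME was not created"
+          exit 5328
+      fi
   fi
   if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
       echo "Diffie–Hellman parameters for $CHECK_HOSTNAME were not created"
@@ -3072,9 +3089,14 @@ function restore_database {
   echo '            rm -rf $USB_MOUNT' >> $script_name
   echo '            exit 683' >> $script_name
   echo '          fi' >> $script_name
-  echo '          # Ensure that the bundled SSL cert is being used' >> $script_name
-  echo '          if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name
-  echo '            sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name
+  echo '          if [ -d /etc/letsencrypt/live/${2} ]; then' >> $script_name
+  echo '            ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> $script_name
+  echo '            ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> $script_name
+  echo '          else' >> $script_name
+  echo '            # Ensure that the bundled SSL cert is being used' >> $script_name
+  echo '            if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name
+  echo '              sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name
+  echo '            fi' >> $script_name
   echo '          fi' >> $script_name
   echo '        fi' >> $script_name
   echo '      fi' >> $script_name
@@ -3698,6 +3720,10 @@ function create_restore_script {
   echo "  if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo "    sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
 
@@ -3739,7 +3765,10 @@ function create_restore_script {
   echo '      fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '    fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '  done' >> /usr/bin/$RESTORE_SCRIPT_NAME
-
+  echo "  if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME  
   echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
 
@@ -4822,9 +4851,14 @@ function restore_database_from_friend {
   echo '          if [ ! "$?" = "0" ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '            exit 683' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '          fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '          # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '          if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '            sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '          if [ -d /etc/letsencrypt/live/${2} ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '          else' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME  
+  echo '              # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '                  sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '          fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '        fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '      fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
@@ -5402,6 +5436,10 @@ function restore_from_friend {
   echo "  if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo "    sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
 
@@ -5440,6 +5478,10 @@ function restore_from_friend {
   echo '/$USERNAME/blog/uncategorized/post ' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '    fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '  done' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
 
@@ -7128,7 +7170,11 @@ function configure_imap_client_certs {
   fi
   # make a CA cert
   if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
-      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
   fi
   # CA configuration
   echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
@@ -8142,44 +8188,6 @@ function install_web_server {
   echo 'install_web_server' >> $COMPLETION_FILE
 }
 
-function install_letsencrypt {
-  if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
-      return
-  fi
-  if grep -Fxq "install_letsencrypt" $COMPLETION_FILE; then
-      return
-  fi
-  #apt-get -y install python-pip git
-  #pip install -U setuptools
-  #pip install --upgrade cffi
-  cd $INSTALL_DIR
-
-  # This is experimental developer preview and I hope at some stage
-  # there will be a debian package for it.
-
-  # obtain the repo
-  if [ ! -d $INSTALL_DIR/letsencrypt ]; then
-      git clone https://github.com/letsencrypt/letsencrypt
-      if [ ! -d $INSTALL_DIR/letsencrypt ]; then
-          exit 76283
-      fi
-  else
-      cd $INSTALL_DIR/letsencrypt
-      git stash
-      git pull
-  fi
-
-  cd $INSTALL_DIR/letsencrypt
-  # TODO this requires user interaction - is there a non-interactive mode?
-  ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
-  if [ ! "$?" = "0" ]; then
-      echo 'Failed to install letsencrypt'
-      exit 63216
-  fi
-
-  echo 'install_letsencrypt' >> $COMPLETION_FILE
-}
-
 function configure_php {
   sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
   sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
@@ -8591,7 +8599,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $OWNCLOUD_DOMAIN_NAME
   fi
 
@@ -8840,7 +8852,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $GIT_DOMAIN_NAME
   fi
 
@@ -9298,7 +9314,11 @@ function install_wiki {
       rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
   fi
   if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $WIKI_DOMAIN_NAME
   fi
 
@@ -9582,7 +9602,11 @@ function install_blog {
   chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
 
   if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $FULLBLOG_DOMAIN_NAME
   fi
 
@@ -9948,7 +9972,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $MICROBLOG_DOMAIN_NAME
   fi
 
@@ -10244,7 +10272,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $HUBZILLA_DOMAIN_NAME
   fi
 
@@ -10569,7 +10601,11 @@ function install_mediagoblin {
   echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 
   if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $MEDIAGOBLIN_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $MEDIAGOBLIN_DOMAIN_NAME
   fi
 
@@ -11401,7 +11437,6 @@ encrypt_all_email
 import_email
 script_for_attaching_usb_drive
 install_web_server
-#install_letsencrypt
 configure_firewall_for_web_server
 install_owncloud
 install_owncloud_music_app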
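Review bot: In configure_imap_client_certs the new else branch replaces the CA-certificate request (`--ca ""`) with a Let's Encrypt request for the same domain, but a publicly issued end-entity certificate carries no CA basic constraint and cannot sign the Dovecot client certificates this function sets up; that branch also never creates `/etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key`, so the `if [ ! -f ... ]` guard re-runs on every invocation and the CA configuration written just below presumably points at a key that does not exist. The local CA step should stay unconditional here (`freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH` regardless of LETSENCRYPT_ENABLED), with Let's Encrypt reserved for the server-facing certificates. The `ln -s` lines added to the generated restore scripts in restore_database, create_restore_script, restore_database_from_friend and restore_from_friend do not handle an existing `/etc/ssl/private/${2}.key` or `/etc/ssl/certs/${2}.pem` (a restored backup or an earlier self-signed install will usually have left a regular file there), so `ln -s` fails with 'File exists' and the stale key stays in use while the restore carries on; freedombone-addcert in this same commit moves such a file to `.old` before linking, and the restore scripts should do the same. Lastly, read_configuration now loads LETSENCRYPT_SERVER but nothing in this diff reads LETSENCRYPT_ENABLED from the configuration file, so unless it is set somewhere outside these hunks the new Let's Encrypt branches are unreachable; a matching `if grep -q "LETSENCRYPT_ENABLED" $CONFIGURATION_FILE; then LETSENCRYPT_ENABLED=$(grep "LETSENCRYPT_ENABLED" $CONFIGURATION_FILE | awk -F '=' '{print $2}'); fi` would close that gap. All of the enclosing functions start and end outside their hunks.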

+ 105
- 30
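--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -29,6 +29,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 HOSTNAME=
+LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
 AREA="Free Speech Zone"
 LOCATION="Freedomville"
@@ -37,6 +38,8 @@ UNIT="Freedombone Unit"
 EXTENSIONS=""
 NODH=
 DH_KEYLENGTH=2048
+INSTALL_DIR=/root/build
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
 function show_help {
     echo ''
@@ -45,16 +48,18 @@ function show_help {
     echo ''
     echo 'Creates a self-signed certificate for the given hostname'
     echo ''
-    echo '     --help                  Show help'
-    echo '  -h --hostname [name]       Hostname'
-    echo '  -c --country [code]        Optional country code (eg. US, GB, etc)'
-    echo '  -a --area [description]    Optional area description'
-    echo '  -l --location [locn]       Optional location name'
-    echo '  -o --organisation [name]   Optional organisation name'
-    echo '  -u --unit [name]           Optional unit name'
-    echo '     --dhkey [bits]          DH key length in bits'
-    echo '     --nodh ""               Do not calculate DH params'
-    echo '     --ca ""                 Certificate authority cert'
+    echo '     --help                   Show help'
+    echo '  -h --hostname [name]        Hostname'
+    echo '  -e --letsencrypt [hostname] Hostname to use with Lets Encrypt'
+    echo '  -s --server [url]           Lets Encrypt server URL'
+    echo '  -c --country [code]         Optional country code (eg. US, GB, etc)'
+    echo '  -a --area [description]     Optional area description'
+    echo '  -l --location [locn]        Optional location name'
+    echo '  -o --organisation [name]    Optional organisation name'
+    echo '  -u --unit [name]            Optional unit name'
+    echo '     --dhkey [bits]           DH key length in bits'
+    echo '     --nodh ""                Do not calculate DH params'
+    echo '     --ca ""                  Certificate authority cert'
     echo ''
     exit 0
 }
@@ -71,6 +76,14 @@ case $key in
     shift
     HOSTNAME="$1"
     ;;
+    -e|--letsencrypt)
+    shift
+    LETSENCRYPT_HOSTNAME="$1"
+    ;;
+    -s|--server)
+    shift
+    LETSENCRYPT_SERVER="$1"
+    ;;
     -c|--country)
     shift
     COUNTRY_CODE="$1"
@@ -112,8 +125,10 @@ shift
 done
 
 if [ ! $HOSTNAME ]; then
-    echo 'No hostname specified'
-    exit 5748
+	if [ ! $LETSENCRYPT_HOSTNAME ]; then
+        echo 'No hostname specified'
+        exit 5748
+	fi
 fi
 
 if ! which openssl > /dev/null ;then
@@ -121,34 +136,94 @@ if ! which openssl > /dev/null ;then
     exit 5689
 fi
 
-CERTFILE=$HOSTNAME
-if [[ $ORGANISATION == "Freedombone-CA" ]]; then
-    CERTFILE="ca-$HOSTNAME"
+if [ ! -d /etc/ssl/mycerts ]; then
+    mkdir /etc/ssl/mycerts
 fi
 
-openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
+if [ $LETSENCRYPT_HOSTNAME ]; then
+    CERTFILE=$LETSENCRYPT_HOSTNAME
+
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+
+	# obtain the repo
+	if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+		git clone https://github.com/letsencrypt/letsencrypt
+		if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+			exit 76283
+		fi
+	else
+		cd $INSTALL_DIR/letsencrypt
+		git stash
+		git pull
+	fi
+
+	cd $INSTALL_DIR/letsencrypt
+	# TODO this requires user interaction - is there a non-interactive mode?
+	./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
+	if [ ! "$?" = "0" ]; then
+		echo "Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
+		exit 63216
+	fi
+
+	# replace some legacy filenames
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
+		mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+	fi
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
+		mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+	fi
+	sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
+	sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
+  
+	# link the private key
+	if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
+		if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
+			mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
+		fi
+	fi
+	ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
+
+	# link the public key
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
+		if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
+			mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
+		fi
+	fi
+	ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+
+    cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
+else
+    CERTFILE=$HOSTNAME
+    if [[ $ORGANISATION == "Freedombone-CA" ]]; then
+        CERTFILE="ca-$HOSTNAME"
+    fi
+
+    openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
         -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
         -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \
         -out /etc/ssl/certs/$CERTFILE.crt
-if [ ! $NODH ]; then
-    openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+    chmod 400 /etc/ssl/private/$CERTFILE.key
+    chmod 640 /etc/ssl/certs/$CERTFILE.crt
+    cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
 fi
-chmod 400 /etc/ssl/private/$CERTFILE.key
-chmod 640 /etc/ssl/certs/$CERTFILE.crt
-chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
 
-if [ -f /etc/init.d/nginx ]; then
-  /etc/init.d/nginx reload
+# generate DH params
+if [ ! $NODH ]; then
+	if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
+		openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+		chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
+	fi
 fi
 
-# add the public certificate to a separate directory
-# so that we can redistribute it easily
-if [ ! -d /etc/ssl/mycerts ]; then
-  mkdir /etc/ssl/mycerts
+if [ -f /etc/init.d/nginx ]; then
+    /etc/init.d/nginx reload
 fi
-cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
 
 # Create a bundle of your certificates
-cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
-tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
+cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/freedombone-bundle.crt
+tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem
+
 exit 0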
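Review bot: The new Let's Encrypt branch clones `https://github.com/letsencrypt/letsencrypt`, on later runs does `git stash` / `git pull`, and then executes `./letsencrypt-auto` as root, so whatever is at the upstream tip at that moment runs with full privileges and nothing (release tag, commit pin, signature check) ties the install to a reviewed version. Pinning the checkout, e.g. `git clone --branch <PINNED_RELEASE_TAG> https://github.com/letsencrypt/letsencrypt` and checking out that same tag in the else branch instead of pulling, makes the issuance tooling reproducible and auditable. Two further points in the same hunk: `--standalone` starts its own listener on port 80 or 443 and will fail to bind when nginx is already serving on the host (the script reloads nginx at the end, so that appears to be the expected state), which the `--webroot` authenticator would avoid; and when both `${LETSENCRYPT_HOSTNAME}.key` and `.key.old` already exist the `mv` is skipped and the unconditional `ln -s` fails with 'File exists', leaving the old key in place. The usage text still reads 'Creates a self-signed certificate for the given hostname' and should describe the `-e`/`-s` Let's Encrypt mode as well; the new branch also mixes tab and space indentation.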

+ 30
- 4
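--- a/src/freedombone-controlpanel
+++ b/src/freedombone-controlpanel
@@ -521,6 +521,30 @@ function reset_tripwire {
   any_key
 }
 
+function hubzilla_renew_cert {
+    dialog --title "Renew SSL certificate" \
+           --backtitle "Freedombone Control Panel" \
+           --yesno "\nThis will renew a letsencrypt certificate. Select 'yes' to continue" 16 60
+    sel=$?
+    case $sel in
+        1) return;;
+        255) return;;
+    esac
+    HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
+    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
+       dialog --title "Renew SSL certificate" \
+              --msgbox "Hubzilla install directory not found" 6 40
+       return
+    fi
+    freedombone-renew-cert -h $HUBZILLA_DOMAIN_NAME -p 'letsencrypt'
+    if [ ! "$?" = "0" ]; then
+        any_key
+    else
+        dialog --title "Renew SSL certificate" \
+               --msgbox "Hubzilla certificate has been renewed" 6 40
+    fi
+}
+
 function hubzilla_restore {
     dialog --title "Restore hubzilla from USB backup" \
            --backtitle "Freedombone Control Panel" \
@@ -542,7 +566,7 @@ function hubzilla_channel_directory_server {
        return
     fi
     HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
-    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then
+    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
        dialog --title "Hubzilla channel directory server" \
               --msgbox "Hubzilla install directory not found" 6 40
        return
@@ -713,10 +737,11 @@ function menu_hubzilla {
         trap "rm -f $data" 0 1 2 5 15
         dialog --backtitle "Freedombone Control Panel" \
                --title "Hubzilla" \
-               --radiolist "Choose an operation:" 12 70 3 \
+               --radiolist "Choose an operation:" 13 70 4 \
                1 "Restore from usb backup" off \
                2 "Set channel directory server" off \
-               3 "Back to main menu" on 2> $data
+               3 "Renew SSL certificate" off \
+               4 "Back to main menu" on 2> $data
         sel=$?
         case $sel in
             1) break;;
@@ -725,7 +750,8 @@ function menu_hubzilla {
         case $(cat $data) in
             1) hubzilla_restore;;
             2) hubzilla_channel_directory_server;;
-            3) break;;
+            3) hubzilla_renew_cert;;
+            4) break;;
         esac
     done
 }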
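Review bot: In hubzilla_renew_cert the failure path only calls `any_key`, so when `freedombone-renew-cert` exits non-zero the user gets no dialog telling them the renewal failed and the certificate is still the old one; the renew script's own message goes to plain stdout and is easy to miss behind the curses UI. A `dialog --title "Renew SSL certificate" --msgbox "Certificate renewal failed" 6 40` before `any_key` would make the outcome explicit. The `HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')` line is a useless use of cat copied from hubzilla_channel_directory_server; `grep "Hubzilla domain" $COMPLETION_FILE | awk -F ':' '{print $2}'` yields the same value. The `$HUBZILLA_DOMAIN_NAME` expansions are unquoted throughout, which matches the file's existing style but is worth quoting in new code since the value is read from a file.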

+ 23
- 7
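--- a/src/freedombone-renew-cert
+++ b/src/freedombone-renew-cert
@@ -30,6 +30,8 @@
 
 HOSTNAME=
 PROVIDER='startssl'
+DH_KEYLENGTH=2048
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
 function show_help {
     echo ''
@@ -44,14 +46,28 @@ function show_help {
     exit 0
 }
 
-function renew_startssl {
-    echo "Renewing Let's Encrypt certificate"
-    letsencrypt renew \
-                --cert-path /etc/ssl/certs/$HOSTNAME.crt \
-                --key-path /etc/ssl/private/$HOSTNAME.key
-    if [ ! "$?" = "0" ]; then
-        echo "Unable to renew Let's encrypt certificate"
+function renew_letsencrypt {
+    if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
+        echo "Adding Let's Encrypt certificate"
+        freedombone-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+        if [ ! "$?" = "0" ]; then
+            echo "Unable to add Let's encrypt certificate"
+            exit 6328
+        fi
+    else
+        echo "Renewing Let's Encrypt certificate"
+        letsencrypt renew \
+                    --cert-path /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem \
+                    --key-path /etc/letsencrypt/live/${HOSTNAME}/privkey.pem
+        if [ ! "$?" = "0" ]; then
+            echo "Unable to renew Let's encrypt certificate"
+            exit 2624
+        fi
     fi
+
+    # Ensure that links are in place
+    ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
+    ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
 }
 
 function renew_startssl {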
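Review bot: The two unconditional `ln -s` lines at the end of renew_letsencrypt will fail with 'File exists' on every run after the first, and if a regular file is still present at `/etc/ssl/private/${HOSTNAME}.key` or `/etc/ssl/certs/${HOSTNAME}.pem` (left by an earlier self-signed install or a restore) no link is created and the web server keeps serving the stale key and chain; the script has no `set -e`, so apart from ln's message this is silent. Either follow freedombone-addcert and move an existing regular file to `.old` before linking, or make the step idempotent with `[ -L /etc/ssl/private/${HOSTNAME}.key ] || ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key` (and likewise for the `.pem`). The renew branch also never reloads nginx, whereas freedombone-addcert does at its end, so a renewed certificate is not served until something else restarts the web server; `if [ -f /etc/init.d/nginx ]; then /etc/init.d/nginx reload; fi` after the link step would close that gap.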

+ 1
- 1
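--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -452,7 +452,7 @@ function renew_letsencrypt {
 	  return	  
   fi
 
-  freedombone-renew-cert -h $renew_domain -p letsencrypt
+  freedombone-renew-cert -h $renew_domain -p 'letsencrypt'
 
   exit 0
 }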