More preparation for letsencrypt

src/freedombone

@@ -429,6 +429,9 @@ DH_KEYLENGTH=2048
 # repo for atheros AR9271 wifi driver
 ATHEROS_WIFI_REPO='https://github.com/qca/open-ath9k-htc-firmware.git'
 
+LETSENCRYPT_ENABLED="no"
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+
 function show_help {
   echo ''
   echo 'freedombone -c [configuration file]'
@@ -788,6 +791,9 @@ function read_configuration {
   fi
 
   if [ -f $CONFIGURATION_FILE ]; then
+      if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then
+          LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+      fi
       if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then
           HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
       fi
@@ -1185,13 +1191,24 @@ function check_certificates {
   if [ ! $1 ]; then
       return
   fi
-  if [ ! -f /etc/ssl/private/$1.key ]; then
-      echo "Private certificate for $CHECK_HOSTNAME was not created"
-      exit 63959
-  fi
-  if [ ! -f /etc/ssl/certs/$1.crt ]; then
-      echo "Public certificate for $CHECK_HOSTNAME was not created"
-      exit 7679
+  if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+      if [ ! -f /etc/ssl/private/$1.key ]; then
+          echo "Private certificate for $CHECK_HOSTNAME was not created"
+          exit 63959
+      fi
+      if [ ! -f /etc/ssl/certs/$1.crt ]; then
+          echo "Public certificate for $CHECK_HOSTNAME was not created"
+          exit 7679
+      fi
+  else
+      if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
+          echo "Private certificate for $CHECK_HOSTNAME was not created"
+          exit 6282
+      fi
+      if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
+          echo "Public certificate for $CHECK_HOSTNAME was not created"
+          exit 5328
+      fi
   fi
   if [ ! -f /etc/ssl/certs/$1.dhparam ]; then
       echo "Diffie–Hellman parameters for $CHECK_HOSTNAME were not created"
@@ -3072,9 +3089,14 @@ function restore_database {
   echo '            rm -rf $USB_MOUNT' >> $script_name
   echo '            exit 683' >> $script_name
   echo '          fi' >> $script_name
-  echo '          # Ensure that the bundled SSL cert is being used' >> $script_name
-  echo '          if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name
-  echo '            sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name
+  echo '          if [ -d /etc/letsencrypt/live/${2} ]; then' >> $script_name
+  echo '            ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> $script_name
+  echo '            ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> $script_name
+  echo '          else' >> $script_name
+  echo '            # Ensure that the bundled SSL cert is being used' >> $script_name
+  echo '            if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> $script_name
+  echo '              sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> $script_name
+  echo '            fi' >> $script_name
   echo '          fi' >> $script_name
   echo '        fi' >> $script_name
   echo '      fi' >> $script_name
@@ -3698,6 +3720,10 @@ function create_restore_script {
   echo "  if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo "    sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
 
@@ -3739,7 +3765,10 @@ function create_restore_script {
   echo '      fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '    fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '  done' >> /usr/bin/$RESTORE_SCRIPT_NAME
-
+  echo "  if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_SCRIPT_NAME  
   echo 'fi' >> /usr/bin/$RESTORE_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_SCRIPT_NAME
 
@@ -4822,9 +4851,14 @@ function restore_database_from_friend {
   echo '          if [ ! "$?" = "0" ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '            exit 683' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '          fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '          # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '          if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
-  echo '            sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '          if [ -d /etc/letsencrypt/live/${2} ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              ln -s /etc/letsencrypt/live/${2}/privkey.pem /etc/ssl/private/${2}.key' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              ln -s /etc/letsencrypt/live/${2}/fullchain.pem /etc/ssl/certs/${2}.pem' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '          else' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME  
+  echo '              # Ensure that the bundled SSL cert is being used' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              if [ -f /etc/ssl/certs/${2}.bundle.crt ]; then' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '                  sed -i "s|${2}.crt|${2}.bundle.crt|g" /etc/nginx/sites-available/${2}' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '              fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '          fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '        fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '      fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
@@ -5402,6 +5436,10 @@ function restore_from_friend {
   echo "  if [ -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.bundle.crt ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo "    sed -i 's|$WIKI_DOMAIN_NAME.crt|$WIKI_DOMAIN_NAME.bundle.crt|g' /etc/nginx/sites-available/$WIKI_DOMAIN_NAME" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${WIKI_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${WIKI_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${WIKI_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${WIKI_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
 
@@ -5440,6 +5478,10 @@ function restore_from_friend {
   echo '/$USERNAME/blog/uncategorized/post ' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '    fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '  done' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "  if [ -d /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME} ]; then" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${FULLBLOG_DOMAIN_NAME}.key" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo "      ln -s /etc/letsencrypt/live/${FULLBLOG_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${FULLBLOG_DOMAIN_NAME}.pem" >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+  echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
   echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
 
@@ -7128,7 +7170,11 @@ function configure_imap_client_certs {
   fi
   # make a CA cert
   if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
-      freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
   fi
   # CA configuration
   echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
@@ -8142,44 +8188,6 @@ function install_web_server {
   echo 'install_web_server' >> $COMPLETION_FILE
 }
 
-function install_letsencrypt {
-  if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
-      return
-  fi
-  if grep -Fxq "install_letsencrypt" $COMPLETION_FILE; then
-      return
-  fi
-  #apt-get -y install python-pip git
-  #pip install -U setuptools
-  #pip install --upgrade cffi
-  cd $INSTALL_DIR
-
-  # This is experimental developer preview and I hope at some stage
-  # there will be a debian package for it.
-
-  # obtain the repo
-  if [ ! -d $INSTALL_DIR/letsencrypt ]; then
-      git clone https://github.com/letsencrypt/letsencrypt
-      if [ ! -d $INSTALL_DIR/letsencrypt ]; then
-          exit 76283
-      fi
-  else
-      cd $INSTALL_DIR/letsencrypt
-      git stash
-      git pull
-  fi
-
-  cd $INSTALL_DIR/letsencrypt
-  # TODO this requires user interaction - is there a non-interactive mode?
-  ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly
-  if [ ! "$?" = "0" ]; then
-      echo 'Failed to install letsencrypt'
-      exit 63216
-  fi
-
-  echo 'install_letsencrypt' >> $COMPLETION_FILE
-}
-
 function configure_php {
   sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
   sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
@@ -8591,7 +8599,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $OWNCLOUD_DOMAIN_NAME
   fi
 
@@ -8840,7 +8852,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $GIT_DOMAIN_NAME
   fi
 
@@ -9298,7 +9314,11 @@ function install_wiki {
       rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
   fi
   if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $WIKI_DOMAIN_NAME
   fi
 
@@ -9582,7 +9602,11 @@ function install_blog {
   chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
 
   if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $FULLBLOG_DOMAIN_NAME
   fi
 
@@ -9948,7 +9972,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $MICROBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $MICROBLOG_DOMAIN_NAME
   fi
 
@@ -10244,7 +10272,11 @@ quit" > $INSTALL_DIR/batch.sql
   configure_php
 
   if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $HUBZILLA_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $HUBZILLA_DOMAIN_NAME
   fi
 
@@ -10569,7 +10601,11 @@ function install_mediagoblin {
   echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME
 
   if [ ! -f /etc/ssl/certs/$MEDIAGOBLIN_DOMAIN_NAME.dhparam ]; then
-      freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+          freedombone-addcert -h $MEDIAGOBLIN_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+      else
+          freedombone-addcert -e $MEDIAGOBLIN_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+      fi
       check_certificates $MEDIAGOBLIN_DOMAIN_NAME
   fi
 
@@ -11401,7 +11437,6 @@ encrypt_all_email
 import_email
 script_for_attaching_usb_drive
 install_web_server
-#install_letsencrypt
 configure_firewall_for_web_server
 install_owncloud
 install_owncloud_music_app

src/freedombone-addcert

@@ -29,6 +29,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 HOSTNAME=
+LETSENCRYPT_HOSTNAME=
 COUNTRY_CODE="US"
 AREA="Free Speech Zone"
 LOCATION="Freedomville"
@@ -37,6 +38,8 @@ UNIT="Freedombone Unit"
 EXTENSIONS=""
 NODH=
 DH_KEYLENGTH=2048
+INSTALL_DIR=/root/build
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
 function show_help {
     echo ''
@@ -45,16 +48,18 @@ function show_help {
     echo ''
     echo 'Creates a self-signed certificate for the given hostname'
     echo ''
-    echo '     --help                  Show help'
-    echo '  -h --hostname [name]       Hostname'
-    echo '  -c --country [code]        Optional country code (eg. US, GB, etc)'
-    echo '  -a --area [description]    Optional area description'
-    echo '  -l --location [locn]       Optional location name'
-    echo '  -o --organisation [name]   Optional organisation name'
-    echo '  -u --unit [name]           Optional unit name'
-    echo '     --dhkey [bits]          DH key length in bits'
-    echo '     --nodh ""               Do not calculate DH params'
-    echo '     --ca ""                 Certificate authority cert'
+    echo '     --help                   Show help'
+    echo '  -h --hostname [name]        Hostname'
+    echo '  -e --letsencrypt [hostname] Hostname to use with Lets Encrypt'
+    echo '  -s --server [url]           Lets Encrypt server URL'
+    echo '  -c --country [code]         Optional country code (eg. US, GB, etc)'
+    echo '  -a --area [description]     Optional area description'
+    echo '  -l --location [locn]        Optional location name'
+    echo '  -o --organisation [name]    Optional organisation name'
+    echo '  -u --unit [name]            Optional unit name'
+    echo '     --dhkey [bits]           DH key length in bits'
+    echo '     --nodh ""                Do not calculate DH params'
+    echo '     --ca ""                  Certificate authority cert'
     echo ''
     exit 0
 }
@@ -71,6 +76,14 @@ case $key in
     shift
     HOSTNAME="$1"
     ;;
+    -e|--letsencrypt)
+    shift
+    LETSENCRYPT_HOSTNAME="$1"
+    ;;
+    -s|--server)
+    shift
+    LETSENCRYPT_SERVER="$1"
+    ;;
     -c|--country)
     shift
     COUNTRY_CODE="$1"
@@ -112,8 +125,10 @@ shift
 done
 
 if [ ! $HOSTNAME ]; then
-    echo 'No hostname specified'
-    exit 5748
+	if [ ! $LETSENCRYPT_HOSTNAME ]; then
+        echo 'No hostname specified'
+        exit 5748
+	fi
 fi
 
 if ! which openssl > /dev/null ;then
@@ -121,34 +136,94 @@ if ! which openssl > /dev/null ;then
     exit 5689
 fi
 
-CERTFILE=$HOSTNAME
-if [[ $ORGANISATION == "Freedombone-CA" ]]; then
-    CERTFILE="ca-$HOSTNAME"
+if [ ! -d /etc/ssl/mycerts ]; then
+    mkdir /etc/ssl/mycerts
 fi
 
-openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
+if [ $LETSENCRYPT_HOSTNAME ]; then
+    CERTFILE=$LETSENCRYPT_HOSTNAME
+
+	if [ ! -d $INSTALL_DIR ]; then
+		mkdir -p $INSTALL_DIR
+	fi
+	cd $INSTALL_DIR
+
+	# obtain the repo
+	if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+		git clone https://github.com/letsencrypt/letsencrypt
+		if [ ! -d $INSTALL_DIR/letsencrypt ]; then
+			exit 76283
+		fi
+	else
+		cd $INSTALL_DIR/letsencrypt
+		git stash
+		git pull
+	fi
+
+	cd $INSTALL_DIR/letsencrypt
+	# TODO this requires user interaction - is there a non-interactive mode?
+	./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
+	if [ ! "$?" = "0" ]; then
+		echo "Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
+		exit 63216
+	fi
+
+	# replace some legacy filenames
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then
+		mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+	fi
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then
+		mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+	fi
+	sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
+	sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME
+  
+	# link the private key
+	if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then
+		if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then
+			mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
+		fi
+	fi
+	ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key
+
+	# link the public key
+	if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then
+		if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then
+			mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
+		fi
+	fi
+	ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
+
+    cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
+else
+    CERTFILE=$HOSTNAME
+    if [[ $ORGANISATION == "Freedombone-CA" ]]; then
+        CERTFILE="ca-$HOSTNAME"
+    fi
+
+    openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \
         -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
         -newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \
         -out /etc/ssl/certs/$CERTFILE.crt
-if [ ! $NODH ]; then
-    openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+    chmod 400 /etc/ssl/private/$CERTFILE.key
+    chmod 640 /etc/ssl/certs/$CERTFILE.crt
+    cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
 fi
-chmod 400 /etc/ssl/private/$CERTFILE.key
-chmod 640 /etc/ssl/certs/$CERTFILE.crt
-chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
 
-if [ -f /etc/init.d/nginx ]; then
-  /etc/init.d/nginx reload
+# generate DH params
+if [ ! $NODH ]; then
+	if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
+		openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+		chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
+	fi
 fi
 
-# add the public certificate to a separate directory
-# so that we can redistribute it easily
-if [ ! -d /etc/ssl/mycerts ]; then
-  mkdir /etc/ssl/mycerts
+if [ -f /etc/init.d/nginx ]; then
+    /etc/init.d/nginx reload
 fi
-cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts
 
 # Create a bundle of your certificates
-cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
-tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
+cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/freedombone-bundle.crt
+tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem
+
 exit 0

src/freedombone-controlpanel

@@ -521,6 +521,30 @@ function reset_tripwire {
   any_key
 }
 
+function hubzilla_renew_cert {
+    dialog --title "Renew SSL certificate" \
+           --backtitle "Freedombone Control Panel" \
+           --yesno "\nThis will renew a letsencrypt certificate. Select 'yes' to continue" 16 60
+    sel=$?
+    case $sel in
+        1) return;;
+        255) return;;
+    esac
+    HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
+    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
+       dialog --title "Renew SSL certificate" \
+              --msgbox "Hubzilla install directory not found" 6 40
+       return
+    fi
+    freedombone-renew-cert -h $HUBZILLA_DOMAIN_NAME -p 'letsencrypt'
+    if [ ! "$?" = "0" ]; then
+        any_key
+    else
+        dialog --title "Renew SSL certificate" \
+               --msgbox "Hubzilla certificate has been renewed" 6 40
+    fi
+}
+
 function hubzilla_restore {
     dialog --title "Restore hubzilla from USB backup" \
            --backtitle "Freedombone Control Panel" \
@@ -542,7 +566,7 @@ function hubzilla_channel_directory_server {
        return
     fi
     HUBZILLA_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Hubzilla domain" | awk -F ':' '{print $2}')
-    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then
+    if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs ]; then
        dialog --title "Hubzilla channel directory server" \
               --msgbox "Hubzilla install directory not found" 6 40
        return
@@ -713,10 +737,11 @@ function menu_hubzilla {
         trap "rm -f $data" 0 1 2 5 15
         dialog --backtitle "Freedombone Control Panel" \
                --title "Hubzilla" \
-               --radiolist "Choose an operation:" 12 70 3 \
+               --radiolist "Choose an operation:" 13 70 4 \
                1 "Restore from usb backup" off \
                2 "Set channel directory server" off \
-               3 "Back to main menu" on 2> $data
+               3 "Renew SSL certificate" off \
+               4 "Back to main menu" on 2> $data
         sel=$?
         case $sel in
             1) break;;
@@ -725,7 +750,8 @@ function menu_hubzilla {
         case $(cat $data) in
             1) hubzilla_restore;;
             2) hubzilla_channel_directory_server;;
-            3) break;;
+            3) hubzilla_renew_cert;;
+            4) break;;
         esac
     done
 }

src/freedombone-renew-cert

@@ -30,6 +30,8 @@
 
 HOSTNAME=
 PROVIDER='startssl'
+DH_KEYLENGTH=2048
+LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
 function show_help {
     echo ''
@@ -44,14 +46,28 @@ function show_help {
     exit 0
 }
 
-function renew_startssl {
-    echo "Renewing Let's Encrypt certificate"
-    letsencrypt renew \
-                --cert-path /etc/ssl/certs/$HOSTNAME.crt \
-                --key-path /etc/ssl/private/$HOSTNAME.key
-    if [ ! "$?" = "0" ]; then
-        echo "Unable to renew Let's encrypt certificate"
+function renew_letsencrypt {
+    if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
+        echo "Adding Let's Encrypt certificate"
+        freedombone-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+        if [ ! "$?" = "0" ]; then
+            echo "Unable to add Let's encrypt certificate"
+            exit 6328
+        fi
+    else
+        echo "Renewing Let's Encrypt certificate"
+        letsencrypt renew \
+                    --cert-path /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem \
+                    --key-path /etc/letsencrypt/live/${HOSTNAME}/privkey.pem
+        if [ ! "$?" = "0" ]; then
+            echo "Unable to renew Let's encrypt certificate"
+            exit 2624
+        fi
     fi
+
+    # Ensure that links are in place
+    ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
+    ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
 }
 
 function renew_startssl {

src/freedombone-sec

@@ -452,7 +452,7 @@ function renew_letsencrypt {
 	  return	  
   fi
 
-  freedombone-renew-cert -h $renew_domain -p letsencrypt
+  freedombone-renew-cert -h $renew_domain -p 'letsencrypt'
 
   exit 0
 }