free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
1973 Commits
5 Branches
Tree: 2a9de7cb00
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2a9de7cb00'
${ noResults }
freedombone/src/freedombone-renew-cert

freedombone-renew-cert 6.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # A script for renewing SSL/TLS certificates

  12. 

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  26. # GNU General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU General Public License

  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. HOSTNAME=

  32. PROVIDER='startssl'

  33. 

  34. function show_help {

  35.     echo ''

  36.     echo 'freedombone-renew-cert -h [hostname] -p [provider]'

  37.     echo ''

  38.     echo 'Makes it easier to renew a ssl/tls certificate for a website'

  39.     echo ''

  40.     echo '     --help                  Show help'

  41.     echo '  -h --hostname [name]       Hostname'

  42.     echo '  -p --provider [name]       eg. startssl'

  43.     echo ''

  44.     exit 0

  45. }

  46. 

  47. function renew_startssl {

  48.     echo 'Renewing StartSSL certificate'

  49.     if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then

  50.         if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then

  51.             echo '/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'

  52.             return

  53.         fi

  54. 

  55.         cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt

  56. 

  57.         if [ ! -d /etc/ssl/roots ]; then

  58.             mkdir /etc/ssl/roots

  59.         fi

  60.         if [ ! -d /etc/ssl/chains ]; then

  61.             mkdir /etc/ssl/chains

  62.         fi

  63. 

  64.         # download intermediate certs

  65.         wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"

  66.         wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"

  67.         wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"

  68.         wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"

  69.         ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"

  70.         ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"

  71.         cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  72.         test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  73.         test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  74. 

  75.         # remove the password from the private cert

  76.         openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key

  77.         cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key

  78.         shred -zu /etc/ssl/private/$HOSTNAME.new.key

  79. 

  80.         # bundle the cert

  81.         cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt

  82. 

  83.         # add it to mycerts

  84.         cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts

  85.         cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt

  86.         tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt

  87. 

  88.         # create backups

  89.         if [ ! -d /etc/ssl/backups ]; then

  90.             mkdir /etc/ssl/backups

  91.         fi

  92.         if [ ! -d /etc/ssl/backups/certs ]; then

  93.             mkdir /etc/ssl/backups/certs

  94.         fi

  95.         if [ ! -d /etc/ssl/backups/private ]; then

  96.             mkdir /etc/ssl/backups/private

  97.         fi

  98.         cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/

  99.         cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/

  100.         chmod -R 400 /etc/ssl/backups/certs/*

  101.         chmod -R 400 /etc/ssl/backups/private/*

  102. 

  103.         rm /etc/ssl/certs/$HOSTNAME.new.crt

  104.         rm /etc/ssl/requests/$HOSTNAME.csr

  105. 

  106.         # update your site to include the bundle

  107.         sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME

  108. 

  109.         echo 'Certificate installed'

  110.         service nginx restart

  111.         return

  112.     fi

  113. 

  114.     if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then

  115.         echo 'Certificate request already created:'

  116.         echo ''

  117.         cat /etc/ssl/requests/$HOSTNAME.csr

  118.         echo ''

  119.         echo "Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"

  120.         echo 'then run this command again.'

  121.         echo ''

  122.         return

  123.     fi

  124.     openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048

  125.     chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key

  126.     chmod 440 /etc/ssl/private/$HOSTNAME.new.key

  127.     if [ ! -d /etc/ssl/requests ]; then

  128.         mkdir /etc/ssl/requests

  129.     fi

  130.     openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr

  131.     echo ''

  132.     cat /etc/ssl/requests/$HOSTNAME.csr

  133.     echo ''

  134.     echo 'On the StartSSL site select Certificates Wizard then'

  135.     echo 'Web server SSL/TLS Certificate. You can then click on "skip"'

  136.     echo 'and then copy and paste the above certificate request into the text'

  137.     echo 'entry box. You may now need to wait a few hours for a confirmation'

  138.     echo 'email indicating that the new certificate was created.'

  139.     echo ''

  140.     echo 'Once you have retrieved the new public certificate paste it to:'

  141.     echo "/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."

  142.     echo ''

  143. }

  144. 

  145. while [[ $# > 1 ]]

  146. do

  147. key="$1"

  148. 

  149. case $key in

  150.     --help)

  151.     show_help

  152.     ;;

  153.     -h|--hostname)

  154.     shift

  155.     HOSTNAME="$1"

  156.     ;;

  157.     -p|--provider)

  158.     shift

  159.     PROVIDER="$1"

  160.     ;;

  161.     *)

  162.     # unknown option

  163.     ;;

  164. esac

  165. shift

  166. done

  167. 

  168. if [ ! $HOSTNAME ]; then

  169.     echo 'No hostname specified'

  170.     exit 5748

  171. fi

  172. 

  173. if ! which openssl > /dev/null ;then

  174.     echo "$0: openssl is not installed, exiting" 1>&2

  175.     exit 5689

  176. fi

  177. 

  178. # check that the web site exists

  179. if [ ! -f /etc/nginx/sites-available/$HOSTNAME ]; then

  180.     echo "/etc/nginx/sites-available/$HOSTNAME does not exist"

  181.     exit 7598

  182. fi

  183. 

  184. if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then

  185.     renew_startssl

  186. else

  187.     echo "$PROVIDER is not currently supported"

  188. fi

  189. 

  190. exit 0