free
/
freedombone
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
9636 Incheckningar
5 Grenar
Träd: 3fe5830e02
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from '3fe5830e02'
${ noResults }
freedombone/src/freedombone-renew-cert

freedombone-renew-cert 7.6KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # A script for renewing SSL/TLS certificates

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. PROJECT_NAME='freedombone'

  30. 

  31. export TEXTDOMAIN=${PROJECT_NAME}-renew-cert

  32. export TEXTDOMAINDIR="/usr/share/locale"

  33. 

  34. HOSTNAME=

  35. PROVIDER='startssl'

  36. DH_KEYLENGTH=2048

  37. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  38. INSTALL_DIR=/root/build

  39. 

  40. function show_help {

  41.     echo ''

  42.     echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"

  43.     echo ''

  44.     echo $'Makes it easier to renew a ssl/tls certificate for a website'

  45.     echo ''

  46.     echo $'     --help                  Show help'

  47.     echo $'  -h --hostname [name]       Hostname'

  48.     echo $'  -p --provider [name]       eg. startssl/letsencrypt'

  49.     echo ''

  50.     exit 0

  51. }

  52. 

  53. function renew_letsencrypt {

  54.     if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then

  55.         echo $"Adding Let's Encrypt certificate"

  56.     else

  57.         echo $"Renewing Let's Encrypt certificate"

  58.     fi

  59. 

  60.     if ! ${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH; then

  61.         echo $"Unable to add Let's encrypt certificate"

  62.         exit 6328

  63.     fi

  64. 

  65.     # Ensure that links are in place

  66.     ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key

  67.     ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem

  68. 

  69.     ${PROJECT_NAME}-pin-cert $HOSTNAME remove

  70. }

  71. 

  72. function renew_startssl {

  73.     echo $'Renewing StartSSL certificate'

  74.     if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then

  75.         if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then

  76.             echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'

  77.             return

  78.         fi

  79. 

  80.         cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt

  81. 

  82.         if [ ! -d /etc/ssl/roots ]; then

  83.             mkdir /etc/ssl/roots

  84.         fi

  85.         if [ ! -d /etc/ssl/chains ]; then

  86.             mkdir /etc/ssl/chains

  87.         fi

  88. 

  89.         # download intermediate certs

  90.         wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"

  91.         wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"

  92.         wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"

  93.         wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"

  94.         ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"

  95.         ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"

  96.         cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  97.         test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  98.         test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"

  99. 

  100.         # remove the password from the private cert

  101.         openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key

  102.         cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key

  103.         shred -zu /etc/ssl/private/$HOSTNAME.new.key

  104. 

  105.         # bundle the cert

  106.         cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt

  107. 

  108.         # add it to mycerts

  109.         cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts

  110.         cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt

  111.         tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt

  112. 

  113.         # create backups

  114.         if [ ! -d /etc/ssl/backups ]; then

  115.             mkdir /etc/ssl/backups

  116.         fi

  117.         if [ ! -d /etc/ssl/backups/certs ]; then

  118.             mkdir /etc/ssl/backups/certs

  119.         fi

  120.         if [ ! -d /etc/ssl/backups/private ]; then

  121.             mkdir /etc/ssl/backups/private

  122.         fi

  123.         cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/

  124.         cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/

  125.         chmod -R 400 /etc/ssl/backups/certs/*

  126.         chmod -R 400 /etc/ssl/backups/private/*

  127. 

  128.         rm /etc/ssl/certs/$HOSTNAME.new.crt

  129.         rm /etc/ssl/requests/$HOSTNAME.csr

  130. 

  131.         # update your site to include the bundle

  132.         sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME

  133. 

  134.         echo $'Certificate installed'

  135.         systemctl restart nginx

  136.         return

  137.     fi

  138. 

  139.     if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then

  140.         echo $'Certificate request already created:'

  141.         echo ''

  142.         cat /etc/ssl/requests/$HOSTNAME.csr

  143.         echo ''

  144.         echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"

  145.         echo $'then run this command again.'

  146.         echo ''

  147.         return

  148.     fi

  149.     openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048

  150.     chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key

  151.     chmod 440 /etc/ssl/private/$HOSTNAME.new.key

  152.     if [ ! -d /etc/ssl/requests ]; then

  153.         mkdir /etc/ssl/requests

  154.     fi

  155.     openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr

  156.     echo ''

  157.     cat /etc/ssl/requests/$HOSTNAME.csr

  158.     echo ''

  159.     echo $'On the StartSSL site select Certificates Wizard then'

  160.     echo $'Web server SSL/TLS Certificate. You can then click on "skip"'

  161.     echo $'and then copy and paste the above certificate request into the text'

  162.     echo $'entry box. You may now need to wait a few hours for a confirmation'

  163.     echo $'email indicating that the new certificate was created.'

  164.     echo ''

  165.     echo $'Once you have retrieved the new public certificate paste it to:'

  166.     echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."

  167.     echo ''

  168. 

  169.     ${PROJECT_NAME}-pin-cert $HOSTNAME remove

  170. }

  171. 

  172. while [ $# -gt 1 ]

  173. do

  174. key="$1"

  175. 

  176. case $key in

  177.     --help)

  178.     show_help

  179.     ;;

  180.     -h|--hostname)

  181.     shift

  182.     HOSTNAME="$1"

  183.     ;;

  184.     -p|--provider)

  185.     shift

  186.     PROVIDER="$1"

  187.     ;;

  188.     *)

  189.     # unknown option

  190.     ;;

  191. esac

  192. shift

  193. done

  194. 

  195. if [ ! "$HOSTNAME" ]; then

  196.     echo $'No hostname specified'

  197.     exit 5748

  198. fi

  199. 

  200. if ! which openssl > /dev/null ;then

  201.     echo $"$0: openssl is not installed, exiting" 1>&2

  202.     exit 5689

  203. fi

  204. 

  205. # check that the web site exists

  206. if [ ! -f "/etc/nginx/sites-available/$HOSTNAME" ]; then

  207.     echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"

  208.     exit 7598

  209. fi

  210. 

  211. if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then

  212.     renew_startssl

  213. else

  214.     if [[ $PROVIDER == 'letsencrypt' ]]; then

  215.         renew_letsencrypt

  216.     else

  217.         echo $"$PROVIDER is not currently supported"

  218.     fi

  219. fi

  220. 

  221. exit 0