freedombone-renew-cert 7.6KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # A script for renewing SSL/TLS certificates
  12. # License
  13. # =======
  14. #
  15. # Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
  16. #
  17. # This program is free software: you can redistribute it and/or modify
  18. # it under the terms of the GNU Affero General Public License as published by
  19. # the Free Software Foundation, either version 3 of the License, or
  20. # (at your option) any later version.
  21. #
  22. # This program is distributed in the hope that it will be useful,
  23. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  24. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  25. # GNU Affero General Public License for more details.
  26. #
  27. # You should have received a copy of the GNU Affero General Public License
  28. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  29. PROJECT_NAME='freedombone'
  30. export TEXTDOMAIN=${PROJECT_NAME}-renew-cert
  31. export TEXTDOMAINDIR="/usr/share/locale"
  32. HOSTNAME=
  33. PROVIDER='startssl'
  34. DH_KEYLENGTH=2048
  35. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  36. INSTALL_DIR=/root/build
  37. function show_help {
  38. echo ''
  39. echo $"${PROJECT_NAME}-renew-cert -h [hostname] -p [provider]"
  40. echo ''
  41. echo $'Makes it easier to renew a ssl/tls certificate for a website'
  42. echo ''
  43. echo $' --help Show help'
  44. echo $' -h --hostname [name] Hostname'
  45. echo $' -p --provider [name] eg. startssl/letsencrypt'
  46. echo ''
  47. exit 0
  48. }
  49. function renew_letsencrypt {
  50. if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem ]; then
  51. echo $"Adding Let's Encrypt certificate"
  52. else
  53. echo $"Renewing Let's Encrypt certificate"
  54. fi
  55. if ! ${PROJECT_NAME}-addcert -e $HOSTNAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH; then
  56. echo $"Unable to add Let's encrypt certificate"
  57. exit 6328
  58. fi
  59. # Ensure that links are in place
  60. ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
  61. ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
  62. ${PROJECT_NAME}-pin-cert $HOSTNAME remove
  63. }
  64. function renew_startssl {
  65. echo $'Renewing StartSSL certificate'
  66. if [ -s /etc/ssl/certs/$HOSTNAME.new.crt ]; then
  67. if ! grep -q "-BEGIN CERTIFICATE-" /etc/ssl/certs/$HOSTNAME.new.crt; then
  68. echo $'/etc/ssl/certs/$HOSTNAME.new.crt does not contain a public key'
  69. return
  70. fi
  71. cp /etc/ssl/certs/$HOSTNAME.new.crt /etc/ssl/certs/$HOSTNAME.crt
  72. if [ ! -d /etc/ssl/roots ]; then
  73. mkdir /etc/ssl/roots
  74. fi
  75. if [ ! -d /etc/ssl/chains ]; then
  76. mkdir /etc/ssl/chains
  77. fi
  78. # download intermediate certs
  79. wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
  80. wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
  81. wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
  82. wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
  83. ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
  84. ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
  85. cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
  86. test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
  87. test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
  88. # remove the password from the private cert
  89. openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
  90. cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
  91. shred -zu /etc/ssl/private/$HOSTNAME.new.key
  92. # bundle the cert
  93. cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
  94. # add it to mycerts
  95. cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
  96. cat /etc/ssl/mycerts/*.crt > /etc/ssl/${PROJECT_NAME}-bundle.crt
  97. tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt
  98. # create backups
  99. if [ ! -d /etc/ssl/backups ]; then
  100. mkdir /etc/ssl/backups
  101. fi
  102. if [ ! -d /etc/ssl/backups/certs ]; then
  103. mkdir /etc/ssl/backups/certs
  104. fi
  105. if [ ! -d /etc/ssl/backups/private ]; then
  106. mkdir /etc/ssl/backups/private
  107. fi
  108. cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
  109. cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
  110. chmod -R 400 /etc/ssl/backups/certs/*
  111. chmod -R 400 /etc/ssl/backups/private/*
  112. rm /etc/ssl/certs/$HOSTNAME.new.crt
  113. rm /etc/ssl/requests/$HOSTNAME.csr
  114. # update your site to include the bundle
  115. sed -i "s|$HOSTNAME.crt|$HOSTNAME.bundle.crt|g" /etc/nginx/sites-available/$HOSTNAME
  116. echo $'Certificate installed'
  117. systemctl restart nginx
  118. return
  119. fi
  120. if [ -f /etc/ssl/requests/$HOSTNAME.csr ]; then
  121. echo $'Certificate request already created:'
  122. echo ''
  123. cat /etc/ssl/requests/$HOSTNAME.csr
  124. echo ''
  125. echo $"Save the requested public key to /etc/ssl/certs/$HOSTNAME.new.crt"
  126. echo $'then run this command again.'
  127. echo ''
  128. return
  129. fi
  130. openssl genrsa -out /etc/ssl/private/$HOSTNAME.new.key 2048
  131. chown root:ssl-cert /etc/ssl/private/$HOSTNAME.new.key
  132. chmod 440 /etc/ssl/private/$HOSTNAME.new.key
  133. if [ ! -d /etc/ssl/requests ]; then
  134. mkdir /etc/ssl/requests
  135. fi
  136. openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.new.key -out /etc/ssl/requests/$HOSTNAME.csr
  137. echo ''
  138. cat /etc/ssl/requests/$HOSTNAME.csr
  139. echo ''
  140. echo $'On the StartSSL site select Certificates Wizard then'
  141. echo $'Web server SSL/TLS Certificate. You can then click on "skip"'
  142. echo $'and then copy and paste the above certificate request into the text'
  143. echo $'entry box. You may now need to wait a few hours for a confirmation'
  144. echo $'email indicating that the new certificate was created.'
  145. echo ''
  146. echo $'Once you have retrieved the new public certificate paste it to:'
  147. echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
  148. echo ''
  149. ${PROJECT_NAME}-pin-cert $HOSTNAME remove
  150. }
  151. while [ $# -gt 1 ]
  152. do
  153. key="$1"
  154. case $key in
  155. --help)
  156. show_help
  157. ;;
  158. -h|--hostname)
  159. shift
  160. HOSTNAME="$1"
  161. ;;
  162. -p|--provider)
  163. shift
  164. PROVIDER="$1"
  165. ;;
  166. *)
  167. # unknown option
  168. ;;
  169. esac
  170. shift
  171. done
  172. if [ ! "$HOSTNAME" ]; then
  173. echo $'No hostname specified'
  174. exit 5748
  175. fi
  176. if ! which openssl > /dev/null ;then
  177. echo $"$0: openssl is not installed, exiting" 1>&2
  178. exit 5689
  179. fi
  180. # check that the web site exists
  181. if [ ! -f "/etc/nginx/sites-available/$HOSTNAME" ]; then
  182. echo $"/etc/nginx/sites-available/$HOSTNAME does not exist"
  183. exit 7598
  184. fi
  185. if [[ $PROVIDER == 'startssl' || $PROVIDER == 'StartSSL' ]]; then
  186. renew_startssl
  187. else
  188. if [[ $PROVIDER == 'letsencrypt' ]]; then
  189. renew_letsencrypt
  190. else
  191. echo $"$PROVIDER is not currently supported"
  192. fi
  193. fi
  194. exit 0