free
/
freedombone
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
8167 Commits
5 Branches
Struktur: e29fe7b88b
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von 'e29fe7b88b'
${ noResults }
freedombone/src/freedombone-addcert

freedombone-addcert 11KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Create self-signed or Let's Encrypt certificates on Debian

  12. 

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-addcert

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  37. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.   source $f

  43. done

  44. 

  45. # Don't pin certs by default

  46. PIN_CERTS=

  47. 

  48. HOSTNAME=

  49. remove_cert=

  50. LETSENCRYPT_HOSTNAME=

  51. COUNTRY_CODE="US"

  52. AREA="Apparent Free Speech Zone"

  53. LOCATION="Freedomville"

  54. ORGANISATION="Freedombone"

  55. UNIT="Freedombone Unit"

  56. EXTENSIONS=""

  57. NODH=

  58. DH_KEYLENGTH=2048

  59. INSTALL_DIR=/root/build

  60. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  61. MY_EMAIL_ADDRESS=

  62. 

  63. function show_help {

  64.     echo ''

  65.     echo $"${PROJECT_NAME}-addcert -h [hostname] -c [country code] -a [area] -l [location]"

  66.     echo $'                    -o [organisation] -u [unit] --ca "" --nodh ""'

  67.     echo ''

  68.     echo $'Creates a self-signed certificate for the given hostname'

  69.     echo ''

  70.     echo $'     --help                     Show help'

  71.     echo $'  -h --hostname [name]          Hostname'

  72.     echo $'  -e --letsencrypt [hostname]   Hostname to use with Lets Encrypt'

  73.     echo $'  -r --rmletsencrypt [hostname] Remove a Lets Encrypt certificate'

  74.     echo $'  -s --server [url]             Lets Encrypt server URL'

  75.     echo $'  -c --country [code]           Optional country code (eg. US, GB, etc)'

  76.     echo $'  -a --area [description]       Optional area description'

  77.     echo $'  -l --location [locn]          Optional location name'

  78.     echo $'  -o --organisation [name]      Optional organisation name'

  79.     echo $'  -u --unit [name]              Optional unit name'

  80.     echo $'     --email [address]          Email address for letsencrypt'

  81.     echo $'     --dhkey [bits]             DH key length in bits'

  82.     echo $'     --nodh ""                  Do not calculate DH params'

  83.     echo $'     --ca ""                    Certificate authority cert'

  84.     echo ''

  85.     exit 0

  86. }

  87. 

  88. while [[ $# > 1 ]]

  89. do

  90.     key="$1"

  91. 

  92.     case $key in

  93.         --help)

  94.             show_help

  95.             ;;

  96.         -h|--hostname)

  97.             shift

  98.             HOSTNAME="$1"

  99.             ;;

  100.         -e|--letsencrypt)

  101.             shift

  102.             LETSENCRYPT_HOSTNAME="$1"

  103.             ;;

  104.         -r|--rmletsencrypt)

  105.             shift

  106.             LETSENCRYPT_HOSTNAME="$1"

  107.             remove_cert=1

  108.             ;;

  109.         --email)

  110.             shift

  111.             MY_EMAIL_ADDRESS="$1"

  112.             ;;

  113.         -s|--server)

  114.             shift

  115.             LETSENCRYPT_SERVER="$1"

  116.             ;;

  117.         -c|--country)

  118.             shift

  119.             COUNTRY_CODE="$1"

  120.             ;;

  121.         -a|--area)

  122.             shift

  123.             AREA="$1"

  124.             ;;

  125.         -l|--location)

  126.             shift

  127.             LOCATION="$1"

  128.             ;;

  129.         -o|--organisation)

  130.             shift

  131.             ORGANISATION="$1"

  132.             ;;

  133.         -u|--unit)

  134.             shift

  135.             UNIT="$1"

  136.             ;;

  137.         --ca)

  138.             shift

  139.             EXTENSIONS="-extensions v3_ca"

  140.             ORGANISATION="Freedombone-CA"

  141.             ;;

  142.         --nodh)

  143.             shift

  144.             NODH="true"

  145.             ;;

  146.         --dhkey)

  147.             shift

  148.             DH_KEYLENGTH=${1}

  149.             ;;

  150.         --pin)

  151.             shift

  152.             PIN_CERTS=${1}

  153.             ;;

  154.         *)

  155.             # unknown option

  156.             ;;

  157.     esac

  158.     shift

  159. done

  160. 

  161. if [ ! $HOSTNAME ]; then

  162.     if [ ! $LETSENCRYPT_HOSTNAME ]; then

  163.         echo $'No hostname specified'

  164.         exit 5748

  165.     fi

  166. fi

  167. 

  168. if ! which openssl > /dev/null ;then

  169.     echo $"$0: openssl is not installed, exiting" 1>&2

  170.     exit 5689

  171. fi

  172. 

  173. if [ ! -d /etc/ssl/mycerts ]; then

  174.     mkdir /etc/ssl/mycerts

  175. fi

  176. 

  177. CERTFILE=$HOSTNAME

  178. 

  179. function remove_cert_letsencrypt {

  180.     CERTFILE=$LETSENCRYPT_HOSTNAME

  181. 

  182.     # disable the site if needed

  183.     if [ -f /etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME} ]; then

  184.         if grep -q "443" /etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME}; then

  185.             nginx_dissite ${LETSENCRYPT_HOSTNAME}

  186.         fi

  187.     fi

  188. 

  189.     # remove the cert

  190.     rm -rf /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}*

  191.     rm -rf /etc/letsencrypt/archive/${LETSENCRYPT_HOSTNAME}*

  192.     rm /etc/letsencrypt/renewal/${LETSENCRYPT_HOSTNAME}.conf

  193. 

  194.     # restart the web server

  195.     systemctl restart nginx

  196. }

  197. 

  198. function add_cert_letsencrypt {

  199.     CERTFILE=$LETSENCRYPT_HOSTNAME

  200. 

  201.     # obtain the email address for the admin user

  202.     if [ ! $MY_EMAIL_ADDRESS ]; then

  203.         if [ -f $CONFIGURATION_FILE ]; then

  204.             read_config_param MY_EMAIL_ADDRESS

  205.         fi

  206.     fi

  207.     if [ ! $MY_EMAIL_ADDRESS ]; then

  208.         if [ -f $COMPLETION_FILE ]; then

  209.             if grep -q "Admin user:" $COMPLETION_FILE; then

  210.                 function_check get_completion_param

  211.                 ADMIN_USER=$(get_completion_param "Admin user")

  212.                 if [ ${#ADMIN_USER} -eq 0 ]; then

  213.                     exit 463732

  214.                 fi

  215.                 MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME

  216.             fi

  217.         fi

  218.     fi

  219. 

  220.     if [ ! -f /usr/bin/certbot ]; then

  221.         apt-get -yq -t stretch-backports install certbot

  222.         groupadd ssl-cert

  223.         if [ ! -f /usr/bin/certbot ]; then

  224.             echo $'LetsEncrypt certbot failed to install'

  225.             exit 762830

  226.         fi

  227.     fi

  228. 

  229.     # stop the web server

  230.     systemctl stop nginx

  231. 

  232.     chgrp -R root /etc/letsencrypt

  233.     chmod -R 777 /etc/letsencrypt

  234. 

  235.     certbot certonly -n --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME --renew-by-default --agree-tos --email $MY_EMAIL_ADDRESS

  236.     if [ ! "$?" = "0" ]; then

  237.         echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"

  238.         echo $'Also see https://letsencrypt.status.io to check for any service outages'

  239.         chgrp -R ssl-cert /etc/letsencrypt

  240.         chmod -R 600 /etc/letsencrypt

  241.         chmod -R g=rX /etc/letsencrypt

  242.         chown -R root:ssl-cert /etc/letsencrypt

  243.         systemctl start nginx

  244.         exit 63216

  245.     fi

  246. 

  247.     # replace some legacy filenames

  248.     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt ]; then

  249.         mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem

  250.     fi

  251.     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt ]; then

  252.         mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem

  253.     fi

  254.     sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME

  255.     sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" /etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME

  256. 

  257.     # link the private key

  258.     if [ -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then

  259.         if [ ! -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old ]; then

  260.             mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old

  261.         else

  262.             rm -f /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key

  263.         fi

  264.     fi

  265.     if [ -L /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key ]; then

  266.         rm /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key

  267.     fi

  268.     ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key

  269. 

  270.     # link the public key

  271.     if [ -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then

  272.         if [ ! -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old ]; then

  273.             mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old

  274.         else

  275.             rm -f /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem

  276.         fi

  277.     fi

  278.     if [ -L /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ]; then

  279.         rm /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem

  280.     fi

  281.     ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem

  282. 

  283.     cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem

  284. 

  285.     update_default_domain

  286. 

  287.     # this group can be used to assign read permissions for

  288.     # application user accounts

  289.     chgrp -R ssl-cert /etc/letsencrypt

  290.     chmod -R 600 /etc/letsencrypt

  291.     chmod -R g=rX /etc/letsencrypt

  292.     chown -R root:ssl-cert /etc/letsencrypt

  293. 

  294.     nginx_ensite ${LETSENCRYPT_HOSTNAME}

  295.     systemctl start nginx

  296. 

  297.     if [ $PIN_CERTS ]; then

  298.         ${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME

  299.         if [ ! "$?" = "0" ]; then

  300.             echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"

  301.             exit 62878

  302.         fi

  303.     fi

  304. }

  305. 

  306. function add_cert_selfsigned {

  307.     if [[ $ORGANISATION == "Freedombone-CA" ]]; then

  308.         CERTFILE="ca-$HOSTNAME"

  309.     fi

  310. 

  311.     openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \

  312.             -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \

  313.             -newkey rsa:2048 -keyout /etc/ssl/private/${CERTFILE}.key \

  314.             -out /etc/ssl/certs/${CERTFILE}.crt

  315.     chmod 400 /etc/ssl/private/${CERTFILE}.key

  316.     chmod 640 /etc/ssl/certs/${CERTFILE}.crt

  317.     cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts

  318. 

  319.     if [ $PIN_CERTS ]; then

  320.         ${PROJECT_NAME}-pin-cert $CERTFILE

  321.         if [ ! "$?" = "0" ]; then

  322.             echo $"Certificate for $CERTFILE could not be pinned"

  323.             exit 62879

  324.         fi

  325.     fi

  326. }

  327. 

  328. function generate_dh_params {

  329.     if [ ! $NODH ]; then

  330.         if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then

  331.             ${PROJECT_NAME}-dhparam -h ${CERTFILE} --fast yes

  332.         fi

  333.     fi

  334. }

  335. 

  336. function restart_web_server {

  337.     if [ -f /etc/init.d/nginx ]; then

  338.         /etc/init.d/nginx reload

  339.     fi

  340. }

  341. 

  342. function make_cert_bundle {

  343.     # Create a bundle of your certificates

  344.     cat /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem > /etc/ssl/${PROJECT_NAME}-bundle.crt

  345.     tar -czvf /etc/ssl/${PROJECT_NAME}-certs.tar.gz /etc/ssl/mycerts/*.crt /etc/ssl/mycerts/*.pem

  346. }

  347. 

  348. function create_cert {

  349.     if [ $remove_cert ]; then

  350.         remove_cert_letsencrypt

  351.         return

  352.     fi

  353. 

  354.     if [ $LETSENCRYPT_HOSTNAME ]; then

  355.         add_cert_letsencrypt

  356.     else

  357.         add_cert_selfsigned

  358.     fi

  359. }

  360. 

  361. create_cert

  362. generate_dh_params

  363. restart_web_server

  364. make_cert_bundle

  365. 

  366. exit 0