freedombone-addcert 11KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356
  1. #!/bin/bash
  2. # _____ _ _
  3. # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
  4. # | __| _| -_| -_| . | . | | . | . | | -_|
  5. # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
  6. #
  7. # Freedom in the Cloud
  8. #
  9. # Create self-signed or Let's Encrypt certificates on Debian
  10. # License
  11. # =======
  12. #
  13. # Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
  14. #
  15. # This program is free software: you can redistribute it and/or modify
  16. # it under the terms of the GNU Affero General Public License as published by
  17. # the Free Software Foundation, either version 3 of the License, or
  18. # (at your option) any later version.
  19. #
  20. # This program is distributed in the hope that it will be useful,
  21. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. # GNU Affero General Public License for more details.
  24. #
  25. # You should have received a copy of the GNU Affero General Public License
  26. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  27. PROJECT_NAME='freedombone'
  28. export TEXTDOMAIN=${PROJECT_NAME}-addcert
  29. export TEXTDOMAINDIR="/usr/share/locale"
  30. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
  31. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  32. UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*"
  33. for f in $UTILS_FILES
  34. do
  35. source "$f"
  36. done
  37. # Don't pin certs by default
  38. PIN_CERTS=
  39. HOSTNAME=
  40. remove_cert=
  41. LETSENCRYPT_HOSTNAME=
  42. COUNTRY_CODE="US"
  43. AREA="Apparent Free Speech Zone"
  44. LOCATION="Freedomville"
  45. ORGANISATION="Freedombone"
  46. UNIT="Freedombone Unit"
  47. EXTENSIONS=""
  48. NODH=
  49. DH_KEYLENGTH=2048
  50. INSTALL_DIR=/root/build
  51. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  52. MY_EMAIL_ADDRESS=
  53. function show_help {
  54. echo ''
  55. echo $"${PROJECT_NAME}-addcert -h [hostname] -c [country code] -a [area] -l [location]"
  56. echo $' -o [organisation] -u [unit] --ca "" --nodh ""'
  57. echo ''
  58. echo $'Creates a self-signed certificate for the given hostname'
  59. echo ''
  60. echo $' --help Show help'
  61. echo $' -h --hostname [name] Hostname'
  62. echo $' -e --letsencrypt [hostname] Hostname to use with Lets Encrypt'
  63. echo $' -r --rmletsencrypt [hostname] Remove a Lets Encrypt certificate'
  64. echo $' -s --server [url] Lets Encrypt server URL'
  65. echo $' -c --country [code] Optional country code (eg. US, GB, etc)'
  66. echo $' -a --area [description] Optional area description'
  67. echo $' -l --location [locn] Optional location name'
  68. echo $' -o --organisation [name] Optional organisation name'
  69. echo $' -u --unit [name] Optional unit name'
  70. echo $' --email [address] Email address for letsencrypt'
  71. echo $' --dhkey [bits] DH key length in bits'
  72. echo $' --nodh "" Do not calculate DH params'
  73. echo $' --ca "" Certificate authority cert'
  74. echo ''
  75. exit 0
  76. }
  77. while [ $# -gt 1 ]
  78. do
  79. key="$1"
  80. case $key in
  81. --help)
  82. show_help
  83. ;;
  84. -h|--hostname)
  85. shift
  86. HOSTNAME="$1"
  87. ;;
  88. -e|--letsencrypt)
  89. shift
  90. LETSENCRYPT_HOSTNAME="$1"
  91. ;;
  92. -r|--rmletsencrypt)
  93. shift
  94. LETSENCRYPT_HOSTNAME="$1"
  95. remove_cert=1
  96. ;;
  97. --email)
  98. shift
  99. MY_EMAIL_ADDRESS="$1"
  100. ;;
  101. -s|--server)
  102. shift
  103. LETSENCRYPT_SERVER="$1"
  104. ;;
  105. -c|--country)
  106. shift
  107. COUNTRY_CODE="$1"
  108. ;;
  109. -a|--area)
  110. shift
  111. AREA="$1"
  112. ;;
  113. -l|--location)
  114. shift
  115. LOCATION="$1"
  116. ;;
  117. -o|--organisation)
  118. shift
  119. ORGANISATION="$1"
  120. ;;
  121. -u|--unit)
  122. shift
  123. UNIT="$1"
  124. ;;
  125. --ca)
  126. shift
  127. EXTENSIONS="-extensions v3_ca"
  128. ORGANISATION="Freedombone-CA"
  129. ;;
  130. --nodh)
  131. shift
  132. NODH="true"
  133. ;;
  134. --dhkey)
  135. shift
  136. DH_KEYLENGTH="${1}"
  137. ;;
  138. --pin)
  139. shift
  140. PIN_CERTS="${1}"
  141. ;;
  142. *)
  143. # unknown option
  144. ;;
  145. esac
  146. shift
  147. done
  148. if [ ! "$HOSTNAME" ]; then
  149. if [ ! "$LETSENCRYPT_HOSTNAME" ]; then
  150. echo $'No hostname specified'
  151. exit 5748
  152. fi
  153. fi
  154. if ! which openssl > /dev/null ;then
  155. echo $"$0: openssl is not installed, exiting" 1>&2
  156. exit 5689
  157. fi
  158. CERTFILE=$HOSTNAME
  159. function remove_cert_letsencrypt {
  160. CERTFILE=$LETSENCRYPT_HOSTNAME
  161. # disable the site if needed
  162. if [ -f "/etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME}" ]; then
  163. if grep -q "443" "/etc/nginx/sites-available/${LETSENCRYPT_HOSTNAME}"; then
  164. nginx_dissite "${LETSENCRYPT_HOSTNAME}"
  165. fi
  166. fi
  167. # remove the cert
  168. rm -rf "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}*"
  169. rm -rf "/etc/letsencrypt/archive/${LETSENCRYPT_HOSTNAME}*"
  170. rm "/etc/letsencrypt/renewal/${LETSENCRYPT_HOSTNAME}.conf"
  171. # restart the web server
  172. fuser -k 80/tcp
  173. fuser -k 443/tcp
  174. systemctl restart nginx
  175. }
  176. function add_cert_letsencrypt {
  177. CERTFILE=$LETSENCRYPT_HOSTNAME
  178. # obtain the email address for the admin user
  179. if [ ! "$MY_EMAIL_ADDRESS" ]; then
  180. if [ -f "$CONFIGURATION_FILE" ]; then
  181. read_config_param MY_EMAIL_ADDRESS
  182. fi
  183. fi
  184. if [ ! "$MY_EMAIL_ADDRESS" ]; then
  185. if [ -f "$COMPLETION_FILE" ]; then
  186. if grep -q "Admin user:" "$COMPLETION_FILE"; then
  187. function_check get_completion_param
  188. ADMIN_USER=$(get_completion_param "Admin user")
  189. if [ ${#ADMIN_USER} -eq 0 ]; then
  190. exit 463732
  191. fi
  192. MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME
  193. fi
  194. fi
  195. fi
  196. if [ ! -f /usr/bin/certbot ]; then
  197. apt-get -yq -t stretch-backports install certbot
  198. groupadd ssl-cert
  199. if [ ! -f /usr/bin/certbot ]; then
  200. echo $'LetsEncrypt certbot failed to install'
  201. exit 762830
  202. fi
  203. fi
  204. # stop the web server
  205. systemctl stop nginx
  206. chgrp -R root /etc/letsencrypt
  207. chmod -R 777 /etc/letsencrypt
  208. if ! certbot certonly -n --server "$LETSENCRYPT_SERVER" --standalone -d "$LETSENCRYPT_HOSTNAME" --renew-by-default --agree-tos --email "$MY_EMAIL_ADDRESS"; then
  209. echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
  210. echo $'Also see https://letsencrypt.status.io to check for any service outages'
  211. chgrp -R ssl-cert /etc/letsencrypt
  212. chmod -R 600 /etc/letsencrypt
  213. chmod -R g=rX /etc/letsencrypt
  214. chown -R root:ssl-cert /etc/letsencrypt
  215. systemctl start nginx
  216. exit 63216
  217. fi
  218. # replace some legacy filenames
  219. if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt" ]; then
  220. # shellcheck disable=SC2086
  221. mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
  222. fi
  223. if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt" ]; then
  224. # shellcheck disable=SC2086
  225. mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
  226. fi
  227. sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.bundle.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "/etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME"
  228. sed -i "s|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.crt|ssl_certificate /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem|g" "/etc/nginx/sites-available/$LETSENCRYPT_HOSTNAME"
  229. # link the private key
  230. if [ -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key" ]; then
  231. if [ ! -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old" ]; then
  232. # shellcheck disable=SC2086
  233. mv /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key /etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key.old
  234. else
  235. rm -f "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
  236. fi
  237. fi
  238. if [ -L "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key" ]; then
  239. rm "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
  240. fi
  241. ln -s "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/privkey.pem" "/etc/ssl/private/${LETSENCRYPT_HOSTNAME}.key"
  242. # link the public key
  243. if [ -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem" ]; then
  244. if [ ! -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old" ]; then
  245. # shellcheck disable=SC2086
  246. mv /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem.old
  247. else
  248. rm -f "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
  249. fi
  250. fi
  251. if [ -L "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem" ]; then
  252. rm "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
  253. fi
  254. ln -s "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" "/etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem"
  255. cp "/etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem" "/etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem"
  256. update_default_domain
  257. # this group can be used to assign read permissions for
  258. # application user accounts
  259. chgrp -R ssl-cert /etc/letsencrypt
  260. chmod -R 600 /etc/letsencrypt
  261. chmod -R g=rX /etc/letsencrypt
  262. chown -R root:ssl-cert /etc/letsencrypt
  263. nginx_ensite "${LETSENCRYPT_HOSTNAME}"
  264. systemctl start nginx
  265. if [ "$PIN_CERTS" ]; then
  266. if ! "${PROJECT_NAME}-pin-cert" "$LETSENCRYPT_HOSTNAME"; then
  267. echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
  268. exit 62878
  269. fi
  270. fi
  271. }
  272. function add_cert_selfsigned {
  273. if [[ "$ORGANISATION" == "Freedombone-CA" ]]; then
  274. CERTFILE="ca-$HOSTNAME"
  275. fi
  276. # shellcheck disable=SC2086
  277. openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
  278. -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
  279. -newkey rsa:2048 -keyout "/etc/ssl/private/${CERTFILE}.key" \
  280. -out "/etc/ssl/certs/${CERTFILE}.crt"
  281. chmod 400 "/etc/ssl/private/${CERTFILE}.key"
  282. chmod 640 "/etc/ssl/certs/${CERTFILE}.crt"
  283. if [ "$PIN_CERTS" ]; then
  284. if ! "${PROJECT_NAME}-pin-cert" "$CERTFILE"; then
  285. echo $"Certificate for $CERTFILE could not be pinned"
  286. exit 62879
  287. fi
  288. fi
  289. }
  290. function generate_dh_params {
  291. if [ ! "$NODH" ]; then
  292. if [ ! -f "/etc/ssl/certs/${CERTFILE}.dhparam" ]; then
  293. "${PROJECT_NAME}-dhparam" -h "${CERTFILE}" --fast yes
  294. fi
  295. fi
  296. }
  297. function restart_web_server {
  298. if [ -f /etc/init.d/nginx ]; then
  299. /etc/init.d/nginx reload
  300. fi
  301. }
  302. function create_cert {
  303. if [ "$remove_cert" ]; then
  304. remove_cert_letsencrypt
  305. return
  306. fi
  307. if [ "$LETSENCRYPT_HOSTNAME" ]; then
  308. add_cert_letsencrypt
  309. else
  310. add_cert_selfsigned
  311. fi
  312. }
  313. create_cert
  314. generate_dh_params
  315. restart_web_server
  316. exit 0