wagon/back/lib/ssl_peer_add

#!/bin/bash
# FILE:       	wagon:back/lib/ssl/peer/add
# DESCRIPTION:	Create SSL certs for a new host
# USAGE:      	add hostname username ipstring
# ERRORS:
# 	6: not root
# 	7: openssl failed
# 	8: failed to set permissions

source /etc/wagon/config
hostname="${1}"; username="${2}"; ipstring="${3}"

# Make a directory for the new files
if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then
	printf 'Failed to create directory %s/%s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
	exit 7
fi

# Generate key
if ! sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >>/dev/null 2>&1; then
	printf 'Failed to generate SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
	exit 7
fi
if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" ]; then
	printf 'SSL key %s/%s/%s/server.key was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
	ls "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2
	exit 7
fi
if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" >&2 2>&1; then
	printf 'Failed to chmod SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
	exit 7
fi

# Generate config
san="
[SAN]
subjectAltName = DNS:${hostname}.${username}.${TLD},DNS:*.${hostname}.${username}.${TLD}"
[ "${ipstring}" != "" ] && san="${san},${ipstring}"
if ! printf '%s\n' "${san}" | sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \
| sudo tee "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" >/dev/null; then
		printf 'Failed to generate %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
		exit 7
fi

# Generate CSR
if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \
	-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
	-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
	-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
	-subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \
	 >/dev/null 2>&1; then
		printf 'Failed to generate %s/%s/%s.csr\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
		exit 7
fi

# Generate cert
if ! sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
	-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
	-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
	-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
	-passin "pass:${SSL_CA_PASS}" \
	-out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \
	-days "${SSL_DAYS}"  >/dev/null 2>&1; then
		printf 'ERROR! Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >&2
		exit 7
fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ]; then
	printf 'ERROR! SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >&2
	exit 7
fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key"; then
	printf 'ERROR! Failed to chmod SSL cert %s/%s/server.*\n' "${username}" "${hostname}" >&2
	exit 8
fi & if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then
	printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2
	exit 8
fi

# Remove old files
if ! sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null; then
	printf 'Failed to remove old SSL config files %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
	exit 7
fi
Moved everything around 2022-08-29 01:04:37 -06:00			`#!/bin/bash`
#9 Renamed to wagon and added README info 2023-04-02 13:46:52 -06:00			`# FILE: wagon:back/lib/ssl/peer/add`
Moved everything around 2022-08-29 01:04:37 -06:00			`# DESCRIPTION: Create SSL certs for a new host`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`# USAGE: add hostname username ipstring`
Got peer listing working 2022-09-06 20:57:41 -06:00			`# ERRORS:`
			`# 6: not root`
			`# 7: openssl failed`
Set new ssl cert permissions 2022-10-20 19:12:36 -06:00			`# 8: failed to set permissions`
Moved everything around 2022-08-29 01:04:37 -06:00
#9 Renamed to wagon and added README info 2023-04-02 13:46:52 -06:00			`source /etc/wagon/config`
Shellcheck, added server secret checks, removed double-quotes from library file calls 2022-12-04 08:53:22 -07:00			`hostname="${1}"; username="${2}"; ipstring="${3}"`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00
fixed one problem 2022-09-10 11:32:12 -06:00			`# Make a directory for the new files`
Fixed ssl volume 2022-09-10 19:13:47 -06:00			`if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'Failed to create directory %s/%s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
fixed one problem 2022-09-10 11:32:12 -06:00			`exit 7`
			`fi`

Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`# Generate key`
Improvements 2022-09-10 11:50:07 -06:00			`if ! sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >>/dev/null 2>&1; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'Failed to generate SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
More logs 2022-09-10 12:00:30 -06:00			`fi`
More logs 2022-09-10 12:04:43 -06:00			`if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" ]; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'SSL key %s/%s/%s/server.key was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
			`ls "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
More logs 2022-09-10 12:00:30 -06:00			`fi`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" >&2 2>&1; then`
			`printf 'Failed to chmod SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
Switch to if statements to kill script on failure 2022-09-10 11:14:07 -06:00			`fi`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00
Fixed ssl 2022-09-10 13:30:39 -06:00			`# Generate config`
Fixed ssl 2022-09-10 13:32:48 -06:00			`san="`
			`[SAN]`
Fixed ssl 2022-09-10 13:33:40 -06:00			`subjectAltName = DNS:${hostname}.${username}.${TLD},DNS:*.${hostname}.${username}.${TLD}"`
Added debugging 2022-09-10 12:54:31 -06:00			`[ "${ipstring}" != "" ] && san="${san},${ipstring}"`
Fixed ssl 2022-09-10 13:30:39 -06:00			`if ! printf '%s\n' "${san}" \| sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \`
Quiet all the greps 2022-09-10 14:31:29 -06:00			`\| sudo tee "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" >/dev/null; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'Failed to generate %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
Fixed ssl 2022-09-10 13:30:39 -06:00			`exit 7`
			`fi`

			`# Generate CSR`
Fixed ssl 2022-09-10 13:32:48 -06:00			`if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \`
Cleanup and shellchecks 2022-09-08 21:15:30 -06:00			`-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \`
Fixed ssl 2022-09-10 13:32:48 -06:00			`-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`-subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \`
removed some logging, working now 2022-09-10 13:37:56 -06:00			`>/dev/null 2>&1; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'Failed to generate %s/%s/%s.csr\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
Switch to if statements to kill script on failure 2022-09-10 11:14:07 -06:00			`fi`
Added debugging 2022-09-10 12:35:00 -06:00
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`# Generate cert`
Switch to if statements to kill script on failure 2022-09-10 11:14:07 -06:00			`if ! sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00			`-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \`
			`-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \`
			`-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \`
			`-passin "pass:${SSL_CA_PASS}" \`
Cleanup and shellchecks 2022-09-08 21:15:30 -06:00			`-out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \`
removed some logging, working now 2022-09-10 13:37:56 -06:00			`-days "${SSL_DAYS}" >/dev/null 2>&1; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'ERROR! Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
More logs 2022-09-10 12:04:43 -06:00			`fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ]; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'ERROR! SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >&2`
Added error handling to ssl_peer_add 2022-09-09 20:02:39 -06:00			`exit 7`
Don't let new peers be deleted 2022-10-21 12:42:34 -06:00			`fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key"; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'ERROR! Failed to chmod SSL cert %s/%s/server.*\n' "${username}" "${hostname}" >&2`
Set new ssl cert permissions 2022-10-20 19:12:36 -06:00			`exit 8`
www-data should work for now 2022-10-20 19:18:28 -06:00			`fi & if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2`
Fixed adding SSL certs 2022-10-20 19:23:01 -06:00			`exit 8`
			`fi`
Finished adding dashboard api add and delete endpoints 2022-08-29 11:42:13 -06:00
			`# Remove old files`
Fixed ssl 2022-09-10 13:30:39 -06:00			`if ! sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null; then`
Completely replaced logfile with stderr 2022-12-03 17:07:03 -07:00			`printf 'Failed to remove old SSL config files %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2`
Fixed ssl 2022-09-10 13:30:39 -06:00			`exit 7`
			`fi`