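#!/bin/bash
# FILE: wagon:back/lib/ssl/peer/add
# DESCRIPTION: Create SSL certs for a new host
# USAGE: add hostname username ipstring
#   hostname  - label of the new host; CN/SAN become
#               <hostname>.<username>.<TLD> and *.<hostname>.<username>.<TLD>
#   username  - owner; files land in SSL_CONFIG_DIR/<username>/<hostname>/
#   ipstring  - optional extra SAN entries appended verbatim to the
#               subjectAltName line, e.g. "IP:10.0.0.5" (comma separated)
# ERRORS:
#   1: a required /etc/wagon/config variable is unset (the ${VAR:?} checks)
#   2: bad arguments (empty, or characters that could escape the path or
#      inject into the generated openssl config)
#   6: not root (listed for compatibility; privileged steps go through sudo,
#      there is no explicit root check in this script)
#   7: openssl failed
#   8: failed to set permissions
#
# Security notes:
#   - hostname/username are path components and go into the openssl config
#     and subject; ipstring is spliced into the openssl config. All three are
#     whitelisted before use (path traversal / config-section injection).
#   - The CA passphrase is handed to openssl on stdin (-passin stdin), not as
#     "pass:..." on argv where any local user could read it from /proc.
#   - The private key is generated under umask 077 so it is never
#     world-readable, not even between creation and the chmod below.
#   - `openssl ecparam` without -genkey writes only curve parameters; -genkey
#     is what actually produces a private key for `req -key` to load.

source /etc/wagon/config

# A failing stage anywhere in the printf|sudo … pipelines below must count as
# a failure, not just the last command.
set -o pipefail

hostname="${1}"; username="${2}"; ipstring="${3}"

# --- config / argument validation -------------------------------------------
# Config values that end up in paths or on the openssl command line.
: "${SSL_CONFIG_DIR:?}" "${TLD:?}" "${SSL_ORG:?}" \
  "${SSL_CA_CERT:?}" "${SSL_CA_KEY:?}" "${SSL_DAYS:?}"

# hostname/username: one label-like token (no '/', no '.', so no '..', and no
# leading '-'). ipstring: only characters a SAN entry can contain - never
# whitespace, '[', ']', '=' or '#', which could open a new config section.
if [[ ! "${hostname}" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]] \
   || [[ ! "${username}" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]] \
   || [[ -n "${ipstring}" && ! "${ipstring}" =~ ^[A-Za-z0-9.:,*-]+$ ]]; then
  printf 'Usage: add hostname username [ipstring]\n' >&2
  printf 'Invalid hostname/username/ipstring: %q %q %q\n' \
    "${hostname}" "${username}" "${ipstring}" >&2
  exit 2
fi

host_dir="${SSL_CONFIG_DIR}/${username}/${hostname}"
key_file="${host_dir}/key.pem"
cert_file="${host_dir}/cert.pem"
cnf_file="${SSL_CONFIG_DIR}/${username}/${hostname}.cnf"
csr_file="${SSL_CONFIG_DIR}/${username}/${hostname}.csr"
fqdn="${hostname}.${username}.${TLD}"

# The scratch config and CSR are removed on every exit path, so a failed run
# does not leave them behind next to the user's other hosts.
cleanup() { sudo rm -f "${cnf_file}" "${csr_file}" 2>/dev/null; }
trap cleanup EXIT

# --- directory ---------------------------------------------------------------
# Deliberately no -p: refusing an existing directory keeps a host that already
# has a key from being silently re-keyed.
if ! sudo mkdir "${host_dir}/"; then
  printf 'Failed to create directory %s/%s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi

# --- key ---------------------------------------------------------------------
# umask 077 is inherited through sudo (sudo ORs its own umask with ours), so
# the key file is 0600 from the moment it exists.
if ! ( umask 077 && sudo /usr/bin/openssl ecparam -name secp384r1 -genkey -noout \
         -out "${key_file}" ) >/dev/null 2>&1; then
  printf 'Failed to generate SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi

if ! sudo test -f "${key_file}"; then
  printf 'SSL key %s/%s/%s/key.pem was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  ls "${host_dir}/" >&2
  exit 7
fi

# Owner-only while the CSR is produced; the final mode is set further down.
if ! sudo chmod 400 "${key_file}"; then
  printf 'Failed to chmod SSL key %s/%s/%s/key.pem\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi

# --- openssl config ----------------------------------------------------------
# A [SAN] section is appended to a copy of the system openssl.cnf so that both
# the CSR (-reqexts SAN) and the signed cert (-extensions SAN) carry the names.
san="
[SAN]
subjectAltName = DNS:${fqdn},DNS:*.${fqdn}"
if [[ -n "${ipstring}" ]]; then
  san+=",${ipstring}"
fi

if ! printf '%s\n' "${san}" | sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \
    | sudo tee "${cnf_file}" >/dev/null; then
  printf 'Failed to generate %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi

# --- CSR ---------------------------------------------------------------------
if ! sudo /usr/bin/openssl req -new -sha384 -reqexts SAN -extensions SAN \
    -key "${key_file}" \
    -out "${csr_file}" \
    -config "${cnf_file}" \
    -subj "/O=${SSL_ORG}/OU=${username}/CN=${fqdn}" \
    >/dev/null 2>&1; then
  printf 'Failed to generate %s/%s/%s.csr\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi

# --- certificate -------------------------------------------------------------
# Passphrase via stdin, not argv. -CAcreateserial creates the .srl file next
# to SSL_CA_CERT on first use. If SSL_CA_KEY is unencrypted the passphrase is
# simply not read.
if ! printf '%s\n' "${SSL_CA_PASS}" \
    | sudo /usr/bin/openssl x509 -req -sha384 -extensions SAN -CAcreateserial \
        -extfile "${cnf_file}" \
        -in "${csr_file}" \
        -CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
        -passin stdin \
        -out "${cert_file}" \
        -days "${SSL_DAYS}" >/dev/null 2>&1; then
  printf 'ERROR! Failed to generate SSL cert %s/%s/cert.pem\n' "${username}" "${hostname}" >&2
  exit 7
fi

if ! sudo test -f "${cert_file}"; then
  printf 'ERROR! SSL cert %s/%s/cert.pem was not generated!\n' "${username}" "${hostname}" >&2
  exit 7
fi

# --- permissions -------------------------------------------------------------
# 640 + chgrp www-data is the intended final state - presumably so the web
# server (www-data) can load both files; confirm against the consumer.
# NOTE: the original ended this `if` with `fi &`, which ran the chmod in the
# background and swallowed its exit 8; it now runs in the foreground.
if ! sudo chmod 640 "${cert_file}" "${key_file}"; then
  printf 'ERROR! Failed to chmod SSL cert %s/%s/*.pem\n' "${username}" "${hostname}" >&2
  exit 8
fi

if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then
  printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2
  exit 8
fi

# --- cleanup -----------------------------------------------------------------
# Explicit removal keeps the exit-7 contract; the EXIT trap then finds nothing.
if ! sudo rm "${cnf_file}" "${csr_file}" 2>/dev/null; then
  printf 'Failed to remove old SSL config files %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
  exit 7
fi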