gf4
/
wagon
2
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Wiki Activity
wagon/back/lib/ssl_peer_add

85 lines
3.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# FILE: wgapi:back/lib/ssl/peer/add
# DESCRIPTION: Create SSL certs for a new host
# USAGE: add hostname username ipstring
# ERRORS:
# 3: Bad usage
# 4: config file not found
# 5: openssl or config not found
# 6: not root
# 7: openssl failed
CONFIG_FILE='/etc/wgapi/config'
[ ${#} -eq 0 ] || exit 3
(( EUID == 0 )) || exit 6
[ -f "${CONFIG_FILE}" ] || exit 4
[ -x '/usr/bin/openssl' ] || exit 5
[ -f '/etc/ssl/openssl.cnf' ] || exit 5
source "${CONFIG_FILE}"
hostname="${1}"
username="${2}"
ipstring="${3}"
printf 'Signing SSL certs for %s.%s.%s...\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
# Generate key
/usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >/dev/null 2>&1 || (
printf 'Failed to generate SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
[ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" ] || (
printf 'SSL key %s/%s/server.key was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" || (
printf 'Failed to chmod SSL key %s/%s/server.key\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
# Generate config
san="\n[SAN]\nsubjectAltNames=DNS:${hostname:?}.${username:?}.${TLD:?},DNS:*.${hostname:?}.${username:?}.${TLD:?}"
[ "${ipstring}" != "" ] && san="${san},${ipstring}"
cat '/etc/ssl/openssl.cnf' <(printf '%s' "${san}") \
> "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}.cnf" || (
printf 'Failed to generate %s/%s.cnf\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
# Generate CSR
/usr/bin/openssl req -new -sha256 -reqexts SAN \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \
>/dev/null 2>&1 || (
printf 'Failed to generate %s/%s.cnf\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
# Generate cert
/usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
-passin "pass:${SSL_CA_PASS}" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \
-days "${SSL_DAYS}" >/dev/null 2>&1 || (
printf 'Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
[ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ] || (
printf 'SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
chmod 644 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" || (
printf 'Failed to chmod SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >>"${LOGFILE}"
exit 7
)
# Remove old files
rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null
printf 'SSL certs for %s.%s.%s are ready\n' "${hostname}" "${username}" "${TLD}" >>"${LOGFILE}"
Reference in New Issue View Git Blame Copy Permalink