gf4
/
wagon
2
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Wiki Activity
wagon/back/lib/ssl_peer_add

82 lines
3.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# FILE: wagon:back/lib/ssl/peer/add
# DESCRIPTION: Create SSL certs for a new host
# USAGE: add hostname username ipstring
# ERRORS:
# 6: not root
# 7: openssl failed
# 8: failed to set permissions
source /etc/wagon/config
hostname="${1}"; username="${2}"; ipstring="${3}"
# Make a directory for the new files
if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then
printf 'Failed to create directory %s/%s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
# Generate key
if ! sudo /usr/bin/openssl genrsa -out "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.key" >>/dev/null 2>&1; then
printf 'Failed to generate SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
if ! sudo [ -f "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" ]; then
printf 'SSL key %s/%s/%s/server.key was not generated!\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
ls "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2
exit 7
fi
if ! sudo chmod 400 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" >&2 2>&1; then
printf 'Failed to chmod SSL key %s/%s/%s/server.key\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
# Generate config
san="
[SAN]
subjectAltName = DNS:${hostname}.${username}.${TLD},DNS:*.${hostname}.${username}.${TLD}"
[ "${ipstring}" != "" ] && san="${san},${ipstring}"
if ! printf '%s\n' "${san}" | sudo cat '/etc/ssl/openssl.cnf' /dev/stdin \
| sudo tee "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" >/dev/null; then
printf 'Failed to generate %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
# Generate CSR
if ! sudo /usr/bin/openssl req -new -sha256 -reqexts SAN -extensions SAN \
-key "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-config "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-subj "/O=${SSL_ORG}/OU=${username}/CN=${hostname}.${username}.${TLD}" \
>/dev/null 2>&1; then
printf 'Failed to generate %s/%s/%s.csr\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
# Generate cert
if ! sudo /usr/bin/openssl x509 -req -sha256 -extensions SAN -CAcreateserial \
-extfile "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" \
-in "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" \
-CA "${SSL_CA_CERT}" -CAkey "${SSL_CA_KEY}" \
-passin "pass:${SSL_CA_PASS}" \
-out "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" \
-days "${SSL_DAYS}" >/dev/null 2>&1; then
printf 'ERROR! Failed to generate SSL cert %s/%s/server.crt\n' "${username}" "${hostname}" >&2
exit 7
fi; if ! sudo [ -f "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/server.crt" ]; then
printf 'ERROR! SSL key %s/%s/server.crt was not generated!\n' "${username}" "${hostname}" >&2
exit 7
fi; if ! sudo chmod 640 "${SSL_CONFIG_DIR}/${username}/${hostname}/server.crt" "${SSL_CONFIG_DIR}/${username}/${hostname}/server.key"; then
printf 'ERROR! Failed to chmod SSL cert %s/%s/server.*\n' "${username}" "${hostname}" >&2
exit 8
fi & if ! sudo chgrp -R www-data "${SSL_CONFIG_DIR}/${username}/"; then
printf 'ERROR! Failed to set group of %s!\n' "${SSL_CONFIG_DIR}/${username}/" >&2
exit 8
fi
# Remove old files
if ! sudo rm "${SSL_CONFIG_DIR}/${username}/${hostname}.cnf" "${SSL_CONFIG_DIR}/${username}/${hostname}.csr" 2>/dev/null; then
printf 'Failed to remove old SSL config files %s/%s/%s.cnf\n' "${SSL_CONFIG_DIR}" "${username}" "${hostname}" >&2
exit 7
fi
Reference in New Issue View Git Blame Copy Permalink