2017-08-24 18:25:42 +02:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
|
|
# evoacme is a shell script to manage Let's Encrypt certificate with
|
|
|
|
# certbot tool but with a dedicated user (no-root) and from a csr
|
|
|
|
#
|
|
|
|
# Author: Victor Laborie <vlaborie@evolix.fr>
|
|
|
|
# Licence: AGPLv3
|
|
|
|
#
|
2016-12-14 15:49:34 +01:00
|
|
|
|
2017-09-21 03:29:55 +02:00
|
|
|
set -e
|
2017-10-12 18:19:09 +02:00
|
|
|
set -u
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-09-11 14:18:20 +02:00
|
|
|
usage() {
|
2017-10-12 18:22:06 +02:00
|
|
|
echo "Usage: $0 NAME"
|
2017-09-21 00:39:06 +02:00
|
|
|
echo ""
|
|
|
|
echo "NAME must be correspond to :"
|
|
|
|
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
|
|
|
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
|
|
|
echo ""
|
2017-10-12 18:22:06 +02:00
|
|
|
echo "If env variable TEST=1, certbot is run in staging mode"
|
|
|
|
echo "If env variable DRY_RUN=1, certbot is run in dry-run mode"
|
|
|
|
echo "If env variable CRON=1, no message is output"
|
|
|
|
echo ""
|
2017-09-11 14:18:20 +02:00
|
|
|
}
|
|
|
|
|
2017-10-03 09:50:53 +02:00
|
|
|
debug() {
|
2017-10-12 18:22:06 +02:00
|
|
|
[ "${CRON}" = "0" ] && echo "$1"
|
2017-10-03 09:50:53 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
error() {
|
|
|
|
echo "error: $1" >&2
|
|
|
|
[ "$1" = "invalid argument(s)" ] && usage
|
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
2017-10-12 18:19:53 +02:00
|
|
|
sed_cert_path_for_apache() {
|
2017-10-12 00:29:21 +02:00
|
|
|
vhost=$1
|
|
|
|
vhost_full_path="/etc/apache2/ssl/${vhost}.conf"
|
|
|
|
cert_path=$2
|
|
|
|
|
|
|
|
debug "Apache detected... first configuration in ${vhost_full_path}"
|
|
|
|
[ -f "${vhost_full_path}" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile ${cert_path}~" "${vhost_full_path}"
|
2017-10-12 18:22:43 +02:00
|
|
|
$(command -v apache2ctl) -t
|
2017-08-24 18:25:42 +02:00
|
|
|
}
|
2016-12-14 15:49:34 +01:00
|
|
|
|
2017-10-12 18:19:53 +02:00
|
|
|
sed_cert_path_for_nginx() {
|
2017-10-12 00:29:21 +02:00
|
|
|
vhost=$1
|
|
|
|
vhost_full_path="/etc/nginx/ssl/${vhost}.conf"
|
|
|
|
cert_path=$2
|
|
|
|
|
|
|
|
debug "Nginx detected... first configuration in ${vhost_full_path}"
|
|
|
|
[ -f "${vhost_full_path}" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate ${cert_path};~" "${vhost_full_path}"
|
2017-10-12 18:22:43 +02:00
|
|
|
$(command -v nginx) -t
|
2017-10-12 00:29:21 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
x509_verify() {
|
2017-10-13 12:08:47 +02:00
|
|
|
file="$1"
|
|
|
|
[ -f "$file" ] || error "File ${file} not found"
|
|
|
|
${OPENSSL_BIN} x509 -noout -modulus -in "$file" >/dev/null
|
2017-10-12 18:20:49 +02:00
|
|
|
}
|
|
|
|
csr_verify() {
|
2017-10-13 12:08:47 +02:00
|
|
|
file="$1"
|
|
|
|
[ -f "$file" ] || error "File ${file} not found"
|
|
|
|
${OPENSSL_BIN} req -noout -modulus -in "$file" >/dev/null
|
2017-10-12 00:29:21 +02:00
|
|
|
}
|
|
|
|
x509_enddate() {
|
2017-10-13 12:08:47 +02:00
|
|
|
file="$1"
|
|
|
|
[ -f "$file" ] || error "File ${file} not found"
|
|
|
|
${OPENSSL_BIN} x509 -noout -enddate -in "$file"
|
2017-08-24 18:25:42 +02:00
|
|
|
}
|
2016-12-14 15:49:34 +01:00
|
|
|
|
2017-08-24 18:25:42 +02:00
|
|
|
main() {
|
2017-10-12 18:22:43 +02:00
|
|
|
# Read configuration file, if it exists
|
2017-09-21 00:39:06 +02:00
|
|
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
2017-10-12 18:22:43 +02:00
|
|
|
|
|
|
|
# Default value for main variables
|
|
|
|
SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"}
|
|
|
|
ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
|
|
|
|
CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
|
|
|
|
CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
|
|
|
|
LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
|
|
|
|
SSL_MINDAY=${SSL_MINDAY:-"30"}
|
|
|
|
SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"}
|
|
|
|
SSL_EMAIL=${SSL_EMAIL:-""}
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 18:22:06 +02:00
|
|
|
CRON=${CRON:-"0"}
|
|
|
|
TEST=${TEST:-"0"}
|
|
|
|
DRY_RUN=${DRY_RUN:-"0"}
|
|
|
|
|
2017-09-21 03:29:55 +02:00
|
|
|
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
|
2017-10-12 00:29:21 +02:00
|
|
|
# check arguments
|
2017-10-12 18:22:43 +02:00
|
|
|
[ "$#" -eq 1 ] || error "invalid argument(s)"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 18:22:43 +02:00
|
|
|
VHOST=$(basename "$1" .conf)
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
# check for important programs
|
2017-10-12 18:22:43 +02:00
|
|
|
OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"
|
|
|
|
CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed"
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
# double check for directories
|
|
|
|
[ ! -d "${ACME_DIR}" ] && error "${ACME_DIR} is not a directory"
|
|
|
|
[ ! -d "${CSR_DIR}" ] && error "${CSR_DIR} is not a directory"
|
2017-10-13 11:16:46 +02:00
|
|
|
[ ! -d "${LOG_DIR}" ] && error "${LOG_DIR} is not a directory"
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
#### CSR VALIDATION
|
2017-09-21 03:29:55 +02:00
|
|
|
|
|
|
|
# verify .csr file
|
2017-10-12 00:29:21 +02:00
|
|
|
CSR_FILE="${CSR_DIR}/${VHOST}.csr"
|
|
|
|
debug "Using CSR file: ${CSR_FILE}"
|
|
|
|
[ ! -f "${CSR_FILE}" ] && error "${CSR_FILE} absent"
|
|
|
|
[ ! -r "${CSR_FILE}" ] && error "${CSR_FILE} is not readable"
|
|
|
|
|
2017-10-12 18:20:49 +02:00
|
|
|
csr_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
|
|
|
# Hook for evoadmin-web in cluster mode : check master status
|
2017-10-12 00:29:21 +02:00
|
|
|
evoadmin_state_file="/home/${VHOST}/state"
|
2017-10-12 18:22:43 +02:00
|
|
|
[ -f "${evoadmin_state_file}" ] \
|
|
|
|
&& grep -q "STATE=slave" "${evoadmin_state_file}" \
|
|
|
|
&& debug "We are slave of this evoadmin cluster. Quit!" \
|
|
|
|
&& exit 0
|
2017-09-11 14:18:20 +02:00
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
#### INIT OR RENEW?
|
|
|
|
|
|
|
|
LIVE_DIR="${CRT_DIR}/${VHOST}/live"
|
|
|
|
LIVE_CERT="${LIVE_DIR}/cert.crt"
|
|
|
|
LIVE_FULLCHAIN="${LIVE_DIR}/fullchain.pem"
|
|
|
|
LIVE_CHAIN="${LIVE_DIR}/chain.pem"
|
|
|
|
|
|
|
|
# If live symlink already exists, it's not our first time...
|
|
|
|
if [ -h "${LIVE_DIR}" ]; then
|
|
|
|
# we have a live symlink
|
|
|
|
# let's see if there is a cert to renew
|
|
|
|
x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
|
|
|
|
|
|
|
|
# Verify if our certificate will expire
|
|
|
|
crt_end_date=$(x509_enddate "${LIVE_CERT}" | cut -d= -f2)
|
|
|
|
date_renew=$(date -ud "${crt_end_date} - ${SSL_MINDAY} days" +"%s")
|
|
|
|
date_today=$(date +'%s')
|
|
|
|
if [ "${date_today}" -lt "${date_renew}" ]; then
|
|
|
|
debug "Cert ${LIVE_CERT} expires at ${crt_end_date} => more than ${SSL_MINDAY} days: kthxbye."
|
|
|
|
exit 0
|
|
|
|
fi
|
2017-09-21 00:39:06 +02:00
|
|
|
fi
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
#### CERTIFICATE CREATION WITH CERTBOT
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-13 11:17:32 +02:00
|
|
|
ITERATION=$(date "+%Y%m%d%H%M%S")
|
2017-10-12 00:29:21 +02:00
|
|
|
[ -z "${ITERATION}" ] && error "invalid iteration (${ITERATION})"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
[ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
|
2017-10-13 12:08:47 +02:00
|
|
|
mkdir -p "${NEW_DIR}"
|
|
|
|
chmod -R 0700 "${CRT_DIR}"
|
|
|
|
chown -R acme: "${CRT_DIR}"
|
2017-10-12 00:29:21 +02:00
|
|
|
debug "New cert will be created in ${NEW_DIR}"
|
|
|
|
|
|
|
|
NEW_CERT="${NEW_DIR}/cert.crt"
|
|
|
|
NEW_FULLCHAIN="${NEW_DIR}/fullchain.pem"
|
|
|
|
NEW_CHAIN="${NEW_DIR}/chain.pem"
|
|
|
|
|
|
|
|
CERTBOT_MODE=""
|
2017-10-12 18:22:06 +02:00
|
|
|
[ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert"
|
|
|
|
[ "${CRON}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet"
|
|
|
|
[ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run"
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
CERTBOT_REGISTRATION="--agree-tos"
|
|
|
|
if [ -n "${SSL_EMAIL}" ]; then
|
|
|
|
debug "Registering at certbot with ${SSL_EMAIL} as email"
|
|
|
|
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} -m ${SSL_EMAIL}"
|
2017-09-21 03:29:55 +02:00
|
|
|
else
|
2017-10-12 00:29:21 +02:00
|
|
|
debug "Registering at certbot without email"
|
|
|
|
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email"
|
2017-09-21 00:39:06 +02:00
|
|
|
fi
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-13 12:08:47 +02:00
|
|
|
# Permissions checks for acme user
|
|
|
|
sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'"
|
|
|
|
sudo -u acme test -w "${NEW_DIR}" || error "File ${NEW_DIR} is not writable by user 'acme'"
|
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
# create a certificate with certbot
|
2017-10-12 18:22:43 +02:00
|
|
|
sudo -u acme \
|
|
|
|
${CERTBOT_BIN} \
|
2017-10-12 00:29:21 +02:00
|
|
|
certonly \
|
2017-10-12 18:22:43 +02:00
|
|
|
${CERTBOT_MODE} \
|
|
|
|
${CERTBOT_REGISTRATION} \
|
|
|
|
--non-interactive \
|
|
|
|
--webroot \
|
|
|
|
--csr "${CSR_FILE}" \
|
|
|
|
--webroot-path "${ACME_DIR}" \
|
|
|
|
--cert-path "${NEW_CERT}" \
|
|
|
|
--fullchain-path "${NEW_FULLCHAIN}" \
|
|
|
|
--chain-path "${NEW_CHAIN}" \
|
|
|
|
--logs-dir "$LOG_DIR" \
|
|
|
|
2>&1 \
|
|
|
|
| grep -v "certbot.crypto_util"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
|
|
|
# verify if all is right
|
2017-10-12 00:29:21 +02:00
|
|
|
x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid"
|
|
|
|
x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid"
|
|
|
|
x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid"
|
|
|
|
|
|
|
|
#### CERTIFICATE ACTIVATION
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-13 11:18:15 +02:00
|
|
|
if [ -h "${LIVE_DIR}" ]; then
|
|
|
|
# We don't have a live symlink yet
|
|
|
|
# Let's start from scratch and configure our web server(s)
|
|
|
|
command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
|
|
|
|
command -v nginx && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
|
|
|
|
fi
|
|
|
|
|
2017-09-21 03:29:55 +02:00
|
|
|
# link dance
|
2017-10-12 00:29:21 +02:00
|
|
|
if [ -h "${LIVE_DIR}" ]; then
|
|
|
|
rm "${LIVE_DIR}"
|
|
|
|
debug "Remove ${LIVE_DIR} link"
|
|
|
|
fi
|
|
|
|
ln -s "${NEW_DIR}" "${LIVE_DIR}"
|
|
|
|
debug "Link ${NEW_DIR} to ${LIVE_DIR}"
|
|
|
|
# verify final path
|
|
|
|
x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
|
2017-09-21 03:29:55 +02:00
|
|
|
|
2017-10-12 00:29:21 +02:00
|
|
|
# disable error catching
|
|
|
|
# below this point anything can break
|
2017-10-03 10:44:20 +02:00
|
|
|
set +e
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
# reload apache if present
|
|
|
|
if [ -n "$(pidof apache2)" ]; then
|
2017-10-13 11:18:37 +02:00
|
|
|
if $($(command -v apache2ctl) -t 2>/dev/null); then
|
2017-10-12 00:29:21 +02:00
|
|
|
debug "Apache detected... reloading"
|
|
|
|
service apache2 reload
|
2017-10-03 10:44:20 +02:00
|
|
|
else
|
|
|
|
error "Apache config is broken, you must fix it !"
|
|
|
|
fi
|
|
|
|
fi
|
2017-10-12 00:29:21 +02:00
|
|
|
|
|
|
|
# reload nginx if present
|
|
|
|
if [ -n "$(pidof nginx)" ]; then
|
2017-10-13 11:18:37 +02:00
|
|
|
if $($(command -v nginx) -t 2>/dev/null); then
|
2017-10-12 00:29:21 +02:00
|
|
|
debug "Nginx detected... reloading"
|
|
|
|
service nginx reload
|
2017-10-03 10:44:20 +02:00
|
|
|
else
|
|
|
|
error "Nginx config is broken, you must fix it !"
|
|
|
|
fi
|
|
|
|
fi
|
2017-08-24 18:25:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
main "$@"
|