2016-12-14 15:49:34 +01:00
|
|
|
#!/bin/bash
|
2017-01-31 17:09:42 +01:00
|
|
|
|
2017-02-03 15:52:48 +01:00
|
|
|
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
2017-01-31 17:09:42 +01:00
|
|
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
|
|
|
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
|
|
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
2016-12-14 15:49:34 +01:00
|
|
|
|
2017-01-31 15:14:20 +01:00
|
|
|
shopt -s extglob
|
|
|
|
|
2016-12-14 15:49:34 +01:00
|
|
|
vhost=$1
|
2017-01-31 15:14:20 +01:00
|
|
|
vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null)
|
2016-12-14 15:49:34 +01:00
|
|
|
|
2017-01-31 15:14:20 +01:00
|
|
|
if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then
|
|
|
|
echo "$vhost doesn't exist !"
|
|
|
|
exit 1
|
2016-12-14 15:49:34 +01:00
|
|
|
fi
|
|
|
|
|
2017-01-31 15:14:20 +01:00
|
|
|
for vhostfile in "${vhostfiles}"; do
|
|
|
|
break;
|
|
|
|
done
|
|
|
|
|
2016-12-14 15:49:34 +01:00
|
|
|
if [ -f $SSL_KEY_DIR/${vhost}.key ]; then
|
|
|
|
read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r
|
|
|
|
echo ""
|
|
|
|
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
|
|
|
openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE
|
|
|
|
chown root: $SSL_KEY_DIR/${vhost}.key
|
2017-01-31 17:09:42 +01:00
|
|
|
chmod 600 $SSL_KEY_DIR/${vhost}.key
|
2016-12-14 15:49:34 +01:00
|
|
|
|
|
|
|
nb=0
|
|
|
|
|
2017-01-31 15:14:20 +01:00
|
|
|
echo $vhostfile |grep -q nginx
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq`
|
2016-12-14 15:49:34 +01:00
|
|
|
fi
|
|
|
|
|
2017-01-31 15:14:20 +01:00
|
|
|
echo $vhostfile |grep -q apache2
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
2016-12-14 15:49:34 +01:00
|
|
|
fi
|
|
|
|
|
2017-01-17 14:54:31 +01:00
|
|
|
valid_domains=''
|
|
|
|
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
|
|
|
|
|
|
|
echo "Valid Domain(s) for $vhost :"
|
2016-12-14 15:49:34 +01:00
|
|
|
for domain in $domains
|
|
|
|
do
|
2017-01-17 14:54:31 +01:00
|
|
|
real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
|
2017-01-25 11:16:50 +01:00
|
|
|
for ip in $(echo $srv_ip|xargs -n1); do
|
|
|
|
if [ "${ip}" == "${real_ip}" ]; then
|
2017-01-17 14:54:31 +01:00
|
|
|
valid_domains="$valid_domains $domain"
|
|
|
|
nb=$(( nb + 1 ))
|
|
|
|
echo "- $domain"
|
|
|
|
fi
|
|
|
|
done
|
2016-12-14 15:49:34 +01:00
|
|
|
done
|
|
|
|
|
2017-01-17 14:54:31 +01:00
|
|
|
if [ $nb -eq 0 ]; then
|
|
|
|
nb=`echo $domains|wc -l`
|
|
|
|
echo "No valid domains : $domains" >&2
|
|
|
|
else
|
|
|
|
domains=$valid_domains
|
|
|
|
fi
|
|
|
|
|
2017-01-31 17:09:42 +01:00
|
|
|
mkdir -p $CSR_DIR -m 0755
|
2016-12-14 15:49:34 +01:00
|
|
|
|
|
|
|
if [ $nb -eq 1 ]; then
|
2017-01-31 17:09:42 +01:00
|
|
|
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domain")) -out $CSR_DIR/${vhost}.csr
|
2016-12-14 15:49:34 +01:00
|
|
|
elif [ $nb -gt 1 ]; then
|
|
|
|
san=''
|
|
|
|
for domain in $domains
|
|
|
|
do
|
|
|
|
san="$san,DNS:$domain"
|
|
|
|
done
|
|
|
|
san=`echo $san|sed 's/,//'`
|
2017-01-31 17:09:42 +01:00
|
|
|
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr
|
2016-12-14 15:49:34 +01:00
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -f $CSR_DIR/${vhost}.csr ]; then
|
|
|
|
chmod 644 $CSR_DIR/${vhost}.csr
|
2017-01-31 17:09:42 +01:00
|
|
|
mkdir -p $SELF_SIGNED_DIR -m 0755
|
|
|
|
openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem
|
|
|
|
if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then
|
|
|
|
chmod 644 $SELF_SIGNED_DIR/${vhost}.pem
|
2016-12-14 15:49:34 +01:00
|
|
|
fi
|
|
|
|
fi
|
2017-02-03 15:52:48 +01:00
|
|
|
|
|
|
|
if [ -d /etc/apache2 ]; then
|
|
|
|
mkdir -p /etc/apache2/ssl
|
|
|
|
if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then
|
|
|
|
cat > /etc/apache2/ssl/${vhost}.conf <<EOF
|
|
|
|
SSLEngine On
|
|
|
|
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
|
|
|
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
|
|
|
EOF
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -d /etc/nginx ]; then
|
|
|
|
mkdir -p /etc/nginx/ssl
|
|
|
|
if [ ! -f /etc/nginx/ssl/${vhost}.conf ]; then
|
|
|
|
cat > /etc/nginx/ssl/${vhost}.conf <<EOF
|
|
|
|
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
|
|
|
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
|
|
|
EOF
|
|
|
|
fi
|
|
|
|
fi
|