Improve evoacme, mainly evoacme.sh script
This commit is contained in:
commit
3e92696556
|
@ -10,5 +10,5 @@
|
||||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
|
|
||||||
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||||
evoacme "$vhost"
|
evoacme "$vhost"
|
||||||
done
|
done
|
||||||
|
|
|
@ -7,78 +7,109 @@
|
||||||
# Licence: AGPLv3
|
# Licence: AGPLv3
|
||||||
#
|
#
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
echo "Usage: $0 NAME"
|
echo "Usage: $0 [ --cron ] NAME"
|
||||||
echo ""
|
echo ""
|
||||||
echo "NAME must be correspond to :"
|
echo "NAME must be correspond to :"
|
||||||
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
||||||
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
||||||
echo ""
|
echo ""
|
||||||
}
|
}
|
||||||
|
|
||||||
mkconf_apache() {
|
mkconf_apache() {
|
||||||
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
echo "Apache detected... first configuration"
|
||||||
apache2ctl -t 2>/dev/null && service apache2 reload
|
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||||
|
apache2ctl -t
|
||||||
}
|
}
|
||||||
|
|
||||||
mkconf_nginx() {
|
mkconf_nginx() {
|
||||||
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
echo "Nginx detected... first configuration"
|
||||||
nginx -t 2>/dev/null && service nginx reload
|
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||||
}
|
nginx -t
|
||||||
|
|
||||||
mkconf_haproxy() {
|
|
||||||
mkdir -p /etc/ssl/haproxy -m 700
|
|
||||||
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
|
|
||||||
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
|
|
||||||
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
|
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private
|
||||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
[ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt
|
||||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
[ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
[ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt
|
||||||
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
[ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme
|
||||||
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
|
[ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30
|
||||||
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed
|
||||||
[ "$#" -ne 1 ] && usage && exit 1
|
[ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam
|
||||||
|
|
||||||
vhost=$(basename "$1" .conf)
|
# misc verifications
|
||||||
|
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
|
||||||
|
which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 )
|
||||||
|
which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 )
|
||||||
|
[ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1
|
||||||
|
[ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1
|
||||||
|
[ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1
|
||||||
|
[ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1
|
||||||
|
[ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1
|
||||||
|
|
||||||
# Check master status for evoadmin-cluster
|
[ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO
|
||||||
if [ -f "/home/${vhost}/state" ]; then
|
[ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES
|
||||||
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
|
||||||
fi
|
# verify .csr file
|
||||||
|
test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1
|
||||||
|
test ! -r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1
|
||||||
|
openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 )
|
||||||
|
[ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr"
|
||||||
|
|
||||||
|
# Hook for evoadmin-web in cluster mode : check master status
|
||||||
|
if [ -f "/home/${vhost}/state" ]; then
|
||||||
|
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$SSL_EMAIL" ]; then
|
||||||
|
emailopt="-m $SSL_EMAIL"
|
||||||
|
else
|
||||||
|
emailopt="--register-unsafely-without-email"
|
||||||
|
fi
|
||||||
|
|
||||||
|
DATE=$(date "+%Y%m%d")
|
||||||
|
[ ! -n "$DATE" ] && echo "error: invalid date" && exit 1
|
||||||
|
|
||||||
|
|
||||||
|
# If live link already exists, it's not our first time...
|
||||||
|
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||||
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 )
|
||||||
|
|
||||||
|
# Verify if our certificate will expire
|
||||||
|
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2)
|
||||||
|
date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s")
|
||||||
|
date_today=$(date +'%s')
|
||||||
|
[ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0
|
||||||
|
else
|
||||||
|
which apache2ctl >/dev/null && mkconf_apache
|
||||||
|
which nginx >/dev/null && mkconf_nginx
|
||||||
|
fi
|
||||||
|
|
||||||
|
# renew certificate with certbot
|
||||||
|
[ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1
|
||||||
|
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||||
|
chown -R acme: "$CRT_DIR/${vhost}/${DATE}"
|
||||||
|
[ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet"
|
||||||
|
sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||||
|
|
||||||
|
# verify if all is right
|
||||||
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 )
|
||||||
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 )
|
||||||
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 )
|
||||||
|
|
||||||
|
# link dance
|
||||||
|
[ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live"
|
||||||
|
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||||
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 )
|
||||||
|
|
||||||
|
# reload apache or nginx (TODO: need improvments)
|
||||||
|
pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2
|
||||||
|
pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2
|
||||||
|
|
||||||
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
|
|
||||||
if [ -n "$SSL_EMAIL" ]; then
|
|
||||||
emailopt="-m $SSL_EMAIL"
|
|
||||||
else
|
|
||||||
emailopt="--register-unsafely-without-email"
|
|
||||||
fi
|
|
||||||
DATE=$(date "+%Y%m%d")
|
|
||||||
|
|
||||||
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
|
||||||
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
|
|
||||||
date_crt=$(date -ud "$crt_end_date" +"%s")
|
|
||||||
date_today=$(date +'%s')
|
|
||||||
date_diff=$(((date_crt - date_today) / (60*60*24)))
|
|
||||||
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
|
|
||||||
fi
|
|
||||||
rm -rf "$CRT_DIR/${vhost}/${DATE}"
|
|
||||||
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
|
||||||
chown -R acme: "$CRT_DIR/${vhost}"
|
|
||||||
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
|
||||||
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
|
|
||||||
rm -f "$CRT_DIR/${vhost}/live"
|
|
||||||
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
|
||||||
which apache2ctl >/dev/null && mkconf_apache
|
|
||||||
which nginx >/dev/null && mkconf_nginx
|
|
||||||
which haproxy >/dev/null && mkconf_haproxy
|
|
||||||
else
|
|
||||||
rmdir "$CRT_DIR/${vhost}/${DATE}"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
main "$@"
|
main "$@"
|
||||||
|
|
|
@ -8,143 +8,143 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
get_domains() {
|
get_domains() {
|
||||||
echo "$vhostfile"|grep -q nginx
|
echo "$vhostfile"|grep -q nginx
|
||||||
if [ "$?" -eq 0 ]; then
|
if [ "$?" -eq 0 ]; then
|
||||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "$vhostfile" |grep -q apache2
|
echo "$vhostfile" |grep -q apache2
|
||||||
if [ "$?" -eq 0 ]; then
|
if [ "$?" -eq 0 ]; then
|
||||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
||||||
fi
|
fi
|
||||||
valid_domains=""
|
valid_domains=""
|
||||||
nb=0
|
nb=0
|
||||||
|
|
||||||
echo "Valid(s) domain(s) in $vhost :"
|
echo "Valid(s) domain(s) in $vhost :"
|
||||||
for domain in $domains; do
|
for domain in $domains; do
|
||||||
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
||||||
if [ "${ip}" = "${real_ip}" ]; then
|
if [ "${ip}" = "${real_ip}" ]; then
|
||||||
valid_domains="$valid_domains $domain"
|
valid_domains="$valid_domains $domain"
|
||||||
nb=$(( nb + 1 ))
|
nb=$(( nb + 1 ))
|
||||||
echo "* $domain -> $real_ip"
|
echo "* $domain -> $real_ip"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$nb" -eq 0 ]; then
|
if [ "$nb" -eq 0 ]; then
|
||||||
nb=$(echo "$domains"|wc -l)
|
nb=$(echo "$domains"|wc -l)
|
||||||
echo "* No valid domain found"
|
echo "* No valid domain found"
|
||||||
echo "All following(s) domain(s) will be used for CSR creation :"
|
echo "All following(s) domain(s) will be used for CSR creation :"
|
||||||
for domain in $domains; do
|
for domain in $domains; do
|
||||||
echo "* $domain"
|
echo "* $domain"
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
domains="$valid_domains"
|
domains="$valid_domains"
|
||||||
fi
|
fi
|
||||||
domains=$(echo "$domains"|xargs -n1)
|
domains=$(echo "$domains"|xargs -n1)
|
||||||
}
|
}
|
||||||
|
|
||||||
make_key() {
|
make_key() {
|
||||||
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
||||||
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
||||||
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
||||||
}
|
}
|
||||||
|
|
||||||
make_csr() {
|
make_csr() {
|
||||||
domains="$1"
|
domains="$1"
|
||||||
nb=$(echo "$domains"|wc -l)
|
nb=$(echo "$domains"|wc -l)
|
||||||
config_file="/tmp/make-csr-${vhost}.conf"
|
config_file="/tmp/make-csr-${vhost}.conf"
|
||||||
|
|
||||||
mkdir -p "$CSR_DIR" -m 0755
|
mkdir -p "$CSR_DIR" -m 0755
|
||||||
|
|
||||||
if [ "$nb" -eq 1 ]; then
|
if [ "$nb" -eq 1 ]; then
|
||||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||||
CN=$domains
|
CN=$domains
|
||||||
EOF
|
EOF
|
||||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
||||||
elif [ "$nb" -gt 1 ]; then
|
elif [ "$nb" -gt 1 ]; then
|
||||||
san=''
|
san=''
|
||||||
for domain in $domains
|
for domain in $domains
|
||||||
do
|
do
|
||||||
san="$san,DNS:$domain"
|
san="$san,DNS:$domain"
|
||||||
done
|
done
|
||||||
san=$(echo "$san"|sed 's/,//')
|
san=$(echo "$san"|sed 's/,//')
|
||||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||||
[SAN]
|
[SAN]
|
||||||
subjectAltName=$san
|
subjectAltName=$san
|
||||||
EOF
|
EOF
|
||||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
||||||
chmod 644 "$CSR_DIR/${vhost}.csr"
|
chmod 644 "$CSR_DIR/${vhost}.csr"
|
||||||
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
||||||
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||||
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
mkconf_apache() {
|
mkconf_apache() {
|
||||||
mkdir -p /etc/apache2/ssl
|
mkdir -p /etc/apache2/ssl
|
||||||
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
||||||
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
||||||
SSLEngine On
|
SSLEngine On
|
||||||
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
||||||
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
mkconf_nginx() {
|
mkconf_nginx() {
|
||||||
mkdir -p /etc/nginx/ssl
|
mkdir -p /etc/nginx/ssl
|
||||||
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
||||||
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
||||||
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
||||||
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
if [ "$#" -ne 1 ]; then
|
if [ "$#" -ne 1 ]; then
|
||||||
echo "You need to provide one argument !" >&2
|
echo "You need to provide one argument !" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
vhost=$(basename "$1" .conf)
|
vhost=$(basename "$1" .conf)
|
||||||
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
|
|
||||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||||
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
||||||
|
|
||||||
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
||||||
|
|
||||||
if [ ! -h "$vhostfile" ]; then
|
if [ ! -h "$vhostfile" ]; then
|
||||||
echo "$vhost is not a valid virtualhost !" >&2
|
echo "$vhost is not a valid virtualhost !" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
||||||
echo "$vhost key already exist, overwrite it ? (y)"
|
echo "$vhost key already exist, overwrite it ? (y)"
|
||||||
read REPLY
|
read REPLY
|
||||||
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
||||||
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
||||||
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
get_domains
|
get_domains
|
||||||
make_key
|
make_key
|
||||||
make_csr "$domains"
|
make_csr "$domains"
|
||||||
which apache2ctl >/dev/null && mkconf_apache
|
which apache2ctl >/dev/null && mkconf_apache
|
||||||
which nginx >/dev/null && mkconf_nginx
|
which nginx >/dev/null && mkconf_nginx
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -42,6 +42,18 @@
|
||||||
path: /usr/local/bin/certbot
|
path: /usr/local/bin/certbot
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
|
- name: stat /etc/cron.d/certbot
|
||||||
|
stat:
|
||||||
|
path: /etc/cron.d/certbot
|
||||||
|
register: etc_cron_d_certbot
|
||||||
|
|
||||||
|
- name: Rename certbot dpkg cron to .disabled
|
||||||
|
copy:
|
||||||
|
remote_src: True
|
||||||
|
src: /etc/cron.d/certbot
|
||||||
|
dest: /etc/cron.d/certbot.disabled
|
||||||
|
when: etc_cron_d_certbot.stat.exists
|
||||||
|
|
||||||
- name: Remove certbot dpkg cron
|
- name: Remove certbot dpkg cron
|
||||||
file:
|
file:
|
||||||
path: /etc/cron.d/certbot
|
path: /etc/cron.d/certbot
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- ini_file:
|
- ini_file:
|
||||||
dest: /etc/letsencrypt/openssl.cnf
|
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
||||||
section: 'req'
|
section: 'req'
|
||||||
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
value: "{{ item.var }}"
|
value: "{{ item.var }}"
|
||||||
|
|
|
@ -13,7 +13,17 @@
|
||||||
|
|
||||||
- include: scripts.yml
|
- include: scripts.yml
|
||||||
|
|
||||||
- include: webserver.yml
|
- name: Determine Apache presence
|
||||||
|
stat:
|
||||||
|
path: /etc/apache2/apache2.conf
|
||||||
|
check_mode: no
|
||||||
|
register: sta
|
||||||
|
|
||||||
|
- name: Determine Nginx presence
|
||||||
|
stat:
|
||||||
|
path: /etc/nginx/nginx.conf
|
||||||
|
check_mode: no
|
||||||
|
register: stn
|
||||||
|
|
||||||
- include: apache.yml
|
- include: apache.yml
|
||||||
when: sta.stat.isreg is defined and sta.stat.isreg
|
when: sta.stat.isreg is defined and sta.stat.isreg
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
- name: Copy make-csr.sh script
|
- name: Copy make-csr.sh script
|
||||||
copy:
|
copy:
|
||||||
src: files/make-csr.sh
|
src: make-csr.sh
|
||||||
dest: /usr/local/sbin/make-csr
|
dest: /usr/local/sbin/make-csr
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
- name: Copy evoacme script
|
- name: Copy evoacme script
|
||||||
copy:
|
copy:
|
||||||
src: files/evoacme.sh
|
src: evoacme.sh
|
||||||
dest: /usr/local/sbin/evoacme
|
dest: /usr/local/sbin/evoacme
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
---
|
|
||||||
- name: Determine Nginx presence
|
|
||||||
stat:
|
|
||||||
path: /etc/nginx/nginx.conf
|
|
||||||
check_mode: no
|
|
||||||
register: stn
|
|
||||||
|
|
||||||
- name: Determine Apache presence
|
|
||||||
stat:
|
|
||||||
path: /etc/apache2/apache2.conf
|
|
||||||
check_mode: no
|
|
||||||
register: sta
|
|
Loading…
Reference in a new issue