evoacme: use hooks after certificate creation

This commit is contained in:
Jérémy Lecour 2017-10-19 22:21:18 +02:00
parent 1fa4ccc338
commit 4d6853f844
5 changed files with 80 additions and 114 deletions


@ -1,47 +0,0 @@
#!/bin/sh
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
if [ -z "${EVOACME_VHOST_PATH}"]; then
error "Missing EVOACME_VHOST_PATH environment variable"
fi
if [ -z "${EVOACME_CERT_PATH}"]; then
error "Missing EVOACME_CERT_PATH environment variable"
fi
readonly APACHE2CTL_BIN=$(command -v apache2ctl) || error "apache2ctl command not installed"
[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable"
local search="^SSLCertificateFile.*$"
local replace="SSLCertificateFile ${EVOACME_VHOST_PATH}"
if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then
[ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable"
sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}"
debug "Config in ${EVOACME_VHOST_PATH} has been updated"
fi
if [ -n "$(pidof apache2)" ]; then
if $(${APACHE2CTL_BIN} -t 2> /dev/null); then
debug "Apache detected... reloading"
service apache2 reload
else
error "Apache config is broken, you must fix it !"
fi
fi
exit 0


@ -92,6 +92,20 @@ csr_verify() {
"${OPENSSL_BIN}" req -noout -modulus -in "$file" >/dev/null
}
exec_hooks() {
local hooks_dir="$1"
export EVOACME_VHOST_NAME="${VHOST}"
export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}"
for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do
if [ -x "${hook}" ]; then
debug "Executing ${hook}"
${hook}
fi
done
}
main() {
# check arguments
[ "$#" -eq 1 ] || error "invalid argument(s)"
@ -112,6 +126,10 @@ main() {
chown root: "${LOG_DIR}"
[ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable"
mkdir -p "${HOOKS_DIR}"
chown root: "${HOOKS_DIR}"
[ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found"
readonly VHOST=$(basename "$1" .conf)
# check for important programs
@ -239,27 +257,12 @@ main() {
# verify final path
x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
# update and reload Apache
command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
if [ -n "$(pidof apache2)" ]; then
if $($(command -v apache2ctl) -t 2>/dev/null); then
debug "Apache detected... reloading"
service apache2 reload
else
error "Apache config is broken, you must fix it !"
fi
fi
# update Apache
sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
# update Nginx
sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
# update and reload Nginx
command -v nginx > /dev/null && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
if [ -n "$(pidof nginx)" ]; then
if $($(command -v nginx) -t 2>/dev/null); then
debug "Nginx detected... reloading"
service nginx reload
else
error "Nginx config is broken, you must fix it !"
fi
fi
exec_hooks "${HOOKS_DIR}"
}
readonly PROGNAME=$(basename "$0")
@ -280,6 +283,7 @@ readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/hooks"}
readonly SSL_MINDAY=${SSL_MINDAY:-"30"}
readonly SSL_EMAIL=${SSL_EMAIL:-""}
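Review bot: `exec_hooks` assigns `local hooks_dir="$1"` and then never uses it; the loop on the next line walks `find ${HOOKS_DIR} -type f | grep -v ".disabled$"` instead, so the argument is dead, the path is unquoted, and `for hook in $(find …)` word-splits on any whitespace in a hook name. Since the hooks run with whatever privileges evoacme itself has (the same hunk `chown root:`s the directory, so presumably root), the loop should also refuse hooks that are not root-owned or are group/world-writable, and it should not drop a hook's exit status — a failed reload hook currently leaves the new certificate unserved without any error. The rewrite below uses the argument, iterates a quoted glob rather than `find | grep` (this stops recursing into subdirectories, which the original did — confirm nothing relies on that), and uses GNU `find -perm /022` for the permission check; the `main` hunks that follow start and end outside the view.
```sh
exec_hooks() {
    local hooks_dir="$1"
    export EVOACME_VHOST_NAME="${VHOST}"
    export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}"
    for hook in "${hooks_dir}"/*; do
        case "${hook}" in *.disabled) continue ;; esac
        if [ ! -f "${hook}" ] || [ ! -x "${hook}" ]; then
            continue
        fi
        # hooks run with this script's privileges: refuse anything that is not
        # root-owned or that group/others could modify (-H checks the link target)
        if [ -n "$(find -H "${hook}" ! -user root -o -perm /022)" ]; then
            error "Hook ${hook} must be root-owned and not group/world-writable"
        fi
        debug "Executing ${hook}"
        "${hook}" || error "Hook ${hook} failed"
    done
}
```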


@ -0,0 +1,28 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof apache2)" ]; then
if $($(command -v apache2ctl) -t 2> /dev/null); then
debug "Apache detected... reloading"
service apache2 reload
else
error " Apache config is broken, you must fix it !"
fi
else
debug "Apache is not running. Skip."
fi
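Review bot: The test `if $($(command -v apache2ctl) -t 2> /dev/null); then` in the new Apache reload hook does not test apache2ctl's exit status directly: the inner substitution resolves the binary, the outer one runs it, and the shell then executes whatever it printed to stdout as a command, so it only works because `apache2ctl -t` happens to write to stderr, and any future stdout output would be run as a command. Write it as `if "$(command -v apache2ctl)" -t >/dev/null 2>&1; then` (or simply `if apache2ctl -t >/dev/null 2>&1; then`) and check the reload as well: `service apache2 reload || error "Apache reload failed"`, since a silent reload failure leaves the old certificate in service. `readonly ARGS=$@` is unquoted and unused in this script; drop it or write `"$@"`.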


@ -0,0 +1,28 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof nginx)" ]; then
if $($(command -v nginx) -t 2> /dev/null); then
debug "Nginx detected... reloading"
service nginx reload
else
error "Nginx config is broken, you must fix it !"
fi
else
debug "Nginx is not running. Skip."
fi
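Review bot: The same construct as in the Apache hook, `if $($(command -v nginx) -t 2> /dev/null); then`, executes the stdout of `nginx -t` as a command instead of branching on its exit status; it passes today only because nginx reports to stderr. Use `if "$(command -v nginx)" -t >/dev/null 2>&1; then` and check the reload result, `service nginx reload || error "Nginx reload failed"`, so a reload that fails after a successful issuance is not reported as success. `readonly ARGS=$@` is unquoted and unused here too.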


@ -1,47 +0,0 @@
#!/bin/sh
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
if [ -z "${EVOACME_VHOST_PATH}"]; then
error "Missing EVOACME_VHOST_PATH environment variable"
fi
if [ -z "${EVOACME_CERT_PATH}"]; then
error "Missing EVOACME_CERT_PATH environment variable"
fi
readonly NGINX_BIN=$(command -v nginx) || error "nginx command not installed"
[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable"
readonly search="^ssl_certificate[^_].*$"
readonly replace="ssl_certificate ${EVOACME_CERT_PATH};"
if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then
[ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable"
sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}"
debug "Config in ${EVOACME_VHOST_PATH} has been updated"
fi
if [ -n "$(pidof nginx)" ]; then
if $(${NGINX_BIN} -t 2> /dev/null); then
debug "Nginx detected... reloading"
service nginx reload
else
error "Nginx config is broken, you must fix it !"
fi
fi
exit 0