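#!/usr/bin/env bash
#
# Interactive installer for dehydrated (Let's Encrypt / ACME client).
#
# This part of the script defines the default locations, the output
# helpers used by every later installation step, and the first prompt
# (installation directory). The script continues below with further
# prompts and the actual installation steps.
#
# Note: no strict mode (set -e/-u) is enabled on purpose — the later
# steps report each command individually via ok/failed markers by
# inspecting "$?" and are expected to continue after a failure.

# --- Defaults offered at the interactive prompts
_DH_INSTALL_DIR=/usr/local/dehydrated
_DH_CONF_DIR=/etc/dehydrated
_DH_BASE_DIR=/var/lib/dehydrated
_DH_WELL_KNOWN_DIR=/var/www/dehydrated

# --- Marker strings written into the generated hook script and used
# --- to recognise dehydrated's results (see the hook/cron sections below).
STR_PROCESSED="marked to be validated"
STR_SUCCESS="Certificate has been produced"
STR_INVALID_CHALLENGE="Error: Invalid Challenge"
STR_HTTP_REQUEST_FAILED="Error: HTTP-Request failed"
STR_TOO_MANY_CERTIFICATES="too many certificates already issued for"
ERR_MSG_TOO_MANY_CERTS="too many certificates already issued"

# -------------
# --- Some functions
# -------------

#######################################
# Print a prompt/progress string to stderr without a trailing newline.
# Backslash escapes (\t, \033, \c, ...) are interpreted like "echo -e".
#
# Previously this probed echo's "\c" handling through a predictable
# temp file (/tmp/shprompt$$) on every call. Under bash, printf '%b'
# gives the same output without the temp file — a fixed, guessable
# name in a world-writable directory must not be written to by an
# installer that runs as root.
# Arguments: $* - text to print
# Outputs:   text on stderr, no newline appended
#######################################
echononl() {
  printf '%b' "$*" >&2
}

#######################################
# Print a fatal error and abort the installation.
# Arguments: $* - message (escape sequences are interpreted)
# Returns:   never; exits with status 1
#######################################
fatal() {
  echo
  printf '%b\n' "fataler Fehler: $*"
  echo
  printf '%b\n' "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
  echo
  exit 1
}

#######################################
# Print a non-fatal error message (on stdout, like the other helpers).
# Arguments: $* - message (escape sequences are interpreted)
#######################################
error() {
  echo
  printf '%b\n' "\t[ \033[31m\033[1mFehler\033[m ]: $*"
  echo
}

#######################################
# Print a warning message.
# Arguments: $* - message (escape sequences are interpreted)
#######################################
warn() {
  echo
  printf '%b\n' "\t[ \033[33m\033[1mWarning\033[m ]: $*"
  echo
}

#######################################
# Print an informational message.
# Arguments: $* - message (escape sequences are interpreted)
#######################################
info() {
  echo
  printf '%b\n' "\t[ \033[32m\033[1mInfo\033[m ]: $*"
  echo
}

# --- Status markers, positioned at column 80 of the current line so they
# --- line up after a preceding echononl "..." step description.
echo_done() {
  printf '%b\n' "\033[80G[ \033[32mdone\033[m ]"
}

echo_ok() {
  printf '%b\n' "\033[80G[ \033[32mok\033[m ]"
}

echo_warning() {
  printf '%b\n' "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}

echo_failed() {
  printf '%b\n' "\033[80G[ \033[1;31mfailed\033[m ]"
}

echo_skipped() {
  printf '%b\n' "\033[80G[ \033[33m\033[1mskipped\033[m ]"
}

#######################################
# Check whether a list contains a given string.
# Arguments: $1   - string to look for
#            $2.. - list elements to search
# Returns:   0 if an element equals $1 exactly, 1 otherwise
#######################################
containsElement() {
  local element
  for element in "${@:2}"; do
    [[ "$element" == "$1" ]] && return 0
  done
  return 1
}

# --- Banner and first prompt: installation directory
clear
echo
printf '%b\n' "\033[21G\033[32mInstallation script for dehydrated\033[m"
echo
echo
printf '%b\n' "\033[32m--\033[m"
echo
echo "Insert DH installation directory"
echo
echo

# An empty answer (including EOF on stdin) falls back to the default,
# so the loop always terminates with a non-empty value.
DH_INSTALL_DIR=
while [[ -z "$DH_INSTALL_DIR" ]]; do
  echononl "DH Installation Directory [$_DH_INSTALL_DIR]: "
  # -r keeps backslashes in the typed path literal
  read -r DH_INSTALL_DIR
  DH_INSTALL_DIR=${DH_INSTALL_DIR:-$_DH_INSTALL_DIR}
done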
HOOK_EXAMPLE_FILE=${DH_INSTALL_DIR}/docs/examples/hook.sh echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert DH Configuration directory" echo "" echo "" DH_CONF_DIR= while [[ "X$DH_CONF_DIR" = "X" ]]; do echononl "DH Configuration Directory [$_DH_CONF_DIR]: " read DH_CONF_DIR if [[ "X$DH_CONF_DIR" = "X" ]]; then DH_CONF_DIR=$_DH_CONF_DIR fi done echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert DH Base directory" echo "" echo "" DH_BASE_DIR= while [[ "X$DH_BASE_DIR" = "X" ]]; do echononl "DH Configuration Directory [$_DH_BASE_DIR]: " read DH_BASE_DIR if [[ "X$DH_BASE_DIR" = "X" ]]; then DH_BASE_DIR=$_DH_BASE_DIR fi done HOOK_OUT_FILE="${DH_BASE_DIR}/hook.sh" DH_CRON_SCRIPT="${DH_BASE_DIR}/cron/dehydrated_cron.sh" DH_CHANGE_SSL_DIRECTIVES_SCRIPT="${DH_BASE_DIR}/tools/change_ssl_directives.sh" DH_UPDATE_SSL_DIRECTIVES_SCRIPT="${DH_BASE_DIR}/tools/update_ssl_directives.sh" echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert DH \"WELL KNOWN\" directory" echo "" echo "Output directory for challenge-tokens to be served by webserver or" echo "deployed in HOOK (e.g.: /var/www/dehydrated)" echo "" DH_WELL_KNOWN_DIR= while [[ "X$DH_WELL_KNOWN_DIR" = "X" ]]; do echononl "DH \"WELL KNOWN\" Directory [$_DH_WELL_KNOWN_DIR]: " read DH_WELL_KNOWN_DIR if [[ "X$DH_WELL_KNOWN_DIR" = "X" ]]; then DH_WELL_KNOWN_DIR=$_DH_WELL_KNOWN_DIR fi done DH_CRON_TYPE="" echo "" echo -e "\033[32m--\033[m" echo "" echo "How to activate the dehydrated cronjob" echo "" echo "[1] System defined as cronjob file in /etc/cron.d" echo "[2] User defined - added to root cronjobs" echo "[3] Skip Cronjob Activation" echo "" echononl "Eingabe: " while [ "$DH_CRON_TYPE" != "system" -a "$DH_CRON_TYPE" != "user" -a "$DH_CRON_TYPE" != "none" ];do read OPTION case $OPTION in 1) DH_CRON_TYPE="system" ;; 2) DH_CRON_TYPE="user" ;; 3) DH_CRON_TYPE="none" ;; *) echo "" echo -e "\tFalsche Eingabe ! 
[ 1 = System defined ; 2 = User defined , 3 = Skip]" echo "" echononl "Eingabe:" ;; esac done WEBSERVER_INSTALLATION="" echo "" echo -e "\033[32m--\033[m" echo "" echo "Webserver Installation" echo "" echo "" echo "[1] Apache2 from Debian Package System" echo "[2] Apache2 installed from Sources" echo "[3] nginx from Debian Package System" echo "[4] GitLab integrated Webserver (GiLab CE Omnibus Package)" echo "[5] Other Webserver Installation" echo "" echononl "Eingabe: " while [ "$WEBSERVER_INSTALLATION" != "Apache2_Debian" \ -a "$WEBSERVER_INSTALLATION" != "Apache2_Source" \ -a "$WEBSERVER_INSTALLATION" != "Nginx_Debian" \ -a "$WEBSERVER_INSTALLATION" != "GitLab" \ -a "$WEBSERVER_INSTALLATION" != "Other_Webserver_Installation" ];do read OPTION case $OPTION in 1) WEBSERVER_INSTALLATION="Apache2_Debian" ;; 2) WEBSERVER_INSTALLATION="Apache2_Source" ;; 3) WEBSERVER_INSTALLATION="Nginx_Debian" ;; 4) WEBSERVER_INSTALLATION="GitLab" ;; 5) WEBSERVER_INSTALLATION="Other_Webserver_Installation" ;; *) echo "" echo -e "\tFalsche Eingabe ! [ 1 = Apache2 Debian ; 2 = Apache2 Sources ; 3 = Nginx Debian ; 4 = Other ; 5 = GitLab]" echo "" echononl "Eingabe:" ;; esac done _set_apache_conf_symlink=false apache_installed=false nginx_installed=false gitlab_installed=false gitlab_reconfigure=false nginx_init_script=/etc/init.d/nginx apache_control_script=/etc/init.d/apache2 gitlab_ctl_script=/usr/bin/gitlab-ctl if [[ "$WEBSERVER_INSTALLATION" = "Apache2_Debian" ]] ;then APACHE_VHOST_DIR=/etc/apache2/sites-enabled APACHE_CONF_DIR=/etc/apache2/conf-available _set_apache_conf_symlink=true apache_control_script=`which apachectl` apache_installed=true elif [[ "$WEBSERVER_INSTALLATION" = "Apache2_Source" ]] ;then if [[ ! 
-d "$_APACHE_VHOST_DIR" ]]; then if [[ -d "/usr/local/apache2/conf/vhosts" ]]; then if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then _APACHE_VHOST_DIR=/usr/local/apache2/conf/vhosts/0 else _APACHE_VHOST_DIR=/usr/local/apache2/conf/vhosts fi fi fi echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert VHost Configuration Directory" echo "" echo "Type:" echo -e "\t\033[33mNone\033[m if not present or no webserver configuration should be done." echo "" APACHE_VHOST_DIR= while [[ "X$APACHE_VHOST_DIR" = "X" ]]; do echononl "VHost Configuration Directory [$_APACHE_VHOST_DIR]: " read APACHE_VHOST_DIR if [ "X$APACHE_VHOST_DIR" = "Xnone" -o "X$APACHE_VHOST_DIR" = "XNone" ]; then warn "Webserver Configuration will be ommited" APACHE_VHOST_DIR= break elif [[ "X$APACHE_VHOST_DIR" = "X" ]]; then APACHE_VHOST_DIR=$_APACHE_VHOST_DIR fi done if [[ "`basename $APACHE_VHOST_DIR`" = "0" ]]; then APACHE_CONF_DIR=`dirname $APACHE_VHOST_DIR` else APACHE_CONF_DIR=$APACHE_VHOST_DIR fi apache_control_script=`which apachectl` apache_installed=true elif [[ "$WEBSERVER_INSTALLATION" = "Nginx_Debian" ]] ;then NGINX_BASE_DIR=/etc/nginx NGINX_VHOST_DIR=${NGINX_BASE_DIR}/sites-enabled NGINX_SNIPPET_DIR=${NGINX_BASE_DIR}/snippets nginx_installed=true elif [[ "$WEBSERVER_INSTALLATION" = "GitLab" ]] ;then GITLAB_CONF_FILE=/etc/gitlab/gitlab.rb gitlab_ctl_script=/usr/bin/gitlab-ctl gitlab_installed=true echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert hostname (external_url)" echo "" _HOST_NAME="$(hostname --fqdn)" HOST_NAME= echononl "Hostname [${_HOST_NAME}]: " read HOST_NAME if [[ "X${HOST_NAME}" = "X" ]] ; then HOST_NAME="${_HOST_NAME}" fi else APACHE_VHOST_DIR= APACHE_CONF_DIR= NGINX_BASE_DIR= NGINX_VHOST_DIR= warn "This Type of Webserver Installation is not yet available" fi echo "" echo "" echo -e "#\033[32m --------------------\033[m" echo -e "#\033[32m --- Start dehydrated (DH) installation with the following Parameters \033[m" echo -e "#\033[32m --------------------\033[m" echo 
"" echo "DH Installation Directory.....: $DH_INSTALL_DIR" echo "DH Configuration Directory....: $DH_CONF_DIR" echo "DH Base Directory.............: $DH_BASE_DIR" echo "DH \"WELL KNOWN\" Directory.....: $DH_WELL_KNOWN_DIR" echo "" if [[ "$DH_CRON_TYPE" = "system" ]]; then echo "DH Cronjob Type...............: Installed as file in /etc/cron.d" elif [[ "$DH_CRON_TYPE" = "user" ]]; then echo "DH Cronjob Type...............: Added to root cronjobs" else echo -e "DH Cronjob Type...............: \033[33mSkip activation\033[m" fi echo "" if [[ "$WEBSERVER_INSTALLATION" =~ Apache2 ]]; then if [[ "$APACHE_CONF_DIR" != "$APACHE_VHOST_DIR" ]]; then echo "Apache Config Directory.......: $APACHE_CONF_DIR" fi echo "Apache Vhost Directory........: $APACHE_VHOST_DIR" echo "" elif [[ "$WEBSERVER_INSTALLATION" =~ Nginx ]]; then echo "nginx Directory.,............: $NGINX_BASE_DIR" echo "nginx Vhost Directory........: $NGINX_VHOST_DIR" elif [[ "$WEBSERVER_INSTALLATION" =~ GitLab ]]; then echo "Hostname (external_url)......: $HOST_NAME" fi echo "" echononl "Start with that configuration? [yes/no]: " read OK while [ "X$OK" != "Xyes" -a "X$OK" != "XYes" -a "X$OK" != "XNo" -a "X$OK" != "Xno" ] do echononl "wrong entry! [yes/no] :" read OK done [ $OK = "Yes" -o $OK = "yes" ] || fatal "Change parameters and restart script: `basename $0`" echo echo _date=`date +%Y-%m-%d-%H%M` ## - Configure Apache.. ## - apache_config_changed=false if [[ -n "$APACHE_CONF_DIR" ]]; then _apache_dh_conf_file=${APACHE_CONF_DIR}/000-dehydrated.conf echononl " Configure Apache Webserver: Create alias for WELL-KNOWN Directory.." if [[ -x "$apache_control_script" ]] && $apache_control_script -M 2> /dev/null | grep -q version_module > /dev/null 2>&1 ; then cat << EOF > $_apache_dh_conf_file Alias /.well-known/acme-challenge ${DH_WELL_KNOWN_DIR}/ Options +FollowSymLinks AllowOverride None Order allow,deny Allow from all = 2.4> Require all granted Satisfy Any EOF if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed fi else cat << EOF > $_apache_dh_conf_file Alias /.well-known/acme-challenge ${DH_WELL_KNOWN_DIR}/ # - Notice: # - If apache version < 2.4 (i.e. 2.2.x), then repclace lines # - 'Require all granted' and 'Satisfy Any' with: # - Order allow,deny # - Allow from all # - Options +FollowSymLinks AllowOverride None Require all granted Satisfy Any EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi apache_config_changed=true if $_set_apache_conf_symlink ; then echononl " Activate \"000-dehydrated.conf\" .. " if [[ -h /etc/apache2/conf-enabled/000-dehydrated.conf ]] ; then echo_skipped else ln -s ../conf-available/000-dehydrated.conf /etc/apache2/conf-enabled/000-dehydrated.conf if [[ $? -eq 0 ]] ; then echo_ok apache_config_changed=true else echo_failed fi fi fi fi if [[ -n "$NGINX_BASE_DIR" ]]; then if [[ ! -d $NGINX_SNIPPET_DIR ]]; then echononl " Create ${NGINX_SNIPPET_DIR}.." mkdir $NGINX_SNIPPET_DIR if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi echononl " Configure Nginx Webserver: Create alias for WLLKNOWN Directory.." if ! grep -E "location\s+/.well-known/acme-challenge/" ${NGINX_SNIPPET_DIR}/letsencrypt-acme-challenge.conf > /dev/null 2>&1 ; then cat < ${NGINX_SNIPPET_DIR}/letsencrypt-acme-challenge.conf location /.well-known/acme-challenge/ { alias /var/www/dehydrated/; location ~ /.well-known/acme-challenge/(.*) { default_type text/plain; } auth_basic off; } EOF if [[ $? -eq 0 ]] ; then echo_ok warn "In your appropriate server definitions (or in the global one is exists) add line:\n\n\t\033[37m\033[1minclude /etc/nginx/snippets/letsencrypt-acme-challenge.conf;\033[m" else echo_failed fi else echo_skipped fi fi if [[ -n "$GITLAB_CONF_FILE" ]]; then if [[ ! -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then URL_SCHEMA="http" else URL_SCHEMA="https" fi echononl " Adjust ${GITLAB_CONF_FILE} - external_url" if ! 
grep -E "^\s*external_url" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "${URL_SCHEMA}://${HOST_NAME}" 2> /dev/null ; then if grep -q -E "^\s*external_url" $GITLAB_CONF_FILE 2> /dev/null ; then perl -i -n -p -e "s#^(\s*(external_url).*)#\#\# \1\n\2 '${URL_SCHEMA}://${HOST_NAME}'#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi elif ! grep -q -E "^\s*#\s*external_url" $GITLAB_CONF_FILE 2> /dev/null ; then cat <> ${GITLAB_CONF_FILE} ################################################################################ ## Added by dehydrated install script $(basename $0) ################################################################################ external_url '${URL_SCHEMA}://${HOST_NAME}' EOF if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else perl -i -n -p -e "s#^(\s*\#\s*(external_url).*)#\1\n\2 '${URL_SCHEMA}://${HOST_NAME}'#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi else echo_skipped fi echononl " Adjust ${GITLAB_CONF_FILE} - nginx['custom_gitlab_server_config']" if ! grep -E "^\s*nginx\['custom_gitlab_server_config'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q ".well-known/acme-challenge" 2> /dev/null ; then if ! grep -q -E "^\s*#\s*nginx\['custom_gitlab_server_config'\]" $GITLAB_CONF_FILE 2> /dev/null ; then cat <> ${GITLAB_CONF_FILE} ################################################################################ ## Added by dehydrated install script $(basename $0) ################################################################################ nginx['custom_gitlab_server_config'] = "location ^~ /.well-known/acme-challenge {\\n alias /var/www/dehydrated;\\n auth_basic off;\\n }\\n" EOF if [[ $? 
-eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else perl -i -n -p -e "s#^(\s*\#\s*(nginx\['custom_gitlab_server_config'\]).*)#\1\n\2 = \"location ^~ /.well-known/acme-challenge {\\\n alias \/var\/www\/dehydrated;\\\n auth_basic off;\\\n }\\\n\"#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi else echo_skipped fi echononl " Adjust ${GITLAB_CONF_FILE} - nginx['listen_addresses']" if ! grep -E "^\s*nginx\['listen_addresses'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "\['\*',\s*'\[::]'\]" 2> /dev/null ; then if ! grep -q -E "^\s*#\s*nginx\['listen_addresses'\]" $GITLAB_CONF_FILE 2> /dev/null ; then cat <> ${GITLAB_CONF_FILE} ################################################################################ ## Added by dehydrated install script $(basename $0) ################################################################################ nginx['listen_addresses'] = ['*', '[::]'] EOF if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else perl -i -n -p -e "s#^(\s*\#\s*(nginx\['listen_addresses'\]).*)#\1\n\2 = ['*', '[::]']#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi else echo_skipped fi if [[ -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']" if ! grep -E "^\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "false" 2> /dev/null ; then if grep -q -E "^\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null ; then perl -i -n -p -e "s#^(\s*(letsencrypt\['enable'\]).*)#\#\# \1\n\2 = false#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi elif ! 
grep -q -E "^\s*#\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null ; then cat <> ${GITLAB_CONF_FILE} ################################################################################ ## Added by dehydrated install script $(basename $0) ################################################################################ letsencrypt['enable'] = false EOF if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else perl -i -n -p -e "s#^(\s*\#\s*(letsencrypt\['enable'\]).*)#\1\n\2 = false#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi else echo_skipped fi echononl " Adjust ${GITLAB_CONF_FILE} - nginx['redirect_http_to_https']" if ! grep -E "^\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "true" 2> /dev/null ; then if grep -q -E "^\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null ; then perl -i -n -p -e "s#^(\s*(nginx\['redirect_http_to_https'\]).*)#\#\# \1\n\2 = true#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi elif ! grep -q -E "^\s*#\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null ; then cat <> ${GITLAB_CONF_FILE} ################################################################################ ## Added by dehydrated install script $(basename $0) ################################################################################ nginx['redirect_http_to_https'] = true EOF if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else perl -i -n -p -e "s#^(\s*\#\s*(nginx\['redirect_http_to_https'\]).*)#\1\n\2 = true#" $GITLAB_CONF_FILE if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi else echo_skipped fi echononl " Create Directory '/etc/gitlab/ssl'.." if [[ ! -d "/etc/gitlab/ssl" ]]; then mkdir -p "/etc/gitlab/ssl" > /dev/null 2>&1 if [[ $? 
-eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi else echo_skipped fi echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.." if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \ && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" ]] ; then echo_skipped else rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.." if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \ && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" ]]; then echo_skipped else rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true else echo_failed fi fi fi fi if [[ -d "$DH_WELL_KNOWN_DIR" ]]; then echononl " Backup \"$DH_WELL_KNOWN_DIR\" directory.." mv $DH_WELL_KNOWN_DIR $DH_WELL_KNOWN_DIR.$_date if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi echononl " Create directory \"$DH_WELL_KNOWN_DIR\" .." mkdir -p $DH_WELL_KNOWN_DIR if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Create index.html file in directory \"$DH_WELL_KNOWN_DIR\" .." cat << EOF > ${DH_WELL_KNOWN_DIR}/index.html HTTP Error 404 / Http Fehler 404

HTTP Error 404

The site you have requestet was not found on this Server

Please check your spelling and ry again.

Thank You very much!

HTTP Fehler 404

Die von Ihnen aufgerufene Seite gibt es leider nicht - Sorry

Bitte prüfen Sie die Adresse und versuchen es nochmals.

Vielen Dank für Ihr Verständnis!

EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi if [[ -d "${DH_WELL_KNOWN_DIR}.$_date" ]] ; then diff $DH_WELL_KNOWN_DIR ${DH_WELL_KNOWN_DIR}.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]]; then info "$DH_WELL_KNOWN_DIR has not changed.\n\t Removing previos created backup.." rm -rf ${DH_WELL_KNOWN_DIR}.$_date fi fi if $apache_installed ; then apache_control_script=`which apachectl` echononl " Restarting (graceful) apache webserver.." if $apache_config_changed ; then if [[ -x "$apache_control_script" ]]; then $apache_control_script graceful if [[ $? -eq 0 ]] ; then echo_ok else echo_failed warn "Graceful restart of apache webserver failed.." fi else echo_skipped warn "Apache Control Script (apachectl) not found." fi else echo_skipped fi fi if $nginx_installed ; then nginx_init_script=/etc/init.d/nginx echononl " Restarting nginx webserver.." if [[ -x "$nginx_init_script" ]]; then $nginx_init_script restart > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed warn "Restart of nginx webserver failed.." fi else echo_skipped warn "Nginx Control Script (nginx_init_script) not found." fi fi if $gitlab_installed ; then echononl " Reconfiguring (and restarting) Gitlab Services.." if $gitlab_reconfigure ; then if [[ -x "$gitlab_ctl_script" ]]; then $gitlab_ctl_script reconfigure > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed warn "Restart of Gitlab Services failed.." fi else echo_skipped warn "Gitlab Control Script (gitlab-ctl) not found." fi else echo_skipped fi fi ## - dehydrated from git repository ## - cd `dirname $DH_INSTALL_DIR` echononl " Cloning repository \"dehydrated.git\".." if [[ -d "$DH_INSTALL_DIR" ]]; then echo_skipped info "$DH_INSTALL_DIR already exists.\n\t Try to update (git pull) now.." echononl " Backup existing repository" cp -a $DH_INSTALL_DIR ${DH_INSTALL_DIR}.$_date if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Update dehydrated repository" cd $DH_INSTALL_DIR git pull > /dev/null 2>&1 if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed warn "Maybe updating dehydrated repository was not successfully. Check it manually." fi diff -Nur $DH_INSTALL_DIR ${DH_INSTALL_DIR}.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]]; then info "Repository has not changed.\n\t Removing previously created backup.." rm -rf ${DH_INSTALL_DIR}.$_date fi else git clone https://github.com/lukas2511/dehydrated.git $DH_INSTALL_DIR > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fatal "Cloning git repositors \"dehydrated.git\" failed!. Exciting install script.." fi fi ## - Create needed directories ## - ## - Configuration directory ## - Base directory (for let's encrypt asccounts, generated certificates, ## - echononl " Create Directory $DH_CONF_DIR if not exists.." if [[ -d "$DH_CONF_DIR" ]]; then echo_skipped #echononl " Backup configuration directory to ${DH_CONF_DIR}.$_date.." #cp -a $DH_CONF_DIR ${DH_CONF_DIR}.$_date #if [[ $? -eq 0 ]] ; then # echo_ok #else # echo_failed #fi else mkdir -p $DH_CONF_DIR if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi echononl " Create Directory ${DH_BASE_DIR}.." if [[ -d "$DH_BASE_DIR" ]]; then echo_skipped else mkdir -p $DH_BASE_DIR if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi ## - Copy example configuration file to $DH_CONF_DIR ## - echononl " Copy (example) configuration to ${DH_CONF_DIR}/config .." if [[ -f "${DH_CONF_DIR}/config" ]]; then echo_skipped info "Configuration file already exists.\n\t So we let current configuration untouched." echononl " Copy example Config file to ${DH_CONF_DIR}/config.example" cp $DH_INSTALL_DIR/docs/examples/config ${DH_CONF_DIR}/config.example > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else cp $DH_INSTALL_DIR/docs/examples/config $DH_CONF_DIR/ > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - Adapt configuration file ## - ## - comment out line ## - CA="https://.." 
## - ## - Change/Set Values ## - ## - CHALLENGETYPE="http-01" ## - BASEDIR="$DH_BASE_DIR" ## - WELLKNOWN="$DH_WELL_KNOWN_DIR" ## - HOOK="${BASEDIR}/hook.sh" ## - echononl " Adjust configuration: comment out line 'CA=\"https://..'.." if $(grep -q -E "^\s*CA\s*=\s*\"http" "$DH_CONF_DIR/config" 2> /dev/null) ; then perl -i -n -p -e 's/^(\s*)(CA=.*)/## - \1\2\n/' $DH_CONF_DIR/config if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Adjust configuration: CHALLENGETYPE=\"http-01\".." perl -i -n -p -e 's/^(\s*#*\s*)(CHALLENGETYPE=.*)/## - \1\2\nCHALLENGETYPE="http-01"/' $DH_CONF_DIR/config if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Adjust configuration: BASEDIR=\"$DH_BASE_DIR\".." perl -i -n -p -e "s#^(\s*\#*\s*)(BASEDIR=.*)#\#\# - \1\2\nBASEDIR=\"$DH_BASE_DIR\"#" $DH_CONF_DIR/config if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Adjust configuration: WELLKNOWN=\"$DH_WELL_KNOWN_DIR\".." perl -i -n -p -e "s#^(\s*\#*\s*)(WELLKNOWN=.*)#\#\# - \1\2\nWELLKNOWN=\"$DH_WELL_KNOWN_DIR\"#" $DH_CONF_DIR/config if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Adjust configuration: HOOK=\"\${BASEDIR}/hook.sh\".." perl -i -n -p -e "s#^(\s*\#*\s*)(HOOK=.*)#\#\# - \1\2\nHOOK=\"\\\${BASEDIR}/hook.sh\"#" $DH_CONF_DIR/config if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - Let’s Encrypt has stringent rate limits in place. ## - ## - If you start testing using the production endpoint (which is the ## - default), you will quickly hit these limits and find yourself locked out. ## - ## - To avoid this, please set the CA property to the Let’s Encrypt staging ## - server URL in your config file: ## - #echononl " Set CA property to the Let’s Encrypt staging server (for testing).." #perl -i -n -p -e 's#^(\s*\#*\s*)(CA=.*)#\#\# - \1\2\nCA="https://acme-staging.api.letsencrypt.org/directory"#' \ # $DH_CONF_DIR/config #if [[ $? 
-eq 0 ]] ; then # echo_ok # warn "Configuration is only for testing\n\t For production mode comment out line \"CA=..\"" #else # echo_failed #fi fi if [[ -f "$HOOK_OUT_FILE" ]] ; then echononl " Backup existing hook-file to ${HOOK_OUT_FILE}.$_date" cp -a $HOOK_OUT_FILE ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi found_deploy_challenge=false found_deployed=false found_request_failure=false found_invalid_challenge=false old_IFS=$IFS IFS='' > $HOOK_OUT_FILE #regex_deploy="deploy_cert\s*()" echononl " Writing file ${HOOK_OUT_FILE}.." while read -r line || [[ -n "$line" ]]; do if [[ $line =~ deploy_challenge\s*\(\) ]]; then found_deploy_challenge=true else if $found_deploy_challenge ; then if [[ $line =~ ^"}"$ ]]; then echo "" >> $HOOK_OUT_FILE echo " echo \" + Hook: \$DOMAIN - $STR_PROCESSED\"" >> $HOOK_OUT_FILE echo "" >> $HOOK_OUT_FILE found_deploy_challenge=false fi fi fi if [[ $line =~ deploy_cert\s*\(\) ]]; then found_deployed=true else if $found_deployed ; then if [[ $line =~ ^"}"$ ]]; then echo "" >> $HOOK_OUT_FILE echo " #lynx --source https://www.identrust.com/certificates/trustid/root-download-x3.html \\" >> $HOOK_OUT_FILE echo " # | grep -v \"\/textarea\" \\" >> $HOOK_OUT_FILE echo " # | awk '/textarea/{x=NR+18;next}(NR<=x){print}' \\" >> $HOOK_OUT_FILE echo " # | sed -e '1i-----BEGIN CERTIFICATE-----\' \\" >> $HOOK_OUT_FILE echo " # | sed -e '\$a-----END CERTIFICATE-----\' \\" >> $HOOK_OUT_FILE echo " # > \${BASEDIR}/certs/\${DOMAIN}/root-\${TIMESTAMP}.ca" >> $HOOK_OUT_FILE echo " #ln -s root-\${TIMESTAMP}.ca \${BASEDIR}/certs/\${DOMAIN}/root.ca" >> $HOOK_OUT_FILE echo " #cp -a \`realpath \$FULLCHAINFILE\` \`realpath \$FULLCHAINFILE\`.ORIG" >> $HOOK_OUT_FILE echo " #cat \`realpath \$FULLCHAINFILE\`.ORIG \${BASEDIR}/certs/\${DOMAIN}/root-\${TIMESTAMP}.ca > \$FULLCHAINFILE" >> $HOOK_OUT_FILE echo " cat \"\$KEYFILE\" \"\$FULLCHAINFILE\" > \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain-\${TIMESTAMP}.pem\"" 
>> $HOOK_OUT_FILE echo " if [ -h \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem\" ]; then" >> $HOOK_OUT_FILE echo " rm \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem"\" >> $HOOK_OUT_FILE echo " fi" >> $HOOK_OUT_FILE echo " ln -s \"privkey_cert_chain-\${TIMESTAMP}.pem\" \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem\"" >>$HOOK_OUT_FILE echo " echo \" + Hook: \$DOMAIN - $STR_SUCCESS\"" >> $HOOK_OUT_FILE echo "" >> $HOOK_OUT_FILE found_deployed=false fi fi fi if [[ $line =~ request_failure\s*\(\) ]]; then found_request_failure=true else if $found_request_failure ; then if [[ $line =~ ^"}"$ ]]; then echo "" >> $HOOK_OUT_FILE echo " echo \" + Hook: \$DOMAIN - $STR_HTTP_REQUEST_FAILED\"" >> $HOOK_OUT_FILE echo "" >> $HOOK_OUT_FILE found_request_failure=false fi fi fi if [[ $line =~ invalid_challenge\s*\(\) ]]; then found_invalid_challenge=true else if $found_invalid_challenge ; then if [[ $line =~ ^"}"$ ]]; then echo "" >> $HOOK_OUT_FILE echo " echo \" + Hook: \$DOMAIN - $STR_INVALID_CHALLENGE\"" >> $HOOK_OUT_FILE echo "" >> $HOOK_OUT_FILE found_invalid_challenge=false fi fi fi echo $line >> $HOOK_OUT_FILE done < "$HOOK_EXAMPLE_FILE" IFS=$old_IFS if [[ -f "$HOOK_OUT_FILE" ]] ; then echo_ok else echo_failed fi echononl " Make $HOOK_OUT_FILE executable.." chmod 700 $HOOK_OUT_FILE if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi diff $HOOK_OUT_FILE ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then info "$HOOK_OUT_FILE has not changed.\n\t Removing previously created backup" rm -f ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1 fi if [[ ! -f "${DH_BASE_DIR}/domains.txt" ]]; then echononl " Create empty \"domains.txt\" file.." touch ${DH_BASE_DIR}/domains.txt if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi echononl " Create configuration file for Cron Job Script to \"$DH_CONF_DIR\".." 
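#######################################
# Render the dehydrated cronjob configuration file.
#
# The live config and its ".example" copy are both produced from this one
# template so they cannot drift apart again (the two former copies differed:
# the live one lacked "gitlab_installed", which the installed cron script
# reads, and its example comment named a variable that is never read).
#
# Globals (read): DH_INSTALL_DIR, DH_BASE_DIR, apache_installed,
#                 nginx_installed, gitlab_installed
# Arguments:      $1 - path of the file to write (overwritten if present)
# Returns:        exit status of the write (0 on success)
#
# NOTE(review): two generated defaults deserve attention on the target host:
# "_logfile" is a predictable name under /tmp that the cron script later
# writes, reads and removes (presumably as root), and "dane_ssh_key" points
# at a passphrase-less key under /root/.ssh.  Both are kept exactly as the
# author documented them so existing installations keep working.
#######################################
write_dehydrated_cron_conf() {
  local target=$1
  # Unquoted delimiter on purpose: installer variables are expanded now,
  # while "\$..." sequences stay literal for the cron script's "source".
  cat << EOF > "$target"
## -------------------------------------------
## - Configuration file for dehydrated cronjob
## -------------------------------------------

# - log_level: possible values are "0" for only error
# -   messages or "1" for verbose
# -
# - If called from a noninteractive shell (as cron), log_level
# - will be set to "0"
# -
# - Defaults to "0"
# -
log_level=1

# - Where to find dehydrated script
# -
script_dir=$DH_INSTALL_DIR

# - Where to find (common) names (and alternative names) for certificates
# -
domains_txt=${DH_BASE_DIR}/domains.txt

# - Define hostnames from services other than webservices
# - Only one hostname is allowed, but you can define alternative
# - names (until to 99) for the certificate. this cab be done
# - by defining the concerning *_server_alt_names variable as a
# - space seperated list of hostnames
# -
# - example:
# - mail_server="mx.example.com"
# - mail_server_alt_names="mail.example.com smtp.example.com imap.example.com pop.example.com"
# -
mail_server=""
mail_server_alt_names=""
ftp_server=""
ftp_server_alt_names=""

# - Services installed on this mashine
# -
postfix_installed=false
dovecot_installed=false
pureftpd_installed=false
apache_installed=$apache_installed
nginx_installed=$nginx_installed

# - gitlab_installed
# -
# - Set to "true" if webserver nginx is controlled by GitLab (Omnibus Package).
# - Note: in that case, "nginx_installed" must be set to "false"
gitlab_installed=$gitlab_installed

# ---
# --- DANE
# ---

# - Notice:
# - Supporting Dane is a little bit complex, because befor providing
# - the new certificates on a service, a TLSA record must be present. So
# - access to the nameserver within the permissions to generate the TLSA
# - records AND reload the concerning zone is required.

# - Dane supported hostname:port
# -
# - Space seperated list of entries :
# -
# - example:
# - dane_records="\${mail_server}:25 \${mail_server}:587 webmail.so36.net:443"
# -
dane_records=""

# - (Primary) Nameserver which supports Dane Records
# -
dane_nameserver=""

# - How to access the namesever via ssh?
# -
# - Note:
# - Take care to provies an entry for nameservers dane_ssh_user in his
# - authorized_keys file.
# -
# - The ssh-key must not have a password! Otherwise this script will
# - not work!
# -
dane_ssh_user="manage-bind"
dane_ssh_port=22
dane_ssh_key=/root/.ssh/id_rsa-dehydrated

# - Scripts used on nameserver.
# -
# - Note:
# - The scripts must be accessable by dane_ssh_user. This
# - ca be realised by adding a concerning entry into sudo file
# -
# - for example:
# - manage-bind ALL=(root)NOPASSWD:/usr/local/bin/bind_*
# -
set_new_serial_script=bind_set_new_serial.sh
renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh

# Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false

# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# -
ttl_311=3600
ttl_301=3600
ttl_201=3600
ttl_202=3600
ttl_211=3600

# - Logfile where the certificate generation process, called from dehydrated
# - script, will write down the results. This logfile will be evaluated
# - afterwords to do some post generation tasks (in case of success) or inform
# - about errors.
# -
# - Logging in that file and evaluatiog the results will happen in any case,
# - even if variable LOGGING is set to true
# -
_logfile="/tmp/dehydrated-\$(date +%Y-%m-%d-%H%M).log"
EOF
}

# - Never overwrite an existing cron configuration; in that case only refresh
# - the ".example" copy next to it so the admin can diff against it.
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
  echo_skipped
  info "${DH_CONF_DIR}/dehydrated_cron.conf already exists.\n\t So we let current configuration untouched."
  echononl " Copy example Config file to ${DH_CONF_DIR}/dehydrated_cron.conf.example"
  if write_dehydrated_cron_conf "${DH_CONF_DIR}/dehydrated_cron.conf.example"; then
    echo_ok
  else
    echo_failed
  fi
else
  if write_dehydrated_cron_conf "${DH_CONF_DIR}/dehydrated_cron.conf"; then
    echo_ok
  else
    echo_failed
  fi
fi

# - Directory that will hold the generated cron script.
echononl " Create directory \"${DH_BASE_DIR}/cron\".."
if [[ ! -d "${DH_BASE_DIR}/cron" ]]; then
  if mkdir "${DH_BASE_DIR}/cron" > /dev/null 2>&1; then
    echo_ok
  else
    echo_failed
  fi
else
  echo_skipped
fi

# - Keep a copy of a previously installed cron script before replacing it.
if [[ -f "$DH_CRON_SCRIPT" ]]; then
  echononl " Backup cron script \"$DH_CRON_SCRIPT\".."
  # NOTE(review): _date is not set anywhere visible in this part of the
  # installer and is presumably defined earlier; fall back to a timestamp
  # so the backup never ends up with a bare "." suffix if it is unset.
  if cp -a "$DH_CRON_SCRIPT" "${DH_CRON_SCRIPT}.${_date:-$(date +%Y%m%d-%H%M%S)}"; then
    echo_ok
  else
    echo_failed
  fi
fi

echononl " Install Cron Script \"$DH_CRON_SCRIPT\".."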
cat << EOF > $DH_CRON_SCRIPT #!/usr/bin/env bash ## ------------------------------------------------------------------------------ ## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf ## ------------------------------------------------------------------------------ if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then source ${DH_CONF_DIR}/dehydrated_cron.conf else echo echo -e " [ Error ]: No Configuration File found. Exiting now!" echo exit 1 fi ## --- some functions ## --- echononl(){ echo X\\\\c > /tmp/shprompt\$\$ if [ \`wc -c /tmp/shprompt\$\$ | awk '{print \$1}'\` -eq 1 ]; then echo -e -n "\$*\\\\c" 1>&2 else echo -e -n "\$*" 1>&2 fi rm /tmp/shprompt\$\$ } fatal(){ echo "" echo -e "fataler Fehler: \$*" echo "" echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m" echo "" exit 1 } error(){ echo "" echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*" echo "" } warn (){ echo "" echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*" echo "" } info (){ echo "" echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*" echo "" } echo_done() { echo -e "\033[75G[ \033[32mdone\033[m ]" } echo_ok() { echo -e "\033[75G[ \033[32mok\033[m ]" } echo_warning() { echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]" } echo_failed(){ echo -e "\033[75G[ \033[1;31mfailed\033[m ]" } echo_skipped() { echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]" } ## - Check if a given array (parameter 2) contains a given string (parameter 1) ## - containsElement () { local e for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done return 1 } ## --- ## --- END: functions # - Set log_level # - # - Test whether stdout (file descriptor 1) is a terminal or not (e.g. 
cron # - or if you pipe the output to some other program) # if [[ -t 1 ]] ; then case "\$log_level" in 1) verbose=true ;; *) verbose=false ;; esac else verbose=false fi # ------------- # - Read Commanline Arguments # ------------- # If option '-q' is present, be silent, even if running in a terminal # while getopts q opt ; do case \$opt in q) verbose=false ;; esac done # -Is systemd supported on this system? # - systemd_supported=false systemd=\$(which systemd) systemctl=\$(which systemctl) if [[ -n "\$systemd" ]] && [[ -n "\$systemctl" ]] ; then systemd_supported=true fi # --- # --- Some checks # --- if [[ ! -d "\$script_dir" ]] ; then if \$verbose ; then error "Dehydrated script directors \\"\$script_dir\\" not found!" else echo -e "\\n [ Error ]: Dehydrated script directors \\"\$script_dir\\" not found! \\n" fi exit 99 fi dehydrated_script=\${script_dir}/dehydrated if [[ ! -f "\$dehydrated_script" ]] ; then if \$verbose ; then error "Dehydrated script \"\$dehydrated_script\" not found!" else echo -e "\\n [ Error ]: Dehydrated script \"\$dehydrated_script\" not found! \\n" fi exit 99 fi if [[ ! -x "\$dehydrated_script" ]] ; then if \$verbose ; then error "Dehydrated script \"\$dehydrated_script\" is not executable!" else echo -e "\\n [ Error ]: Dehydrated script \"\$dehydrated_script\" is not executable! \\n" fi exit 99 fi if [[ ! -f "\$domains_txt" ]] ; then if [[ ! -d \`dirname \$domains_txt\` ]] ; then if \$verbose ; then error "File (domains.txt) with domain names not found!" else echo -e "\\n [ Error ]: File (domains.txt) with domain names not found! \\n" fi exit 99 fi fi if [[ -n "\$dane_records" ]] ; then if [[ -z \$set_new_serial_script ]];then if \$verbose ; then error "Script to set new serial not given! (var: set_new_serial_script)" else echo -e "\\n [ Error ]: Script to set new serial not given! (var: set_new_serial_script) \\n" fi exit 99 fi if [[ -z \$renew_tlsa_record ]];then if \$verbose ; then error "Script to set/renew TLSA record not given! 
(var: renew_tlsa_record)" else echo -e "\\n [ Error ]: Script to set/renew TLSA record not given! (var: renew_tlsa_record) \\n" fi exit 99 fi ssh -q -p \$dane_ssh_port \\ -o BatchMode=yes \\ -o StrictHostKeyChecking=no \\ -i \$dane_ssh_key \\ \$dane_ssh_user@\$dane_nameserver "ls" > /dev/null 2>&1 if [[ \$? -gt 0 ]] ;then if \$verbose ; then error "Nameserver \"\$dane_nameserver\" is not reachable vis ssh!" else echo -e "\\n [ Error ]: Nameserver \"\$dane_nameserver\" is not reachable vis ssh! \\n" fi exit 99 fi ssh -q -p \$dane_ssh_port \\ -o BatchMode=yes \\ -o StrictHostKeyChecking=no \\ -i \$dane_ssh_key \\ \$dane_ssh_user@\$dane_nameserver "sudo \$set_new_serial_script check > /dev/null 2>&1" if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Failed to acces script \"\$set_new_serial_script\" on host \"\$dane_nameserver\"!" else echo -e "\\n Failed to acces script \"\$set_new_serial_script\" on host \"\$dane_nameserver\"! \\n" fi exit 99 fi ssh -q -p \$dane_ssh_port \\ -o BatchMode=yes \\ -o StrictHostKeyChecking=no \\ -i \$dane_ssh_key \\ \$dane_ssh_user@\$dane_nameserver "sudo \$renew_tlsa_record check > /dev/null 2>&1" if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Failed to acces script \"\$renew_tlsa_record\" on host \"\$dane_nameserver\"!" else echo -e "\\n Failed to acces script \"\$renew_tlsa_record\" on host \"\$dane_nameserver\"! \\n" fi exit 99 fi fi \$verbose && echo "" # --- # --- Prepare dehydrated # --- # - Read dehydrated configuration variables.." # - \$verbose && echononl " Read dehydrated configuration variables .." eval "\$(/usr/local/dehydrated/dehydrated --env)" ret_val=\$? if [[ \$ret_val -eq 0 ]]; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Reading dehydrated configuration variables failed!" else echo -e "\\n [ Error ]: Reading dehydrated configuration variables failed! 
\\n" fi echo "" echo "Error message from dehydrated script:" echo "=====================================" echo "" cat \$_logfile echo "" exit 10 fi # - Add maill server name and, if present, concerning alternative names # - to domains.txt # - if [[ -n "\$mail_server" ]]; then \$verbose && echononl " Add mail server name (with alternative names) to domains.txt" if grep -e "^\s*\$mail_server" \$domains_txt > /dev/null 2>&1 ; then if \$verbose ; then echo_skipped fi else echo "\$mail_server \$mail_server_alt_names" >> \$domains_txt if [[ \$? -eq 0 ]]; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Adding mailserver name to \"domains.txt\" failed!" else echo -e "\\n [ Error ]: Adding mailserver name to \"domains.txt\" failed! \\n" fi fi fi fi # - Add ftp server name and, if present, concerning alternative names # - to domains.txt # - if [[ -n "\$ftp_server" ]]; then \$verbose && echononl " Add ftpserver name (with alternative names) to domains.txt" if grep -e "^\s*\$ftp_server" \$domains_txt > /dev/null 2>&1 ; then if \$verbose ; then echo_skipped fi else echo "\$ftp_server \$ftp_server_alt_names" >> \$domains_txt if [[ \$? -eq 0 ]]; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Adding ftpserver name to \"domains.txt\" failed!" else echo -e "\\n [ Error ]: Adding ftpserver name to \"domains.txt\" failed! \\n" fi fi fi fi # --- # --- Certificate Generation # --- # - Invoke the dehydrated script to generate th let's encrypt certificates if # - needed. # - \$verbose && echononl " Register account and agree to their terms of service .." \$dehydrated_script --config ${DH_CONF_DIR}/config --register --accept-terms > \$_logfile 2>&1 ret_val=\$? if [[ \$ret_val -eq 0 ]]; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Dehydrated Script to register account returns with error (\$ret_val)!" 
else echo -e "\\n [ Error ]: Dehydrated Script to register account returns with error (\$ret_val)! \\n" fi echo "" echo "Error message from dehydrated script:" echo "=====================================" echo "" cat \$_logfile echo "" exit 10 fi \$verbose && echononl " Invoking the main dehydrated script for certificate generation.." \$dehydrated_script --config ${DH_CONF_DIR}/config -c -g > \$_logfile 2>&1 ret_val=\$? if [[ \$ret_val -eq 0 ]]; then _successfully_finished_script=true \$verbose && echo_ok else _successfully_finished_script=false \$verbose && echo_failed if \$verbose ; then error "Dehydrated Script returns with error (\$ret_val)!" else echo -e "\\n [ Error ]: Dehydrated Script returns with error (\$ret_val)! \\n" fi echo "" fi #_logfile_ECC="/tmp/dehydrated-ECC.log" #\$verbose && echononl " Generate ECC flavor of cert .." #\$dehydrated_script -c -g --algo prime256v1 --out \${CERTDIR}/ECC > \$_logfile_ECC 2>&1 #ret_val=\$? #if [[ \$ret_val -eq 0 ]]; then # \$verbose && echo_ok #else # \$verbose && echo_failed # if \$verbose ; then # error "Dehydrated Script returns with error (\$ret_val)!" # else # echo -e "\\n [ Error ]: Dehydrated Script returns with error (\$ret_val)! 
\\n" # fi # echo "" # echo "Error message from dehydrated script:" # echo "=====================================" # echo "" # cat \$_logfile_ECC # echo "" # exit 10 #fi # --- # --- Postgeneration Tasks # --- # - Set defaults restart_postfix=false restart_dovecot=false restart_pureftpd=false restart_apache=false restart_nginx=false restart_gitlab=false declare -a zone_to_reload_arr declare -a _tmp_arr certs_updated=false certs_processed=false _hosts_processed="\$(cat \$_logfile | grep "$STR_PROCESSED" 2> /dev/null | awk '{print\$3}')" _successfully_created_hosts="\$(cat \$_logfile | grep "$STR_SUCCESS" 2> /dev/null | awk '{print\$3}')" _invalid_challenge="\$(cat \$_logfile | grep "$STR_INVALID_CHALLENGE" 2> /dev/null | awk '{print\$3}')" _http_request_failed="\$(cat \$_logfile | grep "$STR_HTTP_REQUEST_FAILED" 2> /dev/null | awk '{print\$3}')" if grep -i -q "$ERR_MSG_TOO_MANY_CERTS" \$_logfile 2> /dev/null ; then _too_many_certs_err_msg="\$(grep -i "$ERR_MSG_TOO_MANY_CERTS" \$_logfile 2> /dev/null)" fi if [[ -n "\$_hosts_processed" ]] ; then certs_processed=true fi # - Evaluate dehydrated's output - see if certificates where created # - if [[ -n "\$_successfully_created_hosts" ]] ; then certs_updated=true for hostname in \$_successfully_created_hosts ; do # --- # - Services to restart after changing/adding the certificate # --- if [ -n "\$mail_server" -a "\$hostname" = "\$mail_server" ]; then \$postfix_installed && restart_postfix=true \$dovecot_installed && restart_dovecot=true fi if [ -n "\$ftp_server" -a "\$hostname" = "\$ftp_server" ]; then \$pureftpd_installed && restart_pureftpd=true fi if \$apache_installed ; then restart_apache=true elif \$nginx_installed ; then restart_nginx=true elif \$gitlab_installed ; then restart_gitlab=true fi # --- # - Dane # --- # - See if dane is enabled for that certificate [[ -n "\$dane_records" ]] || continue if [[ "\$dane_records" =~ "\$hostname" ]]; then \$verbose && echo "" \$verbose && info "Going to provide TLSA record for 
\$hostname" fi CUR_IFS=\$IFS for _entry in \$dane_records ; do unset _tmp_arr IFS=':' _tmp_arr=(\$_entry) IFS=\$CUR_IFS if [[ "\$hostname" = "\${_tmp_arr[0]}" ]];then # - Get Zone (domain) for given host # - \$verbose && echononl " Get Zone containing \"\$hostname\\".." domain=\$(ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$get_domain_by_hostname \$hostname" ) if [[ -n "\$domain" ]]; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Getting Zone for \"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Getting Zone for \"\$hostname\\" failed! \\n" fi continue fi # - Generate TLSA 3 1 1 record # - \$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).." if ! \${generate_tlsa_311} ; then \$verbose && echo_skipped else tlsa_record_311=\$( printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\ \${_tmp_arr[1]} \\ \${_tmp_arr[0]} \\ \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"') ) if [[ \$? -eq 0 ]] ; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Generating \"TLSA 3 1 1\\" record failed! " else echo -e "\\n [ Error ]: Generating \"TLSA 3 1 1\\" record failed! \\n" fi continue fi # - Add/Renew Record in concerning zone file # - \$verbose && echononl " Add/Renew Record in concerning zone file.." ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_skipped if \$verbose ; then info "TLSA 3 1 1 record for \\"\$hostname\\" is up to date." else echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" is up to date.\\n" fi ;; 1) \$verbose && echo_ok if \$verbose ; then info "TLSA 3 1 1 record for \\"\$hostname\\" replaced." 
else echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" replaced.\\n" fi ;; 2) \$verbose && echo_ok if \$verbose ; then info "New TLSA 3 1 1 record for \\"\$hostname\\" added." else echo -e "\\n [ Info ]: New TLSA 3 1 1 record for \\"\$hostname\\" added.\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid TLSA record given!" else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" fi continue ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!" else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi ;; 20) \$verbose && echo_failed if \$verbose ; then error "Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 21) \$verbose && echo_failed if \$verbose ; then error "Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" fi continue ;; esac fi # if ! \${generate_tlsa_311} # - Generate TLSA 3 0 1 record # - \$verbose && echononl " Generate \"TLSA 3 0 1\\" record from certificate (\${_tmp_arr[0]}).." if ! \${generate_tlsa_301} ; then \$verbose && echo_skipped else tlsa_record_301=\$( printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\ \${_tmp_arr[1]} \\ \${_tmp_arr[0]} \\ \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"') ) if [[ \$? 
-eq 0 ]] ; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Generating \"TLSA 3 0 1\\" record failed! " else echo -e "\\n [ Error ]: Generating \"TLSA 3 0 1\\" record failed! \\n" fi continue fi # - Add/Renew Record in concerning zone file # - \$verbose && echononl " Add/Renew Record in concerning zone file.." ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$renew_tlsa_record \$tlsa_record_301 > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_skipped if \$verbose ; then info "TLSA 3 0 1 record for \\"\$hostname\\" is up to date." else echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" is up to date.\\n" fi ;; 1) \$verbose && echo_ok if \$verbose ; then info "TLSA 3 0 1 record for \\"\$hostname\\" replaced." else echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" replaced.\\n" fi ;; 2) \$verbose && echo_ok if \$verbose ; then info "New TLSA 3 0 1 record for \\"\$hostname\\" added." else echo -e "\\n [ Info ]: New TLSA 3 0 1 record for \\"\$hostname\\" added.\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid TLSA record given!" else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" fi continue ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!" else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi ;; 20) \$verbose && echo_failed if \$verbose ; then error "Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 21) \$verbose && echo_failed if \$verbose ; then error "Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" 
else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" fi continue ;; esac fi # if ! \${generate_tlsa_301} # - Generate TLSA 2 1 1 record # - \$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).." if ! \${generate_tlsa_211} ; then \$verbose && echo_skipped else tlsa_record_211=\$( printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\ \${_tmp_arr[1]} \\ \${_tmp_arr[0]} \\ \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"') ) if [[ \$? -eq 0 ]] ; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Generating \"TLSA 2 1 1\\" record failed! " else echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n" fi continue fi # - Add/Renew Record in concerning zone file # - \$verbose && echononl " Add/Renew Record in concerning zone file.." ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_skipped if \$verbose ; then info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date." else echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n" fi ;; 1) \$verbose && echo_ok if \$verbose ; then info "TLSA 2 1 1 record for \\"\$hostname\\" replaced." else echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n" fi ;; 2) \$verbose && echo_ok if \$verbose ; then info "New TLSA 2 1 1 record for \\"\$hostname\\" added." 
else echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid TLSA record given!" else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" fi continue ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!" else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi ;; 20) \$verbose && echo_failed if \$verbose ; then error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 21) \$verbose && echo_failed if \$verbose ; then error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" fi continue ;; esac fi # if ! \${generate_tlsa_211} # - Generate TLSA 2 0 1 record # - \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).." if ! \${generate_tlsa_201} ; then \$verbose && echo_skipped else tlsa_record_201=\$( printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\ \${_tmp_arr[1]} \\ \${_tmp_arr[0]} \\ \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"') ) if [[ \$? -eq 0 ]] ; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Generating \\"TLSA 2 0 1\\" record failed! " else echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! 
\\n" fi continue fi # - Add/Renew Record in concerning zone file # - \$verbose && echononl " Add/Renew Record in concerning zone file.." ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_skipped if \$verbose ; then info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date." else echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n" fi ;; 1) \$verbose && echo_ok if \$verbose ; then info "TLSA 2 0 1 record for \\"\$hostname\\" replaced." else echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n" fi ;; 2) \$verbose && echo_ok if \$verbose ; then info "New TLSA 2 0 1 record for \\"\$hostname\\" added." else echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid TLSA record given!" else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" fi continue ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!" else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi continue ;; 20) \$verbose && echo_failed if \$verbose ; then error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 21) \$verbose && echo_failed if \$verbose ; then error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" 
else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" fi continue ;; esac fi # if ! \${generate_tlsa_201} # - Generate TLSA 2 0 2 record # - \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).." if ! \${generate_tlsa_202} ; then \$verbose && echo_skipped else tlsa_record_202=\$( printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\ \${_tmp_arr[1]} \\ \${_tmp_arr[0]} \\ \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER | openssl dgst -sha512 -binary | hexdump -ve '/1 "%02x"') ) if [[ \$? -eq 0 ]] ; then \$verbose && echo_ok else \$verbose && echo_failed if \$verbose ; then error "Generating \\"TLSA 2 0 2\\" record failed! " else echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n" fi continue fi # - Add/Renew Record in concerning zone file # - \$verbose && echononl " Add/Renew Record in concerning zone file.." ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_skipped if \$verbose ; then info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date." else echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n" fi ;; 1) \$verbose && echo_ok if \$verbose ; then info "TLSA 2 0 2 record for \\"\$hostname\\" replaced." else echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n" fi ;; 2) \$verbose && echo_ok if \$verbose ; then info "New TLSA 2 0 2 record for \\"\$hostname\\" added." else echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid TLSA record given!" else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" fi continue ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!" 
else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi continue ;; 20) \$verbose && echo_failed if \$verbose ; then error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 21) \$verbose && echo_failed if \$verbose ; then error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!" else echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" fi continue ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" fi continue ;; esac fi # if ! \${generate_tlsa_202} ; then # - To avoid multiple reloading og one and the same zone, we only # - collect the zones, having to reload, at this time and do the # - reloading later. if ! containsElement \$domain \${zone_to_reload_arr[@]} ; then zone_to_reload_arr+=("\$domain") fi fi done done fi # - Nothing to do if al is up tp date # - #if ! \$certs_updated && ! grep -q -i "error:" \$_logfile 2> /dev/null ; then if ! \$certs_updated && ! \$certs_processed && \$_successfully_finished_script ; then if \$verbose ; then info "All Certificates are up to date." echo "" fi rm -f \$_logfile exit 0 fi # - Reload zones if needed (updated certificate which supports # - TLSA Record) # - if [[ \${#zone_to_reload_arr[@]} -gt 0 ]] ; then for _zone in \${zone_to_reload_arr[@]} ; do # - Increase serial in concerning zone file and reload zone # - \$verbose && echononl " Set new serial for zone \\"\$_zone\\" and also reload zone.." 
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ "sudo \$set_new_serial_script \$_zone > /dev/null 2>&1" ret_val=\$? case \$ret_val in 0) \$verbose && echo_ok if \$verbose ; then info "Serial is replaced and Zone is reloaded (\$_zone)." else echo -e "\\n [ Info ]: Serial is replaced and Zone is reloaded (\$_zone).\\n" fi ;; 10) \$verbose && echo_failed if \$verbose ; then error "Invalid Hostname/Domain given!" else echo -e "\\n [ Error ]: Invalid Hostname/Domain given! \\n" fi ;; 11) \$verbose && echo_failed if \$verbose ; then error "No zonefile found!" else echo -e "\\n [ Error ]: No zonefile found! \\n" fi ;; 12) \$verbose && echo_failed if \$verbose ; then error "Determin new Serial failed!" else echo -e "\\n [ Error ]: Determin new Serial failed! \\n" fi ;; 13) \$verbose && echo_failed if \$verbose ; then error "Increasing serial failed!" else echo -e "\\n [ Error ]: Increasing serial failed! \\n" fi ;; 14) \$verbose && echo_failed if \$verbose ; then error "Reloading Zone failed!" else echo -e "\\n [ Error ]: Reloading Zone failed! \\n" fi ;; 15) \$verbose && echo_failed if \$verbose ; then error "Hostname/Domain not supported!" else echo -e "\\n [ Error ]: Hostname/Domain not supported! \\n" fi ;; 99) \$verbose && echo_failed if \$verbose ; then error "Fatal Error!" else echo -e "\\n [ Error ]: Fatal Error! \\n" fi continue ;; *) \$verbose && echo_failed if \$verbose ; then error "Unknown exit code from remote script \\"\$set_new_serial_script \$_zone\"!" else echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$set_new_serial_script \$_zone\"! \\n" fi continue ;; esac done fi # --- # --- Restart Services # --- if \$certs_updated ; then if \$restart_apache ; then if [[ -x "$apache_control_script" ]]; then $apache_control_script graceful > /dev/null 2>&1 if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Restarting Apache Webserver failed!" else echo -e "\\n [ Error ]: Restarting Apache Webserver failed! 
\\n" fi else if \$verbose ; then info "Apache Webserver restarted." else echo -e "\\n [ Info ]: Apache Webserver restarted.\\n" fi fi else if \$verbose ; then warn "Apache Control Script (apachectl) not found. Take care to restart webservice manually" else echo -e "\\n [ Warn ]: Apache Control Script (apachectl) not found. Take care to restart webservice manually" fi fi fi if \$restart_gitlab ; then if [[ -x "$gitlab_ctl_script" ]]; then $gitlab_ctl_script hup > /dev/null 2>&1 if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Graceful restart of GitLab Services (sending HUP signal) failed!" else echo -e "\\n [ Error ]: Graceful restart of GitLab Services (sending HUP signal) failed! \\n" fi else if \$verbose ; then info "GitLab Services reloaded." else echo -e "\\n [ Info ]: GitLab Services reloaded.\\n" fi fi else if \$verbose ; then warn "GitLab Control Script (gitlab-ctl) not found. Take care to restart service manually" else echo -e "\\n [ Warn ]: GitLab Control Script (gitlab-ctl) not found. Take care to restart service manually" fi fi fi if \$restart_postfix ; then if \$systemd_supported ; then \$systemctl reload postfix > /dev/null 2>&1 else /etc/init.d/postfix reload > /dev/null 2>&1 fi if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Reloading Postfix Service failed!" else echo -e "\\n [ Error ]: Reloading Postfix Service failed! \\n" fi else if \$verbose ; then info "Postfix service successfully reloaded." else echo -e "\\n [ Info ]: Postfix service successfully reloaded.\\n" fi fi fi if \$restart_dovecot ; then if \$systemd_supported ; then \$systemctl restart dovecot > /dev/null 2>&1 else /etc/init.d/dovecot restart > /dev/null 2>&1 fi if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Reloading Dovecot Service failed!" else echo -e "\\n [ Error ]: Reloading Dovecot Service failed! \\n" fi else if \$verbose ; then info "Dovecot service successfully reloaded." 
else echo -e "\\n [ Info ]: Dovecot service successfully reloaded.\\n" fi fi fi if \$restart_pureftpd ; then if \$systemd_supported ; then \$systemctl restart pure-ftpd > /dev/null 2>&1 else /etc/init.d/pure-ftpd restart > /dev/null 2>&1 fi if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Restarting PureFTP Server failed!" else echo -e "\\n [ Error ]: Restarting PureFTP Server failed! \\n" fi else if \$verbose ; then info "PureFTP Server restarted." else echo -e "\\n [ Info ]: PureFTP Server restarted.\\n" fi fi fi if \$restart_nginx ; then if \$systemd_supported ; then \$systemctl restart nginx > /dev/null 2>&1 else /etc/init.d/nginx restart > /dev/null 2>&1 fi if [[ \$? -gt 0 ]]; then if \$verbose ; then error "Restarting Nginx Webserver failed!" else echo -e "\\n [ Error ]: Restarting Nginx Webserver failed! \\n" fi else if \$verbose ; then info "Nginx Webserver restarted." else echo -e "\\n [ Info ]: Nginx Webserver restarted.\\n" fi fi fi fi if [[ -n "\$_invalid_challenge" ]] ; then echo "" echo "" echo "Certificates NOT been created - invalid challenge:" echo "==================================================" echo "" for _hostname in \$_invalid_challenge ; do echo " \$_hostname" done echo "" fi if [[ -n "\$_http_request_failed" ]] ; then echo "" echo "" echo "Certificates NOT been created - http request failed:" echo "====================================================" echo "" for _hostname in \$_http_request_failed ; do echo " \$_hostname" done echo "" fi if [[ -n "\$_successfully_created_hosts" ]] ; then echo "" echo "" echo "Certificates successfully created:" echo "==================================" echo "" for _hostname in \$_successfully_created_hosts ; do echo " https://\$_hostname" done echo "" fi if [[ -n "\$_too_many_certs_err_msg" ]] ; then echo "" echo "" echo "Creating NEW Certificates failed - too many certificates already issued" echo "========================================================================" echo "" echo -e 
"\$_too_many_certs_err_msg" echo "" fi if ! \$_successfully_finished_script || grep -i "error:" \$_logfile > /dev/null 2>&1 || grep -i "$ERR_MSG_TOO_MANY_CERTS" \$_logfile > /dev/null 2>&1 ; then cp -a \$_logfile /var/log/ > /dev/null 2>&1 if \$verbose ; then error "Creating (some) Certificates failed!\\n\\t See also /var/log/\$(basename \$_logfile)" else echo -e "\\n[ Error ]: Creating (some) Certificates failed!" echo -e " See also /var/log/\$(basename \$_logfile) \\n" echo "" echo "Output message from dehydrated script:" echo "======================================" echo "" cat \$_logfile echo "" fi fi rm -f \$_logfile \$verbose && echo "" exit 0 EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Make Cron Script \"$DH_CRON_SCRIPT executable.." chmod 700 $DH_CRON_SCRIPT if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi if [[ -f "${DH_CRON_SCRIPT}.$_date" ]] ; then diff $DH_CRON_SCRIPT ${DH_CRON_SCRIPT}.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok info "Cronjob has not changed.\n\t Removing previously created backup.." rm -f ${DH_CRON_SCRIPT}.$_date fi fi if [[ "$DH_CRON_TYPE" = "user" ]]; then # Cronjob for dehydrated main script (ordering certificates) # echononl " Activate dehydrated cronjob for $(basename "$DH_CRON_SCRIPT") for root user .." _success=true _cur_cron=`mktemp` [[ $? -ne 0 ]] && _success=false crontab -u root -l > $_cur_cron [[ $? -ne 0 ]] && _success=false if ! $success ; then echo_failed else if grep `basename $DH_CRON_SCRIPT` $_cur_cron > /dev/null 2>&1 ; then echo_skipped info "Cronjob for $(basename "$DH_CRON_SCRIPT") already activated." else _success=true cat <> $_cur_cron # - Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script) # - 23 05 * * * $DH_CRON_SCRIPT EOF [[ $? -ne 0 ]] && _success=false crontab -u root $_cur_cron [[ $? -ne 0 ]] && _success=false if $success ; then echo_ok else echo_failed fi fi # if grep `basename $DH_CRON_SCRIPT` fi # if ! 
$success ; then rm -f $_cur_cron # - Check, whether a system based dehydrated cron exists in /etc/cron.d # - if grep -l `basename $DH_CRON_SCRIPT` /etc/cron.d/* > /dev/null 2>&1 ; then warn "A system based dehydrated cronjob already exists in /etc/cron.d/\n\t Deleteing this one now.." _success=true echononl " Delete dehydrated cronjob in /etc/cron.d/.." for _file in $(grep -l `basename $DH_CRON_SCRIPT` /etc/cron.d/*) ; do rm -f $_file > /dev/null 2>&1 [[ $? -ne 0 ]] && _success=false done if $success ; then echo_ok else echo_failed fi fi # if grep `basename $DH_CRON_SCRIPT` /etc/cron.d/* # Cronjob for dehydrated update vhosts script (change ssl directives) # echononl " Activate dehydrated cronjob for $(basename "$DH_UPDATE_SSL_DIRECTIVES_SCRIPT") for root user .." _success=true _cur_cron=`mktemp` [[ $? -ne 0 ]] && _success=false crontab -u root -l > $_cur_cron [[ $? -ne 0 ]] && _success=false if ! $success ; then echo_failed else if grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` $_cur_cron > /dev/null 2>&1 ; then echo_skipped info "Cronjob for $(basename "$DH_UPDATE_SSL_DIRECTIVES_SCRIPT") already activated." else _success=true cat <> $_cur_cron # - Check whether all certificates are included in the VHOST configurations # - 33 05 * * * $DH_UPDATE_SSL_DIRECTIVES_SCRIPT EOF [[ $? -ne 0 ]] && _success=false crontab -u root $_cur_cron [[ $? -ne 0 ]] && _success=false if $success ; then echo_ok else echo_failed fi fi # if grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` fi # if ! $success ; then rm -f $_cur_cron # - Check, whether a system based update vhosts script exists in /etc/cron.d # - if grep -l `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/* > /dev/null 2>&1 ; then warn "A system based update vhost cronjob already exists in /etc/cron.d/\n\t Deleteing this one now.." _success=true echononl " Delete update vhost cronjob in /etc/cron.d/.." 
for _file in $(grep -l `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/*) ; do rm -f $_file > /dev/null 2>&1 [[ $? -ne 0 ]] && _success=false done if $success ; then echo_ok else echo_failed fi fi # if grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/* # - Remove crontjob's for old (and noe renamed) script $DH_CHANGE_SSL_DIRECTIVES_SCRIPT # - if crontab -l | grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT` > /dev/null 2>&1 ; then warn "Dehydrated's update vhost cronjob is also activated for root user.\n\t Deleting now.." echononl " Delete dehydrated's update vhost cronjob for user root.." _success=true _cur_cron=`mktemp` [[ $? -ne 0 ]] && _success=false crontab -u root -l > $_cur_cron [[ $? -ne 0 ]] && _success=false sed -i "/`basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT`/d" $_cur_cron > /dev/null 2>&1 [[ $? -ne 0 ]] && _success=false crontab -u root $_cur_cron [[ $? -ne 0 ]] && _success=false if $success ; then echo_ok else echo_failed fi fi # if crontab -l | grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT` elif [[ "$DH_CRON_TYPE" = "system" ]]; then echononl " Activate dehydrated cronjob in /etc/cron.d/" if grep -q $(basename "${DH_CRON_SCRIPT}") /etc/cron.d/* 2> /dev/null \ && grep -q $(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}") /etc/cron.d/* 2> /dev/null ; then echo_skipped info "Cronjobs already activated." else cat < /etc/cron.d/dehydrated # - Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script) # - 21 05 * * * root $DH_CRON_SCRIPT # - Check whether all certificates are included in the VHOST configurations # - 31 05 * * * root $DH_UPDATE_SSL_DIRECTIVES_SCRIPT EOF if [[ $? -eq 0 ]]; then echo_ok else echo_skipped fi fi # if grep `basename $DH_CRON_SCRIPT` # - Check, whether a dehydrated cron job exists for user root # - if crontab -l | grep `basename $DH_CRON_SCRIPT` > /dev/null 2>&1 ; then warn "Dehydrated cronjob is also activated for root user.\n\t Deleting now.." 
echononl " Delete dehydrated cronjob for user root.." _success=true _cur_cron=`mktemp` [[ $? -ne 0 ]] && _success=false crontab -u root -l > $_cur_cron [[ $? -ne 0 ]] && _success=false sed -i "/`basename $DH_CRON_SCRIPT`/d" $_cur_cron > /dev/null 2>&1 [[ $? -ne 0 ]] && _success=false crontab -u root $_cur_cron [[ $? -ne 0 ]] && _success=false if $success ; then echo_ok else echo_failed fi fi # if crontab -l | grep `basename $DH_CRON_SCRIPT` # - Check, whether a dehydrated's update vhost cron job exists for user root # - if crontab -l | grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` > /dev/null 2>&1 ; then warn "Dehydrated's update vhost cronjob is also activated for root user.\n\t Deleting now.." echononl " Delete dehydrated's update vhost cronjob for user root.." _success=true _cur_cron=`mktemp` [[ $? -ne 0 ]] && _success=false crontab -u root -l > $_cur_cron [[ $? -ne 0 ]] && _success=false sed -i "/`basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT`/d" $_cur_cron > /dev/null 2>&1 [[ $? -ne 0 ]] && _success=false crontab -u root $_cur_cron [[ $? -ne 0 ]] && _success=false if $success ; then echo_ok else echo_failed fi fi # if crontab -l | grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` fi echononl " Create directory ${DH_BASE_DIR}/tools (if not exists)." if [[ ! -d "${DH_BASE_DIR}/tools" ]] ; then mkdir ${DH_BASE_DIR}/tools > /dev/null 2>&1 if [[ $? -eq 0 ]]; then echo_ok else echo_failed fi else echo_skipped fi # - Sript create_domains_file.sh # if [[ -f "${DH_BASE_DIR}/tools/create_domains_file.sh" ]]; then # - Backup existing script create_domains_file.sh # - echononl " Backup ${DH_BASE_DIR}/tools/create_domains_file.sh.." cp -a ${DH_BASE_DIR}/tools/create_domains_file.sh ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date > /dev/null 2>&1 if [[ $? 
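-eq 0 ]]; then
    echo_ok
  else
    echo_failed
  fi
fi

echononl " Install script \"create_domains_file.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > "${DH_BASE_DIR}/tools/create_domains_file.sh"
#!/usr/bin/env bash
# - Creates "domains.txt" file for dehydrated script (let's encrypt)
# -
# - Scans the webserver vhost directory for TLS vhosts, collects each
# - ServerName/server_name with its aliases and writes one line per site
# - ("name alias alias ...") into dehydrated's domains.txt.

# - Installation-time values filled in by the dehydrated installer.
_DH_BASE_DIR=$DH_BASE_DIR
_APACHE_VHOST_DIR=$APACHE_VHOST_DIR
_NGINX_VHOST_DIR=$NGINX_VHOST_DIR

# -------------
# --- Some functions
# -------------

# - Print the arguments (echo -e style escapes honoured) without a trailing
# - newline on stderr. printf '%b' replaces the previous probe file in /tmp,
# - which a root-run script should not create under a predictable name.
echononl(){
  printf '%b' "\$*" 1>&2
}
fatal(){
  echo ""
  echo -e "fataler Fehler: \$*"
  echo ""
  echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
  echo ""
  exit 1
}
error(){
  echo ""
  echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*"
  echo ""
}
warn (){
  echo ""
  echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*"
  echo ""
}
info (){
  echo ""
  echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*"
  echo ""
}
echo_done() {
  echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
  echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
  echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
  echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
  echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}

## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
  local e
  for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done
  return 1
}

clear
echo ""
echo -e "\033[21G\033[32mGets ServerName and ServerAlias(es) from Apache VHost Configuration\033[m"
echo -e "\033[21G\033[32mand adde them to dehydrated's \"domains.txt\" file\033[m"
echo ""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH Base directory"
echo ""
echo ""
DH_BASE_DIR=
while [[ "X\$DH_BASE_DIR" = "X" ]]; do
  echononl "DH Configuration Directory [\$_DH_BASE_DIR]: "
  read -r DH_BASE_DIR
  if [[ "X\$DH_BASE_DIR" = "X" ]]; then
    DH_BASE_DIR=\$_DH_BASE_DIR
  fi
done

SCRIPT_INSTALL_DIR=\${DH_BASE_DIR}/tools
DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt

# - Default vhost directory offered at the prompt: the installer's choice when
# - it still exists, otherwise the usual distribution locations.
if [[ ! -d "\$_APACHE_VHOST_DIR" ]]; then
  if [[ -d "/etc/apache2/sites-available" ]]; then
    # NOTE(review): Debian keeps vhosts in sites-available; confirm that
    # conf-available is really the intended default here.
    _VHOST_DIR=/etc/apache2/conf-available
  elif [[ -d "/usr/local/apache2/conf/vhosts" ]]; then
    if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then
      _VHOST_DIR=/usr/local/apache2/conf/vhosts/0
    else
      _VHOST_DIR=/usr/local/apache2/conf/vhosts
    fi
  fi
else
  _VHOST_DIR=\$_APACHE_VHOST_DIR
fi
if [[ ! -d "\$_NGINX_VHOST_DIR" ]]; then
  if [[ -d "/etc/nginx/sites-available" ]]; then
    # - The configured nginx directory is missing: fall back to the
    # - distribution default (the original assigned the missing directory).
    _VHOST_DIR=/etc/nginx/sites-available
  fi
else
  _VHOST_DIR=\$_NGINX_VHOST_DIR
fi

echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert VHost Directory"
echo ""
echo ""
VHOST_DIR=
while [[ "X\$VHOST_DIR" = "X" ]]; do
  echononl "VHost Directory [\$_VHOST_DIR]: "
  read -r VHOST_DIR
  if [[ "\$VHOST_DIR" == "none" || "\$VHOST_DIR" == "None" ]]; then
    # NOTE(review): "none" is immediately fatal below; confirm whether skipping
    # the webserver configuration was ever meant to be supported.
    warn "Webserver Configuration will be ommited"
    VHOST_DIR=
    break
  elif [[ "X\$VHOST_DIR" = "X" ]]; then
    VHOST_DIR=\$_VHOST_DIR
  fi
done
if [[ ! -d "\$VHOST_DIR" ]]; then
  fatal "No Webserver VHost Configuration directory found!"
fi

echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Sites without creating a certificate for"
echo ""
echo "Insert only siteames configured as \"ServerName\" (NOT ServerAlias) in VHost configuration"
echo ""
echo "Insert a blank seperated list of names or leave empty for none."
echo ""
SITES_WITHOUT_CERTS=
echononl "Sites without certificate: "
read -r SITES_WITHOUT_CERTS

echo ""
echo ""
echo -e "#\033[32m --------------------\033[m"
echo -e "#\033[32m --- Starts Script the following Parameters \033[m"
echo -e "#\033[32m --------------------\033[m"
echo ""
echo "DH Base Directory.............: \$DH_BASE_DIR"
echo "DH domains.txt file...........: \$DOMAINS_TXT_FILE"
echo ""
echo "Script Installation Directory.: \${DH_BASE_DIR}/tools"
echo ""
echo "Vhosts Directory..............: \$VHOST_DIR"
echo ""
echo "Sites without Certificate.....: \$SITES_WITHOUT_CERTS"
echo ""
echononl "Start with that configuration? [yes/no]: "
read -r OK
while [[ "\$OK" != "yes" && "\$OK" != "Yes" && "\$OK" != "No" && "\$OK" != "no" ]]; do
  echononl "wrong entry! [yes/no] :"
  read -r OK
done
[[ "\$OK" == "Yes" || "\$OK" == "yes" ]] || fatal "Change parameters and restart script: \$(basename "\$0")"

# - Names the user excluded; matched against the vhost file name (without
# - extension) and against the ServerName found inside.
SITE_WITHOUT_CERTS_arr=()
for _site in \$SITES_WITHOUT_CERTS ; do
  SITE_WITHOUT_CERTS_arr+=("\${_site}")
done

_date=\$(date +%Y-%m-%d-%H%M)

echo ""
echononl " Save existing file \$(basename "\$DOMAINS_TXT_FILE")"
if [[ -f "\$DOMAINS_TXT_FILE" ]]; then
  # - Use the same timestamp as the comparison at the end of the script; a
  # - second date call could cross a minute boundary and orphan the backup.
  if cp -a "\$DOMAINS_TXT_FILE" "\${DOMAINS_TXT_FILE}.\$_date" ; then
    echo_ok
  else
    echo_failed
  fi
fi

echo ""
vhost_file_arr=()
echononl " Create Array of VHost configuration files.."
while IFS='' read -r -d '' filename ; do
  _base=\$(basename "\$filename")
  if [[ "\$_base" =~ ^00 ]] ; then
    # - "00-*" files are the default/catch-all vhosts
    continue
  elif ! grep -q SSLCertificate "\$filename" 2> /dev/null && ! grep -q ssl_certificate "\$filename" 2> /dev/null ; then
    # - no TLS vhost in this file
    continue
  elif containsElement "\${_base%.*}" "\${SITE_WITHOUT_CERTS_arr[@]}" ; then
    # - explicitly excluded by the user
    continue
  else
    vhost_file_arr+=("\$(realpath "\$filename")")
  fi
done < <(find "\$VHOST_DIR" -mindepth 1 -maxdepth 1 -name "*.conf" -print0)
if [[ \$? -eq 0 ]]; then
  echo_ok
else
  echo_failed
fi

declare -i number_errors=0
for file in "\${vhost_file_arr[@]}" ; do
  _server_name=""
  _server_name_failed=false
  _server_aliases_arr=()
  _server_alias=""
  number_errors=0
  more_aliases=false

  echo ""
  echononl " Get ServerName/ServerAlias from file \"\$(basename "\$file")\""
  # - Lines are handed to grep/awk/sed quoted: an unquoted alias such as
  # - "*.example.com" would otherwise be glob-expanded against the working dir.
  while read -r line ; do
    # - Get ServerName Apache
    if grep -q -e "^\s*ServerName" <<<"\$line" ; then
      _server_name_tmp=\$(awk '{print \$2}' <<<"\$line")
      if [[ -z "\$_server_name" ]]; then
        _server_name=\$_server_name_tmp
      elif [[ "\$_server_name" != "\$_server_name_tmp" ]]; then
        # - only report the first conflicting ServerName per file
        if [[ \$number_errors -eq 0 ]]; then
          echo "[ Error ]: Misconfigured ServerName in file \"\$file\""
        fi
        _server_name_failed=true
        number_errors=\$(( number_errors + 1 ))
      fi
      continue
    fi
    # - Get Server Names (also Aliases) Nginx
    if grep -q -e "^\s*server_name" <<<"\$line" ; then
      _server_name_tmp=\$(sed -e "s/server_name//" -e "s/;//" -e "s/^\s*//" -e "s/\s*\$//" <<<"\$line")
      if [[ -z "\$_server_name_tmp" ]] ; then
        if [[ \$number_errors -eq 0 ]]; then
          echo "[ Error ]: Misconfigured ServerName in file \"\$file\""
        fi
        _server_name_failed=true
        number_errors=\$(( number_errors + 1 ))
        continue
      fi
      # - first name is the primary one, the rest are aliases
      _server_name=\$(awk '{print \$1}' <<<"\$_server_name_tmp")
      _server_alias_tmp=\${_server_name_tmp#\$_server_name}
      for _alias in \$_server_alias_tmp ; do
        containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
        _server_aliases_arr+=("\$_alias")
      done
      # - a server_name directive without ';' continues on the next line(s)
      if ! grep -q ";" <<<"\$line" ; then
        more_aliases=true
        continue
      else
        more_aliases=false
      fi
    fi
    if \$more_aliases ; then
      _server_aliases_tmp=\$(sed -e "s/;//" -e "s/^\s*//" -e "s/\s*\$//" <<<"\$line")
      for _alias in \$_server_aliases_tmp ; do
        containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
        _server_aliases_arr+=("\$_alias")
      done
      if grep -q ";" <<<"\$line" ; then
        more_aliases=false
      else
        continue
      fi
    fi
    containsElement "\$_server_name" "\${SITE_WITHOUT_CERTS_arr[@]}" && continue
    # - Get ServerAlias (Apache allows several names on one directive, the
    # - original only kept the first one)
    if grep -q -e "^\s*ServerAlias" <<<"\$line" ; then
      _server_alias_tmp=\$(sed -e "s/^\s*ServerAlias\s*//" <<<"\$line")
      for _alias in \$_server_alias_tmp ; do
        containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
        _server_aliases_arr+=("\$_alias")
      done
      continue
    fi
  done < "\$file"
  if [[ \$number_errors -eq 0 ]]; then
    echo_ok
  else
    echo_done
  fi

  add_to_domains=false
  echononl " Add Servernames to \"\$DOMAINS_TXT_FILE\".."
  # - (Re)write the line for this ServerName when it is missing or lacks one
  # - of the aliases found above. The name is matched as a whole first field so
  # - "example.com" does not hit (or delete) the line of "example.com.au".
  if ! grep -q -e "^\$_server_name\( \|\$\)" "\$DOMAINS_TXT_FILE" 2> /dev/null ; then
    add_to_domains=true
  else
    for _alias in "\${_server_aliases_arr[@]}" ; do
      if ! grep -q -e "^\$_server_name .*\$_alias" "\$DOMAINS_TXT_FILE" 2> /dev/null ; then
        sed -i "/^\$_server_name\( \|\$\)/d" "\$DOMAINS_TXT_FILE"
        add_to_domains=true
      fi
    done
  fi
  if \$add_to_domains ; then
    if echo "\$_server_name \${_server_aliases_arr[@]}" >> "\$DOMAINS_TXT_FILE" ; then
      echo_ok
    else
      echo_failed
    fi
  else
    echo_skipped
  fi
done

if [[ -f "\${DOMAINS_TXT_FILE}.\$_date" ]]; then
  if diff "\$DOMAINS_TXT_FILE" "\${DOMAINS_TXT_FILE}.\$_date" > /dev/null 2>&1 ; then
    info "\$DOMAINS_TXT_FILE was already up to date.\n\t Deleting previously created backup.."
    rm -f "\${DOMAINS_TXT_FILE}.\$_date"
  else
    echo ""
    echononl "Sort \$DOMAINS_TXT_FILE.."
    _success=true
    if _tmpfile=\$(mktemp) ; then
      sort -u "\$DOMAINS_TXT_FILE" > "\$_tmpfile" || _success=false
      # - Write back through the existing file so owner and mode of domains.txt
      # - are kept (copying the temp file with cp -a would impose its 0600).
      cat "\$_tmpfile" > "\$DOMAINS_TXT_FILE" || _success=false
      rm -f "\$_tmpfile"
      if \$_success ; then
        echo_ok
      else
        echo_failed
      fi
    else
      echo_skipped
      warn "\$DOMAINS_TXT_FILE left unsorted.."
    fi
  fi
fi
echo
exit 0
EOF
if [[ $? -eq 0 ]]; then
  echo_ok
else
  echo_failed
fi

echononl " Make \"${DH_BASE_DIR}/tools/create_domains_file.sh\" executable.."
if chmod 755 "${DH_BASE_DIR}/tools/create_domains_file.sh" ; then
  echo_ok
else
  echo_failed
fi

if [[ -f "${DH_BASE_DIR}/tools/create_domains_file.sh.$_date" ]]; then
  # - Drop the backup taken earlier when the freshly written script is identical.
  if diff "${DH_BASE_DIR}/tools/create_domains_file.sh" "${DH_BASE_DIR}/tools/create_domains_file.sh.$_date" > /dev/null 2>&1 ; then
    info "Script create_domains_file.sh has not change.\n\t Removing previously created backup.."
    echononl " Remove ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date.."
    if rm -f "${DH_BASE_DIR}/tools/create_domains_file.sh.$_date" ; then
      echo_ok
    else
      echo_failed
    fi
  fi
fi

# - Backup outdated script change_ssl_directives.sh (replaced by update_ssl_directives.sh)
#
echononl " Backup outdated script '$(basename "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}")'.."
if [[ -f "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}" ]]; then
  if mv "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}" "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1 ; then
    echo_ok
  else
    echo_failed
  fi
else
  echo_skipped
fi

# - Backup script update_ssl_directives.sh
#
if [[ -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" ]]; then
  # - Backup existing script update_ssl_directives.sh
  # -
  echononl " Backup ${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.."
  cp -a "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1
  if [[ $?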
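-eq 0 ]]; then
    echo_ok
  else
    echo_failed
  fi
fi

echononl " Install script \"$(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}")\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}"
#!/usr/bin/env bash
# - Changes "SSLCertificate.."-lines in vhost configuration
# -
# - Reads dehydrated's domains.txt, locates the vhost file(s) declaring each
# - ServerName / server_name and points their certificate and key directives at
# - the Let's Encrypt files below the dehydrated certs directory. Interactive
# - when attached to a terminal, silent (e.g. from cron) otherwise or with '-q'.

# - Installation-time values filled in by the dehydrated installer.
_DH_BASE_DIR=$DH_BASE_DIR
_APACHE_VHOST_DIR=$APACHE_VHOST_DIR
_NGINX_VHOST_DIR=$NGINX_VHOST_DIR

# - Default vhost directory: the installer's choice when it still exists,
# - otherwise the usual distribution locations.
if [[ -n "\$_APACHE_VHOST_DIR" ]] ; then
  if [[ ! -d "\$_APACHE_VHOST_DIR" ]]; then
    if [[ -d "/etc/apache2/sites-available" ]]; then
      # NOTE(review): Debian keeps vhosts in sites-available; confirm that
      # conf-available is really the intended fallback.
      _VHOST_DIR=/etc/apache2/conf-available
    elif [[ -d "/usr/local/apache2/conf/vhosts" ]]; then
      if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then
        _VHOST_DIR=/usr/local/apache2/conf/vhosts/0
      else
        _VHOST_DIR=/usr/local/apache2/conf/vhosts
      fi
    fi
  else
    _VHOST_DIR=\$_APACHE_VHOST_DIR
  fi
fi
if [[ -n "\$_NGINX_VHOST_DIR" ]] ; then
  if [[ ! -d "\$_NGINX_VHOST_DIR" ]]; then
    if [[ -d "/etc/nginx/sites-available" ]]; then
      # - The configured nginx directory is missing: fall back to the
      # - distribution default (the original assigned the missing directory).
      _VHOST_DIR=/etc/nginx/sites-available
    fi
  else
    _VHOST_DIR=\$_NGINX_VHOST_DIR
  fi
fi
_apache_debian_install=false

# -------------
# --- Some functions
# -------------
# - All output helpers stay silent unless \$terminal is true (set below);
# - error() always prints so a cron mail carries the failure.

# - Print the arguments (echo -e style escapes honoured) without a trailing
# - newline on stderr. printf '%b' replaces the previous probe file in /tmp,
# - which a root-run script should not create under a predictable name.
echononl(){
  if \$terminal ; then
    printf '%b' "\$*" 1>&2
  fi
}
fatal(){
  echo ""
  echo -e "fataler Fehler: \$*"
  echo ""
  echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
  echo ""
  exit 1
}
error(){
  echo ""
  if \$terminal ; then
    echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*"
  else
    echo "[ Error ]: \$*"
  fi
  echo ""
}
warn (){
  if \$terminal ; then
    echo ""
    echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*"
    echo ""
  fi
}
info (){
  if \$terminal ; then
    echo ""
    echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*"
    echo ""
  fi
}
echo_done() {
  if \$terminal ; then
    echo -e "\033[75G[ \033[32mdone\033[m ]"
  fi
}
echo_ok() {
  if \$terminal ; then
    echo -e "\033[75G[ \033[32mok\033[m ]"
  fi
}
echo_warning() {
  if \$terminal ; then
    echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
  fi
}
echo_failed(){
  if \$terminal ; then
    echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
  fi
}
echo_skipped() {
  if \$terminal ; then
    echo -e "\033[75G[ \033[37m\033[1mskipped\033[m ]"
  fi
}
blank_line() {
  if \$terminal ; then
    echo ""
  fi
}

## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
  local e
  for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done
  return 1
}

# -------------
# --- Check some prerequisites
# -------------

# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
  terminal=true
else
  terminal=false
fi

# -------------
# - Read Commanline Arguments
# -------------

# If option '-q' is present, be silent, even if running in a terminal
#
while getopts q opt ; do
  case \$opt in
    q) terminal=false ;;
  esac
done

if \$terminal ; then
  clear
  echo ""
  echo -e "\033[21G\033[32mChanges SSLCertificate directives at apache vhost configurations\033[m"
  echo -e "\033[21G\033[32mto their appropriate path to Let's Encrypt Certificate/Key.\033[m"
  echo ""
  echo ""
  echo -e "\033[32m--\033[m"
  echo ""
  echo "Insert DH Base directory"
  echo ""
  echo ""
  DH_BASE_DIR=
  while [[ "X\$DH_BASE_DIR" = "X" ]]; do
    echononl "DH Configuration Directory [\$_DH_BASE_DIR]: "
    read -r DH_BASE_DIR
    if [[ "X\$DH_BASE_DIR" = "X" ]]; then
      DH_BASE_DIR=\$_DH_BASE_DIR
    fi
  done
  SCRIPT_INSTALL_DIR=\${DH_BASE_DIR}/tools
  DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt
  if [[ ! -f "\$DOMAINS_TXT_FILE" ]] ; then
    fatal "Domain file \"\$(basename "\$DOMAINS_TXT_FILE")\" not found!"
  fi
  echo ""
  echo -e "\033[32m--\033[m"
  echo ""
  echo "Insert VHost Directory"
  echo ""
  echo ""
  VHOST_DIR=
  while [[ "X\$VHOST_DIR" = "X" ]]; do
    echononl "VHost Directory [\$_VHOST_DIR]: "
    read -r VHOST_DIR
    if [[ "\$VHOST_DIR" == "none" || "\$VHOST_DIR" == "None" ]]; then
      # NOTE(review): "none" is immediately fatal below; confirm whether
      # skipping the webserver configuration was ever meant to be supported.
      warn "Webserver Configuration will be ommited"
      VHOST_DIR=
      break
    elif [[ "X\$VHOST_DIR" = "X" ]]; then
      VHOST_DIR=\$_VHOST_DIR
    fi
  done
  if [[ ! -d "\$VHOST_DIR" ]]; then
    fatal "No Webserver VHost Configuration directory found!"
  fi
  echo ""
  echo ""
  echo -e "#\033[32m --------------------\033[m"
  echo -e "#\033[32m --- Starts Script the following Parameters \033[m"
  echo -e "#\033[32m --------------------\033[m"
  echo ""
  echo "DH Base Directory.............: \$DH_BASE_DIR"
  echo "DH domains.txt file...........: \$DOMAINS_TXT_FILE"
  echo ""
  echo "Script Installation Directory.: \${DH_BASE_DIR}/tools"
  echo ""
  echo "Vhosts Directory..............: \$VHOST_DIR"
  echo ""
  echononl "Start with that configuration? [yes/no]: "
  read -r OK
  while [[ "\$OK" != "yes" && "\$OK" != "Yes" && "\$OK" != "No" && "\$OK" != "no" ]]; do
    echononl "wrong entry! [yes/no] :"
    read -r OK
  done
  [[ "\$OK" == "Yes" || "\$OK" == "yes" ]] || fatal "Change parameters and restart script: \$(basename "\$0")"
else
  # - Non-interactive (cron): take the installation-time defaults.
  DH_BASE_DIR=\$_DH_BASE_DIR
  DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt
  if [[ ! -f "\$DOMAINS_TXT_FILE" ]] ; then
    fatal "Domain file \"\$(basename "\$DOMAINS_TXT_FILE")\" not found!"
  fi
  VHOST_DIR=\$_VHOST_DIR
fi

_date=\$(date +%Y-%m-%d-%H%M)

# - Edit the real files, not the symlinks in the *-enabled directories.
if [[ "\$VHOST_DIR" = "/etc/apache2/sites-enabled" ]] ; then
  APACHE_VHOST_DIR="/etc/apache2/sites-available"
  VHOST_DIR=\$APACHE_VHOST_DIR
fi
if [[ "\$VHOST_DIR" = "/etc/nginx/sites-enabled" ]] ; then
  NGINX_VHOST_DIR="/etc/nginx/sites-available"
  VHOST_DIR=\$NGINX_VHOST_DIR
fi

blank_line
echononl " Backup existing VHost Directory .."
# - For ".../vhosts/N" layouts back up the whole vhosts tree.
if [[ "\$(dirname "\$VHOST_DIR")" =~ vhosts?/?\$ ]] ; then
  BACKUP_SRC_DIR="\$(dirname "\$VHOST_DIR")"
else
  BACKUP_SRC_DIR="\$VHOST_DIR"
fi
if cp -a "\$BACKUP_SRC_DIR" "\${BACKUP_SRC_DIR}.\$_date" ; then
  echo_ok
else
  echo_failed
fi
blank_line

declare -a vhost_file_arr

# - Collect the vhost file(s) declaring the given name as primary ServerName /
# - server_name into vhost_file_arr (resolved through realpath, de-duplicated).
# - The name is anchored on both sides so that "example.com" does not also
# - select the vhosts of "example.com.au" (the original pattern only anchored
# - the start and would have rewritten the wrong vhost's certificate paths).
# - Dots in the name still match any character, which only widens the match
# - to names that differ in a single separator.
# -   \$1 - site name (first field of a domains.txt line)
_collect_vhost_files() {
  local _site="\$1" _directive _filename_site _real
  vhost_file_arr=()
  if [[ "\$VHOST_DIR" =~ apache ]]; then
    _directive="ServerName"
  else
    _directive="server_name"
  fi
  while IFS=' ' read -r _filename_site ; do
    _real=\$(realpath "\$_filename_site")
    if ! containsElement "\$_real" "\${vhost_file_arr[@]}" ; then
      vhost_file_arr+=("\$_real")
    fi
  done < <(grep -s -l -E "^\s*\${_directive}\s+\${_site}(\s|:|;|\$)" "\${VHOST_DIR}"/*)
}

while IFS=' ' read -r site_server_name rest ; do
  # - Skip blank lines and comments (dehydrated accepts both in domains.txt).
  [[ -z "\$site_server_name" || "\$site_server_name" == \#* ]] && continue
  _collect_vhost_files "\$site_server_name"
  echononl " Adjust entries for \"\${site_server_name}\" .."
  if [[ \${#vhost_file_arr[@]} -eq 0 ]]; then
    echo_skipped
    warn "No vhost configuration found for \$site_server_name"
    continue
  fi
  _cert_dir=\${DH_BASE_DIR}/certs/\${site_server_name}
  # - dehydrated publishes the current files as symlinks, hence -h.
  if [[ ! -h "\${_cert_dir}/fullchain.pem" ]] ; then
    echo_skipped
    warn "No certificate found for \$site_server_name"
    continue
  fi
  if [[ ! -h "\${_cert_dir}/privkey.pem" ]] ; then
    echo_skipped
    warn "No private key found for \$site_server_name"
    continue
  fi
  failed=false
  _ssl_directive_changed=false
  if [[ "\$VHOST_DIR" =~ apache ]]; then
    for _name in "\${vhost_file_arr[@]}" ; do
      if ! grep -q -i -E "\s*SSLCertificateFile\s*\${_cert_dir}/fullchain.pem" "\$_name" 2> /dev/null ; then
        perl -i -n -p -e s"#^(\s*)SSLCertificateFile.*#\1SSLCertificateFile \${_cert_dir}/fullchain.pem#" "\$_name" || failed=true
        _ssl_directive_changed=true
      fi
      if ! grep -q -i -E "\s*SSLCertificateKeyFile\s+\${_cert_dir}/privkey.pem" "\$_name" 2> /dev/null ; then
        perl -i -n -p -e s"#^(\s*)SSLCertificateKeyFile.*#\1SSLCertificateKeyFile \${_cert_dir}/privkey.pem#" "\$_name" || failed=true
        _ssl_directive_changed=true
      fi
      # - fullchain.pem already carries the intermediates, so a leftover
      # - SSLCertificateChainFile directive is removed. (The original test
      # - pattern contained a stray '/' which made this branch unreachable.)
      if grep -q -i -E "\s*SSLCertificateChainFile" "\$_name" 2> /dev/null ; then
        sed -i '/SSLCertificateChainFile/d' "\$_name" || failed=true
        _ssl_directive_changed=true
      fi
    done
  else
    for _name in "\${vhost_file_arr[@]}" ; do
      if ! grep -q -i -E "\s*ssl_certificate\s+\${_cert_dir}/fullchain.pem" "\$_name" 2> /dev/null ; then
        perl -i -n -p -e s"#^(\s*)ssl_certificate\s+.*#\1ssl_certificate \${_cert_dir}/fullchain.pem;#" "\$_name" || failed=true
        _ssl_directive_changed=true
      fi
      if ! grep -q -i -E "\s*ssl_certificate_key\s+\${_cert_dir}/privkey.pem" "\$_name" 2> /dev/null ; then
        perl -i -n -p -e s"#^(\s*)ssl_certificate_key\s+.*#\1ssl_certificate_key \${_cert_dir}/privkey.pem;#" "\$_name" || failed=true
        _ssl_directive_changed=true
      fi
    done
  fi
  if \$_ssl_directive_changed ; then
    if \$failed ; then
      echo_failed
    else
      echo_ok
    fi
  else
    echo_skipped
  fi
done < "\$DOMAINS_TXT_FILE"

# - Reload the webserver only when a vhost file actually changed; otherwise
# - the backup taken above is dropped again.
if [[ -d "\${BACKUP_SRC_DIR}.\$_date" ]]; then
  if diff -Nur "\$BACKUP_SRC_DIR" "\${BACKUP_SRC_DIR}.\$_date" > /dev/null 2>&1 ; then
    info "No VHosts configuration has changed.\n\t Removing previously created backup"
    echononl "Delete \"\${BACKUP_SRC_DIR}.\$_date\".."
    if rm -rf "\${BACKUP_SRC_DIR:?}.\$_date" ; then
      echo_ok
    else
      echo_failed
    fi
  elif [[ "\$VHOST_DIR" =~ apache ]]; then
    if [[ -x "$apache_control_script" ]]; then
      # - error() also prints when not on a terminal, so a failed reload after a
      # - config change is visible in the cron mail instead of being lost.
      if $apache_control_script graceful > /dev/null 2>&1 ; then
        info "Apache Webserver restarted."
      else
        error "Restarting Apache Webserver failed!"
      fi
    else
      if \$terminal ; then
        warn "Apache Control Script (apachectl) not found. Take care to restart webservice manually"
      else
        echo -e "\\n [ Warn ]: Apache Control Script (apachectl) not found. Take care to restart webservice manually"
      fi
    fi
  else
    if [[ -x "$nginx_init_script" ]]; then
      if $nginx_init_script restart > /dev/null 2>&1 ; then
        info "Nginx Webserver restarted."
      else
        error "Restarting Nginx Webserver failed!"
      fi
    else
      if \$terminal ; then
        warn "Nginx Init Script ($nginx_init_script) not found. Take care to restart webservice manually"
      else
        echo -e "\\n [ Warn ]: Nginx INIT Script ($nginx_init_script) not found. Take care to restart webservice manually"
      fi
    fi
  fi
fi
blank_line
exit
EOF
if [[ $? -eq 0 ]]; then
  echo_ok
else
  echo_failed
fi

echononl " Make \"${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}\" executable.."
if chmod 755 "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" ; then
  echo_ok
else
  echo_failed
fi

if [[ -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" ]]; then
  # - Drop the backup taken earlier when the freshly written script is identical.
  if diff "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1 ; then
    info "Script $(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}") has not change.\n\t Removing previously created backup.."
    echononl " Remove ${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date.."
    if rm -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" ; then
      echo_ok
    else
      echo_failed
    fi
  fi
fi

# - Script dh_tlsgen.sh
#
if [[ -f "${DH_BASE_DIR}/tools/dh_tlsgen.sh" ]]; then
  # - Backup existing script dh_tlsgen.sh
  # -
  echononl " Backup ${DH_BASE_DIR}/tools/dh_tlsgen.sh.."
  if cp -a "${DH_BASE_DIR}/tools/dh_tlsgen.sh" "${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date" > /dev/null 2>&1 ; then
    echo_ok
  else
    echo_failed
  fi
fi

echononl " Install script \"dh_tlsgen.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > "${DH_BASE_DIR}/tools/dh_tlsgen.sh"
#!/usr/bin/env bash
## ------------------------------------------------------------------------------
## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf
## ------------------------------------------------------------------------------
## - Prints the TLSA (DANE) resource records for one hostname:port, computed
## - from the certificate files dehydrated keeps below ${DH_BASE_DIR}/certs/.
## - The TTLs (ttl_311, ttl_301, ...) are expected from the sourced config.
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
  source "${DH_CONF_DIR}/dehydrated_cron.conf"
else
  echo
  echo -e " [ Error ]: No Configuration File found. Exiting now!"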
echo exit 1 fi if [[ \$# -ne 1 ]] ; then echo -e "\n usage: \$(basename "\$0") \n" exit fi CUR_IFS=\$IFS IFS=":" _tmp_arr=(\$@) IFS=\$CUR_IFS port=\${_tmp_arr[1]} hostname=\${_tmp_arr[0]} cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem tlsa_record_311=\$( printf "_%s._tcp.%s. \${ttl_311} IN TLSA 3 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')" ) cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem tlsa_record_301=\$( printf "_%s._tcp.%s. \${ttl_301} IN TLSA 3 0 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')" ) cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_211_chain=\$( printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')" ) cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_201_chain=\$( printf "_%s._tcp.%s. \${ttl_201} IN TLSA 2 0 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')" ) cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_202_chain=\$( printf "_%s._tcp.%s. \${ttl_202} IN TLSA 2 0 2 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | openssl dgst -sha512 -binary | hexdump -ve '/1 "%02x"')" ) tlsa_record_211_root="" cert=${DH_BASE_DIR}/certs/\${hostname}/root.ca if [[ -f "\$cert" ]]; then tlsa_record_211_root=\$( printf "_%s._tcp.%s. 
\${ttl_211} IN TLSA 2 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')" ) fi echo "" echo "TLSA 3 1 1 certificate" echo "======================" echo "\$tlsa_record_311" echo "" echo "TLSA 3 0 1 certificate" echo "======================" echo "\$tlsa_record_301" echo "" echo "TLSA 2 1 1 chain" echo "================" echo "\$tlsa_record_211_chain" echo "" echo "TLSA 2 0 1 chain" echo "================" echo "\$tlsa_record_201_chain" echo "" echo "TLSA 2 0 2 chain" echo "================" echo "\$tlsa_record_202_chain" echo "" if [[ -n "\$tlsa_record_211_root" ]]; then echo "TLSA 2 1 1 root" echo "===============" echo "\$tlsa_record_211_root" echo "" fi exit 0 EOF if [[ $? -eq 0 ]]; then echo_ok else echo_failed fi echononl " Make \"${DH_BASE_DIR}/tools/dh_tlsgen.sh\" executable.." chmod 755 ${DH_BASE_DIR}/tools/dh_tlsgen.sh if [[ $? -eq 0 ]]; then echo_ok else echo_failed fi if [[ -f "${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date" ]]; then diff ${DH_BASE_DIR}/tools/dh_tlsgen.sh ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date > /dev/null 2>&1 if [[ $? -eq 0 ]]; then info "Script dh_tlsgen.sh has not change.\n\t Removing previously created backup.." echononl " Remove ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date.." rm -f ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date if [[ $? -eq 0 ]]; then echo_ok else echo_failed fi fi fi echo "" exit 0
