certificates/dehydrated-cron
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
dehydrated-cron/install_dehydrated.sh

4220 lines
125 KiB
Bash
Executable File
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env bash
_DH_INSTALL_DIR=/usr/local/dehydrated
_DH_CONF_DIR=/etc/dehydrated
_DH_BASE_DIR=/var/lib/dehydrated
_DH_WELL_KNOWN_DIR=/var/www/dehydrated
STR_PROCESSED="marked to be validated"
STR_SUCCESS="Certificate has been produced"
STR_INVALID_CHALLENGE="Error: Invalid Challenge"
STR_HTTP_REQUEST_FAILED="Error: HTTP-Request failed"
STR_TOO_MANY_CERTIFICATES="too many certificates already issued for"
ERR_MSG_TOO_MANY_CERTS="too many certificates already issued"
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fataler Fehler: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
clear
echo ""
echo -e "\033[21G\033[32mInstallation script for dehydrated\033[m"
echo ""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH installation directory"
echo ""
echo ""
DH_INSTALL_DIR=
while [[ "X$DH_INSTALL_DIR" = "X" ]]; do
echononl "DH Installation Directory [$_DH_INSTALL_DIR]: "
read DH_INSTALL_DIR
if [[ "X$DH_INSTALL_DIR" = "X" ]]; then
DH_INSTALL_DIR=$_DH_INSTALL_DIR
fi
done
HOOK_EXAMPLE_FILE=${DH_INSTALL_DIR}/docs/examples/hook.sh
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH Configuration directory"
echo ""
echo ""
DH_CONF_DIR=
while [[ "X$DH_CONF_DIR" = "X" ]]; do
echononl "DH Configuration Directory [$_DH_CONF_DIR]: "
read DH_CONF_DIR
if [[ "X$DH_CONF_DIR" = "X" ]]; then
DH_CONF_DIR=$_DH_CONF_DIR
fi
done
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH Base directory"
echo ""
echo ""
DH_BASE_DIR=
while [[ "X$DH_BASE_DIR" = "X" ]]; do
echononl "DH Configuration Directory [$_DH_BASE_DIR]: "
read DH_BASE_DIR
if [[ "X$DH_BASE_DIR" = "X" ]]; then
DH_BASE_DIR=$_DH_BASE_DIR
fi
done
HOOK_OUT_FILE="${DH_BASE_DIR}/hook.sh"
DH_CRON_SCRIPT="${DH_BASE_DIR}/cron/dehydrated_cron.sh"
DH_CHANGE_SSL_DIRECTIVES_SCRIPT="${DH_BASE_DIR}/tools/change_ssl_directives.sh"
DH_UPDATE_SSL_DIRECTIVES_SCRIPT="${DH_BASE_DIR}/tools/update_ssl_directives.sh"
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH \"WELL KNOWN\" directory"
echo ""
echo "Output directory for challenge-tokens to be served by webserver or"
echo "deployed in HOOK (e.g.: /var/www/dehydrated)"
echo ""
DH_WELL_KNOWN_DIR=
while [[ "X$DH_WELL_KNOWN_DIR" = "X" ]]; do
echononl "DH \"WELL KNOWN\" Directory [$_DH_WELL_KNOWN_DIR]: "
read DH_WELL_KNOWN_DIR
if [[ "X$DH_WELL_KNOWN_DIR" = "X" ]]; then
DH_WELL_KNOWN_DIR=$_DH_WELL_KNOWN_DIR
fi
done
DH_CRON_TYPE=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "How to activate the dehydrated cronjob"
echo ""
echo "[1] System defined as cronjob file in /etc/cron.d"
echo "[2] User defined - added to root cronjobs"
echo "[3] Skip Cronjob Activation"
echo ""
echononl "Eingabe: "
while [ "$DH_CRON_TYPE" != "system" -a "$DH_CRON_TYPE" != "user" -a "$DH_CRON_TYPE" != "none" ];do
read OPTION
case $OPTION in
1)
DH_CRON_TYPE="system"
;;
2)
DH_CRON_TYPE="user"
;;
3)
DH_CRON_TYPE="none"
;;
*)
echo ""
echo -e "\tFalsche Eingabe ! [ 1 = System defined ; 2 = User defined , 3 = Skip]"
echo ""
echononl "Eingabe:"
;;
esac
done
WEBSERVER_INSTALLATION=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Webserver Installation"
echo ""
echo ""
echo "[1] Apache2 from Debian Package System"
echo "[2] Apache2 installed from Sources"
echo "[3] nginx from Debian Package System"
echo "[4] GitLab integrated Webserver (GiLab CE Omnibus Package)"
echo "[5] Other Webserver Installation"
echo ""
echononl "Eingabe: "
while [ "$WEBSERVER_INSTALLATION" != "Apache2_Debian" \
-a "$WEBSERVER_INSTALLATION" != "Apache2_Source" \
-a "$WEBSERVER_INSTALLATION" != "Nginx_Debian" \
-a "$WEBSERVER_INSTALLATION" != "GitLab" \
-a "$WEBSERVER_INSTALLATION" != "Other_Webserver_Installation" ];do
read OPTION
case $OPTION in
1) WEBSERVER_INSTALLATION="Apache2_Debian"
;;
2) WEBSERVER_INSTALLATION="Apache2_Source"
;;
3) WEBSERVER_INSTALLATION="Nginx_Debian"
;;
4) WEBSERVER_INSTALLATION="GitLab"
;;
5) WEBSERVER_INSTALLATION="Other_Webserver_Installation"
;;
*) echo ""
echo -e "\tFalsche Eingabe ! [ 1 = Apache2 Debian ; 2 = Apache2 Sources ; 3 = Nginx Debian ; 4 = Other ; 5 = GitLab]"
echo ""
echononl "Eingabe:"
;;
esac
done
_set_apache_conf_symlink=false
apache_installed=false
nginx_installed=false
gitlab_installed=false
gitlab_reconfigure=false
nginx_init_script=/etc/init.d/nginx
apache_control_script=/etc/init.d/apache2
gitlab_ctl_script=/usr/bin/gitlab-ctl
if [[ "$WEBSERVER_INSTALLATION" = "Apache2_Debian" ]] ;then
APACHE_VHOST_DIR=/etc/apache2/sites-enabled
APACHE_CONF_DIR=/etc/apache2/conf-available
_set_apache_conf_symlink=true
apache_control_script=`which apachectl`
apache_installed=true
elif [[ "$WEBSERVER_INSTALLATION" = "Apache2_Source" ]] ;then
if [[ ! -d "$_APACHE_VHOST_DIR" ]]; then
if [[ -d "/usr/local/apache2/conf/vhosts" ]]; then
if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then
_APACHE_VHOST_DIR=/usr/local/apache2/conf/vhosts/0
else
_APACHE_VHOST_DIR=/usr/local/apache2/conf/vhosts
fi
fi
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert VHost Configuration Directory"
echo ""
echo "Type:"
echo -e "\t\033[33mNone\033[m if not present or no webserver configuration should be done."
echo ""
APACHE_VHOST_DIR=
while [[ "X$APACHE_VHOST_DIR" = "X" ]]; do
echononl "VHost Configuration Directory [$_APACHE_VHOST_DIR]: "
read APACHE_VHOST_DIR
if [ "X$APACHE_VHOST_DIR" = "Xnone" -o "X$APACHE_VHOST_DIR" = "XNone" ]; then
warn "Webserver Configuration will be ommited"
APACHE_VHOST_DIR=
break
elif [[ "X$APACHE_VHOST_DIR" = "X" ]]; then
APACHE_VHOST_DIR=$_APACHE_VHOST_DIR
fi
done
if [[ "`basename $APACHE_VHOST_DIR`" = "0" ]]; then
APACHE_CONF_DIR=`dirname $APACHE_VHOST_DIR`
else
APACHE_CONF_DIR=$APACHE_VHOST_DIR
fi
apache_control_script=`which apachectl`
apache_installed=true
elif [[ "$WEBSERVER_INSTALLATION" = "Nginx_Debian" ]] ;then
NGINX_BASE_DIR=/etc/nginx
NGINX_VHOST_DIR=${NGINX_BASE_DIR}/sites-enabled
NGINX_SNIPPET_DIR=${NGINX_BASE_DIR}/snippets
nginx_installed=true
elif [[ "$WEBSERVER_INSTALLATION" = "GitLab" ]] ;then
GITLAB_CONF_FILE=/etc/gitlab/gitlab.rb
gitlab_ctl_script=/usr/bin/gitlab-ctl
gitlab_installed=true
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert hostname (external_url)"
echo ""
_HOST_NAME="$(hostname --fqdn)"
HOST_NAME=
echononl "Hostname [${_HOST_NAME}]: "
read HOST_NAME
if [[ "X${HOST_NAME}" = "X" ]] ; then
HOST_NAME="${_HOST_NAME}"
fi
else
APACHE_VHOST_DIR=
APACHE_CONF_DIR=
NGINX_BASE_DIR=
NGINX_VHOST_DIR=
warn "This Type of Webserver Installation is not yet available"
fi
echo ""
echo ""
echo -e "#\033[32m --------------------\033[m"
echo -e "#\033[32m --- Start dehydrated (DH) installation with the following Parameters \033[m"
echo -e "#\033[32m --------------------\033[m"
echo ""
echo "DH Installation Directory.....: $DH_INSTALL_DIR"
echo "DH Configuration Directory....: $DH_CONF_DIR"
echo "DH Base Directory.............: $DH_BASE_DIR"
echo "DH \"WELL KNOWN\" Directory.....: $DH_WELL_KNOWN_DIR"
echo ""
if [[ "$DH_CRON_TYPE" = "system" ]]; then
echo "DH Cronjob Type...............: Installed as file in /etc/cron.d"
elif [[ "$DH_CRON_TYPE" = "user" ]]; then
echo "DH Cronjob Type...............: Added to root cronjobs"
else
echo -e "DH Cronjob Type...............: \033[33mSkip activation\033[m"
fi
echo ""
if [[ "$WEBSERVER_INSTALLATION" =~ Apache2 ]]; then
if [[ "$APACHE_CONF_DIR" != "$APACHE_VHOST_DIR" ]]; then
echo "Apache Config Directory.......: $APACHE_CONF_DIR"
fi
echo "Apache Vhost Directory........: $APACHE_VHOST_DIR"
echo ""
elif [[ "$WEBSERVER_INSTALLATION" =~ Nginx ]]; then
echo "nginx Directory.,............: $NGINX_BASE_DIR"
echo "nginx Vhost Directory........: $NGINX_VHOST_DIR"
elif [[ "$WEBSERVER_INSTALLATION" =~ GitLab ]]; then
echo "Hostname (external_url)......: $HOST_NAME"
fi
echo ""
echononl "Start with that configuration? [yes/no]: "
read OK
while [ "X$OK" != "Xyes" -a "X$OK" != "XYes" -a "X$OK" != "XNo" -a "X$OK" != "Xno" ]
do
echononl "wrong entry! [yes/no] :"
read OK
done
[ $OK = "Yes" -o $OK = "yes" ] || fatal "Change parameters and restart script: `basename $0`"
echo
echo
_date=`date +%Y-%m-%d-%H%M`
## - Configure Apache..
## -
apache_config_changed=false
if [[ -n "$APACHE_CONF_DIR" ]]; then
_apache_dh_conf_file=${APACHE_CONF_DIR}/000-dehydrated.conf
echononl " Configure Apache Webserver: Create alias for WELL-KNOWN Directory.."
if [[ -x "$apache_control_script" ]] && $apache_control_script -M 2> /dev/null | grep -q version_module > /dev/null 2>&1 ; then
cat << EOF > $_apache_dh_conf_file
Alias /.well-known/acme-challenge ${DH_WELL_KNOWN_DIR}/
<Directory /var/www/dehydrated/>
Options +FollowSymLinks
AllowOverride None
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
Satisfy Any
</IfVersion>
</Directory>
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
cat << EOF > $_apache_dh_conf_file
Alias /.well-known/acme-challenge ${DH_WELL_KNOWN_DIR}/
# - Notice:
# - If apache version < 2.4 (i.e. 2.2.x), then repclace lines
# - 'Require all granted' and 'Satisfy Any' with:
# - Order allow,deny
# - Allow from all
# -
<Directory /var/www/dehydrated/>
Options +FollowSymLinks
AllowOverride None
Require all granted
Satisfy Any
</Directory>
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
apache_config_changed=true
if $_set_apache_conf_symlink ; then
echononl " Activate \"000-dehydrated.conf\" .. "
if [[ -h /etc/apache2/conf-enabled/000-dehydrated.conf ]] ; then
echo_skipped
else
ln -s ../conf-available/000-dehydrated.conf /etc/apache2/conf-enabled/000-dehydrated.conf
if [[ $? -eq 0 ]] ; then
echo_ok
apache_config_changed=true
else
echo_failed
fi
fi
fi
fi
if [[ -n "$NGINX_BASE_DIR" ]]; then
if [[ ! -d $NGINX_SNIPPET_DIR ]]; then
echononl " Create ${NGINX_SNIPPET_DIR}.."
mkdir $NGINX_SNIPPET_DIR
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echononl " Configure Nginx Webserver: Create alias for WLLKNOWN Directory.."
if ! grep -E "location\s+/.well-known/acme-challenge/" ${NGINX_SNIPPET_DIR}/letsencrypt-acme-challenge.conf > /dev/null 2>&1 ; then
cat <<EOF > ${NGINX_SNIPPET_DIR}/letsencrypt-acme-challenge.conf
location /.well-known/acme-challenge/ {
alias /var/www/dehydrated/;
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;
}
auth_basic off;
}
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
warn "In your appropriate server definitions (or in the global one is exists) add line:\n\n\t\033[37m\033[1minclude /etc/nginx/snippets/letsencrypt-acme-challenge.conf;\033[m"
else
echo_failed
fi
else
echo_skipped
fi
fi
if [[ -n "$GITLAB_CONF_FILE" ]]; then
if [[ ! -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
URL_SCHEMA="http"
else
URL_SCHEMA="https"
fi
echononl " Adjust ${GITLAB_CONF_FILE} - external_url"
if ! grep -E "^\s*external_url" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "${URL_SCHEMA}://${HOST_NAME}" 2> /dev/null ; then
if grep -q -E "^\s*external_url" $GITLAB_CONF_FILE 2> /dev/null ; then
perl -i -n -p -e "s#^(\s*(external_url).*)#\#\# \1\n\2 '${URL_SCHEMA}://${HOST_NAME}'#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
elif ! grep -q -E "^\s*#\s*external_url" $GITLAB_CONF_FILE 2> /dev/null ; then
cat <<EOF >> ${GITLAB_CONF_FILE}
################################################################################
## Added by dehydrated install script $(basename $0)
################################################################################
external_url '${URL_SCHEMA}://${HOST_NAME}'
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
perl -i -n -p -e "s#^(\s*\#\s*(external_url).*)#\1\n\2 '${URL_SCHEMA}://${HOST_NAME}'#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
else
echo_skipped
fi
echononl " Adjust ${GITLAB_CONF_FILE} - nginx['custom_gitlab_server_config']"
if ! grep -E "^\s*nginx\['custom_gitlab_server_config'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q ".well-known/acme-challenge" 2> /dev/null ; then
if ! grep -q -E "^\s*#\s*nginx\['custom_gitlab_server_config'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
cat <<EOF >> ${GITLAB_CONF_FILE}
################################################################################
## Added by dehydrated install script $(basename $0)
################################################################################
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known/acme-challenge {\\n alias /var/www/dehydrated;\\n auth_basic off;\\n }\\n"
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
perl -i -n -p -e "s#^(\s*\#\s*(nginx\['custom_gitlab_server_config'\]).*)#\1\n\2 = \"location ^~ /.well-known/acme-challenge {\\\n alias \/var\/www\/dehydrated;\\\n auth_basic off;\\\n }\\\n\"#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
else
echo_skipped
fi
echononl " Adjust ${GITLAB_CONF_FILE} - nginx['listen_addresses']"
if ! grep -E "^\s*nginx\['listen_addresses'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "\['\*',\s*'\[::]'\]" 2> /dev/null ; then
if ! grep -q -E "^\s*#\s*nginx\['listen_addresses'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
cat <<EOF >> ${GITLAB_CONF_FILE}
################################################################################
## Added by dehydrated install script $(basename $0)
################################################################################
nginx['listen_addresses'] = ['*', '[::]']
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
perl -i -n -p -e "s#^(\s*\#\s*(nginx\['listen_addresses'\]).*)#\1\n\2 = ['*', '[::]']#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
else
echo_skipped
fi
if [[ -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']"
if ! grep -E "^\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "false" 2> /dev/null ; then
if grep -q -E "^\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
perl -i -n -p -e "s#^(\s*(letsencrypt\['enable'\]).*)#\#\# \1\n\2 = false#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
elif ! grep -q -E "^\s*#\s*letsencrypt\['enable'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
cat <<EOF >> ${GITLAB_CONF_FILE}
################################################################################
## Added by dehydrated install script $(basename $0)
################################################################################
letsencrypt['enable'] = false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
perl -i -n -p -e "s#^(\s*\#\s*(letsencrypt\['enable'\]).*)#\1\n\2 = false#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
else
echo_skipped
fi
echononl " Adjust ${GITLAB_CONF_FILE} - nginx['redirect_http_to_https']"
if ! grep -E "^\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null | grep -q -E "true" 2> /dev/null ; then
if grep -q -E "^\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
perl -i -n -p -e "s#^(\s*(nginx\['redirect_http_to_https'\]).*)#\#\# \1\n\2 = true#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
elif ! grep -q -E "^\s*#\s*nginx\['redirect_http_to_https'\]" $GITLAB_CONF_FILE 2> /dev/null ; then
cat <<EOF >> ${GITLAB_CONF_FILE}
################################################################################
## Added by dehydrated install script $(basename $0)
################################################################################
nginx['redirect_http_to_https'] = true
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
perl -i -n -p -e "s#^(\s*\#\s*(nginx\['redirect_http_to_https'\]).*)#\1\n\2 = true#" $GITLAB_CONF_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
else
echo_skipped
fi
echononl " Create Directory '/etc/gitlab/ssl'.."
if [[ ! -d "/etc/gitlab/ssl" ]]; then
mkdir -p "/etc/gitlab/ssl" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" ]] ; then
echo_skipped
else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" ]]; then
echo_skipped
else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
else
echo_failed
fi
fi
fi
fi
if [[ -d "$DH_WELL_KNOWN_DIR" ]]; then
echononl " Backup \"$DH_WELL_KNOWN_DIR\" directory.."
mv $DH_WELL_KNOWN_DIR $DH_WELL_KNOWN_DIR.$_date
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echononl " Create directory \"$DH_WELL_KNOWN_DIR\" .."
mkdir -p $DH_WELL_KNOWN_DIR
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create index.html file in directory \"$DH_WELL_KNOWN_DIR\" .."
cat << EOF > ${DH_WELL_KNOWN_DIR}/index.html
<!doctype html>
<html>
<head>
<title>HTTP Error 404 / Http Fehler 404</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
body {
background: #eee;
font: normal normal 16px/140% Arial, Helvetica, Trebuchet MS, Geneva, sans-serif;
word-wrap: break-word;
}
h1 {
font-size: 30px;
font-weight: bold;
line-height: 100%;
}
h2 {
font-size: 18px;
font-weight: bold;
line-height: 100%;
}
.Container {
background: #fff;
width: 825px;
}
.Content {
background: #fff;
font-size: 12px;
height: 400px;
line-height: 16px;
padding: 10px 20px;
}
</style>
<link rel="shortcut icon" href="/favicon.ico" />
</head>
<body>
<div class="Container">
<div class="Logo"></div>
<div class="Content">
<h1>HTTP Error 404</h1>
<h2>The site you have requestet was not found on this Server</h2>
<p>Please check your spelling and ry again.</p>
<p>Thank You very much!</p>
<h1>HTTP Fehler 404</h1>
<h2>Die von Ihnen aufgerufene Seite gibt es leider nicht - Sorry</h2>
<p>Bitte pr&uuml;fen Sie die Adresse und versuchen es nochmals.</p>
<p>Vielen Dank f&uuml;r Ihr Verst&auml;ndnis!</p>
</div><!-- .Content -->
</div><!-- .Container -->
</body>
</html>
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
if [[ -d "${DH_WELL_KNOWN_DIR}.$_date" ]] ; then
diff $DH_WELL_KNOWN_DIR ${DH_WELL_KNOWN_DIR}.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
info "$DH_WELL_KNOWN_DIR has not changed.\n\t Removing previos created backup.."
rm -rf ${DH_WELL_KNOWN_DIR}.$_date
fi
fi
if $apache_installed ; then
apache_control_script=`which apachectl`
echononl " Restarting (graceful) apache webserver.."
if $apache_config_changed ; then
if [[ -x "$apache_control_script" ]]; then
$apache_control_script graceful
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
warn "Graceful restart of apache webserver failed.."
fi
else
echo_skipped
warn "Apache Control Script (apachectl) not found."
fi
else
echo_skipped
fi
fi
if $nginx_installed ; then
nginx_init_script=/etc/init.d/nginx
echononl " Restarting nginx webserver.."
if [[ -x "$nginx_init_script" ]]; then
$nginx_init_script restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
warn "Restart of nginx webserver failed.."
fi
else
echo_skipped
warn "Nginx Control Script (nginx_init_script) not found."
fi
fi
if $gitlab_installed ; then
echononl " Reconfiguring (and restarting) Gitlab Services.."
if $gitlab_reconfigure ; then
if [[ -x "$gitlab_ctl_script" ]]; then
$gitlab_ctl_script reconfigure > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
warn "Restart of Gitlab Services failed.."
fi
else
echo_skipped
warn "Gitlab Control Script (gitlab-ctl) not found."
fi
else
echo_skipped
fi
fi
## - dehydrated from git repository
## -
cd `dirname $DH_INSTALL_DIR`
echononl " Cloning repository \"dehydrated.git\".."
if [[ -d "$DH_INSTALL_DIR" ]]; then
echo_skipped
info "$DH_INSTALL_DIR already exists.\n\t Try to update (git pull) now.."
echononl " Backup existing repository"
cp -a $DH_INSTALL_DIR ${DH_INSTALL_DIR}.$_date
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Update dehydrated repository"
cd $DH_INSTALL_DIR
git pull > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
warn "Maybe updating dehydrated repository was not successfully. Check it manually."
fi
diff -Nur $DH_INSTALL_DIR ${DH_INSTALL_DIR}.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
info "Repository has not changed.\n\t Removing previously created backup.."
rm -rf ${DH_INSTALL_DIR}.$_date
fi
else
git clone https://github.com/lukas2511/dehydrated.git $DH_INSTALL_DIR > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fatal "Cloning git repositors \"dehydrated.git\" failed!. Exciting install script.."
fi
fi
## - Create needed directories
## -
## - Configuration directory
## - Base directory (for let's encrypt asccounts, generated certificates,
## -
echononl " Create Directory $DH_CONF_DIR if not exists.."
if [[ -d "$DH_CONF_DIR" ]]; then
echo_skipped
#echononl " Backup configuration directory to ${DH_CONF_DIR}.$_date.."
#cp -a $DH_CONF_DIR ${DH_CONF_DIR}.$_date
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
#fi
else
mkdir -p $DH_CONF_DIR
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echononl " Create Directory ${DH_BASE_DIR}.."
if [[ -d "$DH_BASE_DIR" ]]; then
echo_skipped
else
mkdir -p $DH_BASE_DIR
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Copy example configuration file to $DH_CONF_DIR
## -
echononl " Copy (example) configuration to ${DH_CONF_DIR}/config .."
if [[ -f "${DH_CONF_DIR}/config" ]]; then
echo_skipped
info "Configuration file already exists.\n\t So we let current configuration untouched."
echononl " Copy example Config file to ${DH_CONF_DIR}/config.example"
cp $DH_INSTALL_DIR/docs/examples/config ${DH_CONF_DIR}/config.example > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
cp $DH_INSTALL_DIR/docs/examples/config $DH_CONF_DIR/ > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Adapt configuration file
## -
## - comment out line
## - CA="https://.."
## -
## - Change/Set Values
## -
## - CHALLENGETYPE="http-01"
## - BASEDIR="$DH_BASE_DIR"
## - WELLKNOWN="$DH_WELL_KNOWN_DIR"
## - HOOK="${BASEDIR}/hook.sh"
## -
echononl " Adjust configuration: comment out line 'CA=\"https://..'.."
if $(grep -q -E "^\s*CA\s*=\s*\"http" "$DH_CONF_DIR/config" 2> /dev/null) ; then
perl -i -n -p -e 's/^(\s*)(CA=.*)/## - \1\2\n/' $DH_CONF_DIR/config
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Adjust configuration: CHALLENGETYPE=\"http-01\".."
perl -i -n -p -e 's/^(\s*#*\s*)(CHALLENGETYPE=.*)/## - \1\2\nCHALLENGETYPE="http-01"/' $DH_CONF_DIR/config
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Adjust configuration: BASEDIR=\"$DH_BASE_DIR\".."
perl -i -n -p -e "s#^(\s*\#*\s*)(BASEDIR=.*)#\#\# - \1\2\nBASEDIR=\"$DH_BASE_DIR\"#" $DH_CONF_DIR/config
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Adjust configuration: WELLKNOWN=\"$DH_WELL_KNOWN_DIR\".."
perl -i -n -p -e "s#^(\s*\#*\s*)(WELLKNOWN=.*)#\#\# - \1\2\nWELLKNOWN=\"$DH_WELL_KNOWN_DIR\"#" $DH_CONF_DIR/config
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Adjust configuration: HOOK=\"\${BASEDIR}/hook.sh\".."
perl -i -n -p -e "s#^(\s*\#*\s*)(HOOK=.*)#\#\# - \1\2\nHOOK=\"\\\${BASEDIR}/hook.sh\"#" $DH_CONF_DIR/config
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Lets Encrypt has stringent rate limits in place.
## -
## - If you start testing using the production endpoint (which is the
## - default), you will quickly hit these limits and find yourself locked out.
## -
## - To avoid this, please set the CA property to the Lets Encrypt staging
## - server URL in your config file:
## -
#echononl " Set CA property to the Lets Encrypt staging server (for testing).."
#perl -i -n -p -e 's#^(\s*\#*\s*)(CA=.*)#\#\# - \1\2\nCA="https://acme-staging.api.letsencrypt.org/directory"#' \
# $DH_CONF_DIR/config
#if [[ $? -eq 0 ]] ; then
# echo_ok
# warn "Configuration is only for testing\n\t For production mode comment out line \"CA=..\""
#else
# echo_failed
#fi
fi
if [[ -f "$HOOK_OUT_FILE" ]] ; then
echononl " Backup existing hook-file to ${HOOK_OUT_FILE}.$_date"
cp -a $HOOK_OUT_FILE ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
found_deploy_challenge=false
found_deployed=false
found_request_failure=false
found_invalid_challenge=false
old_IFS=$IFS
IFS=''
> $HOOK_OUT_FILE
#regex_deploy="deploy_cert\s*()"
echononl " Writing file ${HOOK_OUT_FILE}.."
while read -r line || [[ -n "$line" ]]; do
if [[ $line =~ deploy_challenge\s*\(\) ]]; then
found_deploy_challenge=true
else
if $found_deploy_challenge ; then
if [[ $line =~ ^"}"$ ]]; then
echo "" >> $HOOK_OUT_FILE
echo " echo \" + Hook: \$DOMAIN - $STR_PROCESSED\"" >> $HOOK_OUT_FILE
echo "" >> $HOOK_OUT_FILE
found_deploy_challenge=false
fi
fi
fi
if [[ $line =~ deploy_cert\s*\(\) ]]; then
found_deployed=true
else
if $found_deployed ; then
if [[ $line =~ ^"}"$ ]]; then
echo "" >> $HOOK_OUT_FILE
echo " #lynx --source https://www.identrust.com/certificates/trustid/root-download-x3.html \\" >> $HOOK_OUT_FILE
echo " # | grep -v \"\/textarea\" \\" >> $HOOK_OUT_FILE
echo " # | awk '/textarea/{x=NR+18;next}(NR<=x){print}' \\" >> $HOOK_OUT_FILE
echo " # | sed -e '1i-----BEGIN CERTIFICATE-----\' \\" >> $HOOK_OUT_FILE
echo " # | sed -e '\$a-----END CERTIFICATE-----\' \\" >> $HOOK_OUT_FILE
echo " # > \${BASEDIR}/certs/\${DOMAIN}/root-\${TIMESTAMP}.ca" >> $HOOK_OUT_FILE
echo " #ln -s root-\${TIMESTAMP}.ca \${BASEDIR}/certs/\${DOMAIN}/root.ca" >> $HOOK_OUT_FILE
echo " #cp -a \`realpath \$FULLCHAINFILE\` \`realpath \$FULLCHAINFILE\`.ORIG" >> $HOOK_OUT_FILE
echo " #cat \`realpath \$FULLCHAINFILE\`.ORIG \${BASEDIR}/certs/\${DOMAIN}/root-\${TIMESTAMP}.ca > \$FULLCHAINFILE" >> $HOOK_OUT_FILE
echo " cat \"\$KEYFILE\" \"\$FULLCHAINFILE\" > \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain-\${TIMESTAMP}.pem\"" >> $HOOK_OUT_FILE
echo " if [ -h \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem\" ]; then" >> $HOOK_OUT_FILE
echo " rm \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem"\" >> $HOOK_OUT_FILE
echo " fi" >> $HOOK_OUT_FILE
echo " ln -s \"privkey_cert_chain-\${TIMESTAMP}.pem\" \"\${BASEDIR}/certs/\${DOMAIN}/privkey_cert_chain.pem\"" >>$HOOK_OUT_FILE
echo " echo \" + Hook: \$DOMAIN - $STR_SUCCESS\"" >> $HOOK_OUT_FILE
echo "" >> $HOOK_OUT_FILE
found_deployed=false
fi
fi
fi
if [[ $line =~ request_failure\s*\(\) ]]; then
found_request_failure=true
else
if $found_request_failure ; then
if [[ $line =~ ^"}"$ ]]; then
echo "" >> $HOOK_OUT_FILE
echo " echo \" + Hook: \$DOMAIN - $STR_HTTP_REQUEST_FAILED\"" >> $HOOK_OUT_FILE
echo "" >> $HOOK_OUT_FILE
found_request_failure=false
fi
fi
fi
if [[ $line =~ invalid_challenge\s*\(\) ]]; then
found_invalid_challenge=true
else
if $found_invalid_challenge ; then
if [[ $line =~ ^"}"$ ]]; then
echo "" >> $HOOK_OUT_FILE
echo " echo \" + Hook: \$DOMAIN - $STR_INVALID_CHALLENGE\"" >> $HOOK_OUT_FILE
echo "" >> $HOOK_OUT_FILE
found_invalid_challenge=false
fi
fi
fi
echo $line >> $HOOK_OUT_FILE
done < "$HOOK_EXAMPLE_FILE"
IFS=$old_IFS
if [[ -f "$HOOK_OUT_FILE" ]] ; then
echo_ok
else
echo_failed
fi
echononl " Make $HOOK_OUT_FILE executable.."
chmod 700 $HOOK_OUT_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
diff $HOOK_OUT_FILE ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
info "$HOOK_OUT_FILE has not changed.\n\t Removing previously created backup"
rm -f ${HOOK_OUT_FILE}.$_date > /dev/null 2>&1
fi
if [[ ! -f "${DH_BASE_DIR}/domains.txt" ]]; then
echononl " Create empty \"domains.txt\" file.."
touch ${DH_BASE_DIR}/domains.txt
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echononl " Create configuration file for Cron Job Script to \"$DH_CONF_DIR\".."
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
echo_skipped
info "${DH_CONF_DIR}/dehydrated_cron.conf already exists.\n\t So we let current configuration untouched."
echononl " Copy example Config file to ${DH_CONF_DIR}/ehydrated_cron.conf.example"
cat << EOF > ${DH_CONF_DIR}/dehydrated_cron.conf.example
## -------------------------------------------
## - Configuration file for dehydrated cronjob
## -------------------------------------------
# - log_level: possible values are "0" for only error
# - messages or "1" for verbose
# -
# - If called from a noninteractive shell (as cron), log_level
# - will be set to "0"
# -
# - Defaults to "0"
# -
log_level=1
# - Where to find dehydrated script
# -
script_dir=$DH_INSTALL_DIR
# - Where to find (common) names (and alternative names) for certificates
# -
domains_txt=${DH_BASE_DIR}/domains.txt
# - Define hostnames from services other than webservices
# - Only one hostname is allowed, but you can define alternative
# - names (until to 99) for the certificate. this cab be done
# - by defining the concerning *_server_alt_names variable as a
# - space seperated list of hostnames
# -
# - example:
# - mail_server="mx.example.com"
# - mail_server_alt_names="mail.example.com smtp.example.com imap.example.com pop.example.com"
# -
mail_server=""
mail_server_alt_names=""
ftp_server=""
ftp_server_alt_names=""
# - Services installed on this mashine
# -
postfix_installed=false
dovecot_installed=false
pureftpd_installed=false
apache_installed=$apache_installed
nginx_installed=$nginx_installed
# - gitlab_installed
# -
# - Set to "true" if webserver nginx is controlled by GitLab (Omnibus Package).
# - Note: in that case, "nginx_installed" must be set to "false"
gitlab_installed=$gitlab_installed
# ---
# --- DANE
# ---
# - Notice:
# - Supporting Dane is a little bit complex, because befor providing
# - the new certificates on a service, a TLSA record must be present. So
# - access to the nameserver within the permissions to generate the TLSA
# - records AND reload the concerning zone is required.
# - Dane supported hostname:port
# -
# - Space seperated list of entries <hostname>:<port>
# -
# - example:
# - dane_records="\${mail_server}:25 \${mail_server}:587 webmail.so36.net:443"
# -
dane_records=""
# - (Primary) Nameserver which supports Dane Records
# -
dane_nameserver=""
# - How to access the namesever via ssh?
# -
# - Note:
# - Take care to provies an entry for nameservers dane_ssh_user in his
# - authorized_keys file.
# -
# - The ssh-key must not have a password! Otherwise this script will
# - not work!
# -
dane_ssh_user="manage-bind"
dane_ssh_port=22
dane_ssh_key=/root/.ssh/id_rsa-dehydrated
# - Scripts used on nameserver.
# -
# - Note:
# - The scripts must be accessable by dane_ssh_user. This
# - ca be realised by adding a concerning entry into sudo file
# -
# - for example:
# - manage-bind ALL=(root)NOPASSWD:/usr/local/bin/bind_*
# -
set_new_serial_script=bind_set_new_serial.sh
renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh
# Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# -
ttl_311=3600
ttl_301=3600
ttl_201=3600
ttl_202=3600
ttl_211=3600
# - Logfile where the certificate generation process, called from dehydrated
# - script, will write down the results. This logfile will be evaluated
# - afterwords to do some post generation tasks (in case of success) or inform
# - about errors.
# -
# - Logging in that file and evaluatiog the results will happen in any case,
# - even if variable LOGGING is set to true
# -
_logfile="/tmp/dehydrated-\$(date +%Y-%m-%d-%H%M).log"
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
cat << EOF > ${DH_CONF_DIR}/dehydrated_cron.conf
## -------------------------------------------
## - Configuration file for dehydrated cronjob
## -------------------------------------------
# - log_level: possible values are "0" for only error
# - messages or "1" for verbose
# -
# - If called from a noninteractive shell (as cron), log_level
# - will be set to "0"
# -
# - Defaults to "0"
# -
log_level=1
# - Where to find dehydrated script
# -
script_dir=$DH_INSTALL_DIR
# - Where to find (common) names (and alternative names) for certificates
# -
domains_txt=${DH_BASE_DIR}/domains.txt
# - Define hostnames from services other than webservices
# - Only one hostname is allowed, but you can define alternative
# - names (until to 99) for the certificate. this cab be done
# - by defining the concerning *_server_alt_names variable as a
# - space seperated list of hostnames
# -
# - example:
# - mail_server="mx.example.com"
# - mail_server_alt_names="mail.example.com smtp.example.com imap.example.com pop.example.com"
# -
mail_server=""
mail_server_alt_names=""
ftp_server=""
ftp_server_alt_names=""
# - Services installed on this mashine
# -
postfix_installed=false
dovecot_installed=false
pureftpd_installed=false
apache_installed=$apache_installed
nginx_installed=$nginx_installed
# ---
# --- DANE
# ---
# - Notice:
# - Supporting Dane is a little bit complex, because befor providing
# - the new certificates on a service, a TLSA record must be present. So
# - access to the nameserver within the permissions to generate the TLSA
# - records AND reload the concerning zone is required.
# - Dane supported hostname:port
# -
# - Space seperated list of entries <hostname>:<port>
# -
# - example:
# - dane_hosts_port="\${mail_server}:25 \${mail_server}:587 webmail.so36.net:443"
# -
dane_records=""
# - (Primary) Nameserver which supports Dane Records
# -
dane_nameserver=""
# - How to access the namesever via ssh?
# -
# - Note:
# - Take care to provies an entry for nameservers dane_ssh_user in his
# - authorized_keys file.
# -
# - The ssh-key must not have a password! Otherwise this script will
# - not work!
# -
dane_ssh_user="manage-bind"
dane_ssh_port=22
dane_ssh_key=/root/.ssh/id_rsa-dehydrated
# - Scripts used on nameserver.
# -
# - Note:
# - The scripts must be accessable by dane_ssh_user. This
# - ca be realised by adding a concerning entry into sudo file
# -
# - for example:
# - manage-bind ALL=(root)NOPASSWD:/usr/local/bin/bind_*
# -
set_new_serial_script=bind_set_new_serial.sh
renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh
# Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# -
ttl_311=3600
ttl_301=3600
ttl_201=3600
ttl_202=3600
ttl_211=3600
# - Logfile where the certificate generation process, called from dehydrated
# - script, will write down the results. This logfile will be evaluated
# - afterwords to do some post generation tasks (in case of success) or inform
# - about errors.
# -
# - Logging in that file and evaluatiog the results will happen in any case,
# - even if variable LOGGING is set to true
# -
_logfile="/tmp/dehydrated-\`date +%Y-%m-%d-%H%M\`.log"
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echononl " Create directory \"${DH_BASE_DIR}/cron\".."
if [[ ! -d "${DH_BASE_DIR}/cron" ]] ; then
mkdir $DH_BASE_DIR/cron > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
if [[ -f "$DH_CRON_SCRIPT" ]]; then
echononl " Backup cron script \"$DH_CRON_SCRIPT\".."
cp -a $DH_CRON_SCRIPT ${DH_CRON_SCRIPT}.$_date
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
echononl " Install Cron Script \"$DH_CRON_SCRIPT\".."
cat << EOF > $DH_CRON_SCRIPT
#!/usr/bin/env bash
## ------------------------------------------------------------------------------
## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf
## ------------------------------------------------------------------------------
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
source ${DH_CONF_DIR}/dehydrated_cron.conf
else
echo
echo -e " [ Error ]: No Configuration File found. Exiting now!"
echo
exit 1
fi
## --- some functions
## ---
echononl(){
echo X\\\\c > /tmp/shprompt\$\$
if [ \`wc -c /tmp/shprompt\$\$ | awk '{print \$1}'\` -eq 1 ]; then
echo -e -n "\$*\\\\c" 1>&2
else
echo -e -n "\$*" 1>&2
fi
rm /tmp/shprompt\$\$
}
fatal(){
echo ""
echo -e "fataler Fehler: \$*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*"
echo ""
}
echo_done() {
echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done
return 1
}
## ---
## --- END: functions
# - Set log_level
# -
# - Test whether stdout (file descriptor 1) is a terminal or not (e.g. cron
# - or if you pipe the output to some other program)
#
if [[ -t 1 ]] ; then
case "\$log_level" in
1)
verbose=true
;;
*)
verbose=false
;;
esac
else
verbose=false
fi
# -------------
# - Read Commanline Arguments
# -------------
# If option '-q' is present, be silent, even if running in a terminal
#
while getopts q opt ; do
case \$opt in
q) verbose=false ;;
esac
done
# -Is systemd supported on this system?
# -
systemd_supported=false
systemd=\$(which systemd)
systemctl=\$(which systemctl)
if [[ -n "\$systemd" ]] && [[ -n "\$systemctl" ]] ; then
systemd_supported=true
fi
# ---
# --- Some checks
# ---
if [[ ! -d "\$script_dir" ]] ; then
if \$verbose ; then
error "Dehydrated script directors \\"\$script_dir\\" not found!"
else
echo -e "\\n [ Error ]: Dehydrated script directors \\"\$script_dir\\" not found! \\n"
fi
exit 99
fi
dehydrated_script=\${script_dir}/dehydrated
if [[ ! -f "\$dehydrated_script" ]] ; then
if \$verbose ; then
error "Dehydrated script \"\$dehydrated_script\" not found!"
else
echo -e "\\n [ Error ]: Dehydrated script \"\$dehydrated_script\" not found! \\n"
fi
exit 99
fi
if [[ ! -x "\$dehydrated_script" ]] ; then
if \$verbose ; then
error "Dehydrated script \"\$dehydrated_script\" is not executable!"
else
echo -e "\\n [ Error ]: Dehydrated script \"\$dehydrated_script\" is not executable! \\n"
fi
exit 99
fi
if [[ ! -f "\$domains_txt" ]] ; then
if [[ ! -d \`dirname \$domains_txt\` ]] ; then
if \$verbose ; then
error "File (domains.txt) with domain names not found!"
else
echo -e "\\n [ Error ]: File (domains.txt) with domain names not found! \\n"
fi
exit 99
fi
fi
if [[ -n "\$dane_records" ]] ; then
if [[ -z \$set_new_serial_script ]];then
if \$verbose ; then
error "Script to set new serial not given! (var: set_new_serial_script)"
else
echo -e "\\n [ Error ]: Script to set new serial not given! (var: set_new_serial_script) \\n"
fi
exit 99
fi
if [[ -z \$renew_tlsa_record ]];then
if \$verbose ; then
error "Script to set/renew TLSA record not given! (var: renew_tlsa_record)"
else
echo -e "\\n [ Error ]: Script to set/renew TLSA record not given! (var: renew_tlsa_record) \\n"
fi
exit 99
fi
ssh -q -p \$dane_ssh_port \\
-o BatchMode=yes \\
-o StrictHostKeyChecking=no \\
-i \$dane_ssh_key \\
\$dane_ssh_user@\$dane_nameserver "ls" > /dev/null 2>&1
if [[ \$? -gt 0 ]] ;then
if \$verbose ; then
error "Nameserver \"\$dane_nameserver\" is not reachable vis ssh!"
else
echo -e "\\n [ Error ]: Nameserver \"\$dane_nameserver\" is not reachable vis ssh! \\n"
fi
exit 99
fi
ssh -q -p \$dane_ssh_port \\
-o BatchMode=yes \\
-o StrictHostKeyChecking=no \\
-i \$dane_ssh_key \\
\$dane_ssh_user@\$dane_nameserver "sudo \$set_new_serial_script check > /dev/null 2>&1"
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Failed to acces script \"\$set_new_serial_script\" on host \"\$dane_nameserver\"!"
else
echo -e "\\n Failed to acces script \"\$set_new_serial_script\" on host \"\$dane_nameserver\"! \\n"
fi
exit 99
fi
ssh -q -p \$dane_ssh_port \\
-o BatchMode=yes \\
-o StrictHostKeyChecking=no \\
-i \$dane_ssh_key \\
\$dane_ssh_user@\$dane_nameserver "sudo \$renew_tlsa_record check > /dev/null 2>&1"
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Failed to acces script \"\$renew_tlsa_record\" on host \"\$dane_nameserver\"!"
else
echo -e "\\n Failed to acces script \"\$renew_tlsa_record\" on host \"\$dane_nameserver\"! \\n"
fi
exit 99
fi
fi
\$verbose && echo ""
# ---
# --- Prepare dehydrated
# ---
# - Read dehydrated configuration variables.."
# -
\$verbose && echononl " Read dehydrated configuration variables .."
eval "\$(/usr/local/dehydrated/dehydrated --env)"
ret_val=\$?
if [[ \$ret_val -eq 0 ]]; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Reading dehydrated configuration variables failed!"
else
echo -e "\\n [ Error ]: Reading dehydrated configuration variables failed! \\n"
fi
echo ""
echo "Error message from dehydrated script:"
echo "====================================="
echo ""
cat \$_logfile
echo ""
exit 10
fi
# - Add maill server name and, if present, concerning alternative names
# - to domains.txt
# -
if [[ -n "\$mail_server" ]]; then
\$verbose && echononl " Add mail server name (with alternative names) to domains.txt"
if grep -e "^\s*\$mail_server" \$domains_txt > /dev/null 2>&1 ; then
if \$verbose ; then
echo_skipped
fi
else
echo "\$mail_server \$mail_server_alt_names" >> \$domains_txt
if [[ \$? -eq 0 ]]; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Adding mailserver name to \"domains.txt\" failed!"
else
echo -e "\\n [ Error ]: Adding mailserver name to \"domains.txt\" failed! \\n"
fi
fi
fi
fi
# - Add ftp server name and, if present, concerning alternative names
# - to domains.txt
# -
if [[ -n "\$ftp_server" ]]; then
\$verbose && echononl " Add ftpserver name (with alternative names) to domains.txt"
if grep -e "^\s*\$ftp_server" \$domains_txt > /dev/null 2>&1 ; then
if \$verbose ; then
echo_skipped
fi
else
echo "\$ftp_server \$ftp_server_alt_names" >> \$domains_txt
if [[ \$? -eq 0 ]]; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Adding ftpserver name to \"domains.txt\" failed!"
else
echo -e "\\n [ Error ]: Adding ftpserver name to \"domains.txt\" failed! \\n"
fi
fi
fi
fi
# ---
# --- Certificate Generation
# ---
# - Invoke the dehydrated script to generate th let's encrypt certificates if
# - needed.
# -
\$verbose && echononl " Register account and agree to their terms of service .."
\$dehydrated_script --config ${DH_CONF_DIR}/config --register --accept-terms > \$_logfile 2>&1
ret_val=\$?
if [[ \$ret_val -eq 0 ]]; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Dehydrated Script to register account returns with error (\$ret_val)!"
else
echo -e "\\n [ Error ]: Dehydrated Script to register account returns with error (\$ret_val)! \\n"
fi
echo ""
echo "Error message from dehydrated script:"
echo "====================================="
echo ""
cat \$_logfile
echo ""
exit 10
fi
\$verbose && echononl " Invoking the main dehydrated script for certificate generation.."
\$dehydrated_script --config ${DH_CONF_DIR}/config -c -g > \$_logfile 2>&1
ret_val=\$?
if [[ \$ret_val -eq 0 ]]; then
_successfully_finished_script=true
\$verbose && echo_ok
else
_successfully_finished_script=false
\$verbose && echo_failed
if \$verbose ; then
error "Dehydrated Script returns with error (\$ret_val)!"
else
echo -e "\\n [ Error ]: Dehydrated Script returns with error (\$ret_val)! \\n"
fi
echo ""
fi
#_logfile_ECC="/tmp/dehydrated-ECC.log"
#\$verbose && echononl " Generate ECC flavor of cert .."
#\$dehydrated_script -c -g --algo prime256v1 --out \${CERTDIR}/ECC > \$_logfile_ECC 2>&1
#ret_val=\$?
#if [[ \$ret_val -eq 0 ]]; then
# \$verbose && echo_ok
#else
# \$verbose && echo_failed
# if \$verbose ; then
# error "Dehydrated Script returns with error (\$ret_val)!"
# else
# echo -e "\\n [ Error ]: Dehydrated Script returns with error (\$ret_val)! \\n"
# fi
# echo ""
# echo "Error message from dehydrated script:"
# echo "====================================="
# echo ""
# cat \$_logfile_ECC
# echo ""
# exit 10
#fi
# ---
# --- Postgeneration Tasks
# ---
# - Set defaults
restart_postfix=false
restart_dovecot=false
restart_pureftpd=false
restart_apache=false
restart_nginx=false
restart_gitlab=false
declare -a zone_to_reload_arr
declare -a _tmp_arr
certs_updated=false
certs_processed=false
_hosts_processed="\$(cat \$_logfile | grep "$STR_PROCESSED" 2> /dev/null | awk '{print\$3}')"
_successfully_created_hosts="\$(cat \$_logfile | grep "$STR_SUCCESS" 2> /dev/null | awk '{print\$3}')"
_invalid_challenge="\$(cat \$_logfile | grep "$STR_INVALID_CHALLENGE" 2> /dev/null | awk '{print\$3}')"
_http_request_failed="\$(cat \$_logfile | grep "$STR_HTTP_REQUEST_FAILED" 2> /dev/null | awk '{print\$3}')"
if grep -i -q "$ERR_MSG_TOO_MANY_CERTS" \$_logfile 2> /dev/null ; then
_too_many_certs_err_msg="\$(grep -i "$ERR_MSG_TOO_MANY_CERTS" \$_logfile 2> /dev/null)"
fi
if [[ -n "\$_hosts_processed" ]] ; then
certs_processed=true
fi
# - Evaluate dehydrated's output - see if certificates where created
# -
if [[ -n "\$_successfully_created_hosts" ]] ; then
certs_updated=true
for hostname in \$_successfully_created_hosts ; do
# ---
# - Services to restart after changing/adding the certificate
# ---
if [ -n "\$mail_server" -a "\$hostname" = "\$mail_server" ]; then
\$postfix_installed && restart_postfix=true
\$dovecot_installed && restart_dovecot=true
fi
if [ -n "\$ftp_server" -a "\$hostname" = "\$ftp_server" ]; then
\$pureftpd_installed && restart_pureftpd=true
fi
if \$apache_installed ; then
restart_apache=true
elif \$nginx_installed ; then
restart_nginx=true
elif \$gitlab_installed ; then
restart_gitlab=true
fi
# ---
# - Dane
# ---
# - See if dane is enabled for that certificate
[[ -n "\$dane_records" ]] || continue
if [[ "\$dane_records" =~ "\$hostname" ]]; then
\$verbose && echo ""
\$verbose && info "Going to provide TLSA record for \$hostname"
fi
CUR_IFS=\$IFS
for _entry in \$dane_records ; do
unset _tmp_arr
IFS=':'
_tmp_arr=(\$_entry)
IFS=\$CUR_IFS
if [[ "\$hostname" = "\${_tmp_arr[0]}" ]];then
# - Get Zone (domain) for given host
# -
\$verbose && echononl " Get Zone containing \"\$hostname\\".."
domain=\$(ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$get_domain_by_hostname \$hostname"
)
if [[ -n "\$domain" ]]; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Getting Zone for \"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Getting Zone for \"\$hostname\\" failed! \\n"
fi
continue
fi
# - Generate TLSA 3 1 1 record
# -
\$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_311} ; then
\$verbose && echo_skipped
else
tlsa_record_311=\$(
printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \"TLSA 3 1 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \"TLSA 3 1 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 3 1 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 3 1 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 3 1 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 3 1 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_311}
# - Generate TLSA 3 0 1 record
# -
\$verbose && echononl " Generate \"TLSA 3 0 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_301} ; then
\$verbose && echo_skipped
else
tlsa_record_301=\$(
printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \"TLSA 3 0 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \"TLSA 3 0 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_301 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 3 0 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 3 0 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_301}
# - Generate TLSA 2 1 1 record
# -
\$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_211} ; then
\$verbose && echo_skipped
else
tlsa_record_211=\$(
printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \"TLSA 2 1 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 1 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 1 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_211}
# - Generate TLSA 2 0 1 record
# -
\$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
if ! \${generate_tlsa_201} ; then
\$verbose && echo_skipped
else
tlsa_record_201=\$(
printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \\"TLSA 2 0 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
continue
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_201}
# - Generate TLSA 2 0 2 record
# -
\$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
if ! \${generate_tlsa_202} ; then
\$verbose && echo_skipped
else
tlsa_record_202=\$(
printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
openssl dgst -sha512 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \\"TLSA 2 0 2\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
continue
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_202} ; then
# - To avoid multiple reloading og one and the same zone, we only
# - collect the zones, having to reload, at this time and do the
# - reloading later.
if ! containsElement \$domain \${zone_to_reload_arr[@]} ; then
zone_to_reload_arr+=("\$domain")
fi
fi
done
done
fi
# - Nothing to do if al is up tp date
# -
#if ! \$certs_updated && ! grep -q -i "error:" \$_logfile 2> /dev/null ; then
if ! \$certs_updated && ! \$certs_processed && \$_successfully_finished_script ; then
if \$verbose ; then
info "All Certificates are up to date."
echo ""
fi
rm -f \$_logfile
exit 0
fi
# - Reload zones if needed (updated certificate which supports
# - TLSA Record)
# -
if [[ \${#zone_to_reload_arr[@]} -gt 0 ]] ; then
for _zone in \${zone_to_reload_arr[@]} ; do
# - Increase serial in concerning zone file and reload zone
# -
\$verbose && echononl " Set new serial for zone \\"\$_zone\\" and also reload zone.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$set_new_serial_script \$_zone > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_ok
if \$verbose ; then
info "Serial is replaced and Zone is reloaded (\$_zone)."
else
echo -e "\\n [ Info ]: Serial is replaced and Zone is reloaded (\$_zone).\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid Hostname/Domain given!"
else
echo -e "\\n [ Error ]: Invalid Hostname/Domain given! \\n"
fi
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile found!"
else
echo -e "\\n [ Error ]: No zonefile found! \\n"
fi
;;
12)
\$verbose && echo_failed
if \$verbose ; then
error "Determin new Serial failed!"
else
echo -e "\\n [ Error ]: Determin new Serial failed! \\n"
fi
;;
13)
\$verbose && echo_failed
if \$verbose ; then
error "Increasing serial failed!"
else
echo -e "\\n [ Error ]: Increasing serial failed! \\n"
fi
;;
14)
\$verbose && echo_failed
if \$verbose ; then
error "Reloading Zone failed!"
else
echo -e "\\n [ Error ]: Reloading Zone failed! \\n"
fi
;;
15)
\$verbose && echo_failed
if \$verbose ; then
error "Hostname/Domain not supported!"
else
echo -e "\\n [ Error ]: Hostname/Domain not supported! \\n"
fi
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$set_new_serial_script \$_zone\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$set_new_serial_script \$_zone\"! \\n"
fi
continue
;;
esac
done
fi
# ---
# --- Restart Services
# ---
if \$certs_updated ; then
if \$restart_apache ; then
if [[ -x "$apache_control_script" ]]; then
$apache_control_script graceful > /dev/null 2>&1
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Restarting Apache Webserver failed!"
else
echo -e "\\n [ Error ]: Restarting Apache Webserver failed! \\n"
fi
else
if \$verbose ; then
info "Apache Webserver restarted."
else
echo -e "\\n [ Info ]: Apache Webserver restarted.\\n"
fi
fi
else
if \$verbose ; then
warn "Apache Control Script (apachectl) not found. Take care to restart webservice manually"
else
echo -e "\\n [ Warn ]: Apache Control Script (apachectl) not found. Take care to restart webservice manually"
fi
fi
fi
if \$restart_gitlab ; then
if [[ -x "$gitlab_ctl_script" ]]; then
$gitlab_ctl_script hup > /dev/null 2>&1
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Graceful restart of GitLab Services (sending HUP signal) failed!"
else
echo -e "\\n [ Error ]: Graceful restart of GitLab Services (sending HUP signal) failed! \\n"
fi
else
if \$verbose ; then
info "GitLab Services reloaded."
else
echo -e "\\n [ Info ]: GitLab Services reloaded.\\n"
fi
fi
else
if \$verbose ; then
warn "GitLab Control Script (gitlab-ctl) not found. Take care to restart service manually"
else
echo -e "\\n [ Warn ]: GitLab Control Script (gitlab-ctl) not found. Take care to restart service manually"
fi
fi
fi
if \$restart_postfix ; then
if \$systemd_supported ; then
\$systemctl reload postfix > /dev/null 2>&1
else
/etc/init.d/postfix reload > /dev/null 2>&1
fi
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Reloading Postfix Service failed!"
else
echo -e "\\n [ Error ]: Reloading Postfix Service failed! \\n"
fi
else
if \$verbose ; then
info "Postfix service successfully reloaded."
else
echo -e "\\n [ Info ]: Postfix service successfully reloaded.\\n"
fi
fi
fi
if \$restart_dovecot ; then
if \$systemd_supported ; then
\$systemctl restart dovecot > /dev/null 2>&1
else
/etc/init.d/dovecot restart > /dev/null 2>&1
fi
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Reloading Dovecot Service failed!"
else
echo -e "\\n [ Error ]: Reloading Dovecot Service failed! \\n"
fi
else
if \$verbose ; then
info "Dovecot service successfully reloaded."
else
echo -e "\\n [ Info ]: Dovecot service successfully reloaded.\\n"
fi
fi
fi
if \$restart_pureftpd ; then
if \$systemd_supported ; then
\$systemctl restart pure-ftpd > /dev/null 2>&1
else
/etc/init.d/pure-ftpd restart > /dev/null 2>&1
fi
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Restarting PureFTP Server failed!"
else
echo -e "\\n [ Error ]: Restarting PureFTP Server failed! \\n"
fi
else
if \$verbose ; then
info "PureFTP Server restarted."
else
echo -e "\\n [ Info ]: PureFTP Server restarted.\\n"
fi
fi
fi
if \$restart_nginx ; then
if \$systemd_supported ; then
\$systemctl restart nginx > /dev/null 2>&1
else
/etc/init.d/nginx restart > /dev/null 2>&1
fi
if [[ \$? -gt 0 ]]; then
if \$verbose ; then
error "Restarting Nginx Webserver failed!"
else
echo -e "\\n [ Error ]: Restarting Nginx Webserver failed! \\n"
fi
else
if \$verbose ; then
info "Nginx Webserver restarted."
else
echo -e "\\n [ Info ]: Nginx Webserver restarted.\\n"
fi
fi
fi
fi
if [[ -n "\$_invalid_challenge" ]] ; then
echo ""
echo ""
echo "Certificates NOT been created - invalid challenge:"
echo "=================================================="
echo ""
for _hostname in \$_invalid_challenge ; do
echo " \$_hostname"
done
echo ""
fi
if [[ -n "\$_http_request_failed" ]] ; then
echo ""
echo ""
echo "Certificates NOT been created - http request failed:"
echo "===================================================="
echo ""
for _hostname in \$_http_request_failed ; do
echo " \$_hostname"
done
echo ""
fi
if [[ -n "\$_successfully_created_hosts" ]] ; then
echo ""
echo ""
echo "Certificates successfully created:"
echo "=================================="
echo ""
for _hostname in \$_successfully_created_hosts ; do
echo " https://\$_hostname"
done
echo ""
fi
if [[ -n "\$_too_many_certs_err_msg" ]] ; then
echo ""
echo ""
echo "Creating NEW Certificates failed - too many certificates already issued"
echo "========================================================================"
echo ""
echo -e "\$_too_many_certs_err_msg"
echo ""
fi
if ! \$_successfully_finished_script || grep -i "error:" \$_logfile > /dev/null 2>&1 || grep -i "$ERR_MSG_TOO_MANY_CERTS" \$_logfile > /dev/null 2>&1 ; then
cp -a \$_logfile /var/log/ > /dev/null 2>&1
if \$verbose ; then
error "Creating (some) Certificates failed!\\n\\t See also /var/log/\$(basename \$_logfile)"
else
echo -e "\\n[ Error ]: Creating (some) Certificates failed!"
echo -e " See also /var/log/\$(basename \$_logfile) \\n"
echo ""
echo "Output message from dehydrated script:"
echo "======================================"
echo ""
cat \$_logfile
echo ""
fi
fi
rm -f \$_logfile
\$verbose && echo ""
exit 0
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Make Cron Script \"$DH_CRON_SCRIPT executable.."
chmod 700 $DH_CRON_SCRIPT
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
if [[ -f "${DH_CRON_SCRIPT}.$_date" ]] ; then
diff $DH_CRON_SCRIPT ${DH_CRON_SCRIPT}.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
info "Cronjob has not changed.\n\t Removing previously created backup.."
rm -f ${DH_CRON_SCRIPT}.$_date
fi
fi
if [[ "$DH_CRON_TYPE" = "user" ]]; then
# Cronjob for dehydrated main script (ordering certificates)
#
echononl " Activate dehydrated cronjob for $(basename "$DH_CRON_SCRIPT") for root user .."
_success=true
_cur_cron=`mktemp`
[[ $? -ne 0 ]] && _success=false
crontab -u root -l > $_cur_cron
[[ $? -ne 0 ]] && _success=false
if ! $success ; then
echo_failed
else
if grep `basename $DH_CRON_SCRIPT` $_cur_cron > /dev/null 2>&1 ; then
echo_skipped
info "Cronjob for $(basename "$DH_CRON_SCRIPT") already activated."
else
_success=true
cat <<EOF >> $_cur_cron
# - Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)
# -
23 05 * * * $DH_CRON_SCRIPT
EOF
[[ $? -ne 0 ]] && _success=false
crontab -u root $_cur_cron
[[ $? -ne 0 ]] && _success=false
if $success ; then
echo_ok
else
echo_failed
fi
fi # if grep `basename $DH_CRON_SCRIPT`
fi # if ! $success ; then
rm -f $_cur_cron
# - Check, whether a system based dehydrated cron exists in /etc/cron.d
# -
if grep -l `basename $DH_CRON_SCRIPT` /etc/cron.d/* > /dev/null 2>&1 ; then
warn "A system based dehydrated cronjob already exists in /etc/cron.d/\n\t Deleteing this one now.."
_success=true
echononl " Delete dehydrated cronjob in /etc/cron.d/.."
for _file in $(grep -l `basename $DH_CRON_SCRIPT` /etc/cron.d/*) ; do
rm -f $_file > /dev/null 2>&1
[[ $? -ne 0 ]] && _success=false
done
if $success ; then
echo_ok
else
echo_failed
fi
fi # if grep `basename $DH_CRON_SCRIPT` /etc/cron.d/*
# Cronjob for dehydrated update vhosts script (change ssl directives)
#
echononl " Activate dehydrated cronjob for $(basename "$DH_UPDATE_SSL_DIRECTIVES_SCRIPT") for root user .."
_success=true
_cur_cron=`mktemp`
[[ $? -ne 0 ]] && _success=false
crontab -u root -l > $_cur_cron
[[ $? -ne 0 ]] && _success=false
if ! $success ; then
echo_failed
else
if grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` $_cur_cron > /dev/null 2>&1 ; then
echo_skipped
info "Cronjob for $(basename "$DH_UPDATE_SSL_DIRECTIVES_SCRIPT") already activated."
else
_success=true
cat <<EOF >> $_cur_cron
# - Check whether all certificates are included in the VHOST configurations
# -
33 05 * * * $DH_UPDATE_SSL_DIRECTIVES_SCRIPT
EOF
[[ $? -ne 0 ]] && _success=false
crontab -u root $_cur_cron
[[ $? -ne 0 ]] && _success=false
if $success ; then
echo_ok
else
echo_failed
fi
fi # if grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT`
fi # if ! $success ; then
rm -f $_cur_cron
# - Check, whether a system based update vhosts script exists in /etc/cron.d
# -
if grep -l `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/* > /dev/null 2>&1 ; then
warn "A system based update vhost cronjob already exists in /etc/cron.d/\n\t Deleteing this one now.."
_success=true
echononl " Delete update vhost cronjob in /etc/cron.d/.."
for _file in $(grep -l `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/*) ; do
rm -f $_file > /dev/null 2>&1
[[ $? -ne 0 ]] && _success=false
done
if $success ; then
echo_ok
else
echo_failed
fi
fi # if grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT` /etc/cron.d/*
# - Remove crontjob's for old (and noe renamed) script $DH_CHANGE_SSL_DIRECTIVES_SCRIPT
# -
if crontab -l | grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT` > /dev/null 2>&1 ; then
warn "Dehydrated's update vhost cronjob is also activated for root user.\n\t Deleting now.."
echononl " Delete dehydrated's update vhost cronjob for user root.."
_success=true
_cur_cron=`mktemp`
[[ $? -ne 0 ]] && _success=false
crontab -u root -l > $_cur_cron
[[ $? -ne 0 ]] && _success=false
sed -i "/`basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT`/d" $_cur_cron > /dev/null 2>&1
[[ $? -ne 0 ]] && _success=false
crontab -u root $_cur_cron
[[ $? -ne 0 ]] && _success=false
if $success ; then
echo_ok
else
echo_failed
fi
fi # if crontab -l | grep `basename $DH_CHANGE_SSL_DIRECTIVES_SCRIPT`
elif [[ "$DH_CRON_TYPE" = "system" ]]; then
echononl " Activate dehydrated cronjob in /etc/cron.d/"
if grep -q $(basename "${DH_CRON_SCRIPT}") /etc/cron.d/* 2> /dev/null \
&& grep -q $(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}") /etc/cron.d/* 2> /dev/null ; then
echo_skipped
info "Cronjobs already activated."
else
cat <<EOF > /etc/cron.d/dehydrated
# - Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)
# -
21 05 * * * root $DH_CRON_SCRIPT
# - Check whether all certificates are included in the VHOST configurations
# -
31 05 * * * root $DH_UPDATE_SSL_DIRECTIVES_SCRIPT
EOF
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_skipped
fi
fi # if grep `basename $DH_CRON_SCRIPT`
# - Check, whether a dehydrated cron job exists for user root
# -
if crontab -l | grep `basename $DH_CRON_SCRIPT` > /dev/null 2>&1 ; then
warn "Dehydrated cronjob is also activated for root user.\n\t Deleting now.."
echononl " Delete dehydrated cronjob for user root.."
_success=true
_cur_cron=`mktemp`
[[ $? -ne 0 ]] && _success=false
crontab -u root -l > $_cur_cron
[[ $? -ne 0 ]] && _success=false
sed -i "/`basename $DH_CRON_SCRIPT`/d" $_cur_cron > /dev/null 2>&1
[[ $? -ne 0 ]] && _success=false
crontab -u root $_cur_cron
[[ $? -ne 0 ]] && _success=false
if $success ; then
echo_ok
else
echo_failed
fi
fi # if crontab -l | grep `basename $DH_CRON_SCRIPT`
# - Check, whether a dehydrated's update vhost cron job exists for user root
# -
if crontab -l | grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT` > /dev/null 2>&1 ; then
warn "Dehydrated's update vhost cronjob is also activated for root user.\n\t Deleting now.."
echononl " Delete dehydrated's update vhost cronjob for user root.."
_success=true
_cur_cron=`mktemp`
[[ $? -ne 0 ]] && _success=false
crontab -u root -l > $_cur_cron
[[ $? -ne 0 ]] && _success=false
sed -i "/`basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT`/d" $_cur_cron > /dev/null 2>&1
[[ $? -ne 0 ]] && _success=false
crontab -u root $_cur_cron
[[ $? -ne 0 ]] && _success=false
if $success ; then
echo_ok
else
echo_failed
fi
fi # if crontab -l | grep `basename $DH_UPDATE_SSL_DIRECTIVES_SCRIPT`
fi
echononl " Create directory ${DH_BASE_DIR}/tools (if not exists)."
if [[ ! -d "${DH_BASE_DIR}/tools" ]] ; then
mkdir ${DH_BASE_DIR}/tools > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Sript create_domains_file.sh
#
if [[ -f "${DH_BASE_DIR}/tools/create_domains_file.sh" ]]; then
# - Backup existing script create_domains_file.sh
# -
echononl " Backup ${DH_BASE_DIR}/tools/create_domains_file.sh.."
cp -a ${DH_BASE_DIR}/tools/create_domains_file.sh ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
echononl " Install script \"create_domains_file.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > ${DH_BASE_DIR}/tools/create_domains_file.sh
#!/usr/bin/env bash
# - Creates "domains.txt" die for dehydrated script (let's encrypt)
# -
_DH_BASE_DIR=$DH_BASE_DIR
_APACHE_VHOST_DIR=$APACHE_VHOST_DIR
_NGINX_VHOST_DIR=$NGINX_VHOST_DIR
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\\\c > /tmp/shprompt\$\$
if [ \`wc -c /tmp/shprompt\$\$ | awk '{print \$1}'\` -eq 1 ]; then
echo -e -n "\$*\\\\c" 1>&2
else
echo -e -n "\$*" 1>&2
fi
rm /tmp/shprompt\$\$
}
fatal(){
echo ""
echo -e "fataler Fehler: \$*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*"
echo ""
}
echo_done() {
echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done
return 1
}
clear
echo ""
echo -e "\033[21G\033[32mGets ServerName and ServerAlias(es) from Apache VHost Configuration\033[m"
echo -e "\033[21G\033[32mand adde them to dehydrated's \"domains.txt\" file\033[m"
echo ""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH Base directory"
echo ""
echo ""
DH_BASE_DIR=
while [[ "X\$DH_BASE_DIR" = "X" ]]; do
echononl "DH Configuration Directory [\$_DH_BASE_DIR]: "
read DH_BASE_DIR
if [[ "X\$DH_BASE_DIR" = "X" ]]; then
DH_BASE_DIR=\$_DH_BASE_DIR
fi
done
SCRIPT_INSTALL_DIR=\${DH_BASE_DIR}/tools
DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt
if [[ ! -d "\$_APACHE_VHOST_DIR" ]]; then
if [[ -d "/etc/apache2/sites-available" ]]; then
_VHOST_DIR=/etc/apache2/conf-available
elif [[ -d "/usr/local/apache2/conf/vhosts" ]]; then
if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then
_VHOST_DIR=/usr/local/apache2/conf/vhosts/0
else
_VHOST_DIR=/usr/local/apache2/conf/vhosts
fi
fi
else
_VHOST_DIR=\$_APACHE_VHOST_DIR
fi
if [[ ! -d "\$_NGINX_VHOST_DIR" ]]; then
if [[ -d "/etc/nginx/sites-available" ]]; then
_VHOST_DIR=\$_NGINX_VHOST_DIR
fi
else
_VHOST_DIR=\$_NGINX_VHOST_DIR
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert VHost Directory"
echo ""
echo ""
VHOST_DIR=
while [[ "X\$VHOST_DIR" = "X" ]]; do
echononl "VHost Directory [\$_VHOST_DIR]: "
read VHOST_DIR
if [ "X\$VHOST_DIR" = "Xnone" -o "X\$VHOST_DIR" = "XNone" ]; then
warn "Webserver Configuration will be ommited"
VHOST_DIR=
break
elif [[ "X\$VHOST_DIR" = "X" ]]; then
VHOST_DIR=\$_VHOST_DIR
fi
done
if [[ ! -d "\$VHOST_DIR" ]]; then
fatal "No Webserver VHost Configuration directory found!"
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Sites without creating a certificate for"
echo ""
echo "Insert only siteames configured as \"ServerName\" (NOT ServerAlias) in VHost configuration"
echo ""
echo "Insert a blank seperated list of names or leave empty for none."
echo ""
SITES_WITHOUT_CERTS=
echononl "Sites without certificate: "
read SITES_WITHOUT_CERTS
echo ""
echo ""
echo -e "#\033[32m --------------------\033[m"
echo -e "#\033[32m --- Starts Script the following Parameters \033[m"
echo -e "#\033[32m --------------------\033[m"
echo ""
echo "DH Base Directory.............: \$DH_BASE_DIR"
echo "DH domains.txt file...........: \$DOMAINS_TXT_FILE"
echo ""
echo "Script Installation Directory.: \${DH_BASE_DIR}/tools"
echo ""
echo "Vhosts Directory..............: \$VHOST_DIR"
echo ""
echo "Sites without Certificate.....: \$SITES_WITHOUT_CERTS"
echo ""
echononl "Start with that configuration? [yes/no]: "
read OK
while [ "X\$OK" != "Xyes" -a "X\$OK" != "XYes" -a "X\$OK" != "XNo" -a "X\$OK" != "Xno" ]
do
echononl "wrong entry! [yes/no] :"
read OK
done
[ \$OK = "Yes" -o \$OK = "yes" ] || fatal "Change parameters and restart script: \`basename \$0\`"
declare -a SITE_WITHOUT_CERTS_arr
for _site in \$SITES_WITHOUT_CERTS ; do
SITE_WITHOUT_CERTS_arr+=("\${_site}")
done
_date=\`date +%Y-%m-%d-%H%M\`
echo ""
echononl " Save existing file \`basename \$DOMAINS_TXT_FILE\`"
if [[ -f "\$DOMAINS_TXT_FILE" ]]; then
cp -a \$DOMAINS_TXT_FILE \$DOMAINS_TXT_FILE.\`date +%Y-%m-%d-%H%M\`
if [[ \$? = 0 ]]; then
echo_ok
else
echo_failed
fi
fi
echo ""
declare -a vhost_file_arr
echononl " Create Array of VHost configuration files.."
while IFS='' read -r -d '' filename ; do
if [[ \`basename \$filename\` =~ ^00 ]] ; then
continue
elif ! grep SSLCertificate \$filename > /dev/null 2>&1 && ! grep ssl_certificate \$filename > /dev/null 2>&1; then
continue
elif containsElement \`basename \${filename%.*}\` \${SITE_WITHOUT_CERTS_arr[@]} ; then
continue
else
vhost_file_arr+=("\`realpath \$filename\`")
fi
done < <(find \$VHOST_DIR -mindepth 1 -maxdepth 1 -name "*.conf" -print0)
if [[ \$? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
declare -i number_errors=0
for file in \${vhost_file_arr[@]} ; do
#echo \$file
_server_name=""
_server_name_failed=false
# - Create empty array
_server_aliases_arr=()
_server_alias=""
number_errors=0
more_aliases=false
echo ""
echononl " Get ServerName/ServerAlias from file \"\`basename \$file\`\""
while read line ; do
# - Get ServerName Apache
if echo \$line | grep -e "^\s*ServerName" > /dev/null ; then
_server_name_tmp=\`echo \$line | awk '{print\$2}'\`
if [ -z "\$_server_name" ]; then
_server_name=\$_server_name_tmp
elif [ "\$_server_name" != "\$_server_name_tmp" ]; then
if [ \$number_errors -eq 0 ]; then
echo "[ Error ]: Misconfigured ServerName in file \"\$file\""
fi
#error "Misconfigured ServerName"
_server_name_failed=true
let number_errors++
fi
continue
fi
# - Get Server Names (also Aliases) Nginx
if echo \$line | grep -e "^\s*server_name" > /dev/null ; then
_server_name_tmp=\`echo \$line | sed -e "s/server_name//" | sed "s/;//" | sed "s/^\s*//" | sed "s/\s*$//"\`
if [[ -z "\$_server_name_tmp" ]] ; then
if [ \$number_errors -eq 0 ]; then
echo "[ Error ]: Misconfigured ServerName in file \"\$file\""
fi
_server_name_failed=true
let number_errors++
continue
fi
_server_name=\`echo \$_server_name_tmp | awk '{print\$1}'\`
_server_alias_tmp=\${_server_name_tmp#\$_server_name}
for _alias in \$_server_alias_tmp ; do
containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
_server_aliases_arr+=("\$_alias")
done
if ! echo \$line | grep ";" > /dev/null 2>&1 ; then
more_aliases=true
continue
else
more_aliases=false
fi
fi
if \$more_aliases ; then
_server_aliases_tmp=\`echo \$line | sed "s/;//" | sed "s/^\s*//" | sed "s/\s*$//"\`
for _alias in \$_server_aliases_tmp ; do
containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
_server_aliases_arr+=("\$_alias")
done
if echo \$line | grep ";" > /dev/null 2>&1 ; then
more_aliases=false
else
continue
fi
fi
containsElement \$_server_name \${SITE_WITHOUT_CERTS_arr[@]} && continue
# - Get ServerAlias
if echo \$line | grep -e "^\s*ServerAlias" > /dev/null ; then
_server_alias_tmp=\`echo \$line | awk '{print\$2}'\`
if [ \${#_server_aliases_arr[@]} -eq 0 ] ; then
for _alias in \$_server_alias_tmp ; do
_server_aliases_arr+=("\$_alias")
done
else
for _alias in \$_server_alias_tmp ; do
containsElement "\$_alias" "\${_server_aliases_arr[@]}" && continue
_server_aliases_arr+=("\$_alias")
done
fi
continue
fi
done < \$file
if [[ \$number_errors -eq 0 ]]; then
echo_ok
else
echo_done
fi
add_to_domains=false
echononl " Add Servernames to \"\$DOMAINS_TXT_FILE\".."
if ! grep -e "^\$_server_name" \$DOMAINS_TXT_FILE > /dev/null 2>&1 ; then
add_to_domains=true
else
for _alias in \${_server_aliases_arr[@]} ; do
if ! grep -e "^\$_server_name.*\$_alias" \$DOMAINS_TXT_FILE > /dev/null 2>&1 ; then
sed -i "/^\$_server_name/d" \$DOMAINS_TXT_FILE
add_to_domains=true
fi
done
fi
if \$add_to_domains ; then
echo "\$_server_name \${_server_aliases_arr[@]}" >> \$DOMAINS_TXT_FILE
if [[ \$? -eq 0 ]] ; then
echo_ok
else
echo_done
fi
else
echo_skipped
fi
done
if [[ -f "\${DOMAINS_TXT_FILE}.\$_date" ]]; then
diff \$DOMAINS_TXT_FILE \${DOMAINS_TXT_FILE}.\$_date > /dev/null 2>&1
if [[ \$? -eq 0 ]] ; then
info "\$DOMAINS_TXT_FILE was already up to date.\n\t Deleting previously created backup.."
rm -f \${DOMAINS_TXT_FILE}.\$_date
else
echo ""
echononl "Sort \$DOMAINS_TXT_FILE.."
_success=true
_tmpfile=\`mktemp\`
if [[ \$? -eq 0 ]]; then
cat \$DOMAINS_TXT_FILE | sort -u > \$_tmpfile
[[ \$? -ne 0 ]] && _success=false
cp -a \$_tmpfile \$DOMAINS_TXT_FILE
[[ \$? -ne 0 ]] && _success=false
if \$_success ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
warn "\$DOMAINS_TXT_FILE left unsorted.."
fi
fi
fi
echo
exit 0
EOF
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
echononl " Make \"${DH_BASE_DIR}/tools/create_domains_file.sh\" executable.."
chmod 755 ${DH_BASE_DIR}/tools/create_domains_file.sh
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
if [[ -f "${DH_BASE_DIR}/tools/create_domains_file.sh.$_date" ]]; then
diff ${DH_BASE_DIR}/tools/create_domains_file.sh ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
info "Script create_domains_file.sh has not change.\n\t Removing previously created backup.."
echononl " Remove ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date.."
rm -f ${DH_BASE_DIR}/tools/create_domains_file.sh.$_date
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
fi
# - Backup outdated sript change_ssl_directives.sh
#
echononl " Backup outdated script '$(basename "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}")'.."
if [[ -f "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}" ]]; then
mv "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}" "${DH_CHANGE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Backup Sript update_ssl_directives.sh
#
if [[ -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" ]]; then
# - Backup existing script change_ssl_directives.sh
# -
echononl " Backup ${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.."
cp -a "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
echononl " Install script \"$(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}")\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > ${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}
#!/usr/bin/env bash
# - Changes "SSLCertificate.."-lines in vhost configuration
_DH_BASE_DIR=$DH_BASE_DIR
_APACHE_VHOST_DIR=$APACHE_VHOST_DIR
_NGINX_VHOST_DIR=$NGINX_VHOST_DIR
if [[ -n "\$_APACHE_VHOST_DIR" ]] ; then
if [[ ! -d "\$_APACHE_VHOST_DIR" ]]; then
if [[ -d "/etc/apache2/sites-available" ]]; then
_VHOST_DIR=/etc/apache2/conf-available
elif [[ -d "/usr/local/apache2/conf/vhosts" ]]; then
if [[ -d "/usr/local/apache2/conf/vhosts/0" ]]; then
_VHOST_DIR=/usr/local/apache2/conf/vhosts/0
else
_VHOST_DIR=/usr/local/apache2/conf/vhosts
fi
fi
else
_VHOST_DIR=\$_APACHE_VHOST_DIR
fi
fi
if [[ -n "\$_NGINX_VHOST_DIR" ]] ; then
if [[ ! -d "\$_NGINX_VHOST_DIR" ]]; then
if [[ -d "/etc/nginx/sites-available" ]]; then
_VHOST_DIR=\$_NGINX_VHOST_DIR
fi
else
_VHOST_DIR=\$_NGINX_VHOST_DIR
fi
fi
_apache_debian_install=false
# -------------
# --- Some functions
# -------------
echononl(){
if \$terminal ; then
echo X\\\\c > /tmp/shprompt\$\$
if [ \`wc -c /tmp/shprompt\$\$ | awk '{print \$1}'\` -eq 1 ]; then
echo -e -n "\$*\\\\c" 1>&2
else
echo -e -n "\$*" 1>&2
fi
rm /tmp/shprompt\$\$
fi
}
fatal(){
echo ""
echo -e "fataler Fehler: \$*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
if \$terminal ; then
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: \$*"
else
echo "[ Error ]: \$*"
fi
echo ""
}
warn (){
if \$terminal ; then
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: \$*"
echo ""
fi
}
info (){
if \$terminal ; then
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: \$*"
echo ""
fi
}
echo_done() {
if \$terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
fi
}
echo_ok() {
if \$terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
fi
}
echo_warning() {
if \$terminal ; then
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
fi
}
echo_failed(){
if \$terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
fi
}
echo_skipped() {
if \$terminal ; then
echo -e "\033[75G[ \033[37m\033[1mskipped\033[m ]"
fi
}
blank_line() {
if \$terminal ; then
echo ""
fi
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "\${@:2}"; do [[ "\$e" == "\$1" ]] && return 0; done
return 1
}
# -------------
# --- Check some prerequisites
# -------------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
# -------------
# - Read Commanline Arguments
# -------------
# If option '-q' is present, be silent, even if running in a terminal
#
while getopts q opt ; do
case \$opt in
q) terminal=false ;;
esac
done
if \$terminal ; then
clear
echo ""
echo -e "\033[21G\033[32mChanges SSLCertificate directives at apache vhost configurations\033[m"
echo -e "\033[21G\033[32mto their appropriate path to Let's Encrypt Certificate/Key.\033[m"
echo ""
fi
if \$terminal ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert DH Base directory"
echo ""
echo ""
DH_BASE_DIR=
while [[ "X\$DH_BASE_DIR" = "X" ]]; do
echononl "DH Configuration Directory [\$_DH_BASE_DIR]: "
read DH_BASE_DIR
if [[ "X\$DH_BASE_DIR" = "X" ]]; then
DH_BASE_DIR=\$_DH_BASE_DIR
fi
done
SCRIPT_INSTALL_DIR=\${DH_BASE_DIR}/tools
DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt
if [[ ! -f "\$DOMAINS_TXT_FILE" ]] ; then
fatal "Domain file \"\`basename \$DOMAINS_TXT_FILE\`\" not found!"
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert VHost Directory"
echo ""
echo ""
VHOST_DIR=
while [[ "X\$VHOST_DIR" = "X" ]]; do
echononl "VHost Directory [\$_VHOST_DIR]: "
read VHOST_DIR
if [ "X\$VHOST_DIR" = "Xnone" -o "X\$VHOST_DIR" = "XNone" ]; then
warn "Webserver Configuration will be ommited"
VHOST_DIR=
break
elif [[ "X\$VHOST_DIR" = "X" ]]; then
VHOST_DIR=\$_VHOST_DIR
fi
done
if [[ ! -d "\$VHOST_DIR" ]]; then
fatal "No Webserver VHost Configuration directory found!"
fi
echo ""
echo ""
echo -e "#\033[32m --------------------\033[m"
echo -e "#\033[32m --- Starts Script the following Parameters \033[m"
echo -e "#\033[32m --------------------\033[m"
echo ""
echo "DH Base Directory.............: \$DH_BASE_DIR"
echo "DH domains.txt file...........: \$DOMAINS_TXT_FILE"
echo ""
echo "Script Installation Directory.: \${DH_BASE_DIR}/tools"
echo ""
echo "Vhosts Directory..............: \$VHOST_DIR"
echo ""
echononl "Start with that configuration? [yes/no]: "
read OK
while [ "X\$OK" != "Xyes" -a "X\$OK" != "XYes" -a "X\$OK" != "XNo" -a "X\$OK" != "Xno" ]
do
echononl "wrong entry! [yes/no] :"
read OK
done
[ \$OK = "Yes" -o \$OK = "yes" ] || fatal "Change parameters and restart script: \`basename \$0\`"
else
DH_BASE_DIR=\$_DH_BASE_DIR
DOMAINS_TXT_FILE=\${DH_BASE_DIR}/domains.txt
if [[ ! -f "\$DOMAINS_TXT_FILE" ]] ; then
fatal "Domain file \"\`basename \$DOMAINS_TXT_FILE\`\" not found!"
fi
VHOST_DIR=\$_VHOST_DIR
fi
_date=\`date +%Y-%m-%d-%H%M\`
if [[ "\$VHOST_DIR" = "/etc/apache2/sites-enabled" ]] ; then
APACHE_VHOST_DIR="/etc/apache2/sites-available"
VHOST_DIR=\$APACHE_VHOST_DIR
fi
if [[ "\$VHOST_DIR" = "/etc/nginx/sites-enabled" ]] ; then
NGINX_VHOST_DIR="/etc/nginx/sites-available"
VHOST_DIR=\$NGINX_VHOST_DIR
fi
blank_line
echononl " Backup existing VHost Directory .."
if [[ "\$(dirname \$VHOST_DIR)" =~ vhosts?/?\$ ]] ; then
BACKUP_SRC_DIR="\$(dirname \$VHOST_DIR)"
else
BACKUP_SRC_DIR="\$VHOST_DIR"
fi
cp -a "\$BACKUP_SRC_DIR" "\${BACKUP_SRC_DIR}.\$_date"
if [[ \$? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
blank_line
declare -a vhost_file_arr
while IFS=' ' read -r site_server_name rest ; do
unset vhost_file_arr
if [[ "\$VHOST_DIR" =~ apache ]]; then
while IFS=' ' read filename_site ; do
#if ! \$_apache_debian_install ; then
# [[ -h "\$filename_site" ]] && continue
#fi
if ! containsElement \`realpath \$filename_site\` \${vhost_file_arr[@]} ; then
vhost_file_arr+=("\`realpath \$filename_site\`")
fi
done < <(grep -s -l -E "ServerName\s+\${site_server_name}" \${VHOST_DIR}/*)
else
while IFS=' ' read filename_site ; do
#if ! \$_apache_debian_install ; then
# [[ -h "\$filename_site" ]] && continue
#fi
if ! containsElement \`realpath \$filename_site\` \${vhost_file_arr[@]} ; then
vhost_file_arr+=("\`realpath \$filename_site\`")
fi
done < <(grep -s -l -E "server_name\s+\${site_server_name}" \${VHOST_DIR}/*)
fi
echononl " Adjust entries for \"\${site_server_name}\" .."
if [[ \${#vhost_file_arr[@]} -eq 0 ]]; then
echo_skipped
warn "No vhost configuration found for \$site_server_name"
else
_cert_dir=\${DH_BASE_DIR}/certs/\${site_server_name}
if [[ ! -h "\${_cert_dir}/fullchain.pem" ]] ; then
echo_skipped
warn "No certificate found for \$site_server_name"
continue
fi
if [[ ! -h "\${_cert_dir}/privkey.pem" ]] ; then
echo_skipped
warn "No private key found for \$site_server_name"
continue
fi
failed=false
_ssl_directive_changed=false
if [[ "\$VHOST_DIR" =~ apache ]]; then
# - Apache or nginx ?
# -
for _name in \${vhost_file_arr[@]} ; do
if ! grep -q -i -E "\s*SSLCertificateFile\s*\${_cert_dir}/fullchain.pem" \$_name 2> /dev/null ; then
perl -i -n -p -e s"#^(\s*)SSLCertificateFile.*#\1SSLCertificateFile \${_cert_dir}/fullchain.pem#" \$_name
[[ \$? -ne 0 ]] && failed=true
_ssl_directive_changed=true
fi
if ! grep -q -i -E "\s*SSLCertificateKeyFile\s+\${_cert_dir}/privkey.pem" \$_name 2> /dev/null ; then
perl -i -n -p -e s"#^(\s*)SSLCertificateKeyFile.*#\1SSLCertificateKeyFile \${_cert_dir}/privkey.pem#" \$_name
[[ \$? -ne 0 ]] && failed=true
_ssl_directive_changed=true
fi
if grep -q -i -E "\s*/SSLCertificateChainFile" \$_name 2> /dev/null ; then
sed -i '/SSLCertificateChainFile/d' \$_name
[[ \$? -ne 0 ]] && failed=true
_ssl_directive_changed=true
fi
done
else
for _name in \${vhost_file_arr[@]} ; do
if ! grep -q -i -E "\s*\s*ssl_certificate\s+\${_cert_dir}/fullchain.pem" \$_name 2> /dev/null ; then
perl -i -n -p -e s"#^(\s*)ssl_certificate\s+.*#\1ssl_certificate \${_cert_dir}/fullchain.pem;#" \$_name
[[ \$? -ne 0 ]] && failed=true
_ssl_directive_changed=true
fi
if ! grep -q -i -E "\s*\s*ssl_certificate_key\s+\${_cert_dir}/privkey.pem" \$_name 2> /dev/null ; then
perl -i -n -p -e s"#^(\s*)ssl_certificate_key\s+.*#\1ssl_certificate_key \${_cert_dir}/privkey.pem;#" \$_name
[[ \$? -ne 0 ]] && failed=true
_ssl_directive_changed=true
fi
done
fi
if \$_ssl_directive_changed ; then
if \$failed ; then
echo_failed
else
echo_ok
fi
else
echo_skipped
fi
fi
done < <(cat \$DOMAINS_TXT_FILE)
if [[ -d "\${BACKUP_SRC_DIR}.\$_date" ]]; then
diff -Nur "\$BACKUP_SRC_DIR" "\${BACKUP_SRC_DIR}.\$_date" > /dev/null 2>&1
if [[ \$? -eq 0 ]]; then
info "No VHosts configuration has changed.\n\t Removing previously created backup"
echononl "Delete \"\${BACKUP_SRC_DIR}.\$_date\".."
rm -rf "\${BACKUP_SRC_DIR}.\$_date"
if [[ \$? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
else
if [[ "\$VHOST_DIR" =~ apache ]]; then
if [[ -x "$apache_control_script" ]]; then
$apache_control_script graceful > /dev/null 2>&1
if [[ \$? -gt 0 ]]; then
if \$terminal ; then
error "Restarting Apache Webserver failed!"
fi
else
if \$terminal ; then
info "Apache Webserver restarted."
fi
fi
else
if \$terminal ; then
warn "Apache Control Script (apachectl) not found. Take care to restart webservice manually"
else
echo -e "\\n [ Warn ]: Apache Control Script (apachectl) not found. Take care to restart webservice manually"
fi
fi
else
if [[ -x "$nginx_init_script" ]]; then
$nginx_init_script restart > /dev/null 2>&1
if [[ \$? -gt 0 ]]; then
if \$terminal ; then
error "Restarting Nginx Webserver failed!"
fi
else
if \$terminal ; then
info "Nginx Webserver restarted."
fi
fi
else
if \$terminal ; then
warn "Nginx Init Script ($nginx_init_script) not found. Take care to restart webservice manually"
else
echo -e "\\n [ Warn ]: Nginx INIT Script ($nginx_init_script) not found. Take care to restart webservice manually"
fi
fi
fi
fi
fi
blank_line
exit
EOF
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
echononl " Make \"${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}\" executable.."
chmod 755 "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}"
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
if [[ -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" ]]; then
diff "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}" "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
info "Script $(basename "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}") has not change.\n\t Removing previously created backup.."
echononl " Remove ${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date.."
rm -f "${DH_UPDATE_SSL_DIRECTIVES_SCRIPT}.$_date"
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
fi
# - Sript dh_tlsgen.sh
#
if [[ -f "${DH_BASE_DIR}/tools/dh_tlsgen.sh" ]]; then
# - Backup existing script dh_tlsgen.sh
# -
echononl " Backup ${DH_BASE_DIR}/tools/dh_tlsgen.sh.."
cp -a ${DH_BASE_DIR}/tools/dh_tlsgen.sh ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
echononl " Install script \"dh_tlsgen.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > ${DH_BASE_DIR}/tools/dh_tlsgen.sh
#!/usr/bin/env bash
## ------------------------------------------------------------------------------
## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf
## ------------------------------------------------------------------------------
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
source ${DH_CONF_DIR}/dehydrated_cron.conf
else
echo
echo -e " [ Error ]: No Configuration File found. Exiting now!"
echo
exit 1
fi
if [[ \$# -ne 1 ]] ; then
echo -e "\n usage: \$(basename "\$0") <hostname:port>\n"
exit
fi
CUR_IFS=\$IFS
IFS=":"
_tmp_arr=(\$@)
IFS=\$CUR_IFS
port=\${_tmp_arr[1]}
hostname=\${_tmp_arr[0]}
cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_311=\$(
printf "_%s._tcp.%s. \${ttl_311} IN TLSA 3 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')"
)
cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_301=\$(
printf "_%s._tcp.%s. \${ttl_301} IN TLSA 3 0 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')"
)
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_211_chain=\$(
printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')"
)
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_201_chain=\$(
printf "_%s._tcp.%s. \${ttl_201} IN TLSA 2 0 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')"
)
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_202_chain=\$(
printf "_%s._tcp.%s. \${ttl_202} IN TLSA 2 0 2 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
openssl dgst -sha512 -binary |
hexdump -ve '/1 "%02x"')"
)
tlsa_record_211_root=""
cert=${DH_BASE_DIR}/certs/\${hostname}/root.ca
if [[ -f "\$cert" ]]; then
tlsa_record_211_root=\$(
printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')"
)
fi
echo ""
echo "TLSA 3 1 1 certificate"
echo "======================"
echo "\$tlsa_record_311"
echo ""
echo "TLSA 3 0 1 certificate"
echo "======================"
echo "\$tlsa_record_301"
echo ""
echo "TLSA 2 1 1 chain"
echo "================"
echo "\$tlsa_record_211_chain"
echo ""
echo "TLSA 2 0 1 chain"
echo "================"
echo "\$tlsa_record_201_chain"
echo ""
echo "TLSA 2 0 2 chain"
echo "================"
echo "\$tlsa_record_202_chain"
echo ""
if [[ -n "\$tlsa_record_211_root" ]]; then
echo "TLSA 2 1 1 root"
echo "==============="
echo "\$tlsa_record_211_root"
echo ""
fi
exit 0
EOF
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
echononl " Make \"${DH_BASE_DIR}/tools/dh_tlsgen.sh\" executable.."
chmod 755 ${DH_BASE_DIR}/tools/dh_tlsgen.sh
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
if [[ -f "${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date" ]]; then
diff ${DH_BASE_DIR}/tools/dh_tlsgen.sh ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
info "Script dh_tlsgen.sh has not change.\n\t Removing previously created backup.."
echononl " Remove ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date.."
rm -f ${DH_BASE_DIR}/tools/dh_tlsgen.sh.$_date
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
fi
fi
fi
echo ""
exit 0
Reference in New Issue View Git Blame Copy Permalink