From 461a6909395813d903d242a87d23ea6b385a3385 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 21 Jun 2023 11:59:29 +0200
Subject: [PATCH] Add support for OpenSSL 3.x for creating DH parameter.
---
generate-DH-parameters.sh | 274 ++++++++++++++++++++++++++++++++++++++
install_nginx.sh | 30 ++++-
2 files changed, 302 insertions(+), 2 deletions(-)
create mode 100755 generate-DH-parameters.sh
diff --git a/generate-DH-parameters.sh b/generate-DH-parameters.sh
new file mode 100755
index 0000000..3529cd1
--- /dev/null
+++ b/generate-DH-parameters.sh
@@ -0,0 +1,274 @@
+#!/usr/bin/env bash
+
+script_name="$(basename $(realpath $0))"
+working_dir="$(dirname $(realpath $0))"
+
+log_file="${LOCK_DIR}/${script_name%%.*}.log"
+
+backup_date="$(date +%Y-%m-%d-%H%M)"
+
+# ----------
+# Base Function(s)
+# ----------
+
+clean_up() {
+
+ # Perform program exit housekeeping
+ rm -rf "$LOCK_DIR"
+ blank_line
+ exit $1
+}
+
+echononl(){
+ if $terminal ; then
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n " $*\\c" 1>&2
+ else
+ echo -e -n " $*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+ fi
+}
+
+fatal(){
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[31m\033[1mFatal\033[m ] $*"
+ else
+ echo -e " [ Fatal ] $*"
+ fi
+ echo ""
+ if $terminal ; then
+ echo -e " \033[1mScript terminated\033[m.."
+ else
+ echo -e " Script terminated.."
+ fi
+ echo ""
+ rm -rf $LOCK_DIR
+ exit 1
+}
+
+error (){
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[31m\033[1mError\033[m ] $*"
+ else
+ echo " [ Error ] $*"
+ fi
+ echo ""
+}
+
+warn (){
+ if $LOGGING || $terminal ; then
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[33m\033[1mWarn\033[m ] $*"
+ else
+ echo " [ Warn ] $*"
+ fi
+ echo ""
+ fi
+}
+
+info (){
+ if $LOGGING || $terminal ; then
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
+ else
+ echo " [ Info ] $*"
+ fi
+ echo ""
+ fi
+}
+
+ok (){
+ if $LOGGING || $terminal ; then
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[32m\033[1mOk\033[m ] $*"
+ else
+ echo " [ Ok ] $*"
+ fi
+ echo ""
+ fi
+}
+
+echo_done() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+ fi
+}
+echo_ok() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+ fi
+}
+echo_failed(){
+ if $terminal ; then
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+ fi
+}
+echo_skipped() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+ fi
+}
+blank_line() {
+ if $terminal ; then
+ echo ""
+ fi
+}
+echo_wait(){
+ if $terminal ; then
+ echo -en "\033[75G[ \033[5m\033[1m...\033[m ]"
+ fi
+}
+
+trim() {
+ local var="$*"
+ var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
+ var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
+ echo -n "$var"
+}
+
+get_openssl_version() {
+
+ OPENSSL_VERSION="$(openssl version|awk '{print $2}' | grep -o -E "[0-9]+\.[0-9]+\.[0-9]")"
+
+ OPENSSL_MAIN_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f1,2`
+ OPENSSL_MAJOR_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f1`
+ OPENSSL_MINOR_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f2`
+ OPENSSL_PATCH_LEVEL=`echo $OPENSSL_VERSION | cut -d '.' -f3`
+
+ if [[ -n "${OPENSSL_VERSION}" ]] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# ----------
+# - Jobhandling
+# ----------
+
+# - Run 'clean_up' for signals SIGHUP SIGINT SIGTERM
+# -
+trap clean_up SIGHUP SIGINT SIGTERM
+
+# - Create lock directory '$LOCK_DIR"
+#
+mkdir "$LOCK_DIR"
+
+
+# ----------
+# - Some checks ..
+# ----------
+
+# - Running in a terminal?
+# -
+if [[ -t 1 ]] ; then
+ terminal=true
+else
+ terminal=false
+fi
+
+
+# ==========
+# - Begin Main Script
+# ==========
+
+# ----------
+# - Headline
+# ----------
+
+if $terminal ; then
+ echo ""
+ echo -e "\033[1m----------\033[m"
+ echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
+ echo -e "\033[1m----------\033[m"
+fi
+
+restart_nginx_service=false
+
+if [[ ! -d "/etc/nginx" ]] ; then
+ fatal "No Nginx installation found!"
+fi
+
+if [[ ${OPENSSL_MAJOR_VERSION} -gt 1 ]]; then
+
+ if [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then
+
+ echononl "Stop Nginx WebsService"
+ systemctl stop nginx > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+
+ echononl "Backup existing 'dhparam.pem' file.."
+ mv "/etc/nginx/ssl/dhparam.pem" "/etc/nginx/ssl/dhparam.pem.${backup_date}" > ${log_file} 2>&1
+ if [[ $? -ne 0 ]] ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ restart_nginx_service=true
+ echo_ok
+ fi
+ fi
+ echononl "Generate a dhparam.pem file - \033[5m\033[1mmay take a lon time\033[m .."
+ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 > ${log_file} 2>&1
+ if [[ $? -ne 0 ]] ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+
+ if $restart_nginx_service ; then
+
+ echononl "Start Nginx WebsService"
+ systemctl start nginx > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+ fi
+
+elif [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then
+ echononl "Generate a dhparam.pem file .."
+ echo_skipped
+else
+ echononl "Cretae directory '/etc/nginx/ssl'.."
+ if [[ ! -d "/etc/nginx/ssl" ]] ; then
+ mkdir /etc/nginx/ssl > ${log_file} 2>&1
+ if [[ $? -ne 0 ]] ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+
+ echononl "Generate a dhparam.pem file with parameter '-dsaparam'.."
+ openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048 >> ${log_file} 2>&1
+ if [[ $? -ne 0 ]] ; then
+ _failed=true
+ fi
+ if $_failed ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+
+ fi
+ else
+ echo_skipped
+ fi
+fi
+
+clean_up 0
diff --git a/install_nginx.sh b/install_nginx.sh
index 631602f..12370a2 100755
--- a/install_nginx.sh
+++ b/install_nginx.sh
@@ -135,6 +135,22 @@ blank_line() {
 fi
 }
+get_openssl_version() {
+
+ OPENSSL_VERSION="$(openssl version|awk '{print $2}' | grep -o -E "[0-9]+\.[0-9]+\.[0-9]")"
+
+ OPENSSL_MAIN_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f1,2`
+ OPENSSL_MAJOR_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f1`
+ OPENSSL_MINOR_VERSION=`echo $OPENSSL_VERSION | cut -d '.' -f2`
+ OPENSSL_PATCH_LEVEL=`echo $OPENSSL_VERSION | cut -d '.' -f3`
+
+ if [[ -n "${OPENSSL_VERSION}" ]] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
 # ----------
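Review bot: The OpenSSL 3 branch is unreachable as written, because `get_openssl_version` is defined but, as far as this hunk shows, never called before `if [[ ${OPENSSL_MAJOR_VERSION} -gt 1 ]]`, and an empty operand in that arithmetic test compares as 0; call it right after the terminal check, `get_openssl_version || fatal "Could not determine OpenSSL version"`. `LOCK_DIR` is likewise never assigned in the new file, so `mkdir "$LOCK_DIR"`, `log_file` and the two `rm -rf` cleanups act on whatever the environment happens to supply — unless a caller is expected to export it, set it with `LOCK_DIR="$(mktemp -d)" || exit 1` and quote it in `fatal` as well. The OpenSSL 3 path also stops nginx for the whole `openssl dhparam` run, does not create `/etc/nginx/ssl` when it is missing, and after a failed generation starts nginx with no `dhparam.pem` in place; generating into a temporary file next to the target and moving it over the old one, then reloading, keeps the service up throughout (sketch below). On the `-dsaparam` path generation only runs when `mkdir` just created the directory (an existing directory without a `dhparam.pem` hits `echo_skipped` and nothing is generated), and nothing in this hunk initialises `_failed`, so `if $_failed ; then` expands to an empty command with status 0 and reports failure even when generation succeeded — add `_failed=false` before the branch. The regex `[0-9]+\.[0-9]+\.[0-9]` in `get_openssl_version`, here and in the copy added to install_nginx.sh, keeps a single patch digit, so `OPENSSL_PATCH_LEVEL` is wrong from 3.0.10 upward; use `[0-9]+\.[0-9]+\.[0-9]+`.
```shell
if [[ ${OPENSSL_MAJOR_VERSION} -gt 1 ]]; then
  mkdir -p /etc/nginx/ssl || fatal "Cannot create directory '/etc/nginx/ssl'"
  # Generate into a temporary file so nginx keeps serving with its current parameters
  tmp_dhparam="$(mktemp /etc/nginx/ssl/.dhparam.XXXXXX)" || fatal "mktemp failed"
  echononl "Generate a dhparam.pem file - \033[5m\033[1mmay take a lon time\033[m .."
  if openssl dhparam -out "$tmp_dhparam" 2048 > "$log_file" 2>&1 ; then
    chmod 0644 "$tmp_dhparam"   # DH parameters are public; mktemp creates the file 0600
    if [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then
      cp -p "/etc/nginx/ssl/dhparam.pem" "/etc/nginx/ssl/dhparam.pem.${backup_date}"
    fi
    mv "$tmp_dhparam" "/etc/nginx/ssl/dhparam.pem"
    echo_ok
    echononl "Reload Nginx WebsService"
    if systemctl reload nginx > "$log_file" 2>&1 ; then
      echo_ok
    else
      echo_failed
      error "$(cat "$log_file")"
    fi
  else
    rm -f -- "$tmp_dhparam"
    echo_failed
    error "$(cat "$log_file")"
  fi
# … unchanged: elif / else branches for OpenSSL 1.x …
```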
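Review bot: `get_openssl_version` spawns four `echo | cut` pipelines in backticks to split a string it already holds; parameter expansion gives the same fields without the subshells, the unquoted `$OPENSSL_VERSION` or the legacy backtick form: `OPENSSL_MAIN_VERSION="${OPENSSL_VERSION%.*}"`, `OPENSSL_MAJOR_VERSION="${OPENSSL_VERSION%%.*}"`, `OPENSSL_PATCH_LEVEL="${OPENSSL_VERSION##*.}"` (the minor is then `${OPENSSL_MAIN_VERSION#*.}`). Because the function sets five globals and declares nothing `local`, a header comment in the file's style naming them — `# Sets OPENSSL_VERSION, OPENSSL_MAIN_VERSION, OPENSSL_MAJOR_VERSION, OPENSSL_MINOR_VERSION, OPENSSL_PATCH_LEVEL; returns 1 if 'openssl version' yields no x.y.z string` — would help whoever calls it. The trailing `if … return 0 … else return 1 … fi` can simply be `[[ -n "${OPENSSL_VERSION}" ]]` as the last statement. The function is a verbatim copy of the one added in generate-DH-parameters.sh; keeping it in one file that both scripts source would stop the two copies drifting apart.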
@@ -230,10 +246,20 @@ done
 blank_line
 _failed=false
-echononl "Generate a dhparam.pem file.."
-if [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then
+if [[ ${OPENSSL_MAJOR_VERSION} -gt 1 ]]; then
+ echononl "Generate a dhparam.pem file - \033[5m\033[1mmay take a lon time\033[m .."
+ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 > ${log_file} 2>&1
+ if [[ $? -ne 0 ]] ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+elif [[ -f "/etc/nginx/ssl/dhparam.pem" ]]; then
+ echononl "Generate a dhparam.pem file .."
 echo_skipped
 else
+ echononl "Generate a dhparam.pem file with parameter '-dsaparam'.."
 if [[ ! -d "/etc/nginx/ssl" ]] ; then
 mkdir /etc/nginx/ssl > ${log_file} 2>&1
 if [[ $? -ne 0 ]] ; then