From 7d8b364859c5d5a82b214c8b01a97ee87a408b5d Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 29 Nov 2021 18:51:42 +0100 Subject: [PATCH] 'loolwsd' service was (changed and) renamed to 'coolwsd'. so we add script 'check_cert_coolwsd.sh'. --- check_cert_coolwsd.sh | 422 ++++++++++++++++++++++++++++ conf/check_cert_coolwsd.conf.sample | 73 +++++ 2 files changed, 495 insertions(+) create mode 100755 check_cert_coolwsd.sh create mode 100644 conf/check_cert_coolwsd.conf.sample
diff --git a/check_cert_coolwsd.sh b/check_cert_coolwsd.sh
new file mode 100755
index 0000000..3f9a137
--- /dev/null
+++ b/check_cert_coolwsd.sh
@@ -0,0 +1,422 @@
+#!/usr/bin/env bash
+
+# ----------
+# -
+# - Script checks, Whether certificate/chain/key for ColaboraOnline service loolwsd
+# - is up to date. If newer versions than the installed ones found, script changes
+# - the installed keys/certs to the latest version.
+# -
+# ----------
+
+script_name="$(basename $(realpath $0))"
+working_dir="$(dirname $(realpath $0))"
+
+conf_file="${working_dir}/conf/${script_name%%.*}.conf"
+
+LOCK_DIR="/tmp/$(basename $0).$$.LOCK"
+log_file="${LOCK_DIR}/${script_name%%.*}.log"
+
+
+# -------------
+# --- Some functions
+# -------------
+
+clean_up() {
+
+ # Perform program exit housekeeping
+ rm -rf "$LOCK_DIR"
+ exit $1
+}
+
+echononl(){
+ if $terminal ; then
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+ fi
+}
+
+fatal(){
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[31m\033[1mFatal\033[m ]: $*"
+ echo ""
+ echo -e " \033[31m\033[1mScript was interupted\033[m!"
+ else
+ echo " [ Fatal ]: $*"
+ echo ""
+ echo " Script was terminated...."
+ fi
+ echo ""
+ clean_up 1
+}
+
+error() {
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[31m\033[1mError\033[m ]: $*"
+ else
+ echo " [ Error ]: $*"
+ fi
+ echo ""
+}
+
+warn() {
+ echo ""
+ if $terminal ; then
+ echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
+ else
+ echo " [ Warning ]: $*"
+ fi
+ echo ""
+}
+
+info() {
+ if $terminal ; then
+ echo ""
+ echo -e " [ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+ fi
+}
+
+echo_failed(){
+ if $terminal ; then
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+ fi
+}
+
+echo_done() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+ fi
+}
+
+
+
+# ----------
+# - Jobhandling
+# ----------
+
+# - If job already runs, stop execution..
+# -
+if mkdir "$LOCK_DIR" 2> /dev/null ; then
+
+ # - Remove lockdir when the script finishes, or when it receives a signal
+ # -
+ trap clean_up SIGHUP SIGINT SIGTERM
+
+else
+
+ msg="A previos instance of script \"`basename $0`\" seems already be running."
+
+ echo ""
+ if $terminal ; then
+ echo -e "[ \033[31m\033[1mFatal\033[m ]: $msg"
+ echo ""
+ echo -e " \033[31m\033[1mScript was interupted\033[m!"
+ else
+ echo " [ Fatal ]: $msg"
+ echo ""
+ echo " Script was interupted!"
+ fi
+ echo
+
+ exit 1
+
+fi
+
+
+
+# -------------
+# --- Some checks
+# -------------
+
+# - Running in a terminal?
+# -
+if [[ -t 1 ]] ; then
+ terminal=true
+else
+ terminal=false
+fi
+
+# - Systemd supported ?
+# -
+systemd_supported=false
+systemd=$(which systemd)
+systemctl=$(which systemctl)
+
+if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
+ systemd_supported=true
+fi
+
+
+
+# ==========
+# - Begin Main Script
+# ==========
+
+# ----------
+# - Headline
+# ----------
+
+if $terminal ; then
+ echo ""
+ echo -e "\033[1m----------\033[m"
+ echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
+ echo -e "\033[1m----------\033[m"
+fi
+
+
+
+# ----------
+# Read Configurations from $conf_file
+# ----------
+
+
+# - Give your default values here
+# -
+
+DEFAULT_SERVICE_NAME="coolwsd"
+DEFAULT_SERVICE_USER="cool"
+DEFAULT_SERVICE_GROUP="cool"
+DEFAULT_SERVICE_CERT_DIR="/etc/coolwsd"
+DEFAULT_LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"
+
+DEFAULT_HAS_SERVICE_CHAIN=true
+
+
+if [[ -f "$conf_file" ]]; then
+ source "$conf_file"
+else
+ warn "No configuration file '$conf_file' present.\n
+ Loading default values.."
+fi
+
+if [[ -z "$HOSTNAME_CO" ]]; then
+ fatal "Hostname of webservice ColaboraOnline not given (parameter 'HOSTNAME_CO')!"
+fi
+
+[[ -z "$SERVICE_NAME" ]] && SERVICE_NAME="$DEFAULT_SERVICE_NAME"
+[[ -z "$SERVICE_USER" ]] && SERVICE_USER="$DEFAULT_SERVICE_USER"
+[[ -z "$SERVICE_GROUP" ]] && SERVICE_GROUP="$DEFAULT_SERVICE_GROUP"
+[[ -z "$SERVICE_CERT_DIR" ]] && SERVICE_CERT_DIR="$DEFAULT_SERVICE_CERT_DIR"
+[[ -z "$LE_BASE_CERT_DIR" ]] && LE_BASE_CERT_DIR="$DEFAULT_LE_BASE_CERT_DIR"
+[[ -z "$HAS_SERVICE_CHAIN" ]] && HAS_SERVICE_CHAIN="$DEFAULT_HAS_SERVICE_CHAIN"
+
+# - Let's encrypt cert directory
+# -
+LE_CERT_DIR_SERVICE="${LE_BASE_CERT_DIR}/$HOSTNAME_CO"
+
+# - Latest cert/chain/key
+# -
+cert_newest="${LE_CERT_DIR_SERVICE}/cert.pem"
+chain_newest="${LE_CERT_DIR_SERVICE}/chain.pem"
+key_newest="${LE_CERT_DIR_SERVICE}/privkey.pem"
+
+
+# - Installed cert/chain/key
+# -
+cert_installed="${SERVICE_CERT_DIR}/cert.pem"
+chain_installed="${SERVICE_CERT_DIR}/ca-chain.cert.pem"
+key_installed="${SERVICE_CERT_DIR}/key.pem"
+
+# -------------
+# - Don't run script, if any given path for cert/key does not exists
+# -------------
+
+if [[ ! -f "$cert_newest" ]] ; then
+ fatal "Newest Certificate '$cert_newest' not found!"
+elif [[ ! -f "$key_newest" ]] ; then
+ fatal "Newest Key '$key_newest' not found!"
+elif $HAS_SERVICE_CHAIN && [[ ! -f "$chain_newest" ]]; then
+ fatal "Newest chain file '$chain_newest' not found!"
+fi
+
+if [[ ! -f "$cert_installed" ]] ; then
+ touch "$cert_installed"
+fi
+if [[ ! -f "$key_installed" ]]; then
+ touch "$key_installed"
+fi
+if $HAS_SERVICE_CHAIN && [[ ! -f "$chain_installed" ]]; then
+ touch "$chain_installed"
+fi
+
+
+
+# -------------
+# - Check if keys/certs are up to date, change them if needed.
+# -------------
+
+if $terminal ; then
+ echo ""
+ echo ""
+ echo -e "\033[37m\033[1m Check if keys/certs are up to date, change them if needed..\033[m"
+ echo ""
+fi
+
+restart_service=false
+#check_string_ps="[[:digit:]]\ lua[[:digit:]].[[:digit:]] /usr/bin/loolwsd"
+
+
+if ! diff "$(realpath "$cert_installed")" "$(realpath "$cert_newest")" > /dev/null 2>&1 ; then
+
+ _failed=false
+
+ warn "Certificate for service $SERVICE_NAME at '$HOSTNAME_CO' is outdated!
+
+ Try to update certificate and key.."
+ echononl " Update certificat for $SERVICE_NAME at '$HOSTNAME_CO'"
+ > $log_file
+
+ if [[ -f "$cert_installed" ]] ; then
+ rm "$cert_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+ fi
+
+ cp -a "$(realpath "$cert_newest")" "$(dirname "$cert_installed")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$cert_installed")/$(basename "$(realpath "$cert_newest")")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ ln -s "$(basename "$(realpath "$cert_newest")")" "$cert_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ if $_failed ; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_done
+ fi
+
+ if ! $_failed ; then
+
+ _failed=false
+
+ echononl " Update key for $SERVICE_NAME at '$HOSTNAME_CO'"
+
+ if [[ -f "$key_installed" ]]; then
+ rm "$key_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+ fi
+
+ cp -a "$(realpath "$key_newest")" "$(dirname "$key_installed")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$key_installed")/$(basename "$(realpath "$key_newest")")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ ln -s "$(basename "$(realpath "$key_newest")")" "$key_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ if $_failed ; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_done
+ fi
+
+ fi
+
+ if ! $_failed && $HAS_SERVICE_CHAIN; then
+
+ _failed=false
+
+ echononl " Update chain for $SERVICE_NAME at '$HOSTNAME_CO'"
+
+ if [[ -f "$chain_installed" ]]; then
+ rm "$chain_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+ fi
+
+ cp -a "$(realpath "$chain_newest")" "$(dirname "$chain_installed")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$chain_installed")/$(basename "$(realpath "$chain_newest")")" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ ln -s "$(basename "$(realpath "$chain_newest")")" "$chain_installed" >> $log_file 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ if $_failed ; then
+ echo_failed
+ error "$(cat "$log_file")"
+ else
+ echo_done
+ restart_service=true
+ fi
+ fi
+
+ if ! $_failed ; then
+
+ # - Restart 'loolwsd' service
+ # -
+ echo ""
+ echononl " Restart Service '$SERVICE_NAME'.."
+ if $systemd_supported ; then
+
+ systemctl restart loolwsd > $log_file 2>&1
+
+ if [[ $? -eq 0 ]]; then
+ echo_done
+ else
+ echo_failed
+ error "For more informations see log output at '$log_file'."
+ fi
+ else
+
+ /etc/init.d/loolwsd restart > $log_file 2>&1
+
+ if [[ $? -eq 0 ]]; then
+ echo_done
+ else
+ echo_failed
+ error "For more informations see log output at '$log_file'."
+ fi
+ fi
+
+ if $terminal ; then
+ info "Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' is now up to date"
+ else
+ echo ""
+ echo " [ Info ]: Certificate/Chain/Key for $SERVICE_NAME at '$HOSTNAME_CO' is now up to date"
+ echo ""
+ fi
+ else
+ error "Updating Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' failed!"
+ fi
+
+else
+ info "Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' is up to date!"
+fi
+
+clean_up 0
diff --git a/conf/check_cert_coolwsd.conf.sample b/conf/check_cert_coolwsd.conf.sample
new file mode 100644
index 0000000..e4d4b20
--- /dev/null
+++ b/conf/check_cert_coolwsd.conf.sample
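Review bot: The restart block near the end of the hunk is still hard-wired to the old service (`systemctl restart loolwsd` and `/etc/init.d/loolwsd restart`) even though this script is the `coolwsd` variant and `SERVICE_NAME` defaults to `coolwsd`, so after the new key and certificate are swapped in the renamed service is never restarted and keeps serving the old certificate until it expires or is bounced by other means; use the configured name, `systemctl restart "$SERVICE_NAME" > "$log_file" 2>&1` and `"/etc/init.d/${SERVICE_NAME}" restart > "$log_file" 2>&1`, and update the `# - Restart 'loolwsd' service` comment to match. The `restart_service=true` set in the chain branch is never read anywhere and can be dropped. Separately, `LOCK_DIR="/tmp/$(basename $0).$$.LOCK"` embeds the PID, so every run creates a fresh directory and the "previous instance seems already be running" branch can never fire; the `mkdir` lock idiom needs a fixed path such as `LOCK_DIR="/tmp/${script_name%%.*}.LOCK"` (the branch also reads `$terminal` before it is assigned further down). Since the script presumably runs as root (it chowns into `$SERVICE_CERT_DIR`), `echononl` writing `/tmp/shprompt$$` with a plain `>` at a predictable name is the classic /tmp symlink-follow pattern and is better replaced by `mktemp`.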
@@ -0,0 +1,73 @@
+# ----------
+# Settings for script check_cert_loolwsd.sh
+# ----------
+
+# - HOSTNAME_CO
+# -
+# - Hostname of webservice ColaboraOnline
+# -
+# - Note: this parameter has no default value, but is required.
+# -
+# - Example:
+# -
+# - HOSTNAME_CO="co-01.oopen.de"
+# -
+HOSTNAME_CO=""
+
+
+# -
+# - SERVICE_NAME
+# -
+# - Name of the ColaboraOnline service, usually 'loolwsd
+# -
+# - Defaults to SERVICE_NAME="loolwsd"
+# -
+#SERVICE_NAME="coolwsd"
+
+
+# - SERVICE_CERT_DIR
+# -
+# - Directory holding the certs/key for the service
+# -
+# - Defaults to SERVICE_CERT_DIR="/etc/loolwsd"
+# -
+#SERVICE_CERT_DIR="/etc/loolwsd"
+
+
+# - SERVICE_USER
+# -
+# - User of service $SERVICE_NAME
+# -
+# - Defaults to SERVICE_USER="lool"
+# -
+#SERVICE_USER="cool"
+
+
+# - SERVICE_GROUP
+# -
+# - User of service $SERVICE_NAME
+# -
+# - Defaults to SERVICE_GROUP="lool"
+# -
+#SERVICE_GROUP="cool"
+
+
+# - HAS_SERVICE_CHAIN
+# -
+# - Possible values: true or false
+# -
+# - If Service has an seperate file for certificate chain, then
+# - set UPDATE_SERVICE_CHAIN to 'true'
+# -
+# - Defaults to UPDATE_SERVICE_CHAIN=true
+# -
+#HAS_SERVICE_CHAIN=true
+
+
+# - LE_BASE_CERT_DIR
+# -
+# - Base directory of Let's Encrypt certs/key
+# -
+# - Defaults to LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"
+# -
+#LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"
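Review bot: The defaults this sample documents disagree with the script that sources it: the header still names `check_cert_loolwsd.sh`, and the comments say `SERVICE_NAME` defaults to `loolwsd`, `SERVICE_CERT_DIR` to `/etc/loolwsd` and `SERVICE_USER`/`SERVICE_GROUP` to `lool`, while check_cert_coolwsd.sh's `DEFAULT_*` values in the same commit are `coolwsd`, `/etc/coolwsd` and `cool`; an operator reading this file would conclude the old paths and owner are in effect and leave the wrong settings uncommented. The `# - Defaults to …` lines and the commented example values should be brought in line with the script (`Defaults to SERVICE_NAME="coolwsd"`, `Defaults to SERVICE_CERT_DIR="/etc/coolwsd"`, `Defaults to SERVICE_USER="cool"`, `Defaults to SERVICE_GROUP="cool"`, `#SERVICE_CERT_DIR="/etc/coolwsd"`). The `HAS_SERVICE_CHAIN` block refers to `UPDATE_SERVICE_CHAIN` twice, a variable the script never reads, so it should read `set HAS_SERVICE_CHAIN to 'true'` and `Defaults to HAS_SERVICE_CHAIN=true`. The `SERVICE_GROUP` description says `User of service $SERVICE_NAME` where `Group of service $SERVICE_NAME` is meant.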