script/nextcloud
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add cron script for updating ssl key/cert/chain of ColaboraOnline Service loolwsd.

Browse Source
This commit is contained in:
Christoph 2019-02-16 04:25:30 +01:00
parent d507e536dc
commit 86318dd37a
2 changed files with 495 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

422
check_cert_loolwsd.sh Executable file
View File

@ -0,0 +1,422 @@
#!/usr/bin/env bash
# ----------
# -
# - Script checks, Whether certificate/chain/key for ColaboraOnline service loolwsd
# - is up to date. If newer versions than the installed ones found, script changes
# - the installed keys/certs to the latest version.
# -
# ----------
script_name="$(basename $(realpath $0))"
working_dir="$(dirname $(realpath $0))"
conf_file="${working_dir}/conf/${script_name%%.*}.conf"
LOCK_DIR="/tmp/$(basename $0).$$.LOCK"
log_file="${LOCK_DIR}/${script_name%%.*}.log"
# -------------
# --- Some functions
# -------------
clean_up() {
# Perform program exit housekeeping
rm -rf "$LOCK_DIR"
exit $1
}
echononl(){
if $terminal ; then
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
fi
}
fatal(){
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mFatal\033[m ]: $*"
echo ""
echo -e " \033[31m\033[1mScript was interupted\033[m!"
else
echo " [ Fatal ]: $*"
echo ""
echo " Script was terminated...."
fi
echo ""
clean_up 1
}
error() {
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mError\033[m ]: $*"
else
echo " [ Error ]: $*"
fi
echo ""
}
warn() {
echo ""
if $terminal ; then
echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
else
echo " [ Warning ]: $*"
fi
echo ""
}
info() {
if $terminal ; then
echo ""
echo -e " [ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
fi
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
fi
}
# ----------
# - Jobhandling
# ----------
# - If job already runs, stop execution..
# -
if mkdir "$LOCK_DIR" 2> /dev/null ; then
# - Remove lockdir when the script finishes, or when it receives a signal
# -
trap clean_up SIGHUP SIGINT SIGTERM
else
msg="A previos instance of script \"`basename $0`\" seems already be running."
echo ""
if $terminal ; then
echo -e "[ \033[31m\033[1mFatal\033[m ]: $msg"
echo ""
echo -e " \033[31m\033[1mScript was interupted\033[m!"
else
echo " [ Fatal ]: $msg"
echo ""
echo " Script was interupted!"
fi
echo
exit 1
fi
# -------------
# --- Some checks
# -------------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
# - Systemd supported ?
# -
systemd_supported=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
systemd_supported=true
fi
# ==========
# - Begin Main Script
# ==========
# ----------
# - Headline
# ----------
if $terminal ; then
echo ""
echo -e "\033[1m----------\033[m"
echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
echo -e "\033[1m----------\033[m"
fi
# ----------
# Read Configurations from $conf_file
# ----------
# - Give your default values here
# -
DEFAULT_SERVICE_NAME="loolwsd"
DEFAULT_SERVICE_USER="lool"
DEFAULT_SERVICE_GROUP="lool"
DEFAULT_SERVICE_CERT_DIR="/etc/loolwsd"
DEFAULT_LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"
DEFAULT_HAS_SERVICE_CHAIN=true
if [[ -f "$conf_file" ]]; then
source "$conf_file"
else
warn "No configuration file '$conf_file' present.\n
Loading default values.."
fi
if [[ -z "$HOSTNAME_CO" ]]; then
fatal "Hostname of webservice ColaboraOnline not given (parameter 'HOSTNAME_CO')!"
fi
[[ -z "$SERVICE_NAME" ]] && SERVICE_NAME="$DEFAULT_SERVICE_NAME"
[[ -z "$SERVICE_USER" ]] && SERVICE_USER="$DEFAULT_SERVICE_USER"
[[ -z "$SERVICE_GROUP" ]] && SERVICE_GROUP="$DEFAULT_SERVICE_GROUP"
[[ -z "$SERVICE_CERT_DIR" ]] && SERVICE_CERT_DIR="$DEFAULT_SERVICE_CERT_DIR"
[[ -z "$LE_BASE_CERT_DIR" ]] && LE_BASE_CERT_DIR="$DEFAULT_LE_BASE_CERT_DIR"
[[ -z "$HAS_SERVICE_CHAIN" ]] && HAS_SERVICE_CHAIN="$DEFAULT_HAS_SERVICE_CHAIN"
# - Let's encrypt cert directory
# -
LE_CERT_DIR_SERVICE="${LE_BASE_CERT_DIR}/$HOSTNAME_CO"
# - Latest cert/chain/key
# -
cert_newest="${LE_CERT_DIR_SERVICE}/cert.pem"
chain_newest="${LE_CERT_DIR_SERVICE}/chain.pem"
key_newest="${LE_CERT_DIR_SERVICE}/privkey.pem"
# - Installed cert/chain/key
# -
cert_installed="${SERVICE_CERT_DIR}/cert.pem"
chain_installed="${SERVICE_CERT_DIR}/ca-chain.cert.pem"
key_installed="${SERVICE_CERT_DIR}/key.pem"
# -------------
# - Don't run script, if any given path for cert/key does not exists
# -------------
if [[ ! -f "$cert_newest" ]] ; then
fatal "Newest Certificate '$cert_newest' not found!"
elif [[ ! -f "$key_newest" ]] ; then
fatal "Newest Key '$key_newest' not found!"
elif $HAS_SERVICE_CHAIN && [[ ! -f "$chain_newest" ]]; then
fatal "Newest chain file '$chain_newest' not found!"
fi
if [[ ! -f "$cert_installed" ]] ; then
touch "$cert_installed"
fi
if [[ ! -f "$key_installed" ]]; then
touch "$key_installed"
fi
if $HAS_SERVICE_CHAIN && [[ ! -f "$chain_installed" ]]; then
touch "$chain_installed"
fi
# -------------
# - Check if keys/certs are up to date, change them if needed.
# -------------
if $terminal ; then
echo ""
echo ""
echo -e "\033[37m\033[1m Check if keys/certs are up to date, change them if needed..\033[m"
echo ""
fi
restart_service=false
#check_string_ps="[[:digit:]]\ lua[[:digit:]].[[:digit:]] /usr/bin/loolwsd"
if ! diff "$(realpath "$cert_installed")" "$(realpath "$cert_newest")" > /dev/null 2>&1 ; then
_failed=false
warn "Certificate for service $SERVICE_NAME at '$HOSTNAME_CO' is outdated!
Try to update certificate and key.."
echononl " Update certificat for $SERVICE_NAME at '$HOSTNAME_CO'"
> $log_file
if [[ -f "$cert_installed" ]] ; then
rm "$cert_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
fi
cp -a "$(realpath "$cert_newest")" "$(dirname "$cert_installed")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$cert_installed")/$(basename "$(realpath "$cert_newest")")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
ln -s "$(basename "$(realpath "$cert_newest")")" "$cert_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_done
fi
if ! $_failed ; then
_failed=false
echononl " Update key for $SERVICE_NAME at '$HOSTNAME_CO'"
if [[ -f "$key_installed" ]]; then
rm "$key_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
fi
cp -a "$(realpath "$key_newest")" "$(dirname "$key_installed")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$key_installed")/$(basename "$(realpath "$key_newest")")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
ln -s "$(basename "$(realpath "$key_newest")")" "$key_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_done
fi
fi
if ! $_failed && $HAS_SERVICE_CHAIN; then
_failed=false
echononl " Update chain for $SERVICE_NAME at '$HOSTNAME_CO'"
if [[ -f "$chain_installed" ]]; then
rm "$chain_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
fi
cp -a "$(realpath "$chain_newest")" "$(dirname "$chain_installed")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
chown ${SERVICE_USER}:$SERVICE_GROUP "$(dirname "$chain_installed")/$(basename "$(realpath "$chain_newest")")" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
ln -s "$(basename "$(realpath "$chain_newest")")" "$chain_installed" >> $log_file 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat "$log_file")"
else
echo_done
restart_service=true
fi
fi
if ! $_failed ; then
# - Restart 'loolwsd' service
# -
echo ""
echononl " Restart Service '$SERVICE_NAME'.."
if $systemd_supported ; then
systemctl restart loolwsd > $log_file 2>&1
if [[ $? -eq 0 ]]; then
echo_done
else
echo_failed
error "For more informations see log output at '$log_file'."
fi
else
/etc/init.d/loolwsd restart > $log_file 2>&1
if [[ $? -eq 0 ]]; then
echo_done
else
echo_failed
error "For more informations see log output at '$log_file'."
fi
fi
if $terminal ; then
info "Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' is now up to date"
else
echo ""
echo " [ Info ]: Certificate/Chain/Key for $SERVICE_NAME at '$HOSTNAME_CO' is now up to date"
echo ""
fi
else
error "Updating Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' failed!"
fi
else
info "Certificate/Chain/Key for service $SERVICE_NAME at '$HOSTNAME_CO' is up to date!"
fi
clean_up 0

73
conf/check_cert_loolwsd.conf.sample Normal file
View File

@ -0,0 +1,73 @@
# ----------
# Settings for script check_cert_loolwsd.sh
# ----------
# - HOSTNAME_CO
# -
# - Hostname of webservice ColaboraOnline
# -
# - Note: this parameter has no default value, but is required.
# -
# - Example:
# -
# - HOSTNAME_CO="co-01.oopen.de"
# -
HOSTNAME_CO=""
# -
# - SERVICE_NAME
# -
# - Name of the ColaboraOnline service, usually 'loolwsd
# -
# - Defaults to SERVICE_NAME="loolwsd"
# -
#SERVICE_NAME="loolwsd"
# - SERVICE_CERT_DIR
# -
# - Directory holding the certs/key for the service
# -
# - Defaults to SERVICE_CERT_DIR="/etc/loolwsd"
# -
#SERVICE_CERT_DIR="/etc/loolwsd"
# - SERVICE_USER
# -
# - User of service $SERVICE_NAME
# -
# - Defaults to SERVICE_USER="lool"
# -
#SERVICE_USER="lool"
# - SERVICE_GROUP
# -
# - User of service $SERVICE_NAME
# -
# - Defaults to SERVICE_GROUP="lool"
# -
#SERVICE_GROUP="lool"
# - HAS_SERVICE_CHAIN
# -
# - Possible values: true or false
# -
# - If Service has an seperate file for certificate chain, then
# - set UPDATE_SERVICE_CHAIN to 'true'
# -
# - Defaults to UPDATE_SERVICE_CHAIN=true
# -
#HAS_SERVICE_CHAIN=true
# - LE_BASE_CERT_DIR
# -
# - Base directory of Let's Encrypt certs/key
# -
# - Defaults to LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"
# -
#LE_BASE_CERT_DIR="/var/lib/dehydrated/certs"