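#!/bin/bash
#
# Issue or renew the TLS certificate for one site and point nginx at it.
#
# Usage:
#   $0 CERTS_DIR SUBJ [EXT]
#   $1  CERTS_DIR  directory that holds the dated key/csr/crt files and the
#                  private.key / public.crt symlinks nginx is configured with
#   $2  SUBJ       X.509 subject handed to `openssl req -subj`
#   $3  EXT        body of the [san] section of the request config,
#                  e.g. subjectAltName=DNS:mysite.com,DNS:www.mysite.com
#
# Does nothing (exit 0) while CERTS_DIR/public.crt is still valid for at least
# ten more days. Needs root: it chowns the key and reloads nginx.
set -euo pipefail

# Unprivileged account that runs sign-cert.py (the ACME client side).
readonly ACMEUSER="bw"
# Group that is granted read access to the private key (nginx workers).
readonly WWWGROUP="www-data"

CERTS_DIR="${1:-}"
SUBJ="${2:-}"
EXT="${3:-}"
TMP_DIR="/tmp"

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Print usage to stderr and exit with a usage error, so a caller (e.g. cron)
# can tell a misconfigured invocation from a successful no-op.
usage() {
  cat >&2 <<EOF
Usage:
$0 \\
 /mysite/certs/dir/ \\
 /CN=mysite.com \\
 subjectAltName=DNS:mysite.com,DNS:www.mysite.com
EOF
  exit 2
}

if [[ -z "$CERTS_DIR" || -z "$SUBJ" ]]; then
  usage
fi

# Directory this script lives in; sign-cert.py is expected to sit next to it.
BASE_DIR=$(cd "$(dirname "$0")" && pwd)
# Timestamp used as the file stem of this issuance (nanoseconds avoid clashes).
NAME=$(date +%Y-%m-%d--%H-%M-%S--%N)
PREFIX="$CERTS_DIR/$NAME"
TMP_PREFIX="$TMP_DIR/$NAME"

# 864000 s = 10 days. A missing or unreadable public.crt makes openssl fail,
# which falls through to issuing a new certificate.
if openssl x509 -checkend 864000 -noout -in "$CERTS_DIR/public.crt"; then
  echo " -------------------------------------------- "
  echo " certificate is actual now ($NAME) "
  echo " -------------------------------------------- "
  exit 0
fi

echo " -------------------------------------------- "
echo " begin $PREFIX "
echo " -------------------------------------------- "

mkdir -p "$CERTS_DIR"

# Generate key and CSR under a restrictive umask so the private key is never
# world-readable, not even briefly: do not rely on `openssl req` to restrict
# the mode of -keyout. The CSR carries no secret and has to stay readable by
# $ACMEUSER for signing, hence the explicit chmod afterwards.
# $EXT is passed as a single printf argument so it reaches the [san] section
# unchanged (the previous unquoted echo word-split and globbed it).
(
  umask 077
  openssl req -newkey rsa:4096 -sha512 -nodes \
    -keyout "$PREFIX.key" \
    -out "$PREFIX.csr" \
    -subj "$SUBJ" \
    -reqexts san \
    -config <(printf '%s\n' '[req]' 'distinguished_name=req' '[san]' "$EXT")
)
chmod 644 "$PREFIX.csr"

# Have the CSR signed as the unprivileged ACME user; only the CSR (public data)
# crosses the privilege boundary, the key stays root-owned.
sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$PREFIX.crt"

echo "compare modulus"
# The issued certificate must belong to the key generated above.
MODULUS_CRT=$(openssl x509 -noout -modulus -in "$PREFIX.crt")
MODULUS_KEY=$(openssl rsa -noout -modulus -in "$PREFIX.key")
if [[ "$MODULUS_CRT" != "$MODULUS_KEY" ]]; then
  die "modulus of certificate does not match modulus of key"
fi
echo "ok"

echo "verify certificate"
# NOTE(review): nothing in this script writes "$TMP_PREFIX.crt" (sign-cert.py
# above is told to write "$PREFIX.crt" directly), and verifying a certificate
# with itself as -CAfile proves nothing about its chain. If sign-cert.py does
# not create the temp file, `set -e` aborts here after a successful signing.
# Confirm against sign-cert.py. A predictable name under /tmp is also exposed
# to other local users; a mktemp-created path would be safer.
openssl verify -CAfile "$PREFIX.crt" "$TMP_PREFIX.crt"
cp "$TMP_PREFIX.crt" "$PREFIX.crt"
rm "$TMP_PREFIX.crt"

#chown root:root "$PREFIX.crt"
#chmod 644 "$PREFIX.crt"

echo "update symlinks"
# Key stays root-owned; nginx's group gets read access and nobody else does
# (g+r alone would have left an umask-022 key world-readable).
chown ":$WWWGROUP" "$PREFIX.key"
chmod 640 "$PREFIX.key"
cd "$CERTS_DIR"
# Relative link targets so the directory can be relocated as a whole.
ln -fs "$NAME.key" "private.key"
ln -fs "$NAME.crt" "public.crt"

# configtest runs first so a broken config aborts (set -e) before the reload.
service nginx configtest
service nginx reload

echo " -------------------------------------------- "
echo " done $PREFIX "
echo " -------------------------------------------- "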