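#!/bin/bash
#
# Generate a fresh RSA-4096 key and CSR under CERTS_DIR, let ACMEUSER sign the
# CSR with the sibling sign-cert.py, verify that the returned certificate
# belongs to the generated key, and repoint the stable names private.key and
# public.crt at the new pair.
#
# Usage:
#   <this script> ACMEUSER CERTS_DIR SUBJ [EXT]
#     ACMEUSER   account that runs sign-cert.py (invoked via sudo -u)
#     CERTS_DIR  directory that receives the timestamped key/csr/crt files
#     SUBJ       OpenSSL subject string, e.g. /CN=mysite.com
#     EXT        optional body of the [san] section handed to openssl req,
#                e.g. subjectAltName=DNS:mysite.com,DNS:www.mysite.com
#
# Files written: CERTS_DIR/<timestamp>.key, .csr and .crt, plus the symlinks
# CERTS_DIR/private.key -> <timestamp>.key and CERTS_DIR/public.crt -> <timestamp>.crt.
# Exit status: 0 on success, 1 on a failed step or key/cert mismatch, 2 on usage error.

set -euo pipefail

#######################################
# Print the invocation synopsis and stop with a usage error.
# Globals:   $0 (read)
# Outputs:   usage text on stderr
# Returns:   exits with status 2
#######################################
usage() {
  cat >&2 <<EOF
Usage:
$0 \\
    acmeuser \\
    /mysite/certs/dir/ \\
    /CN=mysite.com \\
    subjectAltName=DNS:mysite.com,DNS:www.mysite.com
EOF
  exit 2
}

#######################################
# Report a fatal error and abort.
# Arguments: message words
# Outputs:   "ERROR: <message>" on stderr
# Returns:   exits with status 1
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a progress banner around a single line of text.
# Arguments: message words
# Outputs:   three-line banner on stdout
#######################################
banner() {
  printf ' -------------------------------------------- \n'
  printf ' %s \n' "$*"
  printf ' -------------------------------------------- \n'
}

#######################################
# Drive the whole key -> CSR -> signed certificate -> symlink sequence.
# Arguments: $1 ACMEUSER, $2 CERTS_DIR, $3 SUBJ, $4 EXT (optional)
# Outputs:   progress on stdout; errors on stderr
# Returns:   0 on success; exits non-zero on any failure (set -e)
#######################################
main() {
  local acmeuser=${1-} certs_dir=${2-} subj=${3-} ext=${4-}
  if [[ -z "$acmeuser" || -z "$certs_dir" || -z "$subj" ]]; then
    usage
  fi

  local base_dir name prefix
  # sign-cert.py is expected next to this script.
  base_dir=$(cd "$(dirname "$0")" && pwd)
  # Nanoseconds keep two runs within the same second from colliding on a name.
  name=$(date +%Y-%m-%d--%H-%M-%S--%N)
  prefix="$certs_dir/$name"

  banner "begin $prefix"

  mkdir -p -- "$certs_dir"
  # The [san] section is built from EXT; quoting keeps commas/spaces and
  # shell globs in the argument intact.  -nodes writes the key unencrypted,
  # so the directory's permissions are what protects it.
  openssl req -newkey rsa:4096 -sha512 -nodes \
    -keyout "$prefix.key" \
    -out "$prefix.csr" \
    -subj "$subj" \
    -reqexts san \
    -config <(printf '[req]\ndistinguished_name=req\n[san]\n%s\n' "$ext")
  sudo -u "$acmeuser" -- "$base_dir/sign-cert.py" "$prefix.csr" "$prefix.crt"
  [[ -s "$prefix.crt" ]] || die "sign-cert.py produced no certificate at $prefix.crt"

  echo "compare modulus"
  # The modulus is read from the signed certificate (not the CSR) and from
  # the private key; a mismatch means the signer returned the wrong cert.
  local modulus_crt modulus_key
  modulus_crt=$(openssl x509 -noout -modulus -in "$prefix.crt")
  modulus_key=$(openssl rsa -noout -modulus -in "$prefix.key")
  if [[ "$modulus_crt" != "$modulus_key" ]]; then
    die "modulus of certificate do not matches modulus of key"
  fi
  echo "ok"

  # Relative link targets keep the links valid if CERTS_DIR is moved, and
  # avoid the dangling link a relative CERTS_DIR would otherwise produce.
  # public.crt must point at the certificate only -- never at the key.
  ln -fs -- "$name.key" "$certs_dir/private.key"
  ln -fs -- "$name.crt" "$certs_dir/public.crt"

  banner "done $prefix"
}

main "$@"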