Subversion Repositories ALCASAR

#!/bin/bash

#

# $Id: alcasar-importcert.sh 2295 2017-06-21 09:05:02Z tom.houdayer $

#

# alcasar-importcert.sh

# by Raphaël, Hugo, Clément, Bettyna & rexy

#

# This script is distributed under the Gnu General Public License (GPL)

#

# Script permettant

# - d'importer des certificats sur Alcasar

# - de revenir au certificat par default

#

# This script allows

# - to import a certificate in Alcasar

# - to go back to the default certificate

SED="/bin/sed -ri"

DIR_CERT="/etc/pki/tls"

CONF_FILE="/usr/local/etc/alcasar.conf"

PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`

PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`

usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key [-c /path/to/serverchain.crt]\n       alcasar-importcert.sh -d (restore default certificate)"

nb_args=$#

arg1=$1

function defaultNdd()

{

	$SED "s/^HOSTNAME=.*/HOSTNAME=alcasar/g" /usr/local/etc/alcasar.conf

	$SED "s/^DOMAIN=.*/DOMAIN=localdomain/g" /usr/local/etc/alcasar.conf

	cat <<EOF > /etc/hosts

127.0.0.1	localhost

$PRIVATE_IP	alcasar alcasar.localdomain

EOF

	$SED "s/^locationname.*/locationname\talcasar.localdomain/g" /etc/chilli.conf

	$SED "s/^uamserver.*/uamserver\thttps:\/\/alcasar.localdomain\/intercept.php/g" /etc/chilli.conf

	$SED "s/^radiusnasid.*/radiusnasid\talcasar.localdomain/g" /etc/chilli.conf

	$SED "s/^uamallowed.*/uamallowed\talcasar,alcasar.localdomain/g" /etc/chilli.conf

	$SED "s/^ServerName.*/ServerName alcasar.localdomain/g" /etc/httpd/conf/httpd.conf

	hostnamectl set-hostname alcasar.localdomain

	$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/alcasar.localdomain\//g" /etc/httpd/conf/webapps.d/alcasar.conf

	$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf

	$SED "s/^    ServerName.*/    ServerName alcasar.localdomain/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf

}

function defaultCert()

{

	mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt

	mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key

	if [ -f $DIR_CERT/certs/server-chain.crt.old ]

	then

		mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt

	fi

}

function domainName() # change the domain name in the conf files

{

	fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)

	#check if there is a wildcard in $fqdn

	if [[ $fqdn == *"*"* ]];

	then

		hostname="alcasar"

		fqdn=${fqdn/"*"/$hostname}

	else

		hostname=`echo $fqdn | awk -F'.' '{ print $1 }'`

	fi

	domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' | sed 's/^.//'`

	echo "fqdn=$fqdn hostname=$hostname domain=$domain"

	#check fqdn format      

	if [[ "$fqdn" != "" && "$domain" != "" ]];

	then

		$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf

		$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf

		domainNames="alcasar.localdomain $hostname $fqdn"

		if [ "$hostname" != "alcasar" ]; then domainNames="alcasar $domainNames"; fi

		cat <<EOF > /etc/hosts

127.0.0.1	localhost

$PRIVATE_IP	$domainNames

EOF

		$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf

		$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf

		$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf

		$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf

		$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf

		hostnamectl set-hostname $fqdn

		$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf

		$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf

		$SED "s/^    ServerName.*/    ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default

	fi

}

function certImport()

{

	if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]

	then

		echo "Backup of old cert (alcasar.crt)"

		mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old

	fi

	if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]

	then

		echo "Backup of old private key (alcasar.key)"

		mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old

	fi

	cp $cert $DIR_CERT/certs/alcasar.crt

	cp $key $DIR_CERT/private/alcasar.key

	chown root:apache $DIR_CERT/certs/alcasar.crt

	chown root:apache $DIR_CERT/private/alcasar.key

	chmod 750 $DIR_CERT/certs/alcasar.crt

	chmod 750 $DIR_CERT/private/alcasar.key

	if [ "$sc" != "" ]

	then

		echo "cert-chain exists"

		if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]

		then

			echo "Backup of old cert-chain (server-chain.crt)"

			mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old

		fi

		cp $sc $DIR_CERT/certs/server-chain.crt

		chown root:apache $DIR_CERT/certs/server-chain.crt

		chmod 750 $DIR_CERT/certs/server-chain.crt

	fi

}

if [ $nb_args -eq 0 ]

then

	echo -e "$usage"

	exit 1

fi

case $arg1 in

	-\? | -h* | --h*)

		echo -e "$usage"

		exit 0

		;;

	-i)

		arg3=$3

		arg5=$5

		cert=$2

		key=$4

		sc=$6

		if [ "$cert" == "" ] || [ "$key" == "" ]

		then

			echo -e "$usage"

			exit 1

		fi

		if [ ! -f "$cert" ] || [ ! -f "$key" ]

		then

			echo "Certificate and/or private key not found"

			exit 1

		fi

		if [ ${cert: -4} != ".crt" ] && [ ${cert: -4} != ".cer" ]

		then

			echo "Invalid certificate file"

			exit 1

		fi

		if [ ${key: -4} != ".key" ]

		then

			echo "Invalid private key"

			exit 1

		fi

		if [ "$arg5" != "-c" ] || [ -z "$sc" ]

		then

			echo "No server-chain given"

			echo "Importing certificate $cert with private key $key"

			sc=""

		else

			if [ ! -f "$sc" ]

			then

				echo "Server-chain certificate not found"

				exit 1

			fi

			if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ]

			then

				echo "Invalid server-chain certificate file"

				exit 1

			fi

			echo "Importing certificate $cert with private key $key and server-chain $sc"

		fi

		domainName $cert

		certImport $cert $key $sc

		for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd

		do

			echo "restarting $services"; systemctl restart $services; sleep 1

		done

		;;

	-d)

		if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]

		then

			echo "Restoring default certificate"

			defaultCert

			defaultNdd

			for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd

			do

				echo "restarting $services"; systemctl restart $services; sleep 1

			done

		fi

		;;

	*)

		echo -e "$usage"

		;;

esac