Subversion Repositories ALCASAR

Rev

Rev 2554 | Rev 2813 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
2260 tom.houday 1
#!/bin/bash
2223 tom.houday 2
#
3
# $Id: alcasar-importcert.sh 2688 2019-01-18 23:15:49Z lucas.echard $
4
#
1710 richard 5
# alcasar-importcert.sh
1736 richard 6
# by Raphaël, Hugo, Clément, Bettyna & rexy
2223 tom.houday 7
#
1710 richard 8
# This script is distributed under the Gnu General Public License (GPL)
2223 tom.houday 9
#
1710 richard 10
# Script permettant
11
# - d'importer des certificats sur Alcasar
1733 richard 12
# - de revenir au certificat par default
2223 tom.houday 13
#
1710 richard 14
# This script allows
1733 richard 15
# - to import a certificate in Alcasar
16
# - to go back to the default certificate
1710 richard 17
 
18
SED="/bin/sed -ri"
19
DIR_CERT="/etc/pki/tls"
1736 richard 20
CONF_FILE="/usr/local/etc/alcasar.conf"
2260 tom.houday 21
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
1736 richard 22
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
1710 richard 23
 
2260 tom.houday 24
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key [-c /path/to/serverchain.crt]\n       alcasar-importcert.sh -d (restore default certificate)"
1710 richard 25
nb_args=$#
1733 richard 26
arg1=$1
1710 richard 27
 
1733 richard 28
function defaultNdd()
29
{
1758 richard 30
	$SED "s/^HOSTNAME=.*/HOSTNAME=alcasar/g" /usr/local/etc/alcasar.conf
31
	$SED "s/^DOMAIN=.*/DOMAIN=localdomain/g" /usr/local/etc/alcasar.conf
2309 tom.houday 32
	/usr/local/bin/alcasar-conf.sh --apply
1733 richard 33
}
34
 
35
function defaultCert()
36
{
1740 richard 37
	mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
38
	mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
39
	if [ -f $DIR_CERT/certs/server-chain.crt.old ]
1733 richard 40
	then
1740 richard 41
		mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
1733 richard 42
	fi
2554 lucas.echa 43
 
44
	(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
45
 
2488 lucas.echa 46
	chown root:apache $DIR_CERT/private/alcasar.pem
47
	chmod 750 $DIR_CERT/private/alcasar.pem
1733 richard 48
}
49
 
1710 richard 50
function domainName() # change the domain name in the conf files
51
{
1744 clement.si 52
	fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
1934 raphael.pi 53
 
2260 tom.houday 54
	#check if there is a wildcard in $fqdn
55
	if [[ $fqdn == *"*"* ]];
56
	then
57
		hostname="alcasar"
58
		fqdn=${fqdn/"*"/$hostname}
59
	else
2472 tom.houday 60
		hostname=$(echo $fqdn | cut -d'.' -f1)
2260 tom.houday 61
	fi
2472 tom.houday 62
	domain=$(echo $fqdn | cut -d'.' -f2-)
2260 tom.houday 63
	echo "fqdn=$fqdn hostname=$hostname domain=$domain"
1934 raphael.pi 64
 
2454 tom.houday 65
	#check fqdn format
2309 tom.houday 66
	if [[ "$fqdn" != "" && "$domain" != "" ]]; then
1758 richard 67
		$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
1736 richard 68
		$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
2309 tom.houday 69
		/usr/local/bin/alcasar-conf.sh --apply
1710 richard 70
	fi
71
}
72
 
73
function certImport()
74
{
1740 richard 75
	if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
1710 richard 76
	then
77
		echo "Backup of old cert (alcasar.crt)"
1740 richard 78
		mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
1710 richard 79
	fi
1740 richard 80
	if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
1710 richard 81
	then
82
		echo "Backup of old private key (alcasar.key)"
1740 richard 83
		mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
1710 richard 84
	fi
2260 tom.houday 85
 
1740 richard 86
	cp $cert $DIR_CERT/certs/alcasar.crt
87
	cp $key $DIR_CERT/private/alcasar.key
1733 richard 88
 
2554 lucas.echa 89
	(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
90
 
1740 richard 91
	chown root:apache $DIR_CERT/certs/alcasar.crt
92
	chown root:apache $DIR_CERT/private/alcasar.key
2488 lucas.echa 93
	chown root:apache $DIR_CERT/private/alcasar.pem
1710 richard 94
 
1740 richard 95
	chmod 750 $DIR_CERT/certs/alcasar.crt
96
	chmod 750 $DIR_CERT/private/alcasar.key
2488 lucas.echa 97
	chmod 750 $DIR_CERT/private/alcasar.pem
2260 tom.houday 98
 
1710 richard 99
	if [ "$sc" != "" ]
100
	then
101
		echo "cert-chain exists"
1740 richard 102
		if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
1710 richard 103
		then
104
			echo "Backup of old cert-chain (server-chain.crt)"
1740 richard 105
			mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
1710 richard 106
		fi
1740 richard 107
		cp $sc $DIR_CERT/certs/server-chain.crt
108
		chown root:apache $DIR_CERT/certs/server-chain.crt
109
		chmod 750 $DIR_CERT/certs/server-chain.crt
1710 richard 110
	fi
111
}
112
 
1733 richard 113
 
114
if [ $nb_args -eq 0 ]
1710 richard 115
then
2260 tom.houday 116
	echo -e "$usage"
1733 richard 117
	exit 1
1710 richard 118
fi
119
 
1733 richard 120
case $arg1 in
1710 richard 121
	-\? | -h* | --h*)
2260 tom.houday 122
		echo -e "$usage"
1710 richard 123
		exit 0
124
		;;
125
	-i)
1733 richard 126
		arg3=$3
127
		arg5=$5
128
		cert=$2
129
		key=$4
130
		sc=$6
131
 
132
		if [ "$cert" == "" ] || [ "$key" == "" ]
133
		then
2260 tom.houday 134
			echo -e "$usage"
1733 richard 135
			exit 1
136
		fi
137
 
2260 tom.houday 138
		if [ ! -f "$cert" ] || [ ! -f "$key" ]
1733 richard 139
		then
140
			echo "Certificate and/or private key not found"
141
			exit 1
142
		fi
143
 
2261 tom.houday 144
		if [ ${cert: -4} != ".crt" ] && [ ${cert: -4} != ".cer" ]
1733 richard 145
		then
146
			echo "Invalid certificate file"
147
			exit 1
148
		fi
149
 
150
		if [ ${key: -4} != ".key" ]
151
		then
152
			echo "Invalid private key"
153
			exit 1
154
		fi
155
 
2261 tom.houday 156
		if [ "$arg5" != "-c" ] || [ -z "$sc" ]
1733 richard 157
		then
158
			echo "No server-chain given"
159
			echo "Importing certificate $cert with private key $key"
160
			sc=""
161
		else
2261 tom.houday 162
			if [ ! -f "$sc" ]
163
			then
164
				echo "Server-chain certificate not found"
165
				exit 1
166
			fi
167
			if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ]
168
			then
169
				echo "Invalid server-chain certificate file"
170
				exit 1
171
			fi
1733 richard 172
			echo "Importing certificate $cert with private key $key and server-chain $sc"
173
		fi
174
		domainName $cert
175
		certImport $cert $key $sc
2688 lucas.echa 176
		for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
1740 richard 177
		do
178
			echo "restarting $services"; systemctl restart $services; sleep 1
179
		done
1710 richard 180
		;;
1733 richard 181
	-d)
182
		if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
183
		then
184
			echo "Restoring default certificate"
185
			defaultCert
186
			defaultNdd
2688 lucas.echa 187
			for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
1740 richard 188
			do
189
				echo "restarting $services"; systemctl restart $services; sleep 1
190
			done
1733 richard 191
		fi
192
		;;
1710 richard 193
	*)
2260 tom.houday 194
		echo -e "$usage"
1710 richard 195
		;;
196
esac