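#!/bin/bash
# alcasar-importcert.sh
# by Raphaël, Hugo, Clément, Bettyna & rexy

# This script is distributed under the Gnu General Public License (GPL)

# Script permettant
# - d'importer des certificats sur Alcasar
# - de revenir au certificat par défaut

# This script allows
# - to import a certificate in Alcasar
# - to go back to the default certificate
#
# The interpreter is bash, not sh: the script relies on [[ ]], "==",
# "${var: -4}" and the "function" keyword, none of which POSIX sh provides.

# Global settings.
# $SED is deliberately expanded unquoted so that "-ri" (extended regex,
# in-place edit) is passed to sed as a separate word.
SED="/bin/sed -ri"
DIR_CERT="/etc/pki/tls"
CONF_FILE="/usr/local/etc/alcasar.conf"
# PRIVATE_IP is stored as "address/prefix" in $CONF_FILE; the key is anchored
# so that a longer key or a comment mentioning PRIVATE_IP cannot be picked up.
PRIVATE_IP_MASK=$(grep '^PRIVATE_IP=' "$CONF_FILE" | cut -d'=' -f2)
# Address part only (everything before the first "/").
PRIVATE_IP=${PRIVATE_IP_MASK%%/*}
DEFAULT_FQDN='alcasar.localdomain'

usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key (-c /path/to/serverchain.crt) || alcasar-importcert.sh -d (Cette utilisation permet de revenir au certificat par default)"
nb_args=$#
arg1=$1
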
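#######################################
# Put the hostname/domain back to the default "alcasar.localdomain" in the
# ALCASAR, chilli, httpd and dnsmasq configuration files, and rename the
# machine accordingly.
# NOTE(review): /etc/httpd/conf/vhosts-ssl.default, which domainName()
# rewrites, is not reverted here, and the chilli.conf regex only matches
# domains made of one or two labels — confirm this covers deployed domains.
# Globals:   SED, CONF_FILE, DEFAULT_FQDN (read)
# Arguments: none
# Outputs:   nothing on stdout (sed/hostnamectl diagnostics go to stderr)
# Returns:   exit status of the last sed invocation
#######################################
function defaultNdd()
{
	local hostname="alcasar"
	local domain="localdomain"
	$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" "$CONF_FILE"
	$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" "$CONF_FILE"
	# Replace whatever domain follows the host name in /etc/hosts.
	$SED "s/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.$domain/g" /etc/hosts
	# Any "alcasar.<domain>" occurrence in chilli.conf (uamserver, radiusnasid, ...).
	$SED "s/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/$DEFAULT_FQDN/g" /etc/chilli.conf
	$SED "s/^domain.*/domain\t\t$domain/g" /etc/chilli.conf
	$SED "s/^ServerName.*/ServerName $DEFAULT_FQDN/g" /etc/httpd/conf/httpd.conf
	$SED "s/^domain=.*/domain=$domain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
	hostnamectl set-hostname "$DEFAULT_FQDN"
	$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$DEFAULT_FQDN\//g" /etc/httpd/conf/webapps.d/alcasar.conf
	$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $DEFAULT_FQDN/g" /etc/httpd/conf/webapps.d/alcasar.conf
	$SED "s/^    ServerName.*/    ServerName $DEFAULT_FQDN/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf
}
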
#######################################
# Restore the certificate and private key saved by certImport() (the ".old"
# copies) and, when one had been saved, the server chain.
# An imported chain that has no saved predecessor is left in place.
# Globals:   DIR_CERT (read)
# Arguments: none
# Returns:   status of the last mv / test executed
#######################################
function defaultCert()
{
	local certs="$DIR_CERT/certs"
	local private="$DIR_CERT/private"

	mv -f "$certs/alcasar.crt.old" "$certs/alcasar.crt"
	mv -f "$private/alcasar.key.old" "$private/alcasar.key"

	if [ -f "$certs/server-chain.crt.old" ]; then
		mv "$certs/server-chain.crt.old" "$certs/server-chain.crt"
	fi
}

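#######################################
# Read the CN of the certificate being imported and propagate it as the
# machine's FQDN into the ALCASAR, chilli, httpd and dnsmasq configuration.
# Nothing is rewritten unless the CN yields a host part "alcasar", a
# non-empty domain, and contains only hostname characters.
# Globals:   SED, CONF_FILE, PRIVATE_IP (read); cert (read when $1 is absent);
#            fqdn, hostname, domain (written — kept global as in the original)
# Arguments: $1 - path to the certificate (defaults to $cert)
# Outputs:   one diagnostic line "fqdn=... hostname=... domain=..." on stdout
# Returns:   0 when the configuration was not touched, otherwise the status
#            of the last sed invocation
#######################################
function domainName() # change the domain name in the conf files
{
	local cert_file="${1:-$cert}"
	local mystar='*'

	# NOTE(review): this parsing expects "CN=" without spaces in the openssl
	# subject output; confirm against the openssl version deployed.
	fqdn=$(openssl x509 -noout -subject -in "$cert_file" | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)

	# A wildcard certificate ("*.example.org") is mapped onto the host
	# "alcasar". The pattern must be quoted: an unquoted "*" is a glob that
	# matches the whole string and would turn the FQDN into just "alcasar".
	if [[ $fqdn == *"${mystar}"* ]]; then
		hostname="alcasar"
		fqdn=${fqdn/"$mystar"/$hostname}
	else
		hostname=${fqdn%%.*}
	fi
	# Domain = everything after the first label; empty when there is no dot.
	if [[ $fqdn == *.* ]]; then
		domain=${fqdn#*.}
	else
		domain=""
	fi
	echo "fqdn=$fqdn hostname=$hostname domain=$domain"

	# Check the fqdn format. The value is spliced into sed replacements and
	# configuration files below, so it is restricted to hostname characters.
	if [[ "$fqdn" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ && "$domain" != "" && "$hostname" == "alcasar" ]]; then
		$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" "$CONF_FILE"
		$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" "$CONF_FILE"
		cat <<EOF > /etc/hosts
127.0.0.1	localhost
$PRIVATE_IP	$fqdn $hostname
EOF
		$SED "s/^domain.*/domain\t\t$domain/g" /etc/chilli.conf
		$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf
		$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf
		$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf
		$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf
		$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf
		$SED "s/^domain=.*/domain=$domain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
		hostnamectl set-hostname "$fqdn"
		$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf
		$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
		$SED "s/^    ServerName.*/    ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
	fi
}
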
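#######################################
# Install the new certificate, private key and (optionally) server chain in
# $DIR_CERT, keeping a one-time ".old" copy of the files they replace so that
# defaultCert() can restore them. The source files are removed afterwards.
# Globals:   DIR_CERT (read); cert, key, sc (read when $1/$2/$3 are absent)
# Arguments: $1 - certificate path (defaults to $cert)
#            $2 - private key path (defaults to $key)
#            $3 - server chain path, empty when none (defaults to $sc)
# Outputs:   progress messages on stdout
# Returns:   status of the last chmod executed
#######################################
function certImport()
{
	local cert_src="${1:-$cert}"
	local key_src="${2:-$key}"
	local chain_src="${3:-$sc}"
	local certs="$DIR_CERT/certs"
	local private="$DIR_CERT/private"

	# The ".old" copies are the factory default: created once, never
	# overwritten by a later import.
	if [ ! -f "$certs/alcasar.crt.old" ]
	then
		echo "Backup of old cert (alcasar.crt)"
		mv -- "$certs/alcasar.crt" "$certs/alcasar.crt.old"
	fi
	if [ ! -f "$private/alcasar.key.old" ]
	then
		echo "Backup of old private key (alcasar.key)"
		mv -- "$private/alcasar.key" "$private/alcasar.key.old"
	fi
	# Copy under a restrictive umask so a freshly created key is never
	# world-readable, even briefly, before the chmod below.
	(umask 077; cp -- "$cert_src" "$certs/alcasar.crt")
	(umask 077; cp -- "$key_src" "$private/alcasar.key")

	# The uploaded files are consumed: they are deleted once copied.
	rm -- "$cert_src" "$key_src"

	# Readable by root and the apache group only.
	# NOTE(review): 640 would suffice — PEM files never need execute bits.
	chown root:apache "$certs/alcasar.crt" "$private/alcasar.key"
	chmod 750 "$certs/alcasar.crt" "$private/alcasar.key"

	if [ "$chain_src" != "" ]
	then
		echo "cert-chain exists"
		if [ ! -f "$certs/server-chain.crt.old" ]
		then
			echo "Backup of old cert-chain (server-chain.crt)"
			mv -- "$certs/server-chain.crt" "$certs/server-chain.crt.old"
		fi
		(umask 077; cp -- "$chain_src" "$certs/server-chain.crt")
		rm -- "$chain_src"
		chown root:apache "$certs/server-chain.crt"
		chmod 750 "$certs/server-chain.crt"
	fi
}
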
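#######################################
# Restart the services that read the hostname or the certificate, one at a
# time (same list for import and restore).
# Arguments: none
# Outputs:   one "restarting <service>" line per service on stdout
#######################################
function restartServices()
{
	local services
	for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd
	do
		echo "restarting $services"; systemctl restart "$services"; sleep 1
	done
}

if [ "$nb_args" -eq 0 ]
then
	echo "$usage"
	exit 1
fi

case "$arg1" in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-i)
		# Positional syntax: -i <cert> -k <key> [-c <chain>]
		arg3=$3
		arg5=$5
		cert=$2
		key=$4
		sc=$6

		# "-k" is mandatory; reject a missing or misplaced switch as well as
		# missing paths.
		if [ "$cert" == "" ] || [ "$arg3" != "-k" ] || [ "$key" == "" ]
		then
			echo "$usage"
			exit 1
		fi

		if [ ! -f "$cert" ] || [ ! -f "$key" ]
		then
			echo "Certificate and/or private key not found"
			exit 1
		fi

		if [ "${cert: -4}" != ".crt" ]
		then
			echo "Invalid certificate file"
			exit 1
		fi

		if [ "${key: -4}" != ".key" ]
		then
			echo "Invalid private key"
			exit 1
		fi

		# The key must belong to the certificate, otherwise httpd fails to
		# start after the import. Public keys are compared so the check works
		# for any key type; an encrypted key fails the check instead of
		# prompting. Without openssl both sides are empty and the check is a
		# no-op.
		if [ "$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" != "$(openssl pkey -pubout -passin pass: -in "$key" 2>/dev/null)" ]
		then
			echo "Certificate and private key do not match"
			exit 1
		fi

		if [ "$arg5" != "-c" ] || [ ! -f "$sc" ]
		then
			echo "No server-chain given"
			echo "Importing certificate $cert with private key $key"
			sc=""
		else
			echo "Importing certificate $cert with private key $key and server-chain $sc"
		fi
		domainName "$cert"
		certImport "$cert" "$key" "$sc"
		restartServices
		;;
	-d)
		if [ -f "$DIR_CERT/certs/alcasar.crt.old" ] && [ -f "$DIR_CERT/private/alcasar.key.old" ]
		then
			echo "Restoring default certificate"
			defaultCert
			defaultNdd
			restartServices
		else
			# Nothing to restore: say so instead of exiting silently with success.
			echo "No saved default certificate found in $DIR_CERT" >&2
			exit 1
		fi
		;;
	*)
		# Unknown switch: same outcome as calling with no arguments.
		echo "$usage"
		exit 1
		;;
esac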