| 2260 |
tom.houday |
1 |
#!/bin/bash
|
| 2223 |
tom.houday |
2 |
#
|
|
|
3 |
# $Id: alcasar-importcert.sh 2261 2017-05-29 20:04:37Z tom.houdayer $
|
|
|
4 |
#
|
| 1710 |
richard |
5 |
# alcasar-importcert.sh
|
| 1736 |
richard |
6 |
# by Raphaël, Hugo, Clément, Bettyna & rexy
|
| 2223 |
tom.houday |
7 |
#
|
| 1710 |
richard |
8 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 2223 |
tom.houday |
9 |
#
|
| 1710 |
richard |
10 |
# Script permettant
|
|
|
11 |
# - d'importer des certificats sur Alcasar
|
| 1733 |
richard |
12 |
# - de revenir au certificat par default
|
| 2223 |
tom.houday |
13 |
#
|
| 1710 |
richard |
14 |
# This script allows
|
| 1733 |
richard |
15 |
# - to import a certificate in Alcasar
|
|
|
16 |
# - to go back to the default certificate
|
| 1710 |
richard |
17 |
|
|
|
18 |
SED="/bin/sed -ri"
|
|
|
19 |
DIR_CERT="/etc/pki/tls"
|
| 1736 |
richard |
20 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| 2260 |
tom.houday |
21 |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
| 1736 |
richard |
22 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
|
| 1710 |
richard |
23 |
|
| 2260 |
tom.houday |
24 |
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key [-c /path/to/serverchain.crt]\n alcasar-importcert.sh -d (restore default certificate)"
|
| 1710 |
richard |
25 |
nb_args=$#
|
| 1733 |
richard |
26 |
arg1=$1
|
| 1710 |
richard |
27 |
|
| 1733 |
richard |
28 |
function defaultNdd()
|
|
|
29 |
{
|
| 1758 |
richard |
30 |
$SED "s/^HOSTNAME=.*/HOSTNAME=alcasar/g" /usr/local/etc/alcasar.conf
|
|
|
31 |
$SED "s/^DOMAIN=.*/DOMAIN=localdomain/g" /usr/local/etc/alcasar.conf
|
| 1963 |
richard |
32 |
cat <<EOF > /etc/hosts
|
|
|
33 |
127.0.0.1 localhost
|
|
|
34 |
$PRIVATE_IP alcasar alcasar.localdomain
|
|
|
35 |
EOF
|
|
|
36 |
$SED "s/^locationname.*/locationname\talcasar.localdomain/g" /etc/chilli.conf
|
|
|
37 |
$SED "s/^uamserver.*/uamserver\thttps:\/\/alcasar.localdomain\/intercept.php/g" /etc/chilli.conf
|
|
|
38 |
$SED "s/^radiusnasid.*/radiusnasid\talcasar.localdomain/g" /etc/chilli.conf
|
|
|
39 |
$SED "s/^uamallowed.*/uamallowed\talcasar,alcasar.localdomain/g" /etc/chilli.conf
|
| 1758 |
richard |
40 |
$SED "s/^ServerName.*/ServerName alcasar.localdomain/g" /etc/httpd/conf/httpd.conf
|
| 1740 |
richard |
41 |
hostnamectl set-hostname alcasar.localdomain
|
|
|
42 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/alcasar.localdomain\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 1747 |
richard |
43 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
|
|
44 |
$SED "s/^ ServerName.*/ ServerName alcasar.localdomain/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf
|
| 1733 |
richard |
45 |
}
|
|
|
46 |
|
|
|
47 |
function defaultCert()
|
|
|
48 |
{
|
| 1740 |
richard |
49 |
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
|
|
|
50 |
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
|
|
|
51 |
if [ -f $DIR_CERT/certs/server-chain.crt.old ]
|
| 1733 |
richard |
52 |
then
|
| 1740 |
richard |
53 |
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
|
| 1733 |
richard |
54 |
fi
|
|
|
55 |
}
|
|
|
56 |
|
| 1710 |
richard |
57 |
function domainName() # change the domain name in the conf files
|
|
|
58 |
{
|
| 1744 |
clement.si |
59 |
fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
|
| 1934 |
raphael.pi |
60 |
|
| 2260 |
tom.houday |
61 |
#check if there is a wildcard in $fqdn
|
|
|
62 |
if [[ $fqdn == *"*"* ]];
|
|
|
63 |
then
|
|
|
64 |
hostname="alcasar"
|
|
|
65 |
fqdn=${fqdn/"*"/$hostname}
|
|
|
66 |
else
|
|
|
67 |
hostname=`echo $fqdn | awk -F'.' '{ print $1 }'`
|
|
|
68 |
fi
|
|
|
69 |
domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' | sed 's/^.//'`
|
|
|
70 |
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
|
| 1934 |
raphael.pi |
71 |
|
| 2260 |
tom.houday |
72 |
#check fqdn format
|
|
|
73 |
if [[ "$fqdn" != "" && "$domain" != "" && "$hostname" == "alcasar" ]];
|
| 1733 |
richard |
74 |
then
|
| 1758 |
richard |
75 |
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
|
| 1736 |
richard |
76 |
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
|
|
|
77 |
cat <<EOF > /etc/hosts
|
|
|
78 |
127.0.0.1 localhost
|
| 1963 |
richard |
79 |
$PRIVATE_IP $hostname $hostname.localdomain $fqdn
|
| 1736 |
richard |
80 |
EOF
|
|
|
81 |
$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf
|
|
|
82 |
$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf
|
|
|
83 |
$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf
|
|
|
84 |
$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf
|
|
|
85 |
$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf
|
| 1740 |
richard |
86 |
hostnamectl set-hostname $fqdn
|
|
|
87 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 1747 |
richard |
88 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
|
|
89 |
$SED "s/^ ServerName.*/ ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
|
| 1710 |
richard |
90 |
fi
|
|
|
91 |
}
|
|
|
92 |
|
|
|
93 |
function certImport()
|
|
|
94 |
{
|
| 1740 |
richard |
95 |
if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
|
| 1710 |
richard |
96 |
then
|
|
|
97 |
echo "Backup of old cert (alcasar.crt)"
|
| 1740 |
richard |
98 |
mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
|
| 1710 |
richard |
99 |
fi
|
| 1740 |
richard |
100 |
if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
|
| 1710 |
richard |
101 |
then
|
|
|
102 |
echo "Backup of old private key (alcasar.key)"
|
| 1740 |
richard |
103 |
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
|
| 1710 |
richard |
104 |
fi
|
| 2260 |
tom.houday |
105 |
|
| 1740 |
richard |
106 |
cp $cert $DIR_CERT/certs/alcasar.crt
|
|
|
107 |
cp $key $DIR_CERT/private/alcasar.key
|
| 1733 |
richard |
108 |
|
| 1740 |
richard |
109 |
chown root:apache $DIR_CERT/certs/alcasar.crt
|
|
|
110 |
chown root:apache $DIR_CERT/private/alcasar.key
|
| 1710 |
richard |
111 |
|
| 1740 |
richard |
112 |
chmod 750 $DIR_CERT/certs/alcasar.crt
|
|
|
113 |
chmod 750 $DIR_CERT/private/alcasar.key
|
| 2260 |
tom.houday |
114 |
|
| 1710 |
richard |
115 |
if [ "$sc" != "" ]
|
|
|
116 |
then
|
|
|
117 |
echo "cert-chain exists"
|
| 1740 |
richard |
118 |
if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
|
| 1710 |
richard |
119 |
then
|
|
|
120 |
echo "Backup of old cert-chain (server-chain.crt)"
|
| 1740 |
richard |
121 |
mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
|
| 1710 |
richard |
122 |
fi
|
| 1740 |
richard |
123 |
cp $sc $DIR_CERT/certs/server-chain.crt
|
|
|
124 |
chown root:apache $DIR_CERT/certs/server-chain.crt
|
|
|
125 |
chmod 750 $DIR_CERT/certs/server-chain.crt
|
| 1710 |
richard |
126 |
fi
|
|
|
127 |
}
|
|
|
128 |
|
| 1733 |
richard |
129 |
|
|
|
130 |
if [ $nb_args -eq 0 ]
|
| 1710 |
richard |
131 |
then
|
| 2260 |
tom.houday |
132 |
echo -e "$usage"
|
| 1733 |
richard |
133 |
exit 1
|
| 1710 |
richard |
134 |
fi
|
|
|
135 |
|
| 1733 |
richard |
136 |
case $arg1 in
|
| 1710 |
richard |
137 |
-\? | -h* | --h*)
|
| 2260 |
tom.houday |
138 |
echo -e "$usage"
|
| 1710 |
richard |
139 |
exit 0
|
|
|
140 |
;;
|
|
|
141 |
-i)
|
| 1733 |
richard |
142 |
arg3=$3
|
|
|
143 |
arg5=$5
|
|
|
144 |
cert=$2
|
|
|
145 |
key=$4
|
|
|
146 |
sc=$6
|
|
|
147 |
|
|
|
148 |
if [ "$cert" == "" ] || [ "$key" == "" ]
|
|
|
149 |
then
|
| 2260 |
tom.houday |
150 |
echo -e "$usage"
|
| 1733 |
richard |
151 |
exit 1
|
|
|
152 |
fi
|
|
|
153 |
|
| 2260 |
tom.houday |
154 |
if [ ! -f "$cert" ] || [ ! -f "$key" ]
|
| 1733 |
richard |
155 |
then
|
|
|
156 |
echo "Certificate and/or private key not found"
|
|
|
157 |
exit 1
|
|
|
158 |
fi
|
|
|
159 |
|
| 2261 |
tom.houday |
160 |
if [ ${cert: -4} != ".crt" ] && [ ${cert: -4} != ".cer" ]
|
| 1733 |
richard |
161 |
then
|
|
|
162 |
echo "Invalid certificate file"
|
|
|
163 |
exit 1
|
|
|
164 |
fi
|
|
|
165 |
|
|
|
166 |
if [ ${key: -4} != ".key" ]
|
|
|
167 |
then
|
|
|
168 |
echo "Invalid private key"
|
|
|
169 |
exit 1
|
|
|
170 |
fi
|
|
|
171 |
|
| 2261 |
tom.houday |
172 |
if [ "$arg5" != "-c" ] || [ -z "$sc" ]
|
| 1733 |
richard |
173 |
then
|
|
|
174 |
echo "No server-chain given"
|
|
|
175 |
echo "Importing certificate $cert with private key $key"
|
|
|
176 |
sc=""
|
|
|
177 |
else
|
| 2261 |
tom.houday |
178 |
if [ ! -f "$sc" ]
|
|
|
179 |
then
|
|
|
180 |
echo "Server-chain certificate not found"
|
|
|
181 |
exit 1
|
|
|
182 |
fi
|
|
|
183 |
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ]
|
|
|
184 |
then
|
|
|
185 |
echo "Invalid server-chain certificate file"
|
|
|
186 |
exit 1
|
|
|
187 |
fi
|
| 1733 |
richard |
188 |
echo "Importing certificate $cert with private key $key and server-chain $sc"
|
|
|
189 |
fi
|
|
|
190 |
domainName $cert
|
|
|
191 |
certImport $cert $key $sc
|
| 1765 |
richard |
192 |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd
|
| 1740 |
richard |
193 |
do
|
|
|
194 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
|
|
195 |
done
|
| 1710 |
richard |
196 |
;;
|
| 1733 |
richard |
197 |
-d)
|
|
|
198 |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
|
|
|
199 |
then
|
|
|
200 |
echo "Restoring default certificate"
|
|
|
201 |
defaultCert
|
|
|
202 |
defaultNdd
|
| 1765 |
richard |
203 |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd
|
| 1740 |
richard |
204 |
do
|
|
|
205 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
|
|
206 |
done
|
| 1733 |
richard |
207 |
fi
|
|
|
208 |
;;
|
| 1710 |
richard |
209 |
*)
|
| 2260 |
tom.houday |
210 |
echo -e "$usage"
|
| 1710 |
richard |
211 |
;;
|
|
|
212 |
esac
|