From 07608977bfbf5a5a3e6f5bc94649e3cc323db72a Mon Sep 17 00:00:00 2001
From: David Schroeder
Date: Sun, 16 Jul 2023 20:59:22 -0500
Subject: [PATCH] update
---
 defaults.inc | 1 +
 inc/certs.inc | 58 ++++++++++++++++----------------
 inc/sites.inc | 18 ++++++------
 nodemgmt-scripts.sh | 10 +++----
 templates/nginx.proxy.site | 4 +--
 templates/nginx.ssl.site | 4 +--
 6 files changed, 43 insertions(+), 52 deletions(-)
diff --git a/defaults.inc b/defaults.inc
index 117ad361..8f2839cd 100755
--- a/defaults.inc
+++ b/defaults.inc
@@ -48,6 +48,7 @@ if [ -f ${NM_FOLDER}/defaults.local.inc ]; then
 for ntype in "${NM_NODE_TYPES[@]}"; do
+ echo "NTYPE: $ntype"
 arr ${ntype}_HOSTS
 arr ${ntype}_SERVICES_CHECK
 arr ${ntype}_DOCKERS_CHECK
diff --git a/inc/certs.inc b/inc/certs.inc
index e661a32b..658d7825 100755
--- a/inc/certs.inc
+++ b/inc/certs.inc
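Review bot: The added `echo "NTYPE: $ntype"` looks like a leftover debug trace: it prints to stdout on every pass of the loop each time defaults.inc is loaded, and if this file is sourced by the scripts (the `defaults.local.inc` check in the hunk header suggests it is) the text will also leak into any command substitution that captures a caller's output. Either drop the line before merging or route it to stderr, e.g. `printf 'NTYPE: %s\n' "$ntype" >&2`. The enclosing `for ntype` loop ends outside the hunk, and two of the hunk's six context lines are not visible on this page.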
@@ -18,32 +18,22 @@ NEWCERT(){ echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}" echo - # echo -en "${idsCL[LightYellow]}Stopping other Webservers... ${idsCL[Default]}" - # for nip in "${WEB_HOSTS[@]}"; do - # if [[ $(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) != *"${nip}"* ]]; then - # # `ssh root@${nip} service nginx stop` - # # SERVICE nginx stop ${nip} - # fi - # done - # echo -e "${idsCL[Green]}Completed${idsCL[Default]}" - # echo - $CERT_DAEMON certonly --webroot -w /opt/lb-data/letsencrypt-acme-challenge -d ${NEW_CERT} # $CERT_DAEMON certonly --dry-run --webroot -w /var/www/html -d ${NEW_CERT} - chown -R root:le /opt/lb-data/letsencrypt - chmod -R 6775 /opt/lb-data/letsencrypt + chown -R root:le ${NM_CERTPATH} + chmod -R 6775 ${NM_CERTPATH} - if [ -d /opt/lb-data/letsencrypt/live/${MAIN_CERT} ]; then + if [ -d ${NM_CERTPATH}/live/${MAIN_CERT} ]; then - touch /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert + touch ${NM_CERTPATH}/live/${MAIN_CERT}/newcert if [ -f /opt/lb-data/nginx/sites-enabled/${MAIN_CERT}.conf ]; then rm -f ${NM_FOLDER}/cert-request.lastrun daterun=`date +%Y-%m-%d-%H-%M-%S` echo -e "${NEW_CERT}\n${daterun}" > ${NM_FOLDER}/cert-request.lastrun - yes | cp -rfH ${NM_FOLDER}/cert-request.lastrun /opt/lb-data/letsencrypt/cert-request.lastrun + yes | cp -rfH ${NM_FOLDER}/cert-request.lastrun ${NM_CERTPATH}/cert-request.lastrun DIVIDER true - if [ "${2}" != "newsite" ]; then + if [ "${2}" != "newsite" ] && [ "${NM_HOSTS['LB']}" != "" ]; then echo -e -n "${idsCL[LightCyan]}Reload NGINX on LB Nodes (Y/n): ${idsCL[Default]}" read -n 1 NGINXRELOAD if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then 
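Review bot: The new `chown -R root:le ${NM_CERTPATH}` / `chmod -R 6775 ${NM_CERTPATH}` pair, and the `touch ${NM_CERTPATH}/live/${MAIN_CERT}/newcert` below it, use the variable unquoted and with no check that it is set, so an empty value turns the `-d` and `touch` paths into `/live/${MAIN_CERT}` and leaves chown with no operand; a guard such as `: "${NM_CERTPATH:?NM_CERTPATH is not set}"` at the top of NEWCERT, with the expansions quoted, would make that failure explicit. The mode `6775` is carried over from the replaced line, but it still sets setuid/setgid plus group write on every file under the tree, including the `privkey.pem` files under `live/` that other hunks of this patch reference, so narrowing it is worth considering while the path is being centralised. The added condition reads `${NM_HOSTS['LB']}`, whereas LISTCERTS later in this file reads `${LB_HOSTS[0]}` and defaults.inc builds `${ntype}_HOSTS` arrays; confirm NM_HOSTS is actually populated with an `LB` key, otherwise the reload prompt is silently skipped. The NEWCERT body starts before and continues after this hunk.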
@@ -57,12 +47,12 @@ NEWCERT(){ if [[ $(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) != *"${nip}"* ]]; then checked=false until [ "${checked}" = "" ]; do - checked=`ssh root@${nip} "[ ! -f /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert ] && echo '.'"` + checked=`ssh root@${nip} "[ ! -f ${NM_CERTPATH}/live/${MAIN_CERT}/newcert ] && echo '.'"` done fi fi done - rm -f /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert + rm -f ${NM_CERTPATH}/live/${MAIN_CERT}/newcert echo -e "${idsCL[Green]}Completed${idsCL[Default]}" echo @@ -110,14 +100,14 @@ DEL-SSL(){ DEL_SSL=${1} fi if [ ! -z ${DEL_SSL+x} ] && [ "${DEL_SSL}" != "" ]; then - if [ -d /etc/letsencrypt/live/${DEL_SSL} ]; then + if [ -d ${NM_CERTPATH}/live/${DEL_SSL} ]; then echo -e "${idsCL[LightRed]}Deleting the SSL certificates for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}'...${idsCL[Default]}" echo echo -en "${idsCL[LightRed]}Removing Files and Folders... ${idsCL[Default]}" - rm -rf /etc/letsencrypt/archive/${DEL_SSL} - rm -rf /etc/letsencrypt/live/${DEL_SSL} - rm -f /etc/letsencrypt/renewal/${DEL_SSL}.conf + rm -rf ${NM_CERTPATH}/archive/${DEL_SSL} + rm -rf ${NM_CERTPATH}/live/${DEL_SSL} + rm -f ${NM_CERTPATH}/renewal/${DEL_SSL}.conf echo -e "${idsCL[Green]}OK${idsCL[Default]}" echo 
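Review bot: In DEL-SSL the rewritten `rm -rf ${NM_CERTPATH}/archive/${DEL_SSL}` and `rm -rf ${NM_CERTPATH}/live/${DEL_SSL}` expand both variables unquoted, so a value containing whitespace or a glob character is split into several operands of a recursive delete; the `-d` test above them only protects against an empty NM_CERTPATH because `/live/${DEL_SSL}` is unlikely to exist. Writing the deletions as `rm -rf -- "${NM_CERTPATH:?}/archive/${DEL_SSL}"` (and likewise for the `live/` and `renewal/` lines) makes the empty case abort and keeps each path a single word. The NEWCERT hunk at the top of this line has the same unquoted `${NM_CERTPATH}` inside the remote `ssh` test string, where it is expanded locally before the command is sent. Both functions start before and end after their hunks.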
@@ -147,11 +137,11 @@ CERTRENEW(){ # $CERT_DAEMON renew --force-renewal --preferred-chain "ISRG Root X1" --webroot -w /var/www/html 2>&1 | tee ${NM_FOLDER}/cert-renewal.lastrun # $CERT_DAEMON --dry-run --preferred-chain "ISRG Root X1" renew --webroot -w /var/www/html 2>&1 | tee ${NM_FOLDER}/cert-renewal.lastrun CONCAT_SSL - chown -R root:letsencrypt /etc/letsencrypt 2>&1 | tee -a ${NM_FOLDER}/cert-renewal.lastrun - chmod -R 6775 /etc/letsencrypt 2>&1 | tee -a ${NM_FOLDER}/cert-renewal.lastrun - yes | cp -rfH ${NM_FOLDER}/cert-renewal.lastrun /etc/letsencrypt/cert-renewal.lastrun + chown -R root:letsencrypt ${NM_CERTPATH} 2>&1 | tee -a ${NM_FOLDER}/cert-renewal.lastrun + chmod -R 6775 ${NM_CERTPATH} 2>&1 | tee -a ${NM_FOLDER}/cert-renewal.lastrun + yes | cp -rfH ${NM_FOLDER}/cert-renewal.lastrun ${NM_CERTPATH}/cert-renewal.lastrun daterun=`date +%Y-%m-%d-%H-%M-%S` - echo -e "${daterun}" >> /etc/letsencrypt/cert-renewal.lastrun + echo -e "${daterun}" >> ${NM_CERTPATH}/cert-renewal.lastrun DIVIDER true echo -en "${idsCL[LightCyan]}Starting Webserver-Node2 Back up...${idsCL[Default]}" ssh root@webserver-node2.scity.us service nginx start 
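Review bot: CERTRENEW now runs `chown -R root:letsencrypt ${NM_CERTPATH}` while NEWCERT in the same file runs `chown -R root:le ${NM_CERTPATH}` on the same tree, so the group ownership of the certificate directory flips depending on which function last ran, and only one of the two groups can be the one the web server's user belongs to. The `root:letsencrypt` form also appears in the NIGHTLYRENEW hunk and in the SET-PERMISSIONS hunks of nodemgmt-scripts.sh; pick one group and, ideally, hold it in a variable beside NM_CERTPATH (a constructed name such as `NM_CERTGROUP`) so the next path change does not repeat this split. Note also that `chown ... 2>&1 | tee -a ...` reports tee's status rather than chown's unless `pipefail` is set somewhere not visible here. The CERTRENEW body continues outside the hunk.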
@@ -171,18 +161,18 @@ NIGHTLYRENEW(){ sleep 5 $CERT_DAEMON renew --webroot -w /var/www/html &>> ${NM_FOLDER}/cert-renewal.lastrun CONCAT_SSL - chown -R root:letsencrypt /etc/letsencrypt &>> ${NM_FOLDER}/cert-renewal.lastrun - chmod -R 6775 /etc/letsencrypt &>> ${NM_FOLDER}/cert-renewal.lastrun - yes | cp -rfH ${NM_FOLDER}/cert-renewal.lastrun /etc/letsencrypt/cert-renewal.lastrun + chown -R root:letsencrypt ${NM_CERTPATH} &>> ${NM_FOLDER}/cert-renewal.lastrun + chmod -R 6775 ${NM_CERTPATH} &>> ${NM_FOLDER}/cert-renewal.lastrun + yes | cp -rfH ${NM_FOLDER}/cert-renewal.lastrun ${NM_CERTPATH}/cert-renewal.lastrun daterun=`date +%Y-%m-%d-%H-%M-%S` - echo -e "${daterun}" >> /etc/letsencrypt/cert-renewal.lastrun + echo -e "${daterun}" >> ${NM_CERTPATH}/cert-renewal.lastrun ssh root@webserver-node2.scity.us service nginx start SERVICE nginx reload web &>> ${NM_FOLDER}/cert-renewal.lastrun } CONCAT_SSL(){ rm -f /tmp/ssllist - for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done > /tmp/ssllist + for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist for certdir in $( ${certdir}fullcert.pem @@ -203,11 +193,11 @@ LISTCERTS(){ if [ ! -z ${LOCAL_SERVICES+x} ]; then NCMD="ssh root@${LB_HOSTS[0]}" #${NCMD} rm -f /tmp/ssllist - #${NCMD} 'for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done' > /tmp/ssllist + #${NCMD} 'for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done' > /tmp/ssllist else NCMD='' rm -f /tmp/ssllist - #for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done > /tmp/ssllist + #for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist fi if [ -z $action ] || [ "${action}" = "gui" ]; then DIVIDER true 
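Review bot: CONCAT_SSL writes the new `for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist` to a fixed, predictable path in a world-writable directory, from code that the surrounding `chown`/`ssh root@` calls suggest runs as root; the preceding `rm -f` does not change that, because an entry created at `/tmp/ssllist` between the two commands would be followed by the redirection. Create the list with `ssllist=$(mktemp) || return 1`, redirect to `"$ssllist"` and remove it when done, or skip the file and collect the glob into an array. `echo $certdir` should likewise be `printf '%s\n' "$certdir"` so a directory name is neither split nor read as an echo option. The consumer line `for certdir in $( ${certdir}fullcert.pem` is truncated on this page, so the read side of the list could not be reviewed; NIGHTLYRENEW at the top of this hunk uses `root:letsencrypt` where NEWCERT uses `root:le` for the same tree.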
@@ -222,7 +212,7 @@ LISTCERTS(){ c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done #ssldir=$(${NCMD} find /opt/nginx-proxy/ssl/* -type l) - ssldir=$(${NCMD} find /opt/lb-data/letsencrypt/live/* -type d) + ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d) for certdir in ${ssldir[@]}; do SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV) SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV) diff --git a/inc/sites.inc b/inc/sites.inc index 04b568b6..911a4d46 100755 --- a/inc/sites.inc +++ b/inc/sites.inc @@ -47,9 +47,9 @@ DELSITE(){ ssh root@10.10.1.120 rm -f /etc/nginx/sites-enabled/${DEL_SITE}* >/dev/null 2>&1 ssh root@10.10.10.80 rm -f /etc/nginx/sites-enabled/${DEL_SITE}* >/dev/null 2>&1 if [ "${DEL_SSL}" == "yes" ]; then - ssh root@10.10.10.80 rm -rf /etc/letsencrypt/archive/${DEL_SITE} >/dev/null 2>&1 - ssh root@10.10.10.80 rm -rf /etc/letsencrypt/live/${DEL_SITE} >/dev/null 2>&1 - ssh root@10.10.10.80 rm -f /etc/letsencrypt/renewal/${DEL_SITE}.conf >/dev/null 2>&1 + ssh root@10.10.10.80 rm -rf ${NM_CERTPATH}/archive/${DEL_SITE} >/dev/null 2>&1 + ssh root@10.10.10.80 rm -rf ${NM_CERTPATH}/live/${DEL_SITE} >/dev/null 2>&1 + ssh root@10.10.10.80 rm -f ${NM_CERTPATH}/renewal/${DEL_SITE}.conf >/dev/null 2>&1 fi echo -e "${idsCL[Green]}Done${idsCL[Default]}" echo @@ -82,9 +82,9 @@ DELSITE(){ # ${NCMD} rm -rf /var/www/${DEL_SITE} # #fi # if [ "${DEL_SSL}" = "yes" ]; then - # ${NCMD} rm -rf /etc/letsencrypt/archive/${DEL_SITE} - # ${NCMD} rm -rf /etc/letsencrypt/live/${DEL_SITE} - # ${NCMD} rm -f /etc/letsencrypt/renewal/${DEL_SITE}.conf + # ${NCMD} rm -rf ${NM_CERTPATH}/archive/${DEL_SITE} + # ${NCMD} rm -rf ${NM_CERTPATH}/live/${DEL_SITE} + # ${NCMD} rm -f ${NM_CERTPATH}/renewal/${DEL_SITE}.conf # fi # echo -e "${idsCL[Green]}OK${idsCL[Default]}" # else 
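Review bot: In DELSITE the rewritten `ssh root@10.10.10.80 rm -rf ${NM_CERTPATH}/archive/${DEL_SITE}` expands both variables on the local host before the command is sent, so the remote deletion is driven by the local NM_CERTPATH value, and unlike DEL-SSL there is no `-d` test in front of it: an empty local value sends `rm -rf /archive/${DEL_SITE}` to the node, and whitespace in either value becomes extra operands on the remote side. Guard and quote the remote argument, e.g. `ssh root@10.10.10.80 "rm -rf -- $(printf '%q' "${NM_CERTPATH:?}/archive/${DEL_SITE}")"`, and do the same for the `live/` and `renewal/` lines (the second DELSITE hunk on this line only changes commented-out copies). The LISTCERTS hunk at the top of this line has the same unguarded `find ${NM_CERTPATH}/live/* -type d`, and its result `ssldir` is a plain string that `${ssldir[@]}` word-splits, so directory names with spaces break there as well. All three hunks cut through their functions.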
@@ -366,8 +366,8 @@ NEWSITE(){ if [ "${CREATE_SSL}" = "yes" ]; then echo -e " - ssl_certificate_key /etc/letsencrypt/live/${MAIN_SITE}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${MAIN_SITE}/privkey.pem; + ssl_certificate_key ${NM_CERTPATH}/live/${MAIN_SITE}/fullchain.pem; + ssl_certificate_key ${NM_CERTPATH}/live/${MAIN_SITE}/privkey.pem; include conf.d/include/ssl-ciphers.conf;" >> ${nginxconfig} fi echo -e " @@ -464,7 +464,7 @@ NEWSITE(){ # fi # fi # done - # rm -f /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert + # rm -f ${NM_CERTPATH}/live/${MAIN_CERT}/newcert # echo -e "${idsCL[Green]}Completed${idsCL[Default]}" echo diff --git a/nodemgmt-scripts.sh b/nodemgmt-scripts.sh index a16e3802..767160b6 100755 --- a/nodemgmt-scripts.sh +++ b/nodemgmt-scripts.sh @@ -138,8 +138,8 @@ SET-PERMISSIONS(){ fi echo -e "${idsCL[Yellow]}Setting folder permissions for MySQL-Node${nid} (${nip})${idsCL[Default]}" echo -en "${idsCL[Cyan]}LetsEncrypt Certs ${idsCL[Default]}" - ${NCMD} chown -R root:letsencrypt /etc/letsencrypt - ${NCMD} chmod -R 6775 /etc/letsencrypt + ${NCMD} chown -R root:letsencrypt ${NM_CERTPATH} + ${NCMD} chmod -R 6775 ${NM_CERTPATH} echo -e "${idsCL[Green]}Complete${idsCL[Default]}" echo fi @@ -178,8 +178,8 @@ SET-PERMISSIONS(){ ${NCMD} chmod -R 750 /home/git echo -e "${idsCL[Green]}Complete${idsCL[Def ault]}" echo -en "${idsCL[Cyan]}LetsEncrypt Certs ${idsCL[Default]}" - ${NCMD} chown -R root:letsencrypt /etc/letsencrypt - ${NCMD} chmod -R 6775 /etc/letsencrypt + ${NCMD} chown -R root:letsencrypt ${NM_CERTPATH} + ${NCMD} chmod -R 6775 ${NM_CERTPATH} echo -e "${idsCL[Green]}Complete${idsCL[Default]}" echo -en "${idsCL[Cyan]}PowerDNS-Admin ${idsCL[Default]}" ${NCMD} chown -R www-data:www-data /opt/powerdns-admin 
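Review bot: The two rewritten directives in NEWSITE are both `ssl_certificate_key`, the first pointing at `fullchain.pem`; the certificate line should read `ssl_certificate ${NM_CERTPATH}/live/${MAIN_SITE}/fullchain.pem;`, otherwise the generated site config has a duplicate `ssl_certificate_key` and no `ssl_certificate`, which nginx reports as a duplicate directive when the config is loaded. The mistake predates this commit, but the hunk rewrites exactly those two lines, so it is the natural place to fix it. The SET-PERMISSIONS hunks in nodemgmt-scripts.sh on this line prefix `chown`/`chmod` with `${NCMD}` and expand `${NM_CERTPATH}` locally, so the remote nodes receive whatever the controlling host has configured; a `: "${NM_CERTPATH:?}"` guard before those calls would avoid sending an empty operand. The second NEWSITE hunk only edits a commented-out line, and every function on this line continues outside its hunk.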
@@ -405,7 +405,7 @@ NODEUPDATE() { VCENTER-SSL(){ VCHOSTNAME='vcenter.scity.us' - #BASECERTDIR="/etc/letsencrypt/live" + #BASECERTDIR="${NM_CERTPATH}/live" BASECERTDIR="/opt/nginx-proxy/ssl" CERTDIR="${BASECERTDIR}/${VCHOSTNAME}" SERVER="https://${VCHOSTNAME}" diff --git a/templates/nginx.proxy.site b/templates/nginx.proxy.site index f799a220..6cc771ce 100644 --- a/templates/nginx.proxy.site +++ b/templates/nginx.proxy.site @@ -12,8 +12,8 @@ server { include conf.d/include/letsencrypt-acme-challenge.conf; include conf.d/include/ssl-ciphers.conf; - #ssl_certificate /opt/lb-data/letsencrypt/live/<>/fullchain.pem; - #ssl_certificate_key /opt/lb-data/letsencrypt/live/<>/privkey.pem; + #ssl_certificate ${NM_CERTPATH}/live/<>/fullchain.pem; + #ssl_certificate_key ${NM_CERTPATH}/live/<>/privkey.pem; access_log /var/log/nginx/<>.proxy.log proxy; error_log /var/log/nginx/<>.error.log warn; diff --git a/templates/nginx.ssl.site b/templates/nginx.ssl.site index d2595f3a..89e1f8cf 100755 --- a/templates/nginx.ssl.site +++ b/templates/nginx.ssl.site @@ -9,8 +9,8 @@ server { access_log /var/log/nginx/<>-access.log; error_log /var/log/nginx/<>-error.log warn; - ssl_certificate /etc/letsencrypt/live/<>/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/<>/privkey.pem; + ssl_certificate ${NM_CERTPATH}/live/<>/fullchain.pem; + ssl_certificate_key ${NM_CERTPATH}/live/<>/privkey.pem; include conf.d/include/ssl-ciphers.conf; index index.php index.html index.htm;
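Review bot: The nginx.ssl.site template now contains `ssl_certificate ${NM_CERTPATH}/live/<>/fullchain.pem;` and `ssl_certificate_key ${NM_CERTPATH}/live/<>/privkey.pem;`, but nginx does not expand shell variables in its configuration, so unless the step that fills the `<>` placeholder also passes the template through shell expansion (not visible on this page; NEWSITE in inc/sites.inc builds its config with `echo -e`, which does expand, but that is a different code path), the rendered server block will carry the literal `${NM_CERTPATH}` text and fail to load its certificate and key. Either confirm the templating step expands it or substitute the path the same way `<>` is substituted. The nginx.proxy.site and VCENTER-SSL hunks on this line only change commented-out lines.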