From 079e38226c94c213c0ea13e3b9d38fc82d8f3448 Mon Sep 17 00:00:00 2001
From: David Schroeder
Date: Wed, 22 Nov 2023 23:32:39 -0600
Subject: [PATCH] update

---
 defaults.inc | 2 +-
 inc/certs.inc | 109 +++++++++++++++++++++++++++++++++++++++++++-
 nodemgmt-scripts.sh | 81 --------------------------------
 3 files changed, 109 insertions(+), 83 deletions(-)

diff --git a/defaults.inc b/defaults.inc
index f1cb37b6..7f130687 100755
--- a/defaults.inc
+++ b/defaults.inc
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-VERS='4.15.9-11222023'
+VERS='4.15.10-11222023'
 noheader=' service status-check nightlyrephp7.3-fpm,new backup report check checkcerts gitea update-nodes copynpmcerts singleservercheck update-dyndns backup-offsitepfsense gui nightlyreview update log '
 CERT_DAEMON='/snap/bin/certbot'
diff --git a/inc/certs.inc b/inc/certs.inc
index 0b027eab..eaa093f7 100755
--- a/inc/certs.inc
+++ b/inc/certs.inc
@@ -621,6 +621,88 @@ CHECK-CERTS(){
 fi
 }
+VCENTER-SSL(){
+ [ "${NM_VC_ACMEFOLDER}" == "" ] && NM_VC_ACMEFOLDER="/root/.acme.sh"
+ [ "${NM_VC_ACMESCRIPT}" == "" ] && NM_VC_ACMESCRIPT="acme.sh"
+
+ if [ "${NM_VC_HOSTNAME}" != "" ] && [ "${NM_VC_USER}" != "" ] && [ "${NM_VC_PASS}" != "" ] && [ "${NM_WPDNS_KEY}" != "" ]; then
+ VCSERVER="https://${NM_VC_HOSTNAME}"
+
+ VC_CERT="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer"
+ VC_KEY="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.key"
+ VC_CHAIN="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/fullchain.cer"
+
+ echo -en "${idsCL[LightCyan]}Checking days left on vCenter cert... ${idsCL[Default]}"
+ VCCERTDAYS=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p 443 -s ${NM_VC_HOSTNAME} -N)
+ VCCERTDAYS=${VCCERTDAYS#*=}
+
+ if [ "${VCCERTDAYS}" -gt "29" ]; then
+ if [ "${1}" == "force" ]; then
+ echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, forcing certificate update${idsCL[Default]}"
+ echo
+ else
+ echo -e "${idsCL[Green]}${VCCERTDAYS} days left, Certificate is still valid, no need to update${idsCL[Default]}"
+ echo
+ exit 0
+ fi
+ else
+ echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, Certificate needs to be updated${idsCL[Default]}"
+ echo
+ fi
+
+ echo '#!/usr/bin/env bash' >| /tmp/vcenter-update-ssl.sh
+ echo "export PDNS_Url='https://wdns.scity.us'
+export PDNS_Token='${NM_WPDNS_KEY}'
+# export PDNS_ServerId='localhost'
+export PDNS_ServerId='scity.us'
+export PDNS_Ttl=60
+ " >> /tmp/vcenter-update-ssl.sh
+
+ if ssh -q root@${NM_VC_HOSTNAME} [ !
-d ${NM_VC_ACMEFOLDER} ]; then
+ echo -e "${idsCL[Yellow]}Installing acme.sh scripts on vCenter${idsCL[Default]}\n"
+ ssh -q root@${NM_VC_HOSTNAME} "wget -O - https://get.acme.sh | sh"
+ echo -e "\n${idsCL[LightGreen]}Requesting new certificate ...${idsCL[Default]}\n"
+ echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --server letsencrypt -k 2048 --preferred-chain 'ISRG Root X1' --issue --dns dns_pdns -d ${NM_VC_HOSTNAME}" >> /tmp/vcenter-update-ssl.sh
+ else
+ echo -e "${idsCL[Green]}Verified acme.sh scripts are installed on vCenter, checking for updates${idsCL[Default]}\n"
+ ssh -q root@${NM_VC_HOSTNAME} "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --upgrade"
+ echo -e "\n${idsCL[LightGreen]}Renewing certificate ...${idsCL[Default]}\n"
+ if [ "${1}" == "force" ]; then
+ echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all --force" >> /tmp/vcenter-update-ssl.sh
+ else
+ echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all" >> /tmp/vcenter-update-ssl.sh
+ fi
+ fi
+
+ scp -q /tmp/vcenter-update-ssl.sh root@${NM_VC_HOSTNAME}:/tmp/vcenter-update-ssl.sh
+ ssh -q root@${NM_VC_HOSTNAME} "bash /tmp/vcenter-update-ssl.sh"
+
+ LIVEMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum /etc/vmware-rhttpproxy/ssl/rui.crt | cut -d\ -f1")
+ CURRENTMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum ${VC_CERT} | cut -d\ -f1")
+ if [ "$LIVEMD5" == "$CURRENTMD5" ] && [ "${1}" != "force" ]; then
+ echo -e "${idsCL[Yellow]}Certificates remains the same, no newer certificates exist${idsCL[Default]}"
+ echo
+ exit 0
+ fi
+
+ echo -e "${idsCL[LightGreen]}Updating certificates on vCenter... 
${idsCL[Default]}" + echo -e "${idsCL[LightCyan]}This process make take up to 10mins${idsCL[Default]}" + echo + + ssh -q root@${NM_VC_HOSTNAME} "(printf '1\n%s\n' '${NM_VC_USER}'; sleep 1; printf '%s\n' '${NM_VC_PASS}'; sleep 1; printf '2\n'; sleep 1; printf '%s\n%s\n%s\ny\n\n' '${VC_CERT}' '${VC_KEY}' '${VC_CHAIN}') | setsid /usr/lib/vmware-vmca/bin/certificate-manager" + + SENDNOTICE "vCenter SSL Updated" "Refresh/rescan any systems connecting to vcenter like Veeam" + + ssh -q root@${NM_VC_HOSTNAME} "rm -f /tmp/vcenter-update-ssl.sh" + rm -f /tmp/vcenter-update-ssl.sh + + echo -e "\n${idsCL[Green]}The vCenter certifcate has been updated${idsCL[Default]}" + echo -e "${idsCL[LightCyan]}Don't forget to re-scan the vCenter connection in Veeam${idsCL[Default]}\n" + else + echo -e "${idsCL[Yellow]}vCenter info not configured in 'defaults.local.inc'${idsCL[Default]}\n" + fi +} + UPGRADECERTS(){ ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d) @@ -638,8 +720,33 @@ UPGRADECERTS(){ else allnames="${SUBJECT},$SUBJECTNAMES" fi - echo "$certdir = $allnames " + + $CERT_DAEMON certonly --expand --preferred-chain "ISRG Root X1" --key-type rsa --server https://acme-staging-v02.api.letsencrypt.org/directory --webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${allnames} + + + if [ -d ${NM_CERTPATH}/live/${MAIN_CERT} ]; then + echo + echo -e "${idsCL[Green]}Certificate has been successfully created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Green]}'...${idsCL[Default]}" + else + echo + echo -e "${idsCL[Red]}Certificate could not be created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Red]}'...${idsCL[Default]}" + fi + done + + chown -R root:le ${NM_CERTPATH} + chmod -R 6775 ${NM_CERTPATH} + + echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}" + read -n 1 NGINXRELOAD + if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then + tmp='' + else + echo + SERVICE_MGMT nginx restart + fi + + } 
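Review bot: The PowerDNS API token is written in clear to the predictable file `/tmp/vcenter-update-ssl.sh`, created with `>|` under the caller's umask and then `scp`'d to `/tmp` on vCenter, and the `exit 0` taken when `LIVEMD5` equals `CURRENTMD5` runs before the two `rm -f` lines, so on the common "nothing changed" path the token file is left behind on both hosts. The vCenter password is also expanded into the remote command string (`ssh … "(printf … '${NM_VC_PASS}' …) | setsid …"`), which puts it in the local ssh argv and the remote shell's process list and breaks on any `'` in the password; running the printf/sleep subshell locally and piping it into `ssh -q root@"${NM_VC_HOSTNAME}" "setsid /usr/lib/vmware-vmca/bin/certificate-manager"` keeps the same prompt timing without shipping the secret as an argument. If `ssl-cert-check` fails (host unreachable, handshake error) `VCCERTDAYS` is empty, `[ "" -gt "29" ]` fails and control falls into the "needs to be updated" branch, so add `[[ "${VCCERTDAYS}" =~ ^[0-9]+$ ]] || return 1` after the assignment. Note too that `wget -O - https://get.acme.sh | sh` and `acme.sh --upgrade` execute unpinned remote code as root on the appliance on every run, and that `exit 0` inside a function that now lives in a sourced include terminates the whole calling script rather than returning to it. The sketch below uses `mktemp` (0600) and a `RETURN` trap, with the two `exit 0` changed to `return 0`, so the script file is private and removed on every path; scp should carry the mode across, but confirm on the appliance.
```shell
# … unchanged: defaults, VC_CERT/VC_KEY/VC_CHAIN, days-left check (exit 0 -> return 0) …
VC_TMPSCRIPT=$(mktemp /tmp/vcenter-update-ssl.XXXXXX) || return 1
trap 'rm -f -- "${VC_TMPSCRIPT}"; ssh -q root@"${NM_VC_HOSTNAME}" "rm -f ${VC_TMPSCRIPT}"' RETURN
echo '#!/usr/bin/env bash' >| "${VC_TMPSCRIPT}"
# … unchanged: PDNS_* exports and acme.sh issue/renew lines, written to "${VC_TMPSCRIPT}" …
scp -q "${VC_TMPSCRIPT}" root@"${NM_VC_HOSTNAME}":"${VC_TMPSCRIPT}"
ssh -q root@"${NM_VC_HOSTNAME}" "bash ${VC_TMPSCRIPT}"
# … unchanged: LIVEMD5/CURRENTMD5 compare (exit 0 -> return 0), status messages …
(printf '1\n%s\n' "${NM_VC_USER}"; sleep 1; printf '%s\n' "${NM_VC_PASS}"; sleep 1; printf '2\n'; sleep 1; printf '%s\n%s\n%s\ny\n\n' "${VC_CERT}" "${VC_KEY}" "${VC_CHAIN}") \
  | ssh -q root@"${NM_VC_HOSTNAME}" "setsid /usr/lib/vmware-vmca/bin/certificate-manager"
# … unchanged: SENDNOTICE and final messages (the two rm -f lines are now done by the trap) …
```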
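Review bot: The `certonly` call added to UPGRADECERTS points at `https://acme-staging-v02.api.letsencrypt.org/directory`, so every certificate this path issues comes from the Let's Encrypt staging CA and will be rejected by clients; unless this is a deliberate dry run, drop `--server` (certbot defaults to production) or make the staging URL an opt-in such as `[ "${1}" == "staging" ]`. The success message is decided by `[ -d ${NM_CERTPATH}/live/${MAIN_CERT} ]`, which is true for any previously issued name even when certbot has just failed; test certbot's exit status instead, `if $CERT_DAEMON certonly … -d "${allnames}"; then`. `chmod -R 6775 ${NM_CERTPATH}` then sets the setuid/setgid bits and other-read on every file under the cert path, including the private keys reachable through `live/`; something like `chmod -R u=rwX,g=rX,o= ${NM_CERTPATH}` (plus `g+s` on the directories if the `le` group relies on inherited ownership) keeps the keys away from other local users. `MAIN_CERT` and `NEW_CERT` are set above the hunk, as is the `for` loop that this `done` closes, so I can't tell from here whether `NEW_CERT` is the name actually passed to certbot.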
diff --git a/nodemgmt-scripts.sh b/nodemgmt-scripts.sh
index 457cbd08..a59d0423 100755
--- a/nodemgmt-scripts.sh
+++ b/nodemgmt-scripts.sh
@@ -395,87 +395,6 @@ NODEUPDATE() {
 echo
 }
-VCENTER-SSL(){
- [ "${NM_VC_ACMEFOLDER}" == "" ] && NM_VC_ACMEFOLDER="/root/.acme.sh"
- [ "${NM_VC_ACMESCRIPT}" == "" ] && NM_VC_ACMESCRIPT="acme.sh"
-
- if [ "${NM_VC_HOSTNAME}" != "" ] && [ "${NM_VC_USER}" != "" ] && [ "${NM_VC_PASS}" != "" ] && [ "${NM_WPDNS_KEY}" != "" ]; then
- VCSERVER="https://${NM_VC_HOSTNAME}"
-
- VC_CERT="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer"
- VC_KEY="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.key"
- VC_CHAIN="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/fullchain.cer"
-
- echo -en "${idsCL[LightCyan]}Checking days left on vCenter cert... ${idsCL[Default]}"
- VCCERTDAYS=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p 443 -s ${NM_VC_HOSTNAME} -N)
- VCCERTDAYS=${VCCERTDAYS#*=}
-
- if [ "${VCCERTDAYS}" -gt "29" ]; then
- if [ "${1}" == "force" ]; then
- echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, forcing certificate update${idsCL[Default]}"
- echo
- else
- echo -e "${idsCL[Green]}${VCCERTDAYS} days left, Certificate is still valid, no need to update${idsCL[Default]}"
- echo
- exit 0
- fi
- else
- echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, Certificate needs to be updated${idsCL[Default]}"
- echo
- fi
-
- echo '#!/usr/bin/env bash' >| /tmp/vcenter-update-ssl.sh
- echo "export PDNS_Url='https://wdns.scity.us'
-export PDNS_Token='${NM_WPDNS_KEY}'
-# export PDNS_ServerId='localhost'
-export PDNS_ServerId='scity.us'
-export PDNS_Ttl=60
- " >> /tmp/vcenter-update-ssl.sh
-
- if ssh -q root@${NM_VC_HOSTNAME} [ !
-d ${NM_VC_ACMEFOLDER} ]; then
- echo -e "${idsCL[Yellow]}Installing acme.sh scripts on vCenter${idsCL[Default]}\n"
- ssh -q root@${NM_VC_HOSTNAME} "wget -O - https://get.acme.sh | sh"
- echo -e "\n${idsCL[LightGreen]}Requesting new certificate ...${idsCL[Default]}\n"
- echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --server letsencrypt -k 2048 --preferred-chain 'ISRG Root X1' --issue --dns dns_pdns -d ${NM_VC_HOSTNAME}" >> /tmp/vcenter-update-ssl.sh
- else
- echo -e "${idsCL[Green]}Verified acme.sh scripts are installed on vCenter, checking for updates${idsCL[Default]}\n"
- ssh -q root@${NM_VC_HOSTNAME} "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --upgrade"
- echo -e "\n${idsCL[LightGreen]}Renewing certificate ...${idsCL[Default]}\n"
- if [ "${1}" == "force" ]; then
- echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all --force" >> /tmp/vcenter-update-ssl.sh
- else
- echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all" >> /tmp/vcenter-update-ssl.sh
- fi
- fi
-
- scp -q /tmp/vcenter-update-ssl.sh root@${NM_VC_HOSTNAME}:/tmp/vcenter-update-ssl.sh
- ssh -q root@${NM_VC_HOSTNAME} "bash /tmp/vcenter-update-ssl.sh"
-
- LIVEMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum /etc/vmware-rhttpproxy/ssl/rui.crt | cut -d\ -f1")
- CURRENTMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum ${VC_CERT} | cut -d\ -f1")
- if [ "$LIVEMD5" == "$CURRENTMD5" ] && [ "${1}" != "force" ]; then
- echo -e "${idsCL[Yellow]}Certificates remains the same, no newer certificates exist${idsCL[Default]}"
- echo
- exit 0
- fi
-
- echo -e "${idsCL[LightGreen]}Updating certificates on vCenter... 
${idsCL[Default]}"
- echo -e "${idsCL[LightCyan]}This process make take up to 10mins${idsCL[Default]}"
- echo
-
- ssh -q root@${NM_VC_HOSTNAME} "(printf '1\n%s\n' '${NM_VC_USER}'; sleep 1; printf '%s\n' '${NM_VC_PASS}'; sleep 1; printf '2\n'; sleep 1; printf '%s\n%s\n%s\ny\n\n' '${VC_CERT}' '${VC_KEY}' '${VC_CHAIN}') | setsid /usr/lib/vmware-vmca/bin/certificate-manager"
-
- SENDNOTICE "vCenter SSL Updated" "Refresh/rescan any systems connecting to vcenter like Veeam"
-
- ssh -q root@${NM_VC_HOSTNAME} "rm -f /tmp/vcenter-update-ssl.sh"
- rm -f /tmp/vcenter-update-ssl.sh
-
- echo -e "\n${idsCL[Green]}The vCenter certifcate has been updated${idsCL[Default]}"
- echo -e "${idsCL[LightCyan]}Don't forget to re-scan the vCenter connection in Veeam${idsCL[Default]}\n"
- else
- echo -e "${idsCL[Yellow]}vCenter info not configured in 'defaults.local.inc'${idsCL[Default]}\n"
- fi
-}
 ADD_LOGROTATE_CRONTAB(){
 if ! crontab -l | grep -q "${NM_FOLDER}/tmp-logrotate"; then
 (crontab -l ; echo "0 */1 * * * logrotate -f ${NM_FOLDER}/tmp-logrotate") >/dev/null 2>&1 | crontab -