From 0f212a7150f8b6d6b5eef50c8c3a441bc3a8ef85 Mon Sep 17 00:00:00 2001
From: David Schroeder
Date: Thu, 23 Nov 2023 09:54:11 -0600
Subject: [PATCH] update
---
 defaults.inc | 2 +-
 inc/certs.inc | 61 ++++++++++-----------------------------
 nodemgmt-scripts.sh | 4 +--
 3 files changed, 15 insertions(+), 52 deletions(-)
diff --git a/defaults.inc b/defaults.inc
index f8f86625..6b458813 100755
--- a/defaults.inc
+++ b/defaults.inc
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-VERS='4.15.11-11222023'
+VERS='4.15.12-11232023'
 noheader=' service status-check nightlyrephp7.3-fpm,new backup report check checkcerts gitea update-nodes copynpmcerts singleservercheck update-dyndns backup-offsitepfsense gui nightlyreview update log '
 CERT_DAEMON='/snap/bin/certbot'
diff --git a/inc/certs.inc b/inc/certs.inc
index 0e0520a0..38f7a8e7 100755
--- a/inc/certs.inc
+++ b/inc/certs.inc
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
+
+CERTAUTH="--webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge"
+CERTSERVER="https://acme-v02.api.letsencrypt.org/directory"
+CERTCHAIN="ISRG Root X1"
+
 NEWCERT(){
- CERTTEST=0; CERTEXPAND=""
+ CERTTEST=0; CERTEXPAND=""; CERTENC='ecdsa'
 if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then
 NEW_CERT=${1}
 NEWSITE=${2}
@@ -11,10 +16,12 @@ NEWCERT(){
 -t|-test) CERTTEST=1;;
 -newsite) NEWSITE=true;;
 -expand) CERTEXPAND='--expand';;
+ -rsa) CERTENC='rsa';;
 -h|-help|--help) echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {"
 width=35
 printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)"
+ printf "%-${width}s- %s\n" " -rsa" "(request rsa cert instead of default ecdsa)"
 printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)"
 echo -e "}\n"
 exit 0;;
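Review bot: `CERTAUTH` is built as one string and later expanded unquoted (`${CERTAUTH}` in the certonly and renew calls), so it only works through word-splitting; a `NM_CERTPATH` containing whitespace or glob characters would be split into extra certbot arguments. A bash array keeps the same call sites safe: `CERTAUTH=(--webroot --webroot-path "${NM_CERTPATH}/letsencrypt-acme-challenge")` with `"${CERTAUTH[@]}"` where it is used. The expansion also happens once when certs.inc is sourced, so `NM_CERTPATH` must already be set at that point — this file does not show where it is defined, so that is worth confirming. Separately, `CERTENC='ecdsa'` makes ECDSA the default for every `newcert`, including `-expand` on a lineage issued by the now-removed RSA path; depending on the certbot version a key-type change on an existing lineage may be refused without `--cert-name`, so a short comment on the `-rsa` option saying which existing certificates need it would help the operator.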
@@ -46,13 +53,8 @@ NEWCERT(){
 echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
 echo
- # $CERT_DAEMON certonly --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
- # $CERT_DAEMON certonly --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
- if [ ${CERTTEST} -eq 1 ]; then
- $CERT_DAEMON certonly ${CERTEXPAND} --dry-run --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
- else
- $CERT_DAEMON certonly ${CERTEXPAND} --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
- fi
+ [ ${CERTTEST} -eq 1 ] && DRYRUN='--dry-run' || DRYRUN=''
+ ${CERT_DAEMON} certonly ${CERTEXPAND} ${DRYRUN} --key-type ${CERTENC} --server ${CERTSERVER} --preferred-chain "${CERTCHAIN}" ${CERTAUTH} -d ${NEW_CERT}
 chown -R root:le ${NM_CERTPATH}
 chmod -R 6775 ${NM_CERTPATH}
@@ -132,9 +134,7 @@ CERTRENEW(){
 sleep 5
 mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1
 mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1
- $CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge > ${NM_LOGFOLDER}/cert-renewal.lastrun
- # $CERT_DAEMON renew --force-renewal --preferred-chain "ISRG Root X1" --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
- # $CERT_DAEMON --dry-run --preferred-chain "ISRG Root X1" renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
+ ${CERT_DAEMON} renew ${CERTAUTH} > ${NM_LOGFOLDER}/cert-renewal.lastrun
 CONCAT_SSL
 chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
 chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
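Review bot: The exit status of the new `certonly` invocation is not checked, so `chown -R root:le` and `chmod -R 6775` on `${NM_CERTPATH}` run even when issuance fails or `--dry-run` was requested, and the caller gets no signal that no certificate was produced. Guarding it with `"${CERT_DAEMON}" certonly … -d "${NEW_CERT}" || { echo "certbot certonly failed for ${NEW_CERT}" >&2; return 1; }` keeps the permission pass from masking the failure. The `[ … ] && DRYRUN='--dry-run' || DRYRUN=''` form only works because an assignment cannot fail; a plain `if`/`else` would make that intent obvious. Note also that the recursive `6775` over the whole certificate tree (context lines, not changed by this commit) leaves `live/*/privkey.pem` and the concatenated `fullcert.pem` readable by every local user via the other-bits; a `0750` on directories and `0640` on key files would be safer. NEWCERT's body starts and continues outside this hunk.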
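Review bot: The new `renew` line captures only stdout into `cert-renewal.lastrun`, so any error text certbot emits on stderr during a failed renewal is likely lost from the very log that the following `chown`/`chmod` lines append to — the commented-out variants this replaces used `2>&1`. `${CERT_DAEMON} renew ${CERTAUTH} > ${NM_LOGFOLDER}/cert-renewal.lastrun 2>&1` would keep failures visible. The renew call also no longer passes `--preferred-chain`, `--key-type` or `--server`; certbot normally takes these from each lineage's renewal configuration, so this is presumably intended, but a one-line comment above the call, e.g. `# chain/key-type/server come from each lineage's renewal conf, not from CERTCHAIN/CERTSERVER`, would save the next reader from wondering why the globals are unused here. CERTRENEW's body starts and ends outside this hunk.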
@@ -151,7 +151,7 @@ CERTRENEW(){
 fi
 }
 NIGHTLYRENEW(){
- $CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge
+ ${CERT_DAEMON} renew ${CERTAUTH}
 CONCAT_SSL
 chown -R root:le ${NM_CERTPATH}
 chmod -R 6775 ${NM_CERTPATH}
@@ -163,7 +163,7 @@ CONCAT_SSL(){
 for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
 for certdir in $( ${certdir}fullcert.pem
+ # cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
 done
 }
@@ -703,41 +703,6 @@ export PDNS_Ttl=60
 fi
 }
-UPGRADECERTS(){
- ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
-
- for certdir in ${ssldir[@]}; do
- SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
- SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
- SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
- # SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
- SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
- SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
- SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
-
- [ "${SUBJECTNAMES}" == "" ] && allnames=${SUBJECT} || allnames="${SUBJECT},$SUBJECTNAMES"
-
- echo -e "${idsCL[LightGreen]}Certificate upgrading for '${idsCL[Yellow]}${SUBJECT}${idsCL[Green]}'${idsCL[Default]}"
- echo -e "${idsCL[Green]}All SSL Hostnames: '${idsCL[Yellow]}${allnames}${idsCL[Green]}'${idsCL[Default]}"
-
- $CERT_DAEMON certonly --preferred-chain "ISRG Root X1" --key-type rsa --server https://acme-v02.api.letsencrypt.org/directory --webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${allnames}
- echo
- done
-
- chown -R root:le ${NM_CERTPATH}
- chmod -R 6775 ${NM_CERTPATH}
-
- echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
- read -n 1 NGINXRELOAD
- if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
- tmp=''
- else
- echo
- SERVICE_MGMT nginx restart
- fi
-
-
-}
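Review bot: Commenting out the `cat … > ${certdir}fullcert.pem` line appears to leave the `for certdir in …; do … done` loop in CONCAT_SSL with no command in its body (the removed line is partly garbled in this view, so please confirm), and bash rejects an empty loop body with a syntax error at the point certs.inc is sourced, which would take down `CERTRENEW` and `NIGHTLYRENEW` as well since both call `CONCAT_SSL`. If `fullcert.pem` is intentionally no longer regenerated, either drop the loop or put a `:` placeholder in the body; if anything still serves `fullcert.pem`, it will keep the pre-renewal key/certificate pair after every renewal until that consumer is moved to `privkey.pem`/`fullchain.pem`. A comment stating the reason, e.g. `# fullcert.pem (privkey+fullchain) concatenation disabled — TODO: name the consumers that no longer need it`, would record the decision. The unchanged context line writes the lineage list to the fixed path `/tmp/ssllist` as a presumably privileged user; `mktemp` or a path under `${NM_LOGFOLDER}` would avoid a predictable name in a world-writable directory.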
diff --git a/nodemgmt-scripts.sh b/nodemgmt-scripts.sh
index a59d0423..8915e2a6 100755
--- a/nodemgmt-scripts.sh
+++ b/nodemgmt-scripts.sh
@@ -778,9 +778,7 @@ GUI(){
 listcerts-npm) LISTCERTS_NPM;;
 copynpmcerts) COPYCERTS_NPM ${2};;
 checknpmcerts) CHECK_NPMCERTS;;
- checkcerts) CHECK-CERTS ${2} ${3} ${4} ${5} ${6};;
- upgradecerts) UPGRADECERTS ${2} ${3} ${4};;
-
+ checkcerts) CHECK-CERTS ${2} ${3} ${4} ${5} ${6};;
 nightlyrenew) if [ "${2}" == "q" ]; then
 exec 3>&1 >>${NM_LOGFOLDER}/cert-renewal.lastrun 2>&1