voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

update

Browse Source
This commit is contained in:
David Schroeder
2023-11-23 09:54:11 -06:00
parent 51e02a5cae
commit 0f212a7150
3 changed files with 15 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
inc/certs.inc
View File

@@ -1,6 +1,11 @@
#!/usr/bin/env bash
CERTAUTH="--webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge"
CERTSERVER="https://acme-v02.api.letsencrypt.org/directory"
CERTCHAIN="ISRG Root X1"
NEWCERT(){
CERTTEST=0; CERTEXPAND=""
CERTTEST=0; CERTEXPAND=""; CERTENC='ecdsa'
if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then
NEW_CERT=${1}
NEWSITE=${2}
@@ -11,10 +16,12 @@ NEWCERT(){
-t|-test) CERTTEST=1;;
-newsite) NEWSITE=true;;
-expand) CERTEXPAND='--expand';;
-rsa) CERTENC='rsa';;
-h|-help|--help)
echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {"
width=35
printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)"
printf "%-${width}s- %s\n" " -rsa" "(request rsa cert instead of default ecdsa)"
printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)"
echo -e "}\n"
exit 0;;
@@ -46,13 +53,8 @@ NEWCERT(){
echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
echo
# $CERT_DAEMON certonly --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
# $CERT_DAEMON certonly --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
if [ ${CERTTEST} -eq 1 ]; then
$CERT_DAEMON certonly ${CERTEXPAND} --dry-run --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
else
$CERT_DAEMON certonly ${CERTEXPAND} --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
fi
[ ${CERTTEST} -eq 1 ] && DRYRUN='--dry-run' || DRYRUN=''
${CERT_DAEMON} certonly ${CERTEXPAND} ${DRYRUN} --key-type ${CERTENC} --server ${CERTSERVER} --preferred-chain "${CERTCHAIN}" ${CERTAUTH} -d ${NEW_CERT}
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
@@ -132,9 +134,7 @@ CERTRENEW(){
sleep 5
mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1
mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge > ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON renew --force-renewal --preferred-chain "ISRG Root X1" --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON --dry-run --preferred-chain "ISRG Root X1" renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
${CERT_DAEMON} renew ${CERTAUTH} > ${NM_LOGFOLDER}/cert-renewal.lastrun
CONCAT_SSL
chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
@@ -151,7 +151,7 @@ CERTRENEW(){
fi
}
NIGHTLYRENEW(){
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge
${CERT_DAEMON} renew ${CERTAUTH}
CONCAT_SSL
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
@@ -163,7 +163,7 @@ CONCAT_SSL(){
for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
for certdir in $(</tmp/ssllist); do
rm -f ${certdir}fullcert.pem
cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
# cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
done
}
@@ -703,41 +703,6 @@ export PDNS_Ttl=60
fi
}
UPGRADECERTS(){
ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
for certdir in ${ssldir[@]}; do
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
[ "${SUBJECTNAMES}" == "" ] && allnames=${SUBJECT} || allnames="${SUBJECT},$SUBJECTNAMES"
echo -e "${idsCL[LightGreen]}Certificate upgrading for '${idsCL[Yellow]}${SUBJECT}${idsCL[Green]}'${idsCL[Default]}"
echo -e "${idsCL[Green]}All SSL Hostnames: '${idsCL[Yellow]}${allnames}${idsCL[Green]}'${idsCL[Default]}"
$CERT_DAEMON certonly --preferred-chain "ISRG Root X1" --key-type rsa --server https://acme-v02.api.letsencrypt.org/directory --webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${allnames}
echo
done
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
read -n 1 NGINXRELOAD
if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
tmp=''
else
echo
SERVICE_MGMT nginx restart
fi
}