This commit is contained in:
2023-11-23 09:54:11 -06:00
parent 51e02a5cae
commit 0f212a7150
3 changed files with 15 additions and 52 deletions


@@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
VERS='4.15.11-11222023' VERS='4.15.12-11232023'
noheader=' service status-check nightlyrephp7.3-fpm,new backup report check checkcerts gitea update-nodes copynpmcerts singleservercheck update-dyndns backup-offsitepfsense gui nightlyreview update log ' noheader=' service status-check nightlyrephp7.3-fpm,new backup report check checkcerts gitea update-nodes copynpmcerts singleservercheck update-dyndns backup-offsitepfsense gui nightlyreview update log '
CERT_DAEMON='/snap/bin/certbot' CERT_DAEMON='/snap/bin/certbot'


@@ -1,6 +1,11 @@
#!/usr/bin/env bash #!/usr/bin/env bash
CERTAUTH="--webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge"
CERTSERVER="https://acme-v02.api.letsencrypt.org/directory"
CERTCHAIN="ISRG Root X1"
NEWCERT(){ NEWCERT(){
CERTTEST=0; CERTEXPAND="" CERTTEST=0; CERTEXPAND=""; CERTENC='ecdsa'
if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then
NEW_CERT=${1} NEW_CERT=${1}
NEWSITE=${2} NEWSITE=${2}
@@ -11,10 +16,12 @@ NEWCERT(){
-t|-test) CERTTEST=1;; -t|-test) CERTTEST=1;;
-newsite) NEWSITE=true;; -newsite) NEWSITE=true;;
-expand) CERTEXPAND='--expand';; -expand) CERTEXPAND='--expand';;
-rsa) CERTENC='rsa';;
-h|-help|--help) -h|-help|--help)
echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {" echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {"
width=35 width=35
printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)" printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)"
printf "%-${width}s- %s\n" " -rsa" "(request rsa cert instead of default ecdsa)"
printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)" printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)"
echo -e "}\n" echo -e "}\n"
exit 0;; exit 0;;
@@ -46,13 +53,8 @@ NEWCERT(){
echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}" echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
echo echo
# $CERT_DAEMON certonly --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT} [ ${CERTTEST} -eq 1 ] && DRYRUN='--dry-run' || DRYRUN=''
# $CERT_DAEMON certonly --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT} ${CERT_DAEMON} certonly ${CERTEXPAND} ${DRYRUN} --key-type ${CERTENC} --server ${CERTSERVER} --preferred-chain "${CERTCHAIN}" ${CERTAUTH} -d ${NEW_CERT}
if [ ${CERTTEST} -eq 1 ]; then
$CERT_DAEMON certonly ${CERTEXPAND} --dry-run --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
else
$CERT_DAEMON certonly ${CERTEXPAND} --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
fi
chown -R root:le ${NM_CERTPATH} chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH} chmod -R 6775 ${NM_CERTPATH}
@@ -132,9 +134,7 @@ CERTRENEW(){
sleep 5 sleep 5
mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1 mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1
mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1 mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge > ${NM_LOGFOLDER}/cert-renewal.lastrun ${CERT_DAEMON} renew ${CERTAUTH} > ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON renew --force-renewal --preferred-chain "ISRG Root X1" --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON --dry-run --preferred-chain "ISRG Root X1" renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
CONCAT_SSL CONCAT_SSL
chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
@@ -151,7 +151,7 @@ CERTRENEW(){
fi fi
} }
NIGHTLYRENEW(){ NIGHTLYRENEW(){
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge ${CERT_DAEMON} renew ${CERTAUTH}
CONCAT_SSL CONCAT_SSL
chown -R root:le ${NM_CERTPATH} chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH} chmod -R 6775 ${NM_CERTPATH}
@@ -163,7 +163,7 @@ CONCAT_SSL(){
for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
for certdir in $(</tmp/ssllist); do for certdir in $(</tmp/ssllist); do
rm -f ${certdir}fullcert.pem rm -f ${certdir}fullcert.pem
cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem # cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
done done
} }
@@ -703,41 +703,6 @@ export PDNS_Ttl=60
fi fi
} }
UPGRADECERTS(){
ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
for certdir in ${ssldir[@]}; do
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
[ "${SUBJECTNAMES}" == "" ] && allnames=${SUBJECT} || allnames="${SUBJECT},$SUBJECTNAMES"
echo -e "${idsCL[LightGreen]}Certificate upgrading for '${idsCL[Yellow]}${SUBJECT}${idsCL[Green]}'${idsCL[Default]}"
echo -e "${idsCL[Green]}All SSL Hostnames: '${idsCL[Yellow]}${allnames}${idsCL[Green]}'${idsCL[Default]}"
$CERT_DAEMON certonly --preferred-chain "ISRG Root X1" --key-type rsa --server https://acme-v02.api.letsencrypt.org/directory --webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${allnames}
echo
done
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
read -n 1 NGINXRELOAD
if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
tmp=''
else
echo
SERVICE_MGMT nginx restart
fi
}
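Review bot: In the CONCAT_SSL hunk, commenting out the `cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem` line leaves `rm -f ${certdir}fullcert.pem` active, so every renewal now deletes the combined key+chain bundle without regenerating it, and anything that still consumes fullcert.pem will break silently at the next renew. If retiring the bundle is intended (dropping an extra on-disk copy of the private key is a reasonable hardening), a comment such as `# fullcert.pem (privkey+fullchain) is no longer produced; the rm only removes bundles left by earlier versions` would make that explicit and the function name no longer matches what it does. Separately, in the NEWCERT hunk the new `${CERT_DAEMON} certonly ... -d ${NEW_CERT}` line is followed unconditionally by `chown -R root:le ${NM_CERTPATH}` and `chmod -R 6775 ${NM_CERTPATH}`, so a failed or dry-run request is treated like success; consider `... --preferred-chain "${CERTCHAIN}" ${CERTAUTH} -d "${NEW_CERT}" || return 1` (NEWCERT begins and ends outside this hunk), and since `${CERTAUTH}` relies on unquoted word splitting it would be safer as an array, `CERTAUTH=(--webroot --webroot-path "${NM_CERTPATH}/letsencrypt-acme-challenge")` expanded with `"${CERTAUTH[@]}"` at its three call sites. The unchanged `chmod -R 6775` on the cert tree (context lines here) also leaves the privkey.pem files under live/ readable by other, which predates this commit but deserves a follow-up.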


@@ -778,9 +778,7 @@ GUI(){
listcerts-npm) LISTCERTS_NPM;; listcerts-npm) LISTCERTS_NPM;;
copynpmcerts) COPYCERTS_NPM ${2};; copynpmcerts) COPYCERTS_NPM ${2};;
checknpmcerts) CHECK_NPMCERTS;; checknpmcerts) CHECK_NPMCERTS;;
checkcerts) CHECK-CERTS ${2} ${3} ${4} ${5} ${6};; checkcerts) CHECK-CERTS ${2} ${3} ${4} ${5} ${6};;
upgradecerts) UPGRADECERTS ${2} ${3} ${4};;
nightlyrenew) nightlyrenew)
if [ "${2}" == "q" ]; then if [ "${2}" == "q" ]; then
exec 3>&1 >>${NM_LOGFOLDER}/cert-renewal.lastrun 2>&1 exec 3>&1 >>${NM_LOGFOLDER}/cert-renewal.lastrun 2>&1