#!/usr/bin/env bash
# Certificate-management helpers (certbot-style "${CERT_DAEMON}") sourced by the
# nodemgmt/nmg tooling. Nothing below defines these, so the sourcing script must
# provide them: NM_CERTPATH, NM_LOGFOLDER, NM_NGINXPATH, NM_FOLDER, CERT_DAEMON,
# NMG_ACTION, RUN_NODE_TYPE, NM_NODEMANAGER, the idsCL/idsST colour tables and
# the DIVIDER, ENTER2CONTINUE, SERVICE_MGMT, SENDNOTICE and CHECK_HOST helpers.
#
# NOTE(review): this page was extracted with every line break collapsed to a
# space; the layout below restores them. Two spans appear to have been lost in
# extraction (marked inline) — most likely `$(<file)` reads, where the extractor
# dropped everything between the "<" and the next ">".

CERTAUTH="--webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge"
CERTSERVER="https://acme-v02.api.letsencrypt.org/directory"
CERTCHAIN="ISRG Root X1"

#######################################
# Request a certificate through ${CERT_DAEMON} and, when an nginx vhost file
# exists for the first name, uncomment the SSL directives in that vhost.
# Globals:   CERTAUTH, CERTSERVER, CERTCHAIN, CERT_DAEMON, NM_CERTPATH,
#            NM_NGINXPATH, NM_LOGFOLDER, NMG_ACTION (read);
#            NEW_CERT, NEWSITE, CERTTEST, MAIN_CERT, DRYRUN (written — none
#            are local, so they leak to the caller)
# Arguments: either positional "{names} {newsite} {0|1}" (taken only when the
#            third argument is exactly 0 or 1), or flags: -t|-test (dry run),
#            -newsite (skip the nginx-restart prompt), -expand, -rsa,
#            -h|-help|--help; any other word is taken as the hostname list.
# Outputs:   progress text on stdout; on success appends "<timestamp> - <names>"
#            to ${NM_LOGFOLDER}/cert.requests.
#######################################
NEWCERT(){
  CERTTEST=0; CERTEXPAND=""; CERTENC='ecdsa'
  if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then
    NEW_CERT=${1}
    NEWSITE=${2}
    CERTTEST=${3}
  else
    while [ $# -gt 0 ]; do
      case "${1}" in
        -t|-test) CERTTEST=1;;
        -newsite) NEWSITE=true;;
        -expand) CERTEXPAND='--expand';;
        -rsa) CERTENC='rsa';;
        -h|-help|--help)
          echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {"
          width=35
          printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)"
          printf "%-${width}s- %s\n" " -rsa" "(request rsa cert instead of default ecdsa)"
          printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)"
          echo -e "}\n"
          exit 0;;
        *) NEW_CERT=${1};;
      esac
      shift
    done
  fi
  if [ "${NEW_CERT}" == "" ]; then
    until [ "${NEW_CERT}" != "" ]; do
      echo -en "\n${idsCL[LightCyan]}Create certificate for what name (comma seperated for mutiple) : ${idsCL[Default]}"
      # NOTE(review): read without -r, and NEW_CERT is never validated as a
      # hostname list; below it is expanded unquoted into the ${CERT_DAEMON}
      # argv and into filesystem paths.
      read NEW_CERT
      echo
    done
  fi
  echo
  # First name in a comma-separated list is the one whose live/ dir and nginx
  # vhost are looked up.
  if [[ ${NEW_CERT} == *","* ]]; then
    IFS=','; NEW_CERTS=(${NEW_CERT}); unset IFS
    MAIN_CERT=${NEW_CERTS[0]}
  else
    MAIN_CERT=${NEW_CERT}
  fi
  if [ "${NEW_CERT}" != "" ]; then
    if [ ${CERTTEST} -eq 1 ]; then
      echo -e "${idsCL[LightYellow]}${idsST[Bold]}### REQUESTING CERT IN TEST MODE ###${idsST[Reset]}${idsCL[Default]}"
      echo
    fi
    echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
    echo
    [ ${CERTTEST} -eq 1 ] && DRYRUN='--dry-run' || DRYRUN=''
    ${CERT_DAEMON} certonly ${CERTEXPAND} ${DRYRUN} --key-type ${CERTENC} --server ${CERTSERVER} --preferred-chain "${CERTCHAIN}" ${CERTAUTH} -d ${NEW_CERT}
    chown -R root:le ${NM_CERTPATH}
    # NOTE(review): 6775 is setuid+setgid+rwxrwxr-x, applied recursively — every
    # file under NM_CERTPATH (private keys included, if they live here) becomes
    # readable by every local user. CERTRENEW and NIGHTLYRENEW do the same.
    chmod -R 6775 ${NM_CERTPATH}
    # The request's exit status is never checked; success is inferred from the
    # live/ directory existing, which is also true for a pre-existing cert.
    if [ -d ${NM_CERTPATH}/live/${MAIN_CERT} ]; then
      echo -e "$(date +%Y-%m-%d-%H-%M-%S) - ${NEW_CERT}" >> ${NM_LOGFOLDER}/cert.requests
      if [ -f ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf ]; then
        sed -i "s/#ssl_certificate/ssl_certificate/g" ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf
        sed -i "s/#listen 443/listen 443/g" ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf
        sed -i "s/#include conf.d\/include\/ssl-ciphers.conf/include conf.d\/include\/ssl-ciphers.conf/g" ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf
        sed -i "s/#include conf.d\/include\/force-ssl.conf/include conf.d\/include\/force-ssl.conf/g" ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf
        DIVIDER true
        if [ "${NEWSITE}" != "true" ]; then
          echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
          read -n 1 NGINXRELOAD
          if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
            tmp=''
          else
            echo
            SERVICE_MGMT nginx restart
          fi
        fi
      fi
      echo
      echo -e "${idsCL[Green]}Certificate has been successfully created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Green]}'...${idsCL[Default]}"
    elif [ ${CERTTEST} -eq 1 ]; then
      echo -e "${idsCL[Yellow]}Ran in Test Mode, did not generate SSL for '${idsCL[LightCyan]}${NEW_CERT}${idsCL[Yellow]}'...${idsCL[Default]}"
    else
      echo
      echo -e "${idsCL[Red]}Certificate could not be created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Red]}'...${idsCL[Default]}"
    fi
    echo
    if [ -z ${NMG_ACTION} ] || [ "${NMG_ACTION}" = "gui" ]; then
      DIVIDER true
      ENTER2CONTINUE
    fi
  else
    # NOTE(review): this branch looks unreachable — the prompt loop above does
    # not exit until NEW_CERT is non-empty. If it were reached, NEWCERT recurses.
    echo "You havent entered a site address."
    sleep 1
    NEWCERT
    exit 0
  fi
}

#######################################
# Remove the archive/, live/ and renewal/ entries for one certificate name and
# drop it from the monitoring list.
# Globals:   NM_CERTPATH, NM_FOLDER (read); DEL_SSL (written, not local);
#            SUBJECT (read — see note below)
# Arguments: $1 - certificate name; prompted for when absent
# Outputs:   status text on stdout
#######################################
DEL-SSL(){
  if [ -z ${1+x} ]; then
    until [ "${DEL_SSL}" != "" ]; do
      echo -e -n "${idsCL[LightCyan]}Delete what SSL site address: ${idsCL[Default]}"
      read DEL_SSL
      echo
    done
  else
    DEL_SSL=${1}
  fi
  if [ ! -z ${DEL_SSL+x} ] && [ "${DEL_SSL}" != "" ]; then
    # NOTE(review): the only validation of DEL_SSL is that live/<name> exists; it
    # is then expanded unquoted into `rm -rf`, so a value containing spaces, a
    # glob, or ".." components reaches rm as-is. Quote it and reject anything
    # that is not a plain hostname before deleting.
    if [ -d ${NM_CERTPATH}/live/${DEL_SSL} ]; then
      echo -e "${idsCL[LightRed]}Deleting the SSL certificates for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}'...${idsCL[Default]}"
      echo
      echo -en "${idsCL[LightRed]}Removing Files and Folders... ${idsCL[Default]}"
      # NOTE(review): "2&>1" is not "2>&1". It parses as an extra argument "2",
      # a background "&", and a redirection of stdout to a file literally named
      # "1" in the cwd — so stderr is NOT silenced and the command runs in the
      # background. The same typo recurs in LISTCERTS and VCENTER-SSL.
      rm -rf ${NM_CERTPATH}/archive/${DEL_SSL} >/dev/null 2&>1
      rm -rf ${NM_CERTPATH}/live/${DEL_SSL} >/dev/null 2&>1
      rm -f ${NM_CERTPATH}/renewal/${DEL_SSL}.conf >/dev/null 2&>1
      # NOTE(review): this uses SUBJECT, which DEL-SSL never sets — it is only
      # assigned by LISTCERTS (as a global). Called standalone, SUBJECT is
      # presumably empty and the sed expression becomes "//d"; DEL_SSL is
      # probably what was meant. SUBJECT is also used as an unescaped regex
      # (dots match any character).
      [ -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ] && sed -i "/${SUBJECT}/d" ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
      echo -e "${idsCL[Green]}OK${idsCL[Default]}"
      echo -e "\n${idsCL[LightRed]}The SSL certificate has been fully removed from the node(s).${idsCL[Default]}"
    else
      echo -e "\n${idsCL[LightRed]}The SSL files folder for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}' could not be found.${idsCL[Default]}"
    fi
  fi
}

#######################################
# Interactive renewal: rotates the last two renewal logs, runs
# "${CERT_DAEMON} renew", rebuilds the concatenated cert files, fixes ownership
# and reloads nginx.
# Globals:   CERT_DAEMON, CERTAUTH, NM_LOGFOLDER, NM_CERTPATH, NMG_ACTION (read);
#            daterun (written, not local)
# Outputs:   renewal output goes to ${NM_LOGFOLDER}/cert-renewal.lastrun
#######################################
CERTRENEW(){
  echo
  echo -e "${idsCL[LightGreen]}Renewing Certificates...${idsCL[Default]}"
  echo
  sleep 5
  # Keep the two previous runs as cert-renewal1/2.lastrun.
  mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1
  mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1
  ${CERT_DAEMON} renew ${CERTAUTH} > ${NM_LOGFOLDER}/cert-renewal.lastrun
  CONCAT_SSL
  chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
  # NOTE(review): see NEWCERT — 6775 makes everything under NM_CERTPATH
  # world-readable.
  chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
  daterun=`date +%Y-%m-%d-%H-%M-%S`
  echo -e "${daterun}" >> ${NM_LOGFOLDER}/cert-renewal.lastrun
  DIVIDER true
  echo
  SERVICE_MGMT nginx reload >> ${NM_LOGFOLDER}/cert-renewal.lastrun
  echo -e "${idsCL[LightGreen]}The certificates have been renewed.${idsCL[Default]}"
  echo
  if [ -z ${NMG_ACTION} ] || [ "${NMG_ACTION}" = "gui" ]; then
    DIVIDER true
    ENTER2CONTINUE
  fi
}

#######################################
# Non-interactive variant of CERTRENEW (no logging, no prompts), for a cron job.
# Globals:   CERT_DAEMON, CERTAUTH, NM_CERTPATH (read)
#######################################
NIGHTLYRENEW(){
  ${CERT_DAEMON} renew ${CERTAUTH}
  CONCAT_SSL
  chown -R root:le ${NM_CERTPATH}
  # NOTE(review): see NEWCERT — 6775 makes everything under NM_CERTPATH
  # world-readable.
  chmod -R 6775 ${NM_CERTPATH}
  SERVICE_MGMT nginx reload
}

#######################################
# Write the list of live/ cert directories to /tmp/ssllist, then build a
# fullcert.pem inside each of them.
# Globals:   NM_CERTPATH (read); certdir (written, not local)
# Outputs:   /tmp/ssllist; ${certdir}fullcert.pem per directory
#######################################
CONCAT_SSL(){
  # NOTE(review): /tmp/ssllist is a fixed, predictable name in the shared /tmp,
  # removed and recreated without checking what is there — prefer mktemp.
  rm -f /tmp/ssllist
  for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
  # NOTE(review): text lost in extraction between "$(" and "${certdir}fullcert.pem"
  # (probably a `$(</tmp/ssllist); do ... >` span). What the loop body writes
  # into fullcert.pem cannot be read from this page.
  for certdir in $( ${certdir}fullcert.pem
  done
}

#######################################
# List the certificates under ${NM_CERTPATH}/live with expiry and SAN summary;
# with -e|-edit, enter an interactive per-cert editor (SANs, monitoring,
# delete).
# Globals:   NM_CERTPATH, NM_FOLDER, NMG_ACTION, RUN_NODE_TYPE, NM_NODEMANAGER
#            (read); SUBJECT, SUBJECTNAMES, CERTEXPIRE, CERTLIST, NCMD,
#            CHECKCERT_DOMAINS and many others (written, not local)
# Arguments: -e|-edit, -s|-search {text}, -h|-help|--help
# Outputs:   table on stdout; SENDNOTICE is called for certs expiring within
#            DAYS (14) days — a side effect of merely listing.
# Returns:   the edit menu exits the shell (exit 0) rather than returning.
#######################################
LISTCERTS(){
  EDIT=0; SEARCH=0
  while [ $# -gt 0 ]; do
    case "${1}" in
      -e|-edit) EDIT=1;;
      -s|-search) SEARCH=${2};;
      -h | -help | --help)
        echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] certs${idsCL[Default]} {"
        width=35
        printf "%-${width}s- %s\n" " -e|-edit" "(enables edit mode)"
        printf "%-${width}s- %s\n" " -s|-search {search}" "(narrows list to cert names containing {search})"
        echo -e "}\n"
        exit 0;;
    esac
    shift
  done
  declare -i cw; declare -i spc1; declare -i c; declare -A CHECKCERT_DOMAINS
  # Monitoring list: one "host port" per line, comments and blanks skipped.
  if [ -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ]; then
    IFS=$'\n'
    for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
      HOST=${LINE%% *}
      PORT=${LINE#* }
      IFS=" "
      CHECKCERT_DOMAINS[${HOST}]=${PORT}
    done
    unset IFS
  fi
  # Remote-listing support is commented out; NCMD='' and the rm below were read
  # as live lines here (as in LISTCERTS_NPM) — the collapsed page makes the
  # comment boundaries ambiguous.
  # if [ ! -z ${LOCAL_SERVICES+x} ]; then
  #   NCMD="ssh root@${NM_HOSTS['LB'][0]}"
  #   #${NCMD} rm -f /tmp/ssllist
  #   #${NCMD} 'for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done' > /tmp/ssllist
  # else
  NCMD=''
  rm -f /tmp/ssllist
  #   #for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
  # fi
  if [ -z ${NMG_ACTION} ] || [ "${NMG_ACTION}" = "gui" ]; then
    DIVIDER true
  fi
  echo -e "\033[K${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
  # spc2: cw spaces, used to indent the second SAN line.
  cw=34; c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
  [ ${EDIT} -eq 1 ] && lenh="##) " || lenh=""
  if [ "${SEARCH}" != "0" ]; then
    ssldir=$(${NCMD} find ${NM_CERTPATH}/live/*${SEARCH,,}* -type d)
  else
    ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
  fi
  i=1
  # ssldir is a newline-separated string; word-splitting breaks on paths with
  # whitespace.
  for certdir in ${ssldir[@]}; do
    if (( i % 12 == 0 )) || [ $i = 1 ]; then
      DIVIDER false yellow 120
      # NOTE(review): the column padding inside this header literal appears to
      # have been collapsed by the extraction.
      echo -e "${lenh}${idsCL[Yellow]}Subject Name Monitored Expires Alternate Subject Names${idsCL[Default]}"
      DIVIDER false yellow 120
    else
      DIVIDER false darkGray 120
    fi
    SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
    SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
    # Expiry as epoch seconds; ": |" gives openssl an empty stdin.
    CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}/cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');
    # Strip the CN out of the SAN list so only the alternates remain; SUBJECT is
    # used as an unescaped sed regex.
    SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, } # SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
    SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
    SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
    SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
    IFS=', '; SUBJECT_NAMES=(${SUBJECTNAMES}); unset IFS
    # Anything expiring within DAYS days is shown in red and notified.
    DAYS=14; DUEIN=$(($(date +%s) + (86400*$DAYS)));
    c=0; spc=''
    spc1=${cw}-${#SUBJECT}
    until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
    if [ $CERTEXPIRE -le $DUEIN ]; then
      date="${idsST[Bold]}${idsCL[Red]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
      SENDNOTICE "SSL Expiring" "${SUBJECT} expires on $(date -d @${CERTEXPIRE} '+%m-%d-%Y')" 1
    else
      date="${idsCL[Green]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsCL[Default]}"
    fi
    [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" != "" ] && monitored="${idsCL[Green]}Yes${idsCL[Default]}" || monitored='No '
    [ ${i} -lt 10 ] && ii=" ${i}" || ii=${i}
    [ ${EDIT} -eq 1 ] && len="${ii}) " || len=""
    # Up to 3 SANs on one line, 4-6 on two; 7 or more are not printed at all.
    if [ ${#SUBJECT_NAMES[@]} -lt 4 ]; then
      echo -e "${len}${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECTNAMES}"
    elif [ ${#SUBJECT_NAMES[@]} -lt 7 ]; then
      echo -e "${len}${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECT_NAMES[0]}, ${SUBJECT_NAMES[1]}, ${SUBJECT_NAMES[2]}"
      echo -e "${spc2} ${SUBJECT_NAMES[3]}, ${SUBJECT_NAMES[4]}, ${SUBJECT_NAMES[5]}"
    fi
    CERTLIST[${i}]=${SUBJECT}
    i=`expr $i + 1`
  done
  if [ ${EDIT} -eq 1 ]; then
    echo
    # NOTE(review): "." as the first DIVIDER argument and ${dl} (assigned nowhere
    # on this page) look like extraction damage — confirm against the original.
    DIVIDER . yellow ${dl}
    function exitspacing {
      echo -e "\n\033[K\n\033[K"
      exit 0
    }
    # NOTE(review): this EXIT trap is installed in the calling shell and is never
    # removed, so it stays in force after the menu is left.
    trap exitspacing EXIT
    while [ "${editc^}" != "E" ]; do
      echo -e "\033[K"
      echo -e "\033[K"
      echo -e "\033[K (${idsCL[Green]}A${idsCL[Default]})dd New Cert, (${idsCL[Green]}R${idsCL[Default]})eload Certs, (${idsCL[Yellow]}E${idsCL[Default]})xit"
      echo -e "\033[K"
      echo -e "\033[K"
      echo -e "\033[K"
      echo -e "\033[7A"
      echo -en "\033[K${idsCL[LightCyan]}Enter the cert number you want to edit: ${idsCL[Default]}"
      read certid
      echo
      if [ "${certid^}" == "E" ]; then
        echo -e "\033[K"
        exit 0
      elif [ "${certid^}" == "A" ]; then
        echo -en "\033[1A\033[K\r"
        NEWCERT
        # Redraw by re-entering LISTCERTS; the recursion never unwinds because
        # every path ends in exit 0.
        [ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
        exit 0
      elif [ "${certid^}" == "R" ]; then
        [ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
        exit 0
      elif [ "${certid}" != "" ] && [ "${CERTLIST[${certid}]}" != "" ]; then
        cert=${CERTLIST[${certid}]}
        certdir=${NM_CERTPATH}/live/${cert}
        SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
        SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
        CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}/cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');
        SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, } # SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
        SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
        SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
        SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
        SUBJECTNAMES=${SUBJECTNAMES//, /,}
        # Kept to detect whether the SAN list was edited before saving.
        oldSUBJECTNAMES=${SUBJECTNAMES}
        [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" != "" ] && monitored="Yes" || monitored='-'
        editc=0
        until [ "${editc^}" = "C" ]; do
          echo -e "\033[K ${idsCL[White]} Expires: ${idsCL[Cyan]}$(date -d @${CERTEXPIRE} '+%B %d, %Y')"
          echo -e "\033[K ${idsCL[White]} Cert Common Name: ${idsCL[Cyan]}${SUBJECT}${idsST[Reset]}"
          echo
          echo -e "\033[K ${idsCL[Green]}1) ${idsCL[White]}Cert Alternate Names: ${idsCL[Cyan]}${SUBJECTNAMES//,/, }"
          echo -e "\033[K ${idsCL[Green]}2) ${idsCL[White]}Monitored: ${idsCL[Cyan]}${monitored}"
          # "s" (lowercase only — the comparison is case-sensitive) falls through
          # the case below as "*" and lands in the save branch on the next pass.
          if [ "${editc}" != "s" ]; then
            echo -e "\033[K"
            echo -e "\033[K"
            echo -e "\033[K"
            echo -e "\033[K (${idsCL[Green]}S${idsCL[Default]})ave, (${idsCL[Red]}D${idsCL[Default]})elete, (${idsCL[Yellow]}C${idsCL[Default]})ancel, (${idsCL[Yellow]}E${idsCL[Default]})xit"
            echo -e "\033[K"
            echo -e "\033[K"
            echo -e "\033[7A"
            [ "${con}" != "" ] && echo -en "\n"
            echo -en "\033[K\n\033[K\r${idsCL[Green]}Enter the item number to edit: ${idsCL[Default]}"
            read -n 1 editc
            case "${editc}" in
              1)
                echo -e "\033[K\n\033[K"
                echo -en "\033[KEnter new Alternate Names (comma-delimited): "
                read -i "${SUBJECTNAMES}" -e SUBJECTNAMES
                SUBJECTNAMES=${SUBJECTNAMES//, /,}
                echo -e "\033[6A"; for (( c=1; c<=6; c++ )); do echo -e "\033[K"; done; echo -e "\033[6A"
                ;;
              2) [ "${monitored}" == "-" ] && monitored='Yes' || monitored='-';;
              [Dd])
                echo -e "\033[K\n\033[K"
                echo -en "\033[K${idsCL[LightCyan]}Are you sure you wish to delete the cert (y/N): ${idsCL[Default]}"
                read -n 1 delconfirm
                case "${delconfirm}" in
                  [Yy])
                    echo -en "\n\n${idsCL[LightCyan]}Removing certificate ... "
                    DEL-SSL ${cert} >/dev/null 2>&1
                    echo -e "${idsCL[LightGreen]}Done\n${idsCL[Default]}"
                    [ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
                    exit 0
                    ;;
                  *)
                    # NOTE(review): `!=""` (no space) is not a comparison; `[` sees
                    # two words and reports an error — `!= ""` was intended.
                    [ "${delconfirm}" !="" ] && echo
                    echo -e "\033[5A"; for (( c=1; c<=5; c++ )); do echo -e "\033[K"; done; echo -e "\033[5A"
                    ;;
                esac
                ;;
              [Ee])
                echo -e "\033[K"
                exit 0
                ;;
              [Cc])
                echo -e "\r\033[K\n\r\033[K\n\r\033[K"
                echo -e "\033[7A"; for (( c=1; c<=7; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[7A"
                ;;
              *) ;;
            esac
            [ "${editc}" == "" ] && echo -e "\033[8A" || echo -e "\033[7A"
          else
            for (( c=1; c<=5; c++ )); do echo -e "\033[K"; done; echo -e "\033[6A"
            echo
            echo -en "\033[K${idsCL[LightCyan]}Confirm changes (Y/n): ${idsCL[Default]}"
            read -n 1 confirm
            case "${confirm}" in
              [Nn])
                editc=C
                echo -e "\r\033[K\n\r\033[K\n\r\033[K"
                echo -e "\033[12A"; for (( c=1; c<=12; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[13A"
                ;;
              *)
                [ "${confirm}" != "" ] && echo -en "\n"
                echo -en "\033[1A\033[K\r${idsCL[LightCyan]}Configuring changes ... ${idsCL[Default]}"
                # Re-issue with --expand when the SAN list changed; all output,
                # including NEWCERT's prompts and errors, is discarded.
                # NOTE(review): "2&>1" here is the same typo as in DEL-SSL.
                [ "${SUBJECTNAMES}" != "${oldSUBJECTNAMES}" ] && NEWCERT -expand -newsite ${SUBJECT},${SUBJECTNAMES} >/dev/null 2&>1
                if [ "${monitored^^}" == "YES" ]; then
                  # Add "<subject> 443" to the monitoring list if absent, keep it
                  # sorted, and push it to the node manager from other node types.
                  if [ "$(grep ${SUBJECT} ${NM_FOLDER}/conf/ssl-domain-checks.conf)" == "" ]; then
                    [ ! -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ] && touch ${NM_FOLDER}/conf/ssl-domain-checks.conf
                    echo "${SUBJECT} 443" >> ${NM_FOLDER}/conf/ssl-domain-checks.conf
                    checkcerts_sorted=$(sort <<< "$(cat ${NM_FOLDER}/conf/ssl-domain-checks.conf)")
                    rm -f ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
                    echo "${checkcerts_sorted}" > ${NM_FOLDER}/conf/ssl-domain-checks.conf
                    [ "${RUN_NODE_TYPE}" != "NM" ] && scp -q ${NM_FOLDER}/conf/ssl-domain-checks.conf root@${NM_NODEMANAGER}:${NM_FOLDER}/conf/ssl-domain-checks.conf
                  fi
                else
                  sed -i "/${SUBJECT}/d" ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
                  [ "${RUN_NODE_TYPE}" != "NM" ] && scp -q ${NM_FOLDER}/conf/ssl-domain-checks.conf root@${NM_NODEMANAGER}:${NM_FOLDER}/conf/ssl-domain-checks.conf
                fi
                echo -e "${idsCL[LightGreen]}Done${idsCL[Default]}"
                echo
                echo -en "\033[K\r${idsCL[LightCyan]}Continue or Exit (C/e): ${idsCL[Default]}"
                read -n1 con
                case "${con}" in
                  [Ee])
                    # echo -e "\n\033[K\n\033[K"
                    exit 0
                    ;;
                  *)
                    editc=C
                    echo -e "\r\033[K\n\r\033[K\n\r\033[K"
                    echo -e "\033[13A"; for (( c=1; c<=13; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[15A"
                    [ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
                    exit 0
                    ;;
                esac
                ;;
            esac
          fi
        done
      else #no cert
        echo -e "\033[3A"; for (( c=1; c<=3; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[4A"
      fi
    done
  fi
  echo
  if [ -z ${NMG_ACTION} ] || [ "${NMG_ACTION}" = "gui" ]; then
    DIVIDER true
    ENTER2CONTINUE
  fi
  echo
}

#######################################
# Variant of the listing that can read the cert directories from a remote host
# (ssh to ${MYSQL_HOSTS[0]} when LOCAL_SERVICES is set).
# Globals:   NM_FOLDER, NM_CERTPATH, LOCAL_SERVICES, MYSQL_HOSTS, NMG_ACTION (read)
# NOTE(review): the body of this function is cut short on this page — see the
# marker below.
#######################################
LISTCERTS_NPM(){
  declare -i cw; declare -i spc1; declare -i c
  declare -A CHECKCERT_DOMAINS
  # Unlike LISTCERTS, the monitoring file is read without checking it exists.
  IFS=$'\n'
  for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
    HOST=${LINE%% *}
    PORT=${LINE#* }
    IFS=" "
    CHECKCERT_DOMAINS[${HOST}]=${PORT}
  done
  unset IFS
  if [ ! -z ${LOCAL_SERVICES+x} ]; then
    NCMD="ssh root@${MYSQL_HOSTS[0]}"
    ${NCMD} rm -f /tmp/ssllist
    ${NCMD} 'for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done' > /tmp/ssllist
  else
    NCMD=''
    rm -f /tmp/ssllist
    for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
  fi
  if [ -z ${NMG_ACTION} ] || [ "${NMG_ACTION}" = "gui" ]; then
    DIVIDER true
  fi
  echo
  echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
  DIVIDER false yellow 120
  echo -e "Subject Name Monitored Expires Alternate Subject Names"
  DIVIDER false yellow 120
  cw=30; c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
  # NOTE(review): text lost in extraction from this "$(" (probably
  # `$(</tmp/ssllist)`) through to the ">" redirection below. The rest of
  # LISTCERTS_NPM, its closing brace, and the header plus first branch of the
  # next function are missing; what follows is the tail of that next function.
  for certdir in $( ${NM_LOGFOLDER}/ssl-cert-check.lastrun
  # (continuation of the truncated function — its name and its "if" condition
  # are not on this page) — the first branch mails the last check log,
  # the else branch runs ssl-cert-check against every monitored host.
  SSLLOG="$(cat ${NM_LOGFOLDER}/ssl-cert-check.lastrun)"
  SENDNOTICE "SSL Certs Check" "SSL Certs Check\n$SSLLOG"
else
  IFS=$'\n'
  for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
    HOST=${LINE%% *}
    PORT=${LINE#* }
    # ssl-cert-check -N output is parsed by text: the character before " valid"
    # and the number after "days=".
    CERTINFO=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p ${PORT} -s ${HOST} -N)
    CERTVALID=$(echo "${CERTINFO}" | grep valid | awk -F' valid' '{print $1}')
    CERTVALID=${CERTVALID: -1}
    CERTDAYS=${CERTINFO#*days=}
    if [ "${CERTVALID}" == "0" ] || [ "${CERTVALID}" == "E" ] || [ "$(echo ${CERTINFO} | grep unreadable)" != "" ]; then
      # Only notify when the host answers, to separate "bad cert" from "down".
      if [ "$(CHECK_HOST ${HOST})" != "false" ]; then
        printf "%-30s: %s\n" "${HOST}" "SSL is not valid"
        SENDNOTICE "SSL Not Valid" "The (${HOST}) SSL is not valid" 1
      else
        printf "%-30s: %s\n" "${HOST}" "Host is Offline"
      fi
    elif [ ${CERTDAYS} -lt 1 ]; then
      printf "%-30s: %s\n" "${HOST}" "SSL Expired! (${CERTDAYS} days)"
      SENDNOTICE "SSL Expired" "The (${HOST}) SSL is expired!! (${CERTDAYS} days)" 2
    elif [ ${CERTDAYS} -lt 15 ]; then
      printf "%-30s: %s\n" "${HOST}" "SSL is expiring in $CERTDAYS days!"
      SENDNOTICE "SSL Expiring" "The (${HOST}) SSL is expiring in ${CERTDAYS} days" 1
    else
      printf "%-30s: %s\n" "${HOST}" "SSL is valid for ${CERTDAYS} days"
    fi
  done
  unset IFS
fi
}

#######################################
# Issue or renew the vCenter certificate with acme.sh (PowerDNS DNS-01) on the
# vCenter host itself, then install it via certificate-manager.
# Globals:   NM_VC_HOSTNAME, NM_VC_USER, NM_VC_PASS, NM_PDNS_APIKEY, NM_PDNS_URL,
#            NM_VC_ACMEFOLDER, NM_VC_ACMESCRIPT, NM_FOLDER, NM_LOGFOLDER (read);
#            VCSERVER (written but not used on this page), VC_CERT, VC_KEY,
#            VC_CHAIN, VCCERTDAYS, le_email, LIVEMD5, CURRENTMD5 (written)
# Arguments: $1 - "force" to renew even when more than 29 days remain
# Outputs:   status text; appends a line to ${NM_LOGFOLDER}/vc-ssl.log
# Returns:   exits the shell (exit 0) on every early-out path.
#######################################
VCENTER-SSL(){
  [ "${NM_VC_ACMEFOLDER}" == "" ] && NM_VC_ACMEFOLDER="/root/.acme.sh"
  [ "${NM_VC_ACMESCRIPT}" == "" ] && NM_VC_ACMESCRIPT="acme.sh"
  if [ "${NM_VC_HOSTNAME}" != "" ] && [ "${NM_VC_USER}" != "" ] && [ "${NM_VC_PASS}" != "" ] && [ "${NM_PDNS_APIKEY}" != "" ]; then
    VCSERVER="https://${NM_VC_HOSTNAME}"
    VC_CERT="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer"
    VC_KEY="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.key"
    VC_CHAIN="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/fullchain.cer"
    echo -en "${idsCL[LightCyan]}Checking days left on vCenter cert... ${idsCL[Default]}"
    VCCERTDAYS=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p 443 -s ${NM_VC_HOSTNAME} -N)
    VCCERTDAYS=${VCCERTDAYS#*=}
    if [ "${VCCERTDAYS}" -gt "29" ]; then
      if [ "${1}" == "force" ]; then
        echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, forcing certificate update${idsCL[Default]}"
        echo
      else
        echo -e "${idsCL[Green]}${VCCERTDAYS} days left, Certificate is still valid, no need to update${idsCL[Default]}"
        echo
        exit 0
      fi
    else
      echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, Certificate needs to be updated${idsCL[Default]}"
      echo
    fi
    # Build the helper script that runs acme.sh on the vCenter host.
    # NOTE(review): the PowerDNS API key is written in clear into a fixed,
    # predictable path under the shared /tmp, with no umask/chmod restricting
    # it, and the same file is later copied to /tmp on vCenter. The three
    # "exit 0" early-outs below leave it behind on both hosts — it is only
    # removed on the success path at the end.
    echo '#!/usr/bin/env bash' >| /tmp/vcenter-update-ssl.sh
    # NOTE(review): this literal most likely contained newlines between the
    # three exports; the extraction collapsed them to spaces.
    echo "export PDNS_Url='${NM_PDNS_URL}' export PDNS_Token='${NM_PDNS_APIKEY}' export PDNS_Ttl=60 " >> /tmp/vcenter-update-ssl.sh
    # Remote test: does acme.sh exist on the vCenter host?
    if ssh -q root@${NM_VC_HOSTNAME} [ ! -d ${NM_VC_ACMEFOLDER} ]; then
      echo -e "${idsCL[Yellow]}Installing acme.sh scripts onto vCenter ... ${idsCL[Default]}\n"
      until [ "${le_email}" != "" ]; do
        echo -en "${idsCL[LightCyan]}Enter your email to register with LetsEncrypt: ${idsCL[Default]}"
        read le_email
        echo
      done
      # NOTE(review): unpinned remote pipe-to-shell install (no checksum or
      # version); consider vendoring a known release instead.
      ssh -q root@${NM_VC_HOSTNAME} "wget -O - https://get.acme.sh | sh -s email=${le_email}"
    else
      echo -e "${idsCL[Green]}Verified acme.sh scripts are installed on vCenter, checking for updates ... ${idsCL[Default]}\n"
      ssh -q root@${NM_VC_HOSTNAME} "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --upgrade"
    fi
    # NOTE(review): this is a *local* directory test, whereas the acme folder
    # was just probed over ssh on the vCenter host; the later -f/stat checks
    # are local too. Presumably ${NM_VC_ACMEFOLDER} is mounted or synced
    # locally — confirm, otherwise the "new vs renew" decision is always "new".
    if [ ! -d ${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME} ];then
      echo -e "\n${idsCL[LightGreen]}Requesting new certificate ...${idsCL[Default]}\n"
      echo "export PDNS_ServerId='localhost'" >> /tmp/vcenter-update-ssl.sh
      echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --server letsencrypt -k 2048 --preferred-chain 'ISRG Root X1' --issue --dns dns_pdns -d ${NM_VC_HOSTNAME}" >> /tmp/vcenter-update-ssl.sh
    else
      echo -e "\n${idsCL[LightGreen]}Renewing certificate ...${idsCL[Default]}\n"
      if [ "${1}" == "force" ]; then
        echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all --force" >> /tmp/vcenter-update-ssl.sh
      else
        echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all" >> /tmp/vcenter-update-ssl.sh
      fi
    fi
    # Drop any PDNS credentials acme.sh persisted, so the values exported by the
    # helper script win; note the hard-coded /root/.acme.sh path here, unlike
    # ${NM_VC_ACMEFOLDER} everywhere else.
    ssh -q root@${NM_VC_HOSTNAME} 'sed -i "/PDNS_Token/d" /root/.acme.sh/account.conf'
    ssh -q root@${NM_VC_HOSTNAME} 'sed -i "/PDNS_Url/d" /root/.acme.sh/account.conf'
    scp -q /tmp/vcenter-update-ssl.sh root@${NM_VC_HOSTNAME}:/tmp/vcenter-update-ssl.sh
    ssh -q root@${NM_VC_HOSTNAME} "bash /tmp/vcenter-update-ssl.sh"
    if [ ! -f ${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer ]; then
      echo -e "${idsCL[LightYellow]}No certificate was created${idsCL[Default]}\n"
      exit 0
    # A .cer older than 10 minutes means acme.sh did not write a new one.
    elif [ $(expr `date +%s` - $(stat -c %Y ${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer)) -ge 600 ]; then
      echo -e "${idsCL[LightYellow]}The certificate was unable to be updated${idsCL[Default]}\n"
      exit 0
    else
      # Compare the cert vCenter is serving with the freshly issued one.
      LIVEMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum /etc/vmware-rhttpproxy/ssl/rui.crt | cut -d\ -f1")
      CURRENTMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum ${VC_CERT} | cut -d\ -f1")
      if [ "$LIVEMD5" == "$CURRENTMD5" ] && [ "${1}" != "force" ]; then
        echo -e "${idsCL[LightYellow]}Certificates remains the same, no newer certificates exist${idsCL[Default]}\n"
        exit 0
      fi
    fi
    echo -e "${idsCL[LightGreen]}Updating certificates on vCenter... ${idsCL[Default]}"
    echo -e "${idsCL[LightCyan]}This process make take up to 10mins${idsCL[Default]}"
    echo
    # Scripted answers to certificate-manager's menu (option 1, SSO user,
    # password, option 2 = custom cert, then the three file paths).
    # NOTE(review): NM_VC_PASS is embedded in the remote command string, so it
    # appears in the ssh argv locally and in the remote process list while the
    # printf runs; feeding it via stdin would keep it out of both.
    ssh -q root@${NM_VC_HOSTNAME} "(printf '1\n%s\n' '${NM_VC_USER}'; sleep 1; printf '%s\n' '${NM_VC_PASS}'; sleep 1; printf '2\n'; sleep 1; printf '%s\n%s\n%s\ny\n\n' '${VC_CERT}' '${VC_KEY}' '${VC_CHAIN}') | setsid /usr/lib/vmware-vmca/bin/certificate-manager"
    SENDNOTICE "vCenter SSL Updated" "Refresh/Reconnect any systems connecting to vCenter, like Veeam Dummy!"
    echo "$(date +%Y-%m-%d-%H-%M-%S) VCENTER SSL HAS BEEN UPDATED" >> ${NM_LOGFOLDER}/vc-ssl.log
    ssh -q root@${NM_VC_HOSTNAME} "rm -f /tmp/vcenter-update-ssl.sh"
    rm -f /tmp/vcenter-update-ssl.sh
    echo -e "\n${idsCL[Green]}The vCenter certifcate has been updated${idsCL[Default]}"
    echo -e "${idsCL[LightCyan]}Don't forget to redo the vCenter connection in Veeam${idsCL[Default]}\n"
  else
    echo -e "${idsCL[LightYellow]}vCenter info not configured in 'defaults.local.inc'${idsCL[Default]}\n"
  fi
}