#!/usr/bin/env bash

NEWCERT(){
	echo
	if [ -z ${1+x} ]; then
		echo -e -n "${idsCL[LightCyan]}Create certificate for what name (comma seperated for mutiple) : ${idsCL[Default]}"
		read NEW_CERT
		echo
	else
		NEW_CERT=${1}
	fi
	if [[ ${NEW_CERT} == *","* ]]; then
		IFS=','; NEW_CERTS=(${NEW_CERT}); unset IFS
		MAIN_CERT=${NEW_CERTS[0]}
	else
		MAIN_CERT=${NEW_CERT}
	fi
	if [ "${NEW_CERT}" != "" ]; then
		echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
		echo ""
		
		# echo -en "${idsCL[LightYellow]}Stopping other Webservers... ${idsCL[Default]}"
		# for nip in "${WEB_HOSTS[@]}"; do
		# 	if [[ $(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) != *"${nip}"* ]]; then
		# 		# `ssh root@${nip} service nginx stop`
		# 		# SERVICE nginx stop ${nip}
		# 	fi
		# done
		# echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
		# echo
		
		$CERT_DAEMON certonly --webroot -w /opt/lb-data/letsencrypt-acme-challenge -d ${NEW_CERT}
		# $CERT_DAEMON certonly --dry-run --webroot -w /var/www/html -d ${NEW_CERT}
		
		chown -R root:le /opt/lb-data/letsencrypt
		chmod -R 6775 /opt/lb-data/letsencrypt
		
		if [ -d /opt/lb-data/letsencrypt/live/${MAIN_CERT} ]; then

			touch /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert
			if [ -f /opt/lb-data/nginx/sites-enabled/${MAIN_CERT}.conf ]; then
				rm -f  ${FOLDER}/cert-request.lastrun
				daterun=`date +%Y-%m-%d-%H-%M-%S`
				echo -e "${NEW_CERT}\n${daterun}" > ${FOLDER}/cert-request.lastrun
				yes | cp -rfH ${FOLDER}/cert-request.lastrun /opt/lb-data/letsencrypt/cert-request.lastrun
				DIVIDER true
				echo -e -n "${idsCL[LightCyan]}Reload NGINX on LB Nodes (Y/n): ${idsCL[Default]}"
				read -n 1 NGINXRELOAD
				if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
					tmp=''
				else
					echo
					echo -en "${idsCL[LightYellow]}Waiting for Cert replication across the nodes... ${idsCL[Default]}"
					for nip in "${LB_HOSTS[@]}"; do
						checkhost=$(CHECK_HOST ${nip})
						if [ "${checkhost}" != "false" ]; then
							if [[ $(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) != *"${nip}"* ]]; then
								checked=false
								until [ "${checked}" = "" ]; do
									checked=`ssh root@${nip} "[ ! -f /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert ] && echo '.'"`
								done
							fi
						fi
					done
					rm -f /opt/lb-data/letsencrypt/live/${MAIN_CERT}/newcert
					echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
				
					echo
					SERVICE nginx restart
				fi
			fi
			echo
			echo -e "${idsCL[Green]}Certificate has been successfully created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Green]}'...${idsCL[Default]}"
		else
			echo
			echo -e "${idsCL[Red]}Certificate could not be created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Red]}'...${idsCL[Default]}"
		fi
		
		# echo
		# echo -en "${idsCL[LightYellow]}Starting other Webservers... ${idsCL[Default]}"
		# for nip in "${WEB_HOSTS[@]}"; do
		# 	if [[ $(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) != *"${nip}"* ]]; then
		# 		`ssh root@${nip} service nginx start`
		# 		# SERVICE nginx start ${nip}
		# 	fi
		# done
		# echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
		
		echo ""
		if [ -z $action ] || [ "${action}" = "gui" ]; then
			DIVIDER true
			ENTER2CONTINUE
		fi
	else
		echo "You havent entered a site address."
		sleep 1
		NEWCERT
		exit 0
	fi
}

DEL-SSL(){
	if [ -z ${1+x} ]; then
		echo -e -n "${idsCL[LightCyan]}Delete what SSL site address: ${idsCL[Default]}"
		read DEL_SSL
		echo ""
	else
		DEL_SSL=${1}
	fi
	if [ ! -z ${DEL_SSL+x} ] && [ "${DEL_SSL}" != "" ]; then
		if [ -d /etc/letsencrypt/live/${DEL_SSL} ]; then 
			echo -e "${idsCL[LightRed]}Deleting the SSL certificates for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}'...${idsCL[Default]}"
			echo ""
	
			echo -en "${idsCL[LightRed]}Removing Files and Folders... ${idsCL[Default]}"
			rm -rf /etc/letsencrypt/archive/${DEL_SSL}
			rm -rf /etc/letsencrypt/live/${DEL_SSL}
			rm -f /etc/letsencrypt/renewal/${DEL_SSL}.conf
			echo -e "${idsCL[Green]}OK${idsCL[Default]}"
			echo ""
		
			
		else
			echo -e "${idsCL[LightRed]}The SSL files folder for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}' could not be found.${idsCL[Default]}"
			exit 1
		fi
		if [ "${timeout}" != "true" ]; then
			echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
		fi
		echo
		# SERVICE nginx reload
		echo -e "${idsCL[LightRed]}The SSL certificate has been removed fromt be nodes.${idsCL[Default]}"
	fi
}

CERTRENEW(){
	echo -en "${idsCL[LightCyan]}Stopping Webserver-Node2...${idsCL[Default]}"
	ssh root@webserver-node2.scity.us service nginx stop
	echo -e "${idsCL[LightGreen]} Completed${idsCL[Default]}"
	echo
	echo -e "${idsCL[LightGreen]}Renewing Certificates...${idsCL[Default]}"
	echo
	sleep 5
	$CERT_DAEMON renew --webroot -w /var/www/html 2>&1 | tee ${FOLDER}/cert-renewal.lastrun
	# $CERT_DAEMON renew --force-renewal  --preferred-chain "ISRG Root X1" --webroot -w /var/www/html 2>&1 | tee ${FOLDER}/cert-renewal.lastrun
    # $CERT_DAEMON --dry-run  --preferred-chain "ISRG Root X1" renew --webroot -w /var/www/html 2>&1 | tee ${FOLDER}/cert-renewal.lastrun
	CONCAT_SSL
	chown -R root:letsencrypt /etc/letsencrypt 2>&1 | tee -a ${FOLDER}/cert-renewal.lastrun
	chmod -R 6775 /etc/letsencrypt 2>&1 | tee -a ${FOLDER}/cert-renewal.lastrun
	yes | cp -rfH ${FOLDER}/cert-renewal.lastrun /etc/letsencrypt/cert-renewal.lastrun
	daterun=`date +%Y-%m-%d-%H-%M-%S`
	echo -e "${daterun}" >> /etc/letsencrypt/cert-renewal.lastrun
	DIVIDER true
	echo -en "${idsCL[LightCyan]}Starting Webserver-Node2 Back up...${idsCL[Default]}"
	ssh root@webserver-node2.scity.us service nginx start
	echo -e "${idsCL[LightGreen]} Completed${idsCL[Default]}"
	echo
	SERVICE nginx restart 2>&1 | tee -a ${FOLDER}/cert-renewal.lastrun
	echo -e "${idsCL[LightGreen]}The certificates have been renewed.${idsCL[Default]}"
	echo ""
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
		ENTER2CONTINUE
	fi
}
NIGHTLYRENEW(){
	rm -f ${FOLDER}/cert-renewal.lastrun
	ssh root@webserver-node2.scity.us service nginx stop
	sleep 5
	$CERT_DAEMON renew --webroot -w /var/www/html &>> ${FOLDER}/cert-renewal.lastrun
	CONCAT_SSL
	chown -R root:letsencrypt /etc/letsencrypt &>> ${FOLDER}/cert-renewal.lastrun
	chmod -R 6775 /etc/letsencrypt &>> ${FOLDER}/cert-renewal.lastrun
	yes | cp -rfH ${FOLDER}/cert-renewal.lastrun /etc/letsencrypt/cert-renewal.lastrun
	daterun=`date +%Y-%m-%d-%H-%M-%S`
	echo -e "${daterun}" >> /etc/letsencrypt/cert-renewal.lastrun
	ssh root@webserver-node2.scity.us service nginx start
	SERVICE nginx reload web &>> ${FOLDER}/cert-renewal.lastrun
}

CONCAT_SSL(){
	rm -f /tmp/ssllist
	for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done > /tmp/ssllist
	for certdir in $(</tmp/ssllist); do
		rm -f ${certdir}fullcert.pem
		cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
	done
}

LISTCERTS(){
	declare -i cw; declare -i spc1; declare -i c
	declare -A CHECKCERT_DOMAINS
	IFS=$'\n'
	for LINE in `egrep -v '(^#|^$)' ${FOLDER}/ssl-cert-check/ssldomains`; do
	    HOST=${LINE%% *}
	    PORT=${LINE#* }
	    IFS=" "
		CHECKCERT_DOMAINS[${HOST}]=${PORT}
	done
	unset IFS
	if [ ! -z ${LOCAL_SERVICES+x} ]; then
		NCMD="ssh root@${LB_HOSTS[0]}"
		#${NCMD} rm -f /tmp/ssllist
		#${NCMD} 'for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done' > /tmp/ssllist
	else
		NCMD=''
		rm -f /tmp/ssllist
		#for certdir in /etc/letsencrypt/live/*/ ; do echo $certdir; done > /tmp/ssllist
	fi
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
	fi
	echo 
	echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
	DIVIDER false yellow 120
	echo -e "Subject Name               Monitored   Expires      Alternate Subject Names"
	DIVIDER false yellow 120
	
	cw=30; 
	c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
	
	#ssldir=$(${NCMD} find /opt/nginx-proxy/ssl/* -type l)
	ssldir=$(${NCMD} find /opt/lb-data/letsencrypt/live/* -type d)
	for certdir in ${ssldir[@]}; do
		SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
		SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
		CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}/cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');

		SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
		# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
		IFS=', '; SUBJECT_NAMES=(${SUBJECTNAMES}); unset IFS
		DAYS=14; DUEIN=$(($(date +%s) + (86400*$DAYS)));
		
		c=0; spc=''
		spc1=${cw}-${#SUBJECT}
		until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
		if [ $CERTEXPIRE -le $DUEIN ]; then
			date="${idsST[Bold]}${idsCL[Red]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
			SENDNOTICE "SSL Expiring" "${SUBJECT} expires on ${date}" 1
		else
			date="${idsCL[Green]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsCL[Default]}"
		fi
		
		if [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" = "" ]; then
			monitored='No '
		else
			monitored="${idsCL[Green]}Yes${idsCL[Default]}"
		fi
		if [ ${#SUBJECT_NAMES[@]} -lt 4 ]; then
			echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored}     ${date}    ${SUBJECTNAMES}"
		elif [ ${#SUBJECT_NAMES[@]} -lt 7 ]; then
			echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored}     ${date}    ${SUBJECT_NAMES[0]}, ${SUBJECT_NAMES[1]}, ${SUBJECT_NAMES[2]}"
			echo -e "${spc2}                      ${SUBJECT_NAMES[3]}, ${SUBJECT_NAMES[4]}, ${SUBJECT_NAMES[5]}"

		fi
		DIVIDER false darkGray 120
	done
	echo 
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
		ENTER2CONTINUE
	fi
	echo ""
}

LISTCERTS_NPM(){
	declare -i cw; declare -i spc1; declare -i c
	declare -A CHECKCERT_DOMAINS
	IFS=$'\n'
	for LINE in `egrep -v '(^#|^$)' ${FOLDER}/ssl-cert-check/ssldomains`; do
	    HOST=${LINE%% *}
	    PORT=${LINE#* }
	    IFS=" "
		CHECKCERT_DOMAINS[${HOST}]=${PORT}
	done
	unset IFS
	if [ ! -z ${LOCAL_SERVICES+x} ]; then
		NCMD="ssh root@${MYSQL_HOSTS[0]}"
		${NCMD} rm -f /tmp/ssllist
		${NCMD} 'for certdir in /opt/nginx-proxy/letsencrypt/live/*/ ; do echo $certdir; done' > /tmp/ssllist
	else
		NCMD=''
		rm -f /tmp/ssllist
		for certdir in /opt/nginx-proxy/letsencrypt/live/*/ ; do echo $certdir; done > /tmp/ssllist
	fi
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
	fi
	echo 
	echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
	DIVIDER false yellow 120
	echo -e "Subject Name               Monitored   Expires      Alternate Subject Names"
	DIVIDER false yellow 120
	
	cw=30; 
	c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
	for certdir in $(</tmp/ssllist); do
		SUBJECT=$(${NCMD} openssl x509 -in ${certdir}cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
		SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
		CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');

		SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
		# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
		SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
		IFS=', '; SUBJECT_NAMES=(${SUBJECTNAMES}); unset IFS
		DAYS=14; DUEIN=$(($(date +%s) + (86400*$DAYS)));
		
		c=0; spc=''
		spc1=${cw}-${#SUBJECT}
		until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
		if [ $DUEIN -gt $CERTEXPIRE ]; then
			date="${idsST[Bold]}${idsCL[Red]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
		else
			date="${idsCL[Green]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsCL[Default]}"
		fi
		
		if [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" = "" ]; then
			monitored='No '
		else
			monitored="${idsCL[Green]}Yes${idsCL[Default]}"
		fi
		if [ ${#SUBJECT_NAMES[@]} -lt 4 ]; then
			echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored}     ${date}    ${SUBJECTNAMES}"
		elif [ ${#SUBJECT_NAMES[@]} -lt 7 ]; then
			echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored}     ${date}    ${SUBJECT_NAMES[0]}, ${SUBJECT_NAMES[1]}, ${SUBJECT_NAMES[2]}"
			echo -e "${spc2}                      ${SUBJECT_NAMES[3]}, ${SUBJECT_NAMES[4]}, ${SUBJECT_NAMES[5]}"

		fi
		DIVIDER false darkGray 120
	done
	echo 
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
		ENTER2CONTINUE
	fi
	echo ""
}
COPYCERTS_NPM(){
	ssldir='/opt/nginx-proxy/ssl'
	
	if [ "${1}" = "reset" ]; then
		echo "Resetting ... Deleting all SSL symlink folders"
		ssldirs=$(find ${ssldir} -type l)
		for certdir in ${ssldirs[@]}; do
			rm ${certdir}
		done
	else
		baddirs=$(find $ssldir -type l ! -exec test -e {} \; -print)
		for od in ${baddirs[@]}; do
			echo "Removing bad symlink folder ... ${od}"
			rm -f ${od}
		done
	fi
	
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		DIVIDER true
	fi
	
	ssls=$(find /opt/nginx-proxy/letsencrypt/live/* -type d)
	for certdir in ${ssls[@]}; do
		SUBJECT=$(openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
		if [ ! -L ${ssldir}/${SUBJECT} ]; then
			echo "${SUBJECT} ... creating"
			/bin/ln -s ${certdir} ${ssldir}/${SUBJECT}
		fi
	done
	
	if [ -z $action ] || [ "${action}" = "gui" ]; then
		echo
		DIVIDER true
		ENTER2CONTINUE
		echo
	fi
}

CHECK_NPMCERTS(){
	ssls=$(find /opt/nginx-proxy/letsencrypt/live/* -type d)
	
	for certdir in ${ssls[@]}; do
		SUBJECT=$(openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
		ENDDATE=$(openssl x509 -in ${certdir}/cert.pem -noout -enddate | awk -F '=' '{print $2}')
		DAYS=$(dateutils.ddiff today "$(date --date="${ENDDATE}" '+%F')" -f '%d')
		
		c=0; cw=35; spc=''
		spc1=`expr ${cw} - ${#SUBJECT}`
		until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
		[ ${DAYS} -lt 0 ] && spc=${spc::-1}
		
		if [ ${DAYS} -lt 24 ]; then
			echo "${SUBJECT}:${spc}${DAYS} days remaining"
		fi
		
	done
	
	echo
	
}

CHECK-CERTS(){
	if [ "${1}" == "check" ]; then
		rm -f ${FOLDER}/ssl-cert-check.lastrun
		${FOLDER}/ssl-cert-check/ssl-cert-check -f ${FOLDER}/ssl-cert-check/ssldomains > ${FOLDER}/ssl-cert-check.lastrun
		SSLLOG="$(cat ${FOLDER}/ssl-cert-check.lastrun)"
		SENDNOTICE "SSL Certs Check" "SSL Certs Check\n$SSLLOG"
	else
		# ${FOLDER}/ssl-cert-check/ssl-cert-check -f ${FOLDER}/ssl-cert-check/ssldomains
	    IFS=$'\n'
	    for LINE in `egrep -v '(^#|^$)' ${FOLDER}/ssl-cert-check/ssldomains`;  do
	        HOST=${LINE%% *}
	        PORT=${LINE#* }
			CERTINFO=$(${FOLDER}/ssl-cert-check/ssl-cert-check -p ${PORT} -s ${HOST} -N)
			CERTVALID=$(echo ${CERTINFO} | awk -F' valid' '{print $1}')
			CERTVALID=${CERTVALID: -1}
			CERTDAYS=${CERTINFO#*days=}
			if [ "${CERTVALID}" == "0" ] || [ "${CERTVALID}" == "E" ]; then
				printf "%-30s: %s\n" "${HOST}" "SSL is not valid"
				SENDNOTICE "SSL Not Valid" "The (${HOST}) SSL is not valid" 1
				
			elif [ ${CERTDAYS} -lt 1 ]; then
				printf "%-30s: %s\n" "${HOST}" "SSL Expired! (${CERTDAYS} days)"
				SENDNOTICE "SSL Expired" "The (${HOST}) SSL is expired!! (${CERTDAYS} days)" 2
				
			elif [ ${CERTDAYS} -lt 15 ]; then
				printf "%-30s: %s\n" "${HOST}" "SSL is expiring in $CERTDAYS days!"
				SENDNOTICE "SSL Expiring" "The (${HOST}) SSL is expiring in ${CERTDAYS} days" 1

			else
				printf "%-30s: %s\n" "${HOST}" "SSL is valid for ${CERTDAYS} days"
			fi
	    done
		unset IFS
	fi
}