voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity
Files
4869252802bc85a7824854de89de2ebfb45deef1
NodeMgmt/inc/certs.inc
David Schroeder 4869252802 Update certs.inc
2023-11-22 23:41:35 -06:00

744 lines
28 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
NEWCERT(){
CERTTEST=0; CERTEXPAND=""
if [ "${3}" != "" ] && ([ "${3}" == "0" ] || [ "${3}" == "1" ]); then
NEW_CERT=${1}
NEWSITE=${2}
CERTTEST=${3}
else
while [ $# -gt 0 ]; do
case "${1}" in
-t|-test) CERTTEST=1;;
-newsite) NEWSITE=true;;
-expand) CERTEXPAND='--expand';;
-h|-help|--help)
echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] newcert {hostname}${idsCL[Default]} {"
width=35
printf "%-${width}s- %s\n" " {hostname}" "(optional: enter hostname for new cert, comma-delimited for multiple)"
printf "%-${width}s- %s\n" " -t|-test" "(enables dry-run mode for CertBot)"
echo -e "}\n"
exit 0;;
*) NEW_CERT=${1};;
esac
shift
done
fi
if [ "${NEW_CERT}" == "" ]; then
until [ "${NEW_CERT}" != "" ]; do
echo -en "\n${idsCL[LightCyan]}Create certificate for what name (comma seperated for mutiple) : ${idsCL[Default]}"
read NEW_CERT
echo
done
fi
echo
if [[ ${NEW_CERT} == *","* ]]; then
IFS=','; NEW_CERTS=(${NEW_CERT}); unset IFS
MAIN_CERT=${NEW_CERTS[0]}
else
MAIN_CERT=${NEW_CERT}
fi
if [ "${NEW_CERT}" != "" ]; then
if [ ${CERTTEST} -eq 1 ]; then
echo -e "${idsCL[LightYellow]}${idsST[Bold]}### REQUESTING CERT IN TEST MODE ###${idsST[Reset]}${idsCL[Default]}"
echo
fi
echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
echo
# $CERT_DAEMON certonly --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
# $CERT_DAEMON certonly --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
if [ ${CERTTEST} -eq 1 ]; then
$CERT_DAEMON certonly ${CERTEXPAND} --dry-run --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
else
$CERT_DAEMON certonly ${CERTEXPAND} --webroot --preferred-chain "ISRG Root X1" -w ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${NEW_CERT}
fi
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
if [ -d ${NM_CERTPATH}/live/${MAIN_CERT} ]; then
echo -e "$(date +%Y-%m-%d-%H-%M-%S) - ${NEW_CERT}" >> ${NM_LOGFOLDER}/cert.requests
if [ -f ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf ]; then
sed -i "s/#ssl_certificate/ssl_certificate/g" ${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf
DIVIDER true
if [ "${NEWSITE}" != "true" ]; then
echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
read -n 1 NGINXRELOAD
if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
tmp=''
else
echo
SERVICE_MGMT nginx restart
fi
fi
fi
echo
echo -e "${idsCL[Green]}Certificate has been successfully created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Green]}'...${idsCL[Default]}"
elif [ ${CERTTEST} -eq 1 ]; then
echo -e "${idsCL[Yellow]}Ran in Test Mode, did not generate SSL for '${idsCL[LightCyan]}${NEW_CERT}${idsCL[Yellow]}'...${idsCL[Default]}"
else
echo
echo -e "${idsCL[Red]}Certificate could not be created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Red]}'...${idsCL[Default]}"
fi
echo
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
ENTER2CONTINUE
fi
else
echo "You havent entered a site address."
sleep 1
NEWCERT
exit 0
fi
}
DEL-SSL(){
if [ -z ${1+x} ]; then
until [ "${DEL_SSL}" != "" ]; do
echo -e -n "${idsCL[LightCyan]}Delete what SSL site address: ${idsCL[Default]}"
read DEL_SSL
echo
done
else
DEL_SSL=${1}
fi
if [ ! -z ${DEL_SSL+x} ] && [ "${DEL_SSL}" != "" ]; then
if [ -d ${NM_CERTPATH}/live/${DEL_SSL} ]; then
echo -e "${idsCL[LightRed]}Deleting the SSL certificates for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}'...${idsCL[Default]}"
echo
echo -en "${idsCL[LightRed]}Removing Files and Folders... ${idsCL[Default]}"
rm -rf ${NM_CERTPATH}/archive/${DEL_SSL} >/dev/null 2&>1
rm -rf ${NM_CERTPATH}/live/${DEL_SSL} >/dev/null 2&>1
rm -f ${NM_CERTPATH}/renewal/${DEL_SSL}.conf >/dev/null 2&>1
[ -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ] && sed -i "/${SUBJECT}/d" ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
echo -e "${idsCL[Green]}OK${idsCL[Default]}"
echo -e "\n${idsCL[LightRed]}The SSL certificate has been fully removed from the node(s).${idsCL[Default]}"
else
echo -e "\n${idsCL[LightRed]}The SSL files folder for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}' could not be found.${idsCL[Default]}"
fi
fi
}
CERTRENEW(){
echo
echo -e "${idsCL[LightGreen]}Renewing Certificates...${idsCL[Default]}"
echo
sleep 5
mv -f ${NM_LOGFOLDER}/cert-renewal1.lastrun ${NM_LOGFOLDER}/cert-renewal2.lastrun >/dev/null 2>&1
mv -f ${NM_LOGFOLDER}/cert-renewal.lastrun ${NM_LOGFOLDER}/cert-renewal1.lastrun >/dev/null 2>&1
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge > ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON renew --force-renewal --preferred-chain "ISRG Root X1" --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
# $CERT_DAEMON --dry-run --preferred-chain "ISRG Root X1" renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge 2>&1 | tee ${NM_LOGFOLDER}/cert-renewal.lastrun
CONCAT_SSL
chown -R root:le ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
chmod -R 6775 ${NM_CERTPATH} >> ${NM_LOGFOLDER}/cert-renewal.lastrun
daterun=`date +%Y-%m-%d-%H-%M-%S`
echo -e "${daterun}" >> ${NM_LOGFOLDER}/cert-renewal.lastrun
DIVIDER true
echo
SERVICE_MGMT nginx reload >> ${NM_LOGFOLDER}/cert-renewal.lastrun
echo -e "${idsCL[LightGreen]}The certificates have been renewed.${idsCL[Default]}"
echo
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
ENTER2CONTINUE
fi
}
NIGHTLYRENEW(){
$CERT_DAEMON renew --webroot -w ${NM_CERTPATH}/letsencrypt-acme-challenge
CONCAT_SSL
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
SERVICE_MGMT nginx reload
}
CONCAT_SSL(){
rm -f /tmp/ssllist
for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
for certdir in $(</tmp/ssllist); do
rm -f ${certdir}fullcert.pem
cat ${certdir}privkey.pem ${certdir}fullchain.pem > ${certdir}fullcert.pem
done
}
LISTCERTS(){
EDIT=0; SEARCH=0
while [ $# -gt 0 ]; do
case "${1}" in
-e|-edit) EDIT=1;;
-s|-search) SEARCH=${2};;
-h | -help | --help)
echo -e "Usage: ${idsCL[Yellow]}[nodemgmt or nmg] certs${idsCL[Default]} {"
width=35
printf "%-${width}s- %s\n" " -e|-edit" "(enables edit mode)"
printf "%-${width}s- %s\n" " -s|-search {search}" "(narrows list to cert names containing {search})"
echo -e "}\n"
exit 0;;
esac
shift
done
declare -i cw; declare -i spc1; declare -i c; declare -A CHECKCERT_DOMAINS
if [ -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ]; then
IFS=$'\n'
for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
HOST=${LINE%% *}
PORT=${LINE#* }
IFS=" "
CHECKCERT_DOMAINS[${HOST}]=${PORT}
done
unset IFS
fi
# if [ ! -z ${LOCAL_SERVICES+x} ]; then
# NCMD="ssh root@${NM_HOSTS['LB'][0]}"
# #${NCMD} rm -f /tmp/ssllist
# #${NCMD} 'for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done' > /tmp/ssllist
# else
NCMD=''
rm -f /tmp/ssllist
# #for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
# fi
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
fi
echo -e "\033[K${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
cw=34;
c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
[ ${EDIT} -eq 1 ] && lenh="##) " || lenh=""
if [ "${SEARCH}" != "0" ]; then
ssldir=$(${NCMD} find ${NM_CERTPATH}/live/*${SEARCH,,}* -type d)
else
ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
fi
i=1
for certdir in ${ssldir[@]}; do
if (( i % 12 == 0 )) || [ $i = 1 ]; then
DIVIDER false yellow 120
echo -e "${lenh}${idsCL[Yellow]}Subject Name Monitored Expires Alternate Subject Names${idsCL[Default]}"
DIVIDER false yellow 120
else
DIVIDER false darkGray 120
fi
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}/cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
IFS=', '; SUBJECT_NAMES=(${SUBJECTNAMES}); unset IFS
DAYS=14; DUEIN=$(($(date +%s) + (86400*$DAYS)));
c=0; spc=''
spc1=${cw}-${#SUBJECT}
until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
if [ $CERTEXPIRE -le $DUEIN ]; then
date="${idsST[Bold]}${idsCL[Red]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
SENDNOTICE "SSL Expiring" "${SUBJECT} expires on $(date -d @${CERTEXPIRE} '+%m-%d-%Y')" 1
else
date="${idsCL[Green]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsCL[Default]}"
fi
[ "${CHECKCERT_DOMAINS[${SUBJECT}]}" != "" ] && monitored="${idsCL[Green]}Yes${idsCL[Default]}" || monitored='No '
[ ${i} -lt 10 ] && ii=" ${i}" || ii=${i}
[ ${EDIT} -eq 1 ] && len="${ii}) " || len=""
if [ ${#SUBJECT_NAMES[@]} -lt 4 ]; then
echo -e "${len}${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECTNAMES}"
elif [ ${#SUBJECT_NAMES[@]} -lt 7 ]; then
echo -e "${len}${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECT_NAMES[0]}, ${SUBJECT_NAMES[1]}, ${SUBJECT_NAMES[2]}"
echo -e "${spc2} ${SUBJECT_NAMES[3]}, ${SUBJECT_NAMES[4]}, ${SUBJECT_NAMES[5]}"
fi
CERTLIST[${i}]=${SUBJECT}
i=`expr $i + 1`
done
if [ ${EDIT} -eq 1 ]; then
echo
DIVIDER . yellow ${dl}
function exitspacing {
echo -e "\n\033[K\n\033[K"
exit 0
}
trap exitspacing EXIT
while [ "${editc^}" != "E" ]; do
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[K (${idsCL[Green]}A${idsCL[Default]})dd New Cert, (${idsCL[Green]}R${idsCL[Default]})eload Certs, (${idsCL[Yellow]}E${idsCL[Default]})xit"
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[7A"
echo -en "\033[K${idsCL[LightCyan]}Enter the cert number you want to edit: ${idsCL[Default]}"
read certid
echo
if [ "${certid^}" == "E" ]; then
echo -e "\033[K"
exit 0
elif [ "${certid^}" == "A" ]; then
echo -en "\033[1A\033[K\r"
NEWCERT
[ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
exit 0
elif [ "${certid^}" == "R" ]; then
[ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
exit 0
elif [ "${certid}" != "" ] && [ "${CERTLIST[${certid}]}" != "" ]; then
cert=${CERTLIST[${certid}]}
certdir=${NM_CERTPATH}/live/${cert}
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}/cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
SUBJECTNAMES=${SUBJECTNAMES//, /,}
oldSUBJECTNAMES=${SUBJECTNAMES}
[ "${CHECKCERT_DOMAINS[${SUBJECT}]}" != "" ] && monitored="Yes" || monitored='-'
editc=0
until [ "${editc^}" = "C" ]; do
echo -e "\033[K ${idsCL[White]} Expires: ${idsCL[Cyan]}$(date -d @${CERTEXPIRE} '+%B %d, %Y')"
echo -e "\033[K ${idsCL[White]} Cert Common Name: ${idsCL[Cyan]}${SUBJECT}${idsST[Reset]}"
echo
echo -e "\033[K ${idsCL[Green]}1) ${idsCL[White]}Cert Alternate Names: ${idsCL[Cyan]}${SUBJECTNAMES//,/, }"
echo -e "\033[K ${idsCL[Green]}2) ${idsCL[White]}Monitored: ${idsCL[Cyan]}${monitored}"
if [ "${editc}" != "s" ]; then
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[K (${idsCL[Green]}S${idsCL[Default]})ave, (${idsCL[Red]}D${idsCL[Default]})elete, (${idsCL[Yellow]}C${idsCL[Default]})ancel, (${idsCL[Yellow]}E${idsCL[Default]})xit"
echo -e "\033[K"
echo -e "\033[K"
echo -e "\033[7A"
[ "${con}" != "" ] && echo -en "\n"
echo -en "\033[K\n\033[K\r${idsCL[Green]}Enter the item number to edit: ${idsCL[Default]}"
read -n 1 editc
case "${editc}" in
1) echo -e "\033[K\n\033[K"
echo -en "\033[KEnter new Alternate Names (comma-delimited): "
read -i "${SUBJECTNAMES}" -e SUBJECTNAMES
SUBJECTNAMES=${SUBJECTNAMES//, /,}
echo -e "\033[6A"; for (( c=1; c<=6; c++ )); do echo -e "\033[K"; done; echo -e "\033[6A"
;;
2) [ "${monitored}" == "-" ] && monitored='Yes' || monitored='-';;
[Dd])
echo -e "\033[K\n\033[K"
echo -en "\033[K${idsCL[LightCyan]}Are you sure you wish to delete the cert (y/N): ${idsCL[Default]}"
read -n 1 delconfirm
case "${delconfirm}" in
[Yy])
echo -en "\n\n${idsCL[LightCyan]}Removing certificate ... "
DEL-SSL ${cert} >/dev/null 2>&1
echo -e "${idsCL[LightGreen]}Done\n${idsCL[Default]}"
[ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
exit 0
;;
*)
[ "${delconfirm}" !="" ] && echo
echo -e "\033[5A"; for (( c=1; c<=5; c++ )); do echo -e "\033[K"; done; echo -e "\033[5A"
;;
esac
;;
[Ee])
echo -e "\033[K"
exit 0
;;
[Cc])
echo -e "\r\033[K\n\r\033[K\n\r\033[K"
echo -e "\033[7A"; for (( c=1; c<=7; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[7A"
;;
*) ;;
esac
[ "${editc}" == "" ] && echo -e "\033[8A" || echo -e "\033[7A"
else
for (( c=1; c<=5; c++ )); do echo -e "\033[K"; done; echo -e "\033[6A"
echo
echo -en "\033[K${idsCL[LightCyan]}Confirm changes (Y/n): ${idsCL[Default]}"
read -n 1 confirm
case "${confirm}" in
[Nn])
editc=C
echo -e "\r\033[K\n\r\033[K\n\r\033[K"
echo -e "\033[12A"; for (( c=1; c<=12; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[13A"
;;
*)
[ "${confirm}" != "" ] && echo -en "\n"
echo -en "\033[1A\033[K\r${idsCL[LightCyan]}Configuring changes ... ${idsCL[Default]}"
[ "${SUBJECTNAMES}" != "${oldSUBJECTNAMES}" ] && NEWCERT -expand -newsite ${SUBJECT},${SUBJECTNAMES} >/dev/null 2&>1
if [ "${monitored^^}" == "YES" ]; then
if [ "$(grep ${SUBJECT} ${NM_FOLDER}/conf/ssl-domain-checks.conf)" == "" ]; then
[ ! -f ${NM_FOLDER}/conf/ssl-domain-checks.conf ] && touch ${NM_FOLDER}/conf/ssl-domain-checks.conf
echo "${SUBJECT} 443" >> ${NM_FOLDER}/conf/ssl-domain-checks.conf
checkcerts_sorted=$(sort <<< "$(cat ${NM_FOLDER}/conf/ssl-domain-checks.conf)")
rm -f ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
echo "${checkcerts_sorted}" > ${NM_FOLDER}/conf/ssl-domain-checks.conf
[ "${RUN_NODE_TYPE}" != "NM" ] && scp -q ${NM_FOLDER}/conf/ssl-domain-checks.conf root@${NM_NODEMANAGER}:${NM_FOLDER}/conf/ssl-domain-checks.conf
fi
else
sed -i "/${SUBJECT}/d" ${NM_FOLDER}/conf/ssl-domain-checks.conf >/dev/null 2&>1
[ "${RUN_NODE_TYPE}" != "NM" ] && scp -q ${NM_FOLDER}/conf/ssl-domain-checks.conf root@${NM_NODEMANAGER}:${NM_FOLDER}/conf/ssl-domain-checks.conf
fi
echo -e "${idsCL[LightGreen]}Done${idsCL[Default]}"
echo
echo -en "\033[K\r${idsCL[LightCyan]}Continue or Exit (C/e): ${idsCL[Default]}"
read -n1 con
case "${con}" in
[Ee])
# echo -e "\n\033[K\n\033[K"
exit 0
;;
*)
editc=C
echo -e "\r\033[K\n\r\033[K\n\r\033[K"
echo -e "\033[13A"; for (( c=1; c<=13; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[15A"
[ "${SEARCH}" != "0" ] && LISTCERTS -edit -search ${SEARCH} || LISTCERTS -edit
exit 0
;;
esac
;;
esac
fi
done
else #no cert
echo -e "\033[3A"; for (( c=1; c<=3; c++ )); do echo -e "\r\033[K"; done; echo -e "\033[4A"
fi
done
fi
echo
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
ENTER2CONTINUE
fi
echo
}
LISTCERTS_NPM(){
declare -i cw; declare -i spc1; declare -i c
declare -A CHECKCERT_DOMAINS
IFS=$'\n'
for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
HOST=${LINE%% *}
PORT=${LINE#* }
IFS=" "
CHECKCERT_DOMAINS[${HOST}]=${PORT}
done
unset IFS
if [ ! -z ${LOCAL_SERVICES+x} ]; then
NCMD="ssh root@${MYSQL_HOSTS[0]}"
${NCMD} rm -f /tmp/ssllist
${NCMD} 'for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done' > /tmp/ssllist
else
NCMD=''
rm -f /tmp/ssllist
for certdir in ${NM_CERTPATH}/live/*/ ; do echo $certdir; done > /tmp/ssllist
fi
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
fi
echo
echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
DIVIDER false yellow 120
echo -e "Subject Name Monitored Expires Alternate Subject Names"
DIVIDER false yellow 120
cw=30;
c=0; spc2=''; until [ $c = ${cw} ]; do spc2="${spc2} "; c=`expr $c + 1`; done
for certdir in $(</tmp/ssllist); do
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
CERTEXPIRE=$(date -d "$(: | ${NCMD} openssl x509 -in ${certdir}cert.pem -text | grep 'Not After' |awk '{print $4,$5,$7}')" '+%s');
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
IFS=', '; SUBJECT_NAMES=(${SUBJECTNAMES}); unset IFS
DAYS=14; DUEIN=$(($(date +%s) + (86400*$DAYS)));
c=0; spc=''
spc1=${cw}-${#SUBJECT}
until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
if [ $DUEIN -gt $CERTEXPIRE ]; then
date="${idsST[Bold]}${idsCL[Red]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
else
date="${idsCL[Green]}$(date -d @${CERTEXPIRE} '+%m-%d-%Y')${idsCL[Default]}"
fi
if [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" = "" ]; then
monitored='No '
else
monitored="${idsCL[Green]}Yes${idsCL[Default]}"
fi
if [ ${#SUBJECT_NAMES[@]} -lt 4 ]; then
echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECTNAMES}"
elif [ ${#SUBJECT_NAMES[@]} -lt 7 ]; then
echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${date} ${SUBJECT_NAMES[0]}, ${SUBJECT_NAMES[1]}, ${SUBJECT_NAMES[2]}"
echo -e "${spc2} ${SUBJECT_NAMES[3]}, ${SUBJECT_NAMES[4]}, ${SUBJECT_NAMES[5]}"
fi
DIVIDER false darkGray 120
done
echo
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
ENTER2CONTINUE
fi
echo
}
COPYCERTS_NPM(){
ssldir='${NM_CERTPATH}/ssl'
if [ "${1}" = "reset" ]; then
echo "Resetting ... Deleting all SSL symlink folders"
ssldirs=$(find ${ssldir} -type l)
for certdir in ${ssldirs[@]}; do
rm ${certdir}
done
else
baddirs=$(find $ssldir -type l ! -exec test -e {} \; -print)
for od in ${baddirs[@]}; do
echo "Removing bad symlink folder ... ${od}"
rm -f ${od}
done
fi
if [ -z $action ] || [ "${action}" = "gui" ]; then
DIVIDER true
fi
ssls=$(find ${NM_CERTPATH}/live/* -type d)
for certdir in ${ssls[@]}; do
SUBJECT=$(openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
if [ ! -L ${ssldir}/${SUBJECT} ]; then
echo "${SUBJECT} ... creating"
/bin/ln -s ${certdir} ${ssldir}/${SUBJECT}
fi
done
if [ -z $action ] || [ "${action}" = "gui" ]; then
echo
DIVIDER true
ENTER2CONTINUE
echo
fi
}
CHECK_NPMCERTS(){
ssls=$(find ${NM_CERTPATH}/live/* -type d)
for certdir in ${ssls[@]}; do
SUBJECT=$(openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
ENDDATE=$(openssl x509 -in ${certdir}/cert.pem -noout -enddate | awk -F '=' '{print $2}')
DAYS=$(dateutils.ddiff today "$(date --date="${ENDDATE}" '+%F')" -f '%d')
c=0; cw=35; spc=''
spc1=`expr ${cw} - ${#SUBJECT}`
until [ $c = ${spc1} ]; do spc="${spc} "; c=`expr $c + 1`; done
[ ${DAYS} -lt 0 ] && spc=${spc::-1}
if [ ${DAYS} -lt 24 ]; then
echo "${SUBJECT}:${spc}${DAYS} days remaining"
fi
done
echo
}
CHECK-CERTS(){
if [ "${1}" == "check" ]; then
rm -f ${NM_LOGFOLDER}/ssl-cert-check.lastrun
${NM_FOLDER}/ssl-cert-check/ssl-cert-check -f ${NM_FOLDER}/conf/ssl-domain-checks.conf > ${NM_LOGFOLDER}/ssl-cert-check.lastrun
SSLLOG="$(cat ${NM_LOGFOLDER}/ssl-cert-check.lastrun)"
SENDNOTICE "SSL Certs Check" "SSL Certs Check\n$SSLLOG"
else
IFS=$'\n'
for LINE in `egrep -v '(^#|^$)' ${NM_FOLDER}/conf/ssl-domain-checks.conf`; do
HOST=${LINE%% *}
PORT=${LINE#* }
CERTINFO=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p ${PORT} -s ${HOST} -N)
CERTVALID=$(echo "${CERTINFO}" | grep valid | awk -F' valid' '{print $1}')
CERTVALID=${CERTVALID: -1}
CERTDAYS=${CERTINFO#*days=}
if [ "${CERTVALID}" == "0" ] || [ "${CERTVALID}" == "E" ] || [ "$(echo ${CERTINFO} | grep unreadable)" != "" ]; then
if [ "$(CHECK_HOST ${HOST})" != "false" ]; then
printf "%-30s: %s\n" "${HOST}" "SSL is not valid"
SENDNOTICE "SSL Not Valid" "The (${HOST}) SSL is not valid" 1
else
printf "%-30s: %s\n" "${HOST}" "Host is Offline"
fi
elif [ ${CERTDAYS} -lt 1 ]; then
printf "%-30s: %s\n" "${HOST}" "SSL Expired! (${CERTDAYS} days)"
SENDNOTICE "SSL Expired" "The (${HOST}) SSL is expired!! (${CERTDAYS} days)" 2
elif [ ${CERTDAYS} -lt 15 ]; then
printf "%-30s: %s\n" "${HOST}" "SSL is expiring in $CERTDAYS days!"
SENDNOTICE "SSL Expiring" "The (${HOST}) SSL is expiring in ${CERTDAYS} days" 1
else
printf "%-30s: %s\n" "${HOST}" "SSL is valid for ${CERTDAYS} days"
fi
done
unset IFS
fi
}
VCENTER-SSL(){
[ "${NM_VC_ACMEFOLDER}" == "" ] && NM_VC_ACMEFOLDER="/root/.acme.sh"
[ "${NM_VC_ACMESCRIPT}" == "" ] && NM_VC_ACMESCRIPT="acme.sh"
if [ "${NM_VC_HOSTNAME}" != "" ] && [ "${NM_VC_USER}" != "" ] && [ "${NM_VC_PASS}" != "" ] && [ "${NM_WPDNS_KEY}" != "" ]; then
VCSERVER="https://${NM_VC_HOSTNAME}"
VC_CERT="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.cer"
VC_KEY="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/${NM_VC_HOSTNAME}.key"
VC_CHAIN="${NM_VC_ACMEFOLDER}/${NM_VC_HOSTNAME}/fullchain.cer"
echo -en "${idsCL[LightCyan]}Checking days left on vCenter cert... ${idsCL[Default]}"
VCCERTDAYS=$(${NM_FOLDER}/ssl-cert-check/ssl-cert-check -p 443 -s ${NM_VC_HOSTNAME} -N)
VCCERTDAYS=${VCCERTDAYS#*=}
if [ "${VCCERTDAYS}" -gt "29" ]; then
if [ "${1}" == "force" ]; then
echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, forcing certificate update${idsCL[Default]}"
echo
else
echo -e "${idsCL[Green]}${VCCERTDAYS} days left, Certificate is still valid, no need to update${idsCL[Default]}"
echo
exit 0
fi
else
echo -e "${idsCL[Yellow]}${VCCERTDAYS} days left, Certificate needs to be updated${idsCL[Default]}"
echo
fi
echo '#!/usr/bin/env bash' >| /tmp/vcenter-update-ssl.sh
echo "export PDNS_Url='https://wdns.scity.us'
export PDNS_Token='${NM_WPDNS_KEY}'
# export PDNS_ServerId='localhost'
export PDNS_ServerId='scity.us'
export PDNS_Ttl=60
" >> /tmp/vcenter-update-ssl.sh
if ssh -q root@${NM_VC_HOSTNAME} [ ! -d ${NM_VC_ACMEFOLDER} ]; then
echo -e "${idsCL[Yellow]}Installing acme.sh scripts on vCenter${idsCL[Default]}\n"
ssh -q root@${NM_VC_HOSTNAME} "wget -O - https://get.acme.sh | sh"
echo -e "\n${idsCL[LightGreen]}Requesting new certificate ...${idsCL[Default]}\n"
echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --server letsencrypt -k 2048 --preferred-chain 'ISRG Root X1' --issue --dns dns_pdns -d ${NM_VC_HOSTNAME}" >> /tmp/vcenter-update-ssl.sh
else
echo -e "${idsCL[Green]}Verified acme.sh scripts are installed on vCenter, checking for updates${idsCL[Default]}\n"
ssh -q root@${NM_VC_HOSTNAME} "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --upgrade"
echo -e "\n${idsCL[LightGreen]}Renewing certificate ...${idsCL[Default]}\n"
if [ "${1}" == "force" ]; then
echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all --force" >> /tmp/vcenter-update-ssl.sh
else
echo "${NM_VC_ACMEFOLDER}/${NM_VC_ACMESCRIPT} --renew-all" >> /tmp/vcenter-update-ssl.sh
fi
fi
scp -q /tmp/vcenter-update-ssl.sh root@${NM_VC_HOSTNAME}:/tmp/vcenter-update-ssl.sh
ssh -q root@${NM_VC_HOSTNAME} "bash /tmp/vcenter-update-ssl.sh"
LIVEMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum /etc/vmware-rhttpproxy/ssl/rui.crt | cut -d\ -f1")
CURRENTMD5=$(ssh -q root@${NM_VC_HOSTNAME} "md5sum ${VC_CERT} | cut -d\ -f1")
if [ "$LIVEMD5" == "$CURRENTMD5" ] && [ "${1}" != "force" ]; then
echo -e "${idsCL[Yellow]}Certificates remains the same, no newer certificates exist${idsCL[Default]}"
echo
exit 0
fi
echo -e "${idsCL[LightGreen]}Updating certificates on vCenter... ${idsCL[Default]}"
echo -e "${idsCL[LightCyan]}This process make take up to 10mins${idsCL[Default]}"
echo
ssh -q root@${NM_VC_HOSTNAME} "(printf '1\n%s\n' '${NM_VC_USER}'; sleep 1; printf '%s\n' '${NM_VC_PASS}'; sleep 1; printf '2\n'; sleep 1; printf '%s\n%s\n%s\ny\n\n' '${VC_CERT}' '${VC_KEY}' '${VC_CHAIN}') | setsid /usr/lib/vmware-vmca/bin/certificate-manager"
SENDNOTICE "vCenter SSL Updated" "Refresh/rescan any systems connecting to vcenter like Veeam"
ssh -q root@${NM_VC_HOSTNAME} "rm -f /tmp/vcenter-update-ssl.sh"
rm -f /tmp/vcenter-update-ssl.sh
echo -e "\n${idsCL[Green]}The vCenter certifcate has been updated${idsCL[Default]}"
echo -e "${idsCL[LightCyan]}Don't forget to re-scan the vCenter connection in Veeam${idsCL[Default]}\n"
else
echo -e "${idsCL[Yellow]}vCenter info not configured in 'defaults.local.inc'${idsCL[Default]}\n"
fi
}
UPGRADECERTS(){
ssldir=$(${NCMD} find ${NM_CERTPATH}/live/* -type d)
for certdir in ${ssldir[@]}; do
SUBJECT=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -subject|grep -oP '(?<=CN = )[^,]+'|sort -uV)
SUBJECTNAMES=$(${NCMD} openssl x509 -in ${certdir}/cert.pem -noout -text|grep -oP '(?<=DNS:|IP Address:)[^,]+'|sort -uV)
SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
# SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/\n/, /g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/, ${SUBJECT}//g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}, //g")
SUBJECTNAMES=$(echo $SUBJECTNAMES | sed "s/${SUBJECT}//g")
[ "${SUBJECTNAMES}" == "" ] && allnames=${SUBJECT} || allnames="${SUBJECT},$SUBJECTNAMES"
echo -e "${idsCL[LightGreen]}Certificate upgrading for '${idsCL[Yellow]}${SUBJECT}${idsCL[Green]}'${idsCL[Default]}"
echo -e "${idsCL[Green]}All SSL Hostnames: '${idsCL[Yellow]}${allnames}${idsCL[Green]}'${idsCL[Default]}"
$CERT_DAEMON certonly --preferred-chain "ISRG Root X1" --key-type ecdsa --server https://acme-v02.api.letsencrypt.org/directory --webroot --webroot-path ${NM_CERTPATH}/letsencrypt-acme-challenge -d ${allnames}
echo
done
chown -R root:le ${NM_CERTPATH}
chmod -R 6775 ${NM_CERTPATH}
echo -e -n "${idsCL[LightCyan]}Restart NGINX on all Nodes (Y/n): ${idsCL[Default]}"
read -n 1 NGINXRELOAD
if [[ ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
tmp=''
else
echo
SERVICE_MGMT nginx restart
fi
}
Reference in New Issue View Git Blame Copy Permalink