
#!/usr/bin/env bash
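# NEWCERT [names] [newsite]
# Request a certificate for one or more names with ${CERT_DAEMON} (webroot
# challenge under ${NM_CERTPATH}/letsencrypt-acme-challenge), fix ownership and
# mode of the certificate tree, record the request in cert-request.lastrun and,
# when an nginx site exists for the main name, optionally wait for the
# certificate to replicate to the LB nodes before restarting nginx.
# Globals read:    CERT_DAEMON, NM_CERTPATH, NM_NGINXPATH, NM_FOLDER, NM_HOSTS,
#                  LB_HOSTS, idsCL, action
# Globals written: NEW_CERT, NEW_CERTS, MAIN_CERT, NGINXRELOAD, daterun
#                  (left global as in the original; other code may read them)
# $1 - name, or comma separated names (prompted for when absent)
# $2 - "newsite" skips the "Reload NGINX on LB Nodes" prompt
# Returns 1 on an unusable name or unset NM_CERTPATH, otherwise 0. An empty
# answer re-prompts recursively and then exits the script, as before.
NEWCERT(){
  local n local_ips nip checkhost checked
  local -a names=()
  echo
  if [ -z "${NM_CERTPATH}" ]; then
    echo -e "${idsCL[Red]}NM_CERTPATH is not set; refusing to run.${idsCL[Default]}" >&2
    return 1
  fi
  if [ -z "${1+x}" ]; then
    echo -e -n "${idsCL[LightCyan]}Create certificate for what name (comma seperated for mutiple) : ${idsCL[Default]}"
    # -r keeps backslashes in the answer literal
    read -r NEW_CERT
    echo
  else
    NEW_CERT=${1}
  fi
  if [ "${NEW_CERT}" != "" ]; then
    if [[ ${NEW_CERT} == *","* ]]; then
      # read -a splits on ',' only; an unquoted expansion would also glob the pieces
      IFS=',' read -r -a names <<< "${NEW_CERT}"
      NEW_CERTS=("${names[@]}")
      MAIN_CERT=${NEW_CERTS[0]}
    else
      names=("${NEW_CERT}")
      MAIN_CERT=${NEW_CERT}
    fi
    # The names are spliced into paths and into the ${CERT_DAEMON} command line:
    # refuse anything that is not a plain hostname-like token (empty, contains
    # '/' or whitespace, or starts with '-' and would be read as an option).
    for n in "${names[@]}"; do
      case "${n}" in
        ''|*/*|*[[:space:]]*|-*)
          echo -e "${idsCL[Red]}Invalid certificate name '${idsCL[Yellow]}${n}${idsCL[Red]}'.${idsCL[Default]}" >&2
          return 1 ;;
      esac
    done
    echo -e "${idsCL[LightGreen]}Requesting Certificate for '${idsCL[Yellow]}${NEW_CERT}${idsCL[LightGreen]}'...${idsCL[Default]}"
    echo
    # CERT_DAEMON is left unquoted as in the original in case it carries arguments
    # shellcheck disable=SC2086
    $CERT_DAEMON certonly --webroot -w "${NM_CERTPATH}/letsencrypt-acme-challenge" -d "${NEW_CERT}"
    # $CERT_DAEMON certonly --dry-run --webroot -w /var/www/html -d ${NEW_CERT}
    chown -R root:le "${NM_CERTPATH}"
    # NOTE(review): 6775 applied recursively leaves every file under
    # ${NM_CERTPATH}, private keys included, readable by any local user (o=r-x)
    # and sets the setuid/setgid bits on files as well as directories. Kept
    # as-is because the 'le' group replication may rely on it — confirm, and
    # consider 0750 on directories / 0640 on key material.
    chmod -R 6775 "${NM_CERTPATH}"
    if [ -d "${NM_CERTPATH}/live/${MAIN_CERT}" ]; then
      # Marker the LB nodes pick up to notice the new certificate
      touch "${NM_CERTPATH}/live/${MAIN_CERT}/newcert"
      if [ -f "${NM_NGINXPATH}/sites-enabled/${MAIN_CERT}.conf" ]; then
        rm -f "${NM_FOLDER}/cert-request.lastrun"
        daterun=$(date +%Y-%m-%d-%H-%M-%S)
        echo -e "${NEW_CERT}\n${daterun}" > "${NM_FOLDER}/cert-request.lastrun"
        # 'yes |' is not needed: -f answers any overwrite question and aliases
        # such as 'cp -i' are not expanded in a script
        cp -rfH "${NM_FOLDER}/cert-request.lastrun" "${NM_CERTPATH}/cert-request.lastrun"
        DIVIDER true
        if [ "${2:-}" != "newsite" ] && [ "${NM_HOSTS['LB']}" != "" ]; then
          echo -e -n "${idsCL[LightCyan]}Reload NGINX on LB Nodes (Y/n): ${idsCL[Default]}"
          read -r -n 1 NGINXRELOAD
          # Anything but an explicit N/n means "yes"
          if [[ ! ${NGINXRELOAD} =~ ^[Nn]$ ]]; then
            echo
            echo -en "${idsCL[LightYellow]}Waiting for Cert replication across the nodes... ${idsCL[Default]}"
            # This node's own IPv4 addresses, computed once instead of per LB host
            local_ips=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
            for nip in "${LB_HOSTS[@]}"; do
              checkhost=$(CHECK_HOST "${nip}")
              if [ "${checkhost}" != "false" ] && [[ ${local_ips} != *"${nip}"* ]]; then
                # The remote prints '.' while the marker is still missing; loop
                # until the output is empty (marker arrived). Sleep between probes
                # so we do not open ssh sessions in a tight loop.
                checked=false
                until [ "${checked}" = "" ]; do
                  checked=$(ssh "root@${nip}" "[ ! -f ${NM_CERTPATH}/live/${MAIN_CERT}/newcert ] && echo '.'")
                  [ "${checked}" = "" ] || sleep 1
                done
              fi
            done
            rm -f "${NM_CERTPATH}/live/${MAIN_CERT}/newcert"
            echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
            echo
            SERVICE nginx restart
          fi
        fi
      fi
      echo
      echo -e "${idsCL[Green]}Certificate has been successfully created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Green]}'...${idsCL[Default]}"
    else
      echo
      echo -e "${idsCL[Red]}Certificate could not be created for '${idsCL[Yellow]}${NEW_CERT}${idsCL[Red]}'...${idsCL[Default]}"
    fi
    echo
    if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
      DIVIDER true
      ENTER2CONTINUE
    fi
  else
    echo "You havent entered a site address."
    sleep 1
    # Re-prompt; once that call returns the script exits, as in the original
    NEWCERT
    exit 0
  fi
}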
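# DEL-SSL [name]
# Remove the archive/ and live/ directories and the renewal config of one site
# name under ${NM_CERTPATH}.
# Globals read:    NM_CERTPATH, idsCL, timeout
# Globals written: DEL_SSL (left global as in the original)
# $1 - site name (prompted for when absent)
# Returns 1 when NM_CERTPATH is unset or the name is unusable; exits 1 when
# the live/ folder for the name does not exist (as before).
DEL-SSL(){
  if [ -z "${1+x}" ]; then
    echo -e -n "${idsCL[LightCyan]}Delete what SSL site address: ${idsCL[Default]}"
    read -r DEL_SSL
    echo
  else
    DEL_SSL=${1}
  fi
  if [ "${DEL_SSL:-}" != "" ]; then
    # The name is appended to 'rm -rf ${NM_CERTPATH}/...' below. An empty base
    # path, or a name that is '.', '..' or contains '/', would make rm operate
    # outside the intended subtree — refuse both before touching anything.
    if [ -z "${NM_CERTPATH}" ]; then
      echo -e "${idsCL[Red]}NM_CERTPATH is not set; refusing to delete.${idsCL[Default]}" >&2
      return 1
    fi
    case "${DEL_SSL}" in
      .|..|*/*)
        echo -e "${idsCL[Red]}'${DEL_SSL}' is not a valid site name.${idsCL[Default]}" >&2
        return 1 ;;
    esac
    if [ -d "${NM_CERTPATH}/live/${DEL_SSL}" ]; then
      echo -e "${idsCL[LightRed]}Deleting the SSL certificates for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}'...${idsCL[Default]}"
      echo
      echo -en "${idsCL[LightRed]}Removing Files and Folders... ${idsCL[Default]}"
      rm -rf "${NM_CERTPATH}/archive/${DEL_SSL}"
      rm -rf "${NM_CERTPATH}/live/${DEL_SSL}"
      rm -f "${NM_CERTPATH}/renewal/${DEL_SSL}.conf"
      echo -e "${idsCL[Green]}OK${idsCL[Default]}"
      echo
    else
      echo -e "${idsCL[LightRed]}The SSL files folder for '${idsCL[Red]}${DEL_SSL}${idsCL[LightRed]}' could not be found.${idsCL[Default]}"
      exit 1
    fi
    # 'timeout' is set by the caller for unattended runs; suppress the extra line then
    if [ "${timeout:-}" != "true" ]; then
      echo -e "${idsCL[Green]}Completed${idsCL[Default]}"
    fi
    echo
    echo -e "${idsCL[LightRed]}The SSL certificate has been removed fromt be nodes.${idsCL[Default]}"
  fi
}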
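# CERTRENEW
# Interactive renewal: run '${CERT_DAEMON} renew' with the /var/www/html
# webroot, rebuild the fullcert.pem bundles, fix ownership and mode of the
# certificate tree, keep a timestamped copy of the log and restart nginx.
# Globals read:    CERT_DAEMON, NM_FOLDER, NM_CERTPATH, idsCL, action
# Globals written: daterun (left global as in the original)
# Output goes to stdout and to ${NM_FOLDER}/cert-renewal.lastrun.
# Returns 1 when NM_CERTPATH is unset, otherwise 0; a failed renewal is
# reported on stderr instead of being announced as a success.
CERTRENEW(){
  local log="${NM_FOLDER}/cert-renewal.lastrun"
  local renew_rc
  if [ -z "${NM_CERTPATH}" ]; then
    echo -e "${idsCL[Red]}NM_CERTPATH is not set; refusing to run.${idsCL[Default]}" >&2
    return 1
  fi
  echo
  echo -e "${idsCL[LightGreen]}Renewing Certificates...${idsCL[Default]}"
  echo
  sleep 5
  # CERT_DAEMON is left unquoted as in the original in case it carries arguments
  # shellcheck disable=SC2086
  $CERT_DAEMON renew --webroot -w /var/www/html 2>&1 | tee "${log}"
  # tee hides the renewal's exit status; read it from PIPESTATUS so a failed
  # renewal is not reported as "renewed" further down
  renew_rc=${PIPESTATUS[0]}
  CONCAT_SSL
  chown -R root:le "${NM_CERTPATH}" 2>&1 | tee -a "${log}"
  # NOTE(review): 6775 applied recursively leaves every file under
  # ${NM_CERTPATH}, private keys included, readable by any local user (o=r-x)
  # and sets setuid/setgid on files as well as directories. Kept as-is because
  # the 'le' group replication may rely on it — confirm and tighten.
  chmod -R 6775 "${NM_CERTPATH}" 2>&1 | tee -a "${log}"
  # -f already answers any overwrite question; aliases are not expanded in scripts
  cp -rfH "${log}" "${NM_CERTPATH}/cert-renewal.lastrun"
  daterun=$(date +%Y-%m-%d-%H-%M-%S)
  echo -e "${daterun}" >> "${NM_CERTPATH}/cert-renewal.lastrun"
  DIVIDER true
  echo
  SERVICE nginx restart 2>&1 | tee -a "${log}"
  if [ "${renew_rc}" -eq 0 ]; then
    echo -e "${idsCL[LightGreen]}The certificates have been renewed.${idsCL[Default]}"
  else
    echo -e "${idsCL[Red]}Certificate renewal exited with status ${renew_rc}; see ${log}.${idsCL[Default]}" >&2
  fi
  echo
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
    ENTER2CONTINUE
  fi
}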
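# NIGHTLYRENEW
# Unattended (cron) renewal: the same steps as CERTRENEW but silent —
# everything is appended to ${NM_FOLDER}/cert-renewal.lastrun — and nginx is
# reloaded on the web nodes instead of restarted.
# Globals read:    CERT_DAEMON, NM_FOLDER, NM_CERTPATH
# Globals written: daterun (left global as in the original)
# Returns 1 when NM_CERTPATH is unset, otherwise 0. A failing renewal leaves
# an explicit "renew exited with status N" line in the log.
NIGHTLYRENEW(){
  local log="${NM_FOLDER}/cert-renewal.lastrun"
  if [ -z "${NM_CERTPATH}" ]; then
    printf 'NIGHTLYRENEW: NM_CERTPATH is not set\n' >&2
    return 1
  fi
  # CERT_DAEMON is left unquoted as in the original in case it carries arguments
  # shellcheck disable=SC2086
  $CERT_DAEMON renew --webroot -w /var/www/html &>> "${log}" \
    || printf 'renew exited with status %s\n' "$?" >> "${log}"
  CONCAT_SSL
  chown -R root:le "${NM_CERTPATH}" &>> "${log}"
  # NOTE(review): 6775 applied recursively leaves every file under
  # ${NM_CERTPATH}, private keys included, readable by any local user (o=r-x)
  # and sets setuid/setgid on files as well as directories. Kept as-is because
  # the 'le' group replication may rely on it — confirm and tighten.
  chmod -R 6775 "${NM_CERTPATH}" &>> "${log}"
  # -f already answers any overwrite question; aliases are not expanded in scripts
  cp -rfH "${log}" "${NM_CERTPATH}/cert-renewal.lastrun"
  daterun=$(date +%Y-%m-%d-%H-%M-%S)
  echo -e "${daterun}" >> "${NM_CERTPATH}/cert-renewal.lastrun"
  SERVICE nginx reload web &>> "${log}"
}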
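# CONCAT_SSL
# Rebuild <dir>/fullcert.pem (private key followed by the full chain) for
# every certificate directory under ${NM_CERTPATH}/live/.
# Globals read: NM_CERTPATH
# Returns 1 when NM_CERTPATH is unset, otherwise 0.
CONCAT_SSL(){
  local certdir
  if [ -z "${NM_CERTPATH}" ]; then
    printf 'CONCAT_SSL: NM_CERTPATH is not set\n' >&2
    return 1
  fi
  # Iterate the glob directly instead of round-tripping the list through a
  # predictable file in the world-writable /tmp; when nothing matches the
  # literal pattern is not a directory and is skipped.
  for certdir in "${NM_CERTPATH}"/live/*/; do
    [ -d "${certdir}" ] || continue
    rm -f "${certdir}fullcert.pem"
    # The bundle contains the private key: create it 0600 (the callers' later
    # chmod -R decides the final mode). A missing input only fails this entry.
    ( umask 077; cat "${certdir}privkey.pem" "${certdir}fullchain.pem" > "${certdir}fullcert.pem" )
  done
}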
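# LISTCERTS
# Print a table of the certificates under ${NM_CERTPATH}/live/ (locally, or on
# the first LB host when LOCAL_SERVICES is set): subject, whether the subject
# is listed in ssl-domain-checks.conf, the expiry date (red plus a SENDNOTICE
# when within 14 days) and the alternate names, three per line.
# Globals read: NM_FOLDER, NM_CERTPATH, LOCAL_SERVICES, LB_HOSTS, idsCL, idsST,
#               action
# Returns 0.
LISTCERTS(){
  local -i cw=30 days=14 pad i
  local -a ncmd=() certdirs=() SUBJECT_NAMES=()
  local -A CHECKCERT_DOMAINS=()
  local LINE HOST PORT certdir SUBJECT SUBJECTNAMES enddate CERTEXPIRE DUEIN
  local spc spc2 expires monitored rest
  # ssl-domain-checks.conf holds "<host> <port>" per line; '#' lines and blank
  # lines are skipped (same filter as the original egrep)
  while IFS= read -r LINE || [ -n "${LINE}" ]; do
    case "${LINE}" in ''|'#'*) continue ;; esac
    HOST=${LINE%% *}
    PORT=${LINE#* }
    CHECKCERT_DOMAINS[${HOST}]=${PORT}
  done < "${NM_FOLDER}/ssl-domain-checks.conf"
  # Run find/openssl over ssh when the certificates live on the LB node. As in
  # the original, the live/* glob is expanded by the local shell before ssh —
  # confirm that is intended for the remote case.
  if [ -n "${LOCAL_SERVICES+x}" ]; then
    ncmd=(ssh "root@${LB_HOSTS[0]}")
  fi
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
  fi
  echo
  echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
  DIVIDER false yellow 120
  echo -e "Subject Name Monitored Expires Alternate Subject Names"
  DIVIDER false yellow 120
  # cw blanks, used to indent continuation lines under the subject column
  printf -v spc2 '%*s' "${cw}" ''
  mapfile -t certdirs < <("${ncmd[@]}" find "${NM_CERTPATH}"/live/* -type d </dev/null)
  DUEIN=$(( $(date +%s) + 86400 * days ))
  for certdir in "${certdirs[@]}"; do
    [ -n "${certdir}" ] || continue
    SUBJECT=$("${ncmd[@]}" openssl x509 -in "${certdir}/cert.pem" -noout -subject </dev/null | grep -oP '(?<=CN = )[^,]+' | sort -uV)
    SUBJECTNAMES=$("${ncmd[@]}" openssl x509 -in "${certdir}/cert.pem" -noout -text </dev/null | grep -oP '(?<=DNS:|IP Address:)[^,]+' | sort -uV)
    # -enddate prints "notAfter=<date>", which date(1) parses directly; this
    # replaces picking fields out of the -text dump
    enddate=$("${ncmd[@]}" openssl x509 -in "${certdir}/cert.pem" -noout -enddate </dev/null)
    CERTEXPIRE=$(date -d "${enddate#notAfter=}" '+%s')
    # Join the names and drop the subject from the list. Quoted patterns match
    # literally; the original sed treated '.' in the subject as a regex.
    SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
    SUBJECTNAMES=${SUBJECTNAMES//"${SUBJECT}, "/}
    SUBJECTNAMES=${SUBJECTNAMES//", ${SUBJECT}"/}
    SUBJECTNAMES=${SUBJECTNAMES//"${SUBJECT}"/}
    IFS=', ' read -r -a SUBJECT_NAMES <<< "${SUBJECTNAMES}"
    # Pad the subject to the column width, never negative: the original counted
    # up to (cw - length) and spun forever on a subject longer than cw
    pad=$(( cw - ${#SUBJECT} ))
    (( pad < 0 )) && pad=0
    printf -v spc '%*s' "${pad}" ''
    if [ "${CERTEXPIRE}" -le "${DUEIN}" ]; then
      expires="${idsST[Bold]}${idsCL[Red]}$(date -d "@${CERTEXPIRE}" '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
      SENDNOTICE "SSL Expiring" "${SUBJECT} expires on ${expires}" 1
    else
      expires="${idsCL[Green]}$(date -d "@${CERTEXPIRE}" '+%m-%d-%Y')${idsCL[Default]}"
    fi
    # An empty subject is not a valid associative-array key; treat it as unmonitored
    if [ -z "${SUBJECT}" ] || [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" = "" ]; then
      monitored='No '
    else
      monitored="${idsCL[Green]}Yes${idsCL[Default]}"
    fi
    # First row carries up to three alternate names; the rest follow in groups
    # of three under the subject column (the original printed no row at all
    # for a certificate with seven or more names)
    rest=$(printf ', %s' "${SUBJECT_NAMES[@]:0:3}")
    rest=${rest#, }
    echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${expires} ${rest}"
    for (( i = 3; i < ${#SUBJECT_NAMES[@]}; i += 3 )); do
      rest=$(printf ', %s' "${SUBJECT_NAMES[@]:i:3}")
      rest=${rest#, }
      echo -e "${spc2} ${rest}"
    done
    DIVIDER false darkGray 120
  done
  echo
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
    ENTER2CONTINUE
  fi
  echo
}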
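# LISTCERTS_NPM
# Print a table of the nginx-proxy certificates under
# /opt/nginx-proxy/letsencrypt/live/ (locally, or on the first MySQL host when
# LOCAL_SERVICES is set): subject, whether it is listed in
# ssl-domain-checks.conf, the expiry date (red when within 14 days) and the
# alternate names, three per line.
# Globals read: NM_FOLDER, LOCAL_SERVICES, MYSQL_HOSTS, idsCL, idsST, action
# Returns 0.
LISTCERTS_NPM(){
  local -i cw=30 days=14 pad i
  local -a ncmd=() certdirs=() SUBJECT_NAMES=()
  local -A CHECKCERT_DOMAINS=()
  local LINE HOST PORT certdir SUBJECT SUBJECTNAMES enddate CERTEXPIRE DUEIN
  local spc spc2 expires monitored rest
  # ssl-domain-checks.conf holds "<host> <port>" per line; '#' lines and blank
  # lines are skipped (same filter as the original egrep)
  while IFS= read -r LINE || [ -n "${LINE}" ]; do
    case "${LINE}" in ''|'#'*) continue ;; esac
    HOST=${LINE%% *}
    PORT=${LINE#* }
    CHECKCERT_DOMAINS[${HOST}]=${PORT}
  done < "${NM_FOLDER}/ssl-domain-checks.conf"
  # Build the directory list in memory rather than through the predictable
  # /tmp/ssllist, a path any local user could pre-create for root to follow
  if [ -n "${LOCAL_SERVICES+x}" ]; then
    ncmd=(ssh "root@${MYSQL_HOSTS[0]}")
    mapfile -t certdirs < <("${ncmd[@]}" 'for certdir in /opt/nginx-proxy/letsencrypt/live/*/ ; do echo $certdir; done' </dev/null)
  else
    certdirs=(/opt/nginx-proxy/letsencrypt/live/*/)
    # unmatched glob leaves the literal pattern behind
    [ -d "${certdirs[0]}" ] || certdirs=()
  fi
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
  fi
  echo
  echo -e "${idsCL[LightGreen]}Current Certificates on Node...${idsCL[Default]}"
  DIVIDER false yellow 120
  echo -e "Subject Name Monitored Expires Alternate Subject Names"
  DIVIDER false yellow 120
  # cw blanks, used to indent continuation lines under the subject column
  printf -v spc2 '%*s' "${cw}" ''
  DUEIN=$(( $(date +%s) + 86400 * days ))
  for certdir in "${certdirs[@]}"; do
    [ -n "${certdir}" ] || continue
    # certdir keeps its trailing slash (it comes from a 'live/*/' glob)
    SUBJECT=$("${ncmd[@]}" openssl x509 -in "${certdir}cert.pem" -noout -subject </dev/null | grep -oP '(?<=CN = )[^,]+' | sort -uV)
    SUBJECTNAMES=$("${ncmd[@]}" openssl x509 -in "${certdir}cert.pem" -noout -text </dev/null | grep -oP '(?<=DNS:|IP Address:)[^,]+' | sort -uV)
    # -enddate prints "notAfter=<date>", which date(1) parses directly
    enddate=$("${ncmd[@]}" openssl x509 -in "${certdir}cert.pem" -noout -enddate </dev/null)
    CERTEXPIRE=$(date -d "${enddate#notAfter=}" '+%s')
    # Join the names and drop the subject from the list; quoted patterns are
    # literal, unlike the original sed where '.' in the subject was a regex
    SUBJECTNAMES=${SUBJECTNAMES//$'\n'/, }
    SUBJECTNAMES=${SUBJECTNAMES//"${SUBJECT}, "/}
    SUBJECTNAMES=${SUBJECTNAMES//", ${SUBJECT}"/}
    SUBJECTNAMES=${SUBJECTNAMES//"${SUBJECT}"/}
    IFS=', ' read -r -a SUBJECT_NAMES <<< "${SUBJECTNAMES}"
    # Pad to the column width, never negative (the original padding loop did
    # not terminate for a subject longer than cw)
    pad=$(( cw - ${#SUBJECT} ))
    (( pad < 0 )) && pad=0
    printf -v spc '%*s' "${pad}" ''
    if [ "${DUEIN}" -gt "${CERTEXPIRE}" ]; then
      expires="${idsST[Bold]}${idsCL[Red]}$(date -d "@${CERTEXPIRE}" '+%m-%d-%Y')${idsST[Reset]}${idsCL[Default]}"
    else
      expires="${idsCL[Green]}$(date -d "@${CERTEXPIRE}" '+%m-%d-%Y')${idsCL[Default]}"
    fi
    # An empty subject is not a valid associative-array key; treat it as unmonitored
    if [ -z "${SUBJECT}" ] || [ "${CHECKCERT_DOMAINS[${SUBJECT}]}" = "" ]; then
      monitored='No '
    else
      monitored="${idsCL[Green]}Yes${idsCL[Default]}"
    fi
    # First row carries up to three alternate names; the rest follow in groups
    # of three (the original printed no row for seven or more names)
    rest=$(printf ', %s' "${SUBJECT_NAMES[@]:0:3}")
    rest=${rest#, }
    echo -e "${idsCL[Cyan]}${SUBJECT}${idsCL[Default]}${spc}${monitored} ${expires} ${rest}"
    for (( i = 3; i < ${#SUBJECT_NAMES[@]}; i += 3 )); do
      rest=$(printf ', %s' "${SUBJECT_NAMES[@]:i:3}")
      rest=${rest#, }
      echo -e "${spc2} ${rest}"
    done
    DIVIDER false darkGray 120
  done
  echo
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
    ENTER2CONTINUE
  fi
  echo
}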
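# COPYCERTS_NPM [reset]
# Maintain the /opt/nginx-proxy/ssl/<subject> symlinks pointing at the
# letsencrypt live directories: remove every link ("reset") or only the
# dangling ones, then create a link for each certificate whose subject has none.
# Globals read:    action
# Globals written: ssldir, SUBJECT (left global as in the original)
# $1 - "reset" deletes all existing symlinks first
# Returns 0.
COPYCERTS_NPM(){
  local certdir od
  local -a links=() certdirs=()
  ssldir='/opt/nginx-proxy/ssl'
  if [ "${1:-}" = "reset" ]; then
    echo "Resetting ... Deleting all SSL symlink folders"
    mapfile -t links < <(find "${ssldir}" -type l)
    for certdir in "${links[@]}"; do
      rm -- "${certdir}"
    done
  else
    # symlinks whose target no longer exists
    mapfile -t links < <(find "${ssldir}" -type l ! -exec test -e {} \; -print)
    for od in "${links[@]}"; do
      echo "Removing bad symlink folder ... ${od}"
      rm -f -- "${od}"
    done
  fi
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    DIVIDER true
  fi
  mapfile -t certdirs < <(find /opt/nginx-proxy/letsencrypt/live/* -type d)
  for certdir in "${certdirs[@]}"; do
    [ -n "${certdir}" ] || continue
    SUBJECT=$(openssl x509 -in "${certdir}/cert.pem" -noout -subject | grep -oP '(?<=CN = )[^,]+' | sort -uV)
    # With an empty subject 'ln -s' would create a link named after the cert
    # directory inside ${ssldir}; skip the entry instead
    if [ -z "${SUBJECT}" ]; then
      echo "${certdir} ... no CN found, skipping" >&2
      continue
    fi
    if [ ! -L "${ssldir}/${SUBJECT}" ]; then
      echo "${SUBJECT} ... creating"
      /bin/ln -s "${certdir}" "${ssldir}/${SUBJECT}"
    fi
  done
  if [ -z "${action:-}" ] || [ "${action}" = "gui" ]; then
    echo
    DIVIDER true
    ENTER2CONTINUE
    echo
  fi
}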
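# CHECK_NPMCERTS
# Print the certificates under /opt/nginx-proxy/letsencrypt/live/ that expire
# within 24 days, with the days remaining (negative once expired).
# Globals written: SUBJECT, ENDDATE, DAYS (left global as in the original)
# Output: "<subject>:<padding><days> days remaining" per matching certificate.
# Returns 0.
CHECK_NPMCERTS(){
  local certdir spc
  local -i cw=35 pad
  local -a certdirs=()
  mapfile -t certdirs < <(find /opt/nginx-proxy/letsencrypt/live/* -type d)
  for certdir in "${certdirs[@]}"; do
    [ -n "${certdir}" ] || continue
    SUBJECT=$(openssl x509 -in "${certdir}/cert.pem" -noout -subject | grep -oP '(?<=CN = )[^,]+' | sort -uV)
    ENDDATE=$(openssl x509 -in "${certdir}/cert.pem" -noout -enddate | awk -F '=' '{print $2}')
    DAYS=$(dateutils.ddiff today "$(date --date="${ENDDATE}" '+%F')" -f '%d')
    # Without a numeric day count the comparisons below would only print errors
    if ! [[ ${DAYS} =~ ^-?[0-9]+$ ]]; then
      echo "${SUBJECT}: could not determine days remaining (${ENDDATE})" >&2
      continue
    fi
    # Pad to the column, never negative: the original counted up to
    # (cw - length) and never terminated for a subject longer than cw, and
    # ${spc::-1} failed when the padding was already empty
    pad=$(( cw - ${#SUBJECT} ))
    # a negative count is one character wider, so pad one less
    [ "${DAYS}" -lt 0 ] && pad=$(( pad - 1 ))
    (( pad < 0 )) && pad=0
    printf -v spc '%*s' "${pad}" ''
    if [ "${DAYS}" -lt 24 ]; then
      echo "${SUBJECT}:${spc}${DAYS} days remaining"
    fi
  done
  echo
}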
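# CHECK-CERTS [check]
# Check the hosts listed in ssl-domain-checks.conf with the bundled
# ssl-cert-check tool. "check" mode writes the whole report to
# ssl-cert-check.lastrun and sends it as one notice; otherwise every host is
# probed on its own and printed/notified by state.
# Globals read:    NM_FOLDER
# Globals written: SSLLOG, HOST, PORT, CERTINFO, CERTVALID, CERTDAYS (left
#                  global as in the original)
# $1 - "check" selects the batch report mode
# Returns 0.
CHECK-CERTS(){
  local LINE
  if [ "${1:-}" == "check" ]; then
    rm -f "${NM_FOLDER}/ssl-cert-check.lastrun"
    "${NM_FOLDER}/ssl-cert-check/ssl-cert-check" -f "${NM_FOLDER}/ssl-domain-checks.conf" > "${NM_FOLDER}/ssl-cert-check.lastrun"
    SSLLOG=$(<"${NM_FOLDER}/ssl-cert-check.lastrun")
    SENDNOTICE "SSL Certs Check" "SSL Certs Check\n$SSLLOG"
  else
    # ssl-domain-checks.conf holds "<host> <port>" per line; '#' lines and
    # blank lines are skipped (same filter as the original egrep)
    while IFS= read -r LINE || [ -n "${LINE}" ]; do
      case "${LINE}" in ''|'#'*) continue ;; esac
      HOST=${LINE%% *}
      PORT=${LINE#* }
      # </dev/null keeps the tool from consuming the config file on our stdin
      CERTINFO=$("${NM_FOLDER}/ssl-cert-check/ssl-cert-check" -p "${PORT}" -s "${HOST}" -N </dev/null)
      # The -N output parsing is kept verbatim: the unquoted echo collapses the
      # tool's whitespace before the ' valid' split, and the last character of
      # that prefix is the validity flag
      # shellcheck disable=SC2086
      CERTVALID=$(echo ${CERTINFO} | awk -F' valid' '{print $1}')
      CERTVALID=${CERTVALID: -1}
      CERTDAYS=${CERTINFO#*days=}
      if [ "${CERTVALID}" == "0" ] || [ "${CERTVALID}" == "E" ]; then
        printf "%-30s: %s\n" "${HOST}" "SSL is not valid"
        SENDNOTICE "SSL Not Valid" "The (${HOST}) SSL is not valid" 1
      elif ! [[ ${CERTDAYS} =~ ^-?[0-9]+$ ]]; then
        # No 'days=' field: without this guard the integer tests below fail
        # with an error and the host falls through to "SSL is valid"
        printf "%-30s: %s\n" "${HOST}" "SSL check output could not be parsed"
      elif [ "${CERTDAYS}" -lt 1 ]; then
        printf "%-30s: %s\n" "${HOST}" "SSL Expired! (${CERTDAYS} days)"
        SENDNOTICE "SSL Expired" "The (${HOST}) SSL is expired!! (${CERTDAYS} days)" 2
      elif [ "${CERTDAYS}" -lt 15 ]; then
        printf "%-30s: %s\n" "${HOST}" "SSL is expiring in $CERTDAYS days!"
        SENDNOTICE "SSL Expiring" "The (${HOST}) SSL is expiring in ${CERTDAYS} days" 1
      else
        printf "%-30s: %s\n" "${HOST}" "SSL is valid for ${CERTDAYS} days"
      fi
    done < "${NM_FOLDER}/ssl-domain-checks.conf"
  fi
}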