diff --git a/cm.sh b/cm.sh
index 319239f9911299003c07bc81bd13f29246c62fe4..72c040a260ce57209d08dc4d436753429bbbeedf 100755
--- a/cm.sh
+++ b/cm.sh
@@ -12,7 +12,8 @@
 # - acme.sh client
 #
 # ----------------------------------------------------------------------
-# 2021-02-02
+# 2021-02-02 <axel.hahn@iml.unibe.ch> first lines
+# 2021-02-10 <axel.hahn@iml.unibe.ch> compare hashes, logging
 # ======================================================================
 
 
@@ -24,9 +25,12 @@ selfdir="$( dirname $0 )"
 
 
 touchfile="${selfdir}/log/lastchange.txt"
-logfile="${selfdir}/log/certmanager-$( date +"%Y%M%d" ).log"
+# logfile="${selfdir}/log/certmanager-$( date +"%Y%m%d" ).log"
+logfile="${selfdir}/log/certmanager.log"
 line="_______________________________________________________________________________"
+
 showdebug=1
+writelog=1
 
 
 # ----------------------------------------------------------------------
@@ -35,10 +39,21 @@ showdebug=1
 #
 # ----------------------------------------------------------------------
 
+# internal function; list certificates incl. creation date and renew date
+function _listCerts(){
+ $ACME --list
+}
+
+# internal function; checks if a certificate for a given FQDN already exists
+# used in _certMustExist, _certMustNotExist
+# param string FQDN
 function _certExists(){
 _listCerts | awk '{ print $1 }' | grep "^${CM_fqdn}$" >/dev/null
 }
 
+# internal function; a certificate of a given FQDN must exist - otherwise
+# the script will be aborted
+# param string FQDN
 function _certMustExist(){
 _certExists
 if [ $? -ne 0 ]; then
@@ -46,6 +61,10 @@ function _certMustExist(){
 exit 1
 fi
 }
+
+# internal function; a certificate of a given FQDN must not exist - otherwise
+# the script will be aborted
+# param string FQDN
 function _certMustNotExist(){
 _certExists
 if [ $? -eq 0 ]; then
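Review bot: The commented-out `logfile` line in this hunk carries the `%Y%m%d` fix for the removed `%Y%M%d` (minutes, not month) but is now dead code, while the active `certmanager.log` is a single fixed file that nothing in this diff truncates or rotates, so `_update` (later hunk) appends to it indefinitely. Either delete the dead line or keep the dated name by restoring `logfile="${selfdir}/log/certmanager-$( date +"%Y%m%d" ).log"`. If the fixed name stays, a comment such as `# appended to by _update; rotate externally (e.g. logrotate)` above `logfile=` tells the operator what to expect.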
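Review bot: The new `# param string FQDN` comments on `_certExists` and `_certMustExist` (and on `_certMustNotExist` in the next hunk) are misleading: none of these functions takes a parameter; they read the global `CM_fqdn`, as the `grep "^${CM_fqdn}$"` line shows. Suggest `# uses global CM_fqdn (the 2nd CLI parameter, see _requiresFqdn)` instead. While documenting it, note that `CM_fqdn` is interpolated into a basic regex, so `.` matches any character and the existence check can match a different name; `grep -x -F -- "$CM_fqdn"` would make it an exact fixed-string match.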
@@ -57,6 +76,7 @@ function _certMustNotExist(){
 # internal function: transfer generated/ updated cert data to a
 # known directory (based on CM_diracme - see inc_config.sh)
 # used in public_add and public_renew
+# used in ADD and RENEW action
 function _certTransfer(){
 _wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}"
 ls -l ~/.acme.sh/${CM_fqdn}
@@ -80,13 +100,21 @@ function _certTransfer(){
 
 # internal function; show md5 hashsums for certificate, csr and key
 # for visual comparison if the match
-# TODO: script a comparison to write out MATCH or FAIL
 function _certMatching(){
+ local md5_cert=$( openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )
+ local md5_csr=$( openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " )
+ local md5_key=$( openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5 | cut -f 2 -d " " )
+
 echo
- echo "--- compare hashes to see if they match"
- echo -n "cert : "; openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5
- echo -n "csr : "; openssl req -noout -modulus -in ${CM_filecsr} | openssl md5
- echo -n "key : "; openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5
+ echo "--- compare hashes"
+ echo "cert : $md5_cert"
+ echo "csr : $md5_csr"
+ echo "key : $md5_key"
+ if [ "$md5_key" = "$md5_cert" -a "$md5_key" = "$md5_csr" ]; then
+ echo "OK, they match :-)"
+ else
+ echo "ERROR: they do NOT MATCH!"
+ fi
 echo
 }
 
@@ -121,8 +149,9 @@ function _gencsr(){
 _checkDig $CM_fqdn
 for myalt in $*
 do
- altdns="${altdns},DNS:$myalt"
+ altdns="${altdns}DNS:$myalt,"
 done
+ altdns=$( echo $altdns | sed "s#,\$##" )
 _wd "--- $CM_fqdn"
 _wd "DNS alternative names: $altdns"
 
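Review bot: The added line `# used in ADD and RENEW action` restates the line directly above it (`# used in public_add and public_renew`); keep one of them, e.g. `# used by public_add and public_renew (ADD / RENEW actions)`. `_certTransfer`'s body continues past this hunk.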
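Review bot: The trailing-comma strip `altdns=$( echo $altdns | sed "s#,\$##" )` can be the parameter expansion `altdns="${altdns%,}"`, which drops the subshell and the unquoted `echo $altdns`. More important, together with the `templates/csr.txt.dist` hunk at the end of this diff, `ALTNAMES` now holds only what the caller passed where it used to begin with `DNS:$FQDN`; clients validate the SAN list rather than CN, so if the caller of `_gencsr` does not include `CM_fqdn` in `$*` the issued certificate will presumably not be valid for the main domain, and an empty `$*` leaves the SAN entry blank. I cannot see the caller from this hunk; a comment on the loop such as `# $* must contain CM_fqdn itself - ALTNAMES replaces the whole SAN list` plus a guard `[ -n "$altdns" ] || altdns="DNS:${CM_fqdn}"` would make the contract explicit. `_gencsr` starts before and ends after this hunk.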
@@ -143,11 +172,8 @@ function _gencsr(){
 ls -ltr $CM_filecnf $CM_filekey $CM_filecsr
 }
 
-# internal function; list certificates incl. creation date and renew date
-function _listCerts(){
- $ACME --list
-}
-
+# internal function; check if a required 2nd CLI parameter was given
+# if not the script will abort
 function _requiresFqdn(){
 if [ -z "$CM_fqdn" ]; then
 echo "ERROR: 2nd parameter must be a FQDN for Main_Domain."
@@ -155,6 +181,9 @@ function _requiresFqdn(){
 fi
 }
 
+# internal function; it shows a message if the current instance uses a stage
+# server. It shows a message that it is allowed to test arround ... or to be
+# careful with LE requests on a production system
 function _testStaging(){
 echo $ACME_Params | grep "\-\-staging" >/dev/null
 if [ $? -eq 0 ]; then
@@ -170,7 +199,8 @@ function _testStaging(){
 # set update message in a file
 # param string(s) message
 function _update(){
- echo $( date ) $* > ${touchfile}
+ echo "[$( date )] $*" > ${touchfile}
+ test ${writelog} && echo "[$( date )] $*" >> ${logfile}
 }
 
 # write debug output if showdebug is set to 1
@@ -220,7 +250,7 @@ function public_add-or-renew(){
 _requiresFqdn
 _certExists
 if [ $? -eq 0 ]; then
- _wd "--- cert was found ... renew it"
+ _wd "--- cert was found ... renew it (ignore --force - it comes from acme.sh)"
 public_renew
 else
 _wd "--- cert does mot exist ... add it"
@@ -242,7 +272,7 @@ function public_delete(){
 $ACME --remove -d ${CM_fqdn} $ACME_Params
 _wd "--- delete local data"
 rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn}
- _update "deleted ${CM_fqdn}"
+ _update "deleted ${CM_fqdn}"
 }
 
 
@@ -264,7 +294,7 @@ function public_renew(){
 _certTransfer
 _certMatching
 
- _update "renew ${CM_fqdn}"
+ _update "renewed ${CM_fqdn}"
 }
 
 #
diff --git a/readme.md b/readme.md
index 004fd4b537d54516cb24c4808cc0dc1d0819bdab..368e547185ab7832c97664cafb8d3d6ba4cf21e6 100644
--- a/readme.md
+++ b/readme.md
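Review bot: The new comment on `_testStaging` has a typo (`arround`) and says `It shows a message` twice; suggest `# internal function; warn when ACME_Params contains --staging: fine for experiments on the staging server, otherwise be careful with real LE requests on a production system`. `_testStaging`'s body continues past this hunk.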
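Review bot: `test ${writelog}` in `_update` is true for any non-empty value, so `writelog=0` still writes the log; only an unset or empty `writelog` switches it off, which is not what the `writelog=1` flag in the earlier hunk suggests. Compare the value explicitly: `[ "${writelog}" = "1" ] && echo "[$( date )] $*" >> "${logfile}"`. Nothing checks that `${selfdir}/log` exists, so a missing directory silently loses both the touchfile and the log entry; a `mkdir -p "${selfdir}/log"` at startup or `|| echo "ERROR: cannot write ${logfile}" >&2` on the append would surface it. A sortable timestamp such as `date +"%Y-%m-%d %H:%M:%S"` would also make the single `certmanager.log` easier to search than the locale-dependent `date` output.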
@@ -2,11 +2,11 @@
 
 Wrapper for acme.sh to create Let's Encrypt certificates based on CSR files using DNS authentication
 
-source: https://git-repo.iml.unibe.ch/open-source/iml-certman
+source: <https://git-repo.iml.unibe.ch/open-source/iml-certman>
 
 ## Installation
 
-* Install acme.sh client: https://github.com/acmesh-official/acme.sh
+* Install acme.sh client: <https://github.com/acmesh-official/acme.sh>
 * Clone or extract files of iml-certman
 * Make your changes by copying *dist files to file without ".dist" extension and edit
 * inc_config.sh
diff --git a/templates/csr.txt.dist b/templates/csr.txt.dist
index f7b6a54d65bee995631e42d12c31a04723860ae3..c56190abd548cf79ba1491b74c4c2eaf5090c09b 100644
--- a/templates/csr.txt.dist
+++ b/templates/csr.txt.dist
@@ -26,7 +26,7 @@ UNITNAME = Department for magic things
 FQDN = __FQDN__
 
 # subjectAltName entries: to add DNS aliases to the CSR, delete
-ALTNAMES = DNS:$FQDN__ALTNAMES__
+ALTNAMES = __ALTNAMES__
 
 [ req ]