compare hashes; remove FQDN from altnames; logging

cm.sh

@@ -12,7 +12,8 @@
 # - acme.sh client
 #
 # ----------------------------------------------------------------------
-# 2021-02-02
+# 2021-02-02  <axel.hahn@iml.unibe.ch>  first lines
+# 2021-02-10  <axel.hahn@iml.unibe.ch>  compare hashes, logging
 # ======================================================================
 
 
@@ -24,9 +25,12 @@
 
 selfdir="$( dirname $0 )"
 touchfile="${selfdir}/log/lastchange.txt"
-logfile="${selfdir}/log/certmanager-$( date +"%Y%M%d" ).log"
+# logfile="${selfdir}/log/certmanager-$( date +"%Y%m%d" ).log"
+logfile="${selfdir}/log/certmanager.log"
 line="_______________________________________________________________________________"
+
 showdebug=1
+writelog=1
 
 
 # ----------------------------------------------------------------------
@@ -35,10 +39,21 @@ showdebug=1
 #
 # ----------------------------------------------------------------------
 
+# internal function; list certificates incl. creation date and renew date
+function _listCerts(){
+	$ACME --list	
+}
+
+# internal function; checks if a certificate for a given FQDN already exists
+# used in _certMustExist, _certMustNotExist
+# param  string  FQDN
 function _certExists(){
 	_listCerts | awk '{ print $1 }' | grep "^${CM_fqdn}$" >/dev/null
 }
 
+# internal function; a certificate of a given FQDN must exist - otherwise
+# the script will be aborted
+# param  string  FQDN
 function _certMustExist(){
 	_certExists
 	if [ $? -ne 0 ]; then
@@ -46,6 +61,10 @@ function _certMustExist(){
 		exit 1
 	fi
 }
+
+# internal function; a certificate of a given FQDN must not exist - otherwise
+# the script will be aborted
+# param  string  FQDN
 function _certMustNotExist(){
 	_certExists
 	if [ $? -eq 0 ]; then
@@ -57,6 +76,7 @@ function _certMustNotExist(){
 # internal function: transfer generated/ updated cert data to a
 # known directory (based on CM_diracme - see inc_config.sh)
 # used in public_add and public_renew
+# used in ADD and RENEW action
 function _certTransfer(){
 	_wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}"
 	ls -l ~/.acme.sh/${CM_fqdn}
@@ -80,13 +100,21 @@ function _certTransfer(){
 
 # internal function; show md5 hashsums for certificate, csr and key
 # for visual comparison if the match
-# TODO: script a comparison to write out MATCH or FAIL
 function _certMatching(){
+	local md5_cert=$( openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )
+	local md5_csr=$(  openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5 | cut -f 2 -d " " )
+	local md5_key=$(  openssl rsa  -noout -modulus -in ${CM_outfile_key}  | openssl md5 | cut -f 2 -d " " )
+
 	echo
-	echo "--- compare hashes to see if they match"
-	echo -n "cert : "; openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5
-	echo -n "csr  : "; openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5
-	echo -n "key  : "; openssl rsa  -noout -modulus -in ${CM_outfile_key}  | openssl md5
+	echo "--- compare hashes"
+	echo "cert : $md5_cert"
+	echo "csr  : $md5_csr"
+	echo "key  : $md5_key"
+	if [ "$md5_key" = "$md5_cert" -a "$md5_key" = "$md5_csr" ]; then
+		echo "OK, they match :-)"
+	else
+		echo "ERROR: they do NOT MATCH!"
+	fi
 	echo
 }
 
@@ -121,8 +149,9 @@ function _gencsr(){
 	_checkDig $CM_fqdn
 	for myalt in $*
 	do
-		altdns="${altdns},DNS:$myalt"
+		altdns="${altdns}DNS:$myalt,"
 	done
+	altdns=$( echo $altdns | sed "s#,\$##" )
     _wd "--- $CM_fqdn"
 	_wd "DNS alternative names: $altdns"
 
@@ -143,11 +172,8 @@ function _gencsr(){
 	ls -ltr $CM_filecnf $CM_filekey $CM_filecsr
 }
 
-# internal function; list certificates incl. creation date and renew date
-function _listCerts(){
-	$ACME --list	
-}
-
+# internal function; check if a required 2nd CLI parameter was given
+# if not the script will abort
 function _requiresFqdn(){
 	if [ -z "$CM_fqdn" ]; then
 		echo "ERROR: 2nd parameter must be a FQDN for Main_Domain."
@@ -155,6 +181,9 @@ function _requiresFqdn(){
 	fi
 }
 
+# internal function; it shows a message if the current instance uses a stage
+# server. It shows a message that it is allowed to test arround ... or to be 
+# careful with LE requests on a production system
 function _testStaging(){
 	echo $ACME_Params | grep "\-\-staging" >/dev/null
 	if [ $? -eq 0 ]; then
@@ -170,7 +199,8 @@ function _testStaging(){
 # set update message in a file
 # param  string(s)  message
 function _update(){
-	echo $( date ) $* > ${touchfile}
+	echo "[$( date )] $*" > ${touchfile}
+	test ${writelog} && echo "[$( date )] $*" >> ${logfile}
 }
 
 # write debug output if showdebug is set to 1
@@ -220,7 +250,7 @@ function public_add-or-renew(){
 	_requiresFqdn
 	_certExists
 	if [ $? -eq 0 ]; then
-		_wd "--- cert was found ... renew it"
+		_wd "--- cert was found ... renew it (ignore --force - it comes from acme.sh)"
 		public_renew
 	else
 		_wd "--- cert does mot exist ... add it"
@@ -242,7 +272,7 @@ function public_delete(){
 	$ACME --remove -d ${CM_fqdn} $ACME_Params
 	_wd "--- delete local data"
 	rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn}
-	_update "deleted  ${CM_fqdn}"
+	_update "deleted ${CM_fqdn}"
 }
 
 
@@ -264,7 +294,7 @@ function public_renew(){
 	_certTransfer
 	_certMatching
 
-	_update "renew ${CM_fqdn}"
+	_update "renewed ${CM_fqdn}"
 }
 
 #

readme.md

@@ -2,11 +2,11 @@
 
 Wrapper for acme.sh to create Let's Encrypt certificates based on CSR files using DNS authentication
 
-source: https://git-repo.iml.unibe.ch/open-source/iml-certman
+source: <https://git-repo.iml.unibe.ch/open-source/iml-certman>
 
 ## Installation
 
-* Install acme.sh client: https://github.com/acmesh-official/acme.sh
+* Install acme.sh client: <https://github.com/acmesh-official/acme.sh>
 * Clone or extract files of iml-certman
 * Make your changes by copying *dist files to file without ".dist" extension and edit
   * inc_config.sh

templates/csr.txt.dist

@@ -26,7 +26,7 @@ UNITNAME = Department for magic things
 FQDN = __FQDN__
 
 # subjectAltName entries: to add DNS aliases to the CSR, delete
-ALTNAMES = DNS:$FQDN__ALTNAMES__
+ALTNAMES = __ALTNAMES__
 
 
 [ req ]