many small fixes; added stage test and md5 match

2353823a · Hahn Axel (hahn) · b6fcb9b6 · 2353823a · 2353823a
Commit 2353823a authored 4 years ago by Hahn Axel (hahn)
--- a/cm.sh
+++ b/cm.sh
@@ -58,25 +58,37 @@ function _certMustNotExist(){
 # known directory (based on CM_diracme - see inc_config.sh)
 # used in public_add and public_renew
 function _certTransfer(){
-	_wd "--- acme internal data"
+	_wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}"
 	ls -l ~/.acme.sh/${CM_fqdn}

 	_wd "--- transfer acme.sh files to ${CM_dircerts}"
 	$ACME \
 		--install-cert \
 		-d ${CM_fqdn} \
-		--cert-file       ${CM_dircerts}/${CM_fqdn}.cert.pem  \
-		--fullchain-file  ${CM_dircerts}/${CM_fqdn}.fullchain.pem \
+		--cert-file       ${CM_outfile_cert}  \
+		--fullchain-file  ${CM_outfile_chain} \
+		--ca-file         ${CM_outfile_ca} \
 		|| exit 1
 		# --key-file        ${CM_dircerts}/${CM_fqdn}.key.pem  \

 	_wd "--- copy key to ${CM_dircerts}"
-	cp ${CM_filekey} ${CM_dircerts}/${CM_fqdn}.key.pem
+	cp ${CM_filekey} ${CM_outfile_key}

 	_wd "--- content of output dir $CM_dircerts:"
 	ls -l $CM_dircerts/*
 }

+# internal function; show md5 hashsums for certificate, csr and key
+# for visual comparison if the match
+# TODO: script a comparison to write out MATCH or FAIL
+function _certMatching(){
+	echo
+	echo "--- compare hashes to see if they match"
+	echo -n "cert : "; openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5
+	echo -n "csr  : "; openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5
+	echo -n "key  : "; openssl rsa  -noout -modulus -in ${CM_outfile_key}  | openssl md5
+	echo
+}

 # internal function: dig for given fqdn.
 # Function stops if fqdn was not found in DNS.
@@ -143,6 +155,18 @@ function _requiresFqdn(){
 	fi
 }

+function _testStaging(){
+	echo $ACME_Params | grep "\-\-staging" >/dev/null
+	if [ $? -eq 0 ]; then
+		_wd "Using LE STAGE environment ..."
+		_wd "You can test and mess around. Do not use certs in production."
+	else
+		_wd "Using LE LIVE environment for production."
+		_wd "Be careful with count of connects to LE servers."
+	fi
+	echo
+}
+
 # set update message in a file
 # param  string(s)  message
 function _update(){
@@ -171,13 +195,20 @@ function public_add(){
 	_wd "--- create output dir $dircerts"
 	mkdir -p "${CM_dircerts}" 2>/dev/null

-	# _wd "--- domains in csr"
+	_wd "--- csr data"
 	$ACME --showcsr  --csr $CM_filecsr || exit 1

 	_wd "--- create certificate"
-	$ACME --signcsr --force --csr $CM_filecsr $ACME_Params || exit 1
+	$ACME --signcsr --csr $CM_filecsr $ACME_Params 
+	if [ $? -ne 0 ]; then
+		echo "ERROR: adding cert failed. Trying to delete internal data ..."
+		public_delete $CM_fqdn
+		exit 1
+	fi
+	# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1

 	_certTransfer
+	_certMatching

 	_update "added $CM_fqdn $*"
 }
@@ -192,7 +223,9 @@ function public_delete(){
 	# TODO: revoke it too??
 	# $ACME --revoke -d ${CM_fqdn} || exit 2

-	$ACME --remove -d ${CM_fqdn} || exit 2
+	_wd "--- delete ACME.SH data"
+	$ACME --remove -d ${CM_fqdn} $ACME_Params
+	_wd "--- delete local data"
 	rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn}
 	_update "deleted  ${CM_fqdn}"
 }
@@ -211,8 +244,11 @@ function public_list(){
 function public_renew(){
 	_requiresFqdn
 	_certMustExist
-	$ACME --renew --force -d ${CM_fqdn} || exit 2
+	$ACME --renew -d ${CM_fqdn} $ACME_Params || exit 2
+
 	_certTransfer
+	_certMatching
+
 	_update "renew ${CM_fqdn}"
 }

@@ -225,12 +261,14 @@ function public_show(){

 	ls -l ${CM_filecsr} ${CM_dircerts}/*
 	echo $line
-	echo $CM_filecsr
-	openssl req -noout -text -in $CM_filecsr
+	echo CSR $CM_filecsr
+	openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)"

 	echo $line
-	echo ${CM_dircerts}/${CM_fqdn}.cert.pem
-	openssl x509 -noout -text -in ${CM_dircerts}/${CM_fqdn}.cert.pem
+	echo Cert ${CM_outfile_cert}
+	# openssl x509 -noout -text -in ${CM_outfile_cert}
+	openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|DNS:)"
+	_certMatching
 }


@@ -254,9 +292,7 @@ ENDOFHEADER

 which openssl >/dev/null || exit 1

-
 . ./inc_config.sh
-
 if [ $? -ne 0 ]; then
 	echo "ERROR: loading the config failed."
 	echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it."
@@ -264,7 +300,7 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi

-
+_testStaging

 grep "function\ public_$1" $0 >/dev/null 
 if [ $# -gt 0 -a $? -eq 0 ]; then
@@ -287,9 +323,12 @@ if [ $# -gt 0 -a $? -eq 0 ]; then
 	CM_filekey="${CM_dircsr}/${CM_fqdn}.key"

 	CM_dircerts="${CM_diracme}/${CM_fqdn}"
+	CM_outfile_cert=${CM_dircerts}/${CM_fqdn}.cert.cer
+	CM_outfile_chain=${CM_dircerts}/${CM_fqdn}.fullchain.cer
+	CM_outfile_key=${CM_dircerts}/${CM_fqdn}.key.pem
+	CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer

-	# echo $CM_fqdn
-	# set | grep "^CM_"
+	# echo $CM_fqdn; set | grep "^CM_"; echo

 	_wd "A C T I O N -->> $action <<--"
 	eval "public_$action $*"
@@ -326,3 +365,6 @@ ACTIONs for all certs

 EOF
 fi
+
+echo
+_testStaging
\ No newline at end of file
--- a/templates/csr.txt.dist
+++ b/templates/csr.txt.dist
@@ -3,13 +3,19 @@
 # openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
 # on the command line.

-# (1) the name of your location
+# state as 2 letter code
+COUNTRY = CH
+
+# state
+STATE = Bern
+
+# the name of your location
 LOCATION = Anywhere

-# (2) the name of your organization
+# the name of your organization
 ORGNAME = My company

-# (3) the name of your organization unit
+# the name of your organization unit
 UNITNAME = Department for magic things


@@ -33,12 +39,13 @@ req_extensions = req_ext


 [ dn ]
-C = CH
-ST = Bern
+C = $COUNTRY
+ST = $STATE
 L = $LOCATION
 O = $ORGNAME
 OU = $UNITNAME
 CN = $FQDN
+# emailAddress=webmaster@example.com

 [ req_ext ]
 subjectAltName = $ALTNAMES