Commit 2353823a authored by Hahn Axel (hahn)'s avatar Hahn Axel (hahn)

many small fixes; added stage test and md5 match

parent b6fcb9b6
...@@ -58,25 +58,37 @@ function _certMustNotExist(){ ...@@ -58,25 +58,37 @@ function _certMustNotExist(){
# known directory (based on CM_diracme - see inc_config.sh) # known directory (based on CM_diracme - see inc_config.sh)
# used in public_add and public_renew # used in public_add and public_renew
function _certTransfer(){ function _certTransfer(){
_wd "--- acme internal data" _wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}"
ls -l ~/.acme.sh/${CM_fqdn} ls -l ~/.acme.sh/${CM_fqdn}
_wd "--- transfer acme.sh files to ${CM_dircerts}" _wd "--- transfer acme.sh files to ${CM_dircerts}"
$ACME \ $ACME \
--install-cert \ --install-cert \
-d ${CM_fqdn} \ -d ${CM_fqdn} \
--cert-file ${CM_dircerts}/${CM_fqdn}.cert.pem \ --cert-file ${CM_outfile_cert} \
--fullchain-file ${CM_dircerts}/${CM_fqdn}.fullchain.pem \ --fullchain-file ${CM_outfile_chain} \
--ca-file ${CM_outfile_ca} \
|| exit 1 || exit 1
# --key-file ${CM_dircerts}/${CM_fqdn}.key.pem \ # --key-file ${CM_dircerts}/${CM_fqdn}.key.pem \
_wd "--- copy key to ${CM_dircerts}" _wd "--- copy key to ${CM_dircerts}"
cp ${CM_filekey} ${CM_dircerts}/${CM_fqdn}.key.pem cp ${CM_filekey} ${CM_outfile_key}
_wd "--- content of output dir $CM_dircerts:" _wd "--- content of output dir $CM_dircerts:"
ls -l $CM_dircerts/* ls -l $CM_dircerts/*
} }
# internal function; show md5 hashsums for certificate, csr and key
# for visual comparison if the match
# TODO: script a comparison to write out MATCH or FAIL
function _certMatching(){
echo
echo "--- compare hashes to see if they match"
echo -n "cert : "; openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5
echo -n "csr : "; openssl req -noout -modulus -in ${CM_filecsr} | openssl md5
echo -n "key : "; openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5
echo
}
# internal function: dig for given fqdn. # internal function: dig for given fqdn.
# Function stops if fqdn was not found in DNS. # Function stops if fqdn was not found in DNS.
...@@ -143,6 +155,18 @@ function _requiresFqdn(){ ...@@ -143,6 +155,18 @@ function _requiresFqdn(){
fi fi
} }
function _testStaging(){
echo $ACME_Params | grep "\-\-staging" >/dev/null
if [ $? -eq 0 ]; then
_wd "Using LE STAGE environment ..."
_wd "You can test and mess around. Do not use certs in production."
else
_wd "Using LE LIVE environment for production."
_wd "Be careful with count of connects to LE servers."
fi
echo
}
# set update message in a file # set update message in a file
# param string(s) message # param string(s) message
function _update(){ function _update(){
...@@ -171,13 +195,20 @@ function public_add(){ ...@@ -171,13 +195,20 @@ function public_add(){
_wd "--- create output dir $dircerts" _wd "--- create output dir $dircerts"
mkdir -p "${CM_dircerts}" 2>/dev/null mkdir -p "${CM_dircerts}" 2>/dev/null
# _wd "--- domains in csr" _wd "--- csr data"
$ACME --showcsr --csr $CM_filecsr || exit 1 $ACME --showcsr --csr $CM_filecsr || exit 1
_wd "--- create certificate" _wd "--- create certificate"
$ACME --signcsr --force --csr $CM_filecsr $ACME_Params || exit 1 $ACME --signcsr --csr $CM_filecsr $ACME_Params
if [ $? -ne 0 ]; then
echo "ERROR: adding cert failed. Trying to delete internal data ..."
public_delete $CM_fqdn
exit 1
fi
# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1
_certTransfer _certTransfer
_certMatching
_update "added $CM_fqdn $*" _update "added $CM_fqdn $*"
} }
...@@ -192,7 +223,9 @@ function public_delete(){ ...@@ -192,7 +223,9 @@ function public_delete(){
# TODO: revoke it too?? # TODO: revoke it too??
# $ACME --revoke -d ${CM_fqdn} || exit 2 # $ACME --revoke -d ${CM_fqdn} || exit 2
$ACME --remove -d ${CM_fqdn} || exit 2 _wd "--- delete ACME.SH data"
$ACME --remove -d ${CM_fqdn} $ACME_Params
_wd "--- delete local data"
rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn} rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn}
_update "deleted ${CM_fqdn}" _update "deleted ${CM_fqdn}"
} }
...@@ -211,8 +244,11 @@ function public_list(){ ...@@ -211,8 +244,11 @@ function public_list(){
function public_renew(){ function public_renew(){
_requiresFqdn _requiresFqdn
_certMustExist _certMustExist
$ACME --renew --force -d ${CM_fqdn} || exit 2 $ACME --renew -d ${CM_fqdn} $ACME_Params || exit 2
_certTransfer _certTransfer
_certMatching
_update "renew ${CM_fqdn}" _update "renew ${CM_fqdn}"
} }
...@@ -225,12 +261,14 @@ function public_show(){ ...@@ -225,12 +261,14 @@ function public_show(){
ls -l ${CM_filecsr} ${CM_dircerts}/* ls -l ${CM_filecsr} ${CM_dircerts}/*
echo $line echo $line
echo $CM_filecsr echo CSR $CM_filecsr
openssl req -noout -text -in $CM_filecsr openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)"
echo $line echo $line
echo ${CM_dircerts}/${CM_fqdn}.cert.pem echo Cert ${CM_outfile_cert}
openssl x509 -noout -text -in ${CM_dircerts}/${CM_fqdn}.cert.pem # openssl x509 -noout -text -in ${CM_outfile_cert}
openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|DNS:)"
_certMatching
} }
...@@ -254,9 +292,7 @@ ENDOFHEADER ...@@ -254,9 +292,7 @@ ENDOFHEADER
which openssl >/dev/null || exit 1 which openssl >/dev/null || exit 1
. ./inc_config.sh . ./inc_config.sh
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: loading the config failed." echo "ERROR: loading the config failed."
echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it." echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it."
...@@ -264,7 +300,7 @@ if [ $? -ne 0 ]; then ...@@ -264,7 +300,7 @@ if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
_testStaging
grep "function\ public_$1" $0 >/dev/null grep "function\ public_$1" $0 >/dev/null
if [ $# -gt 0 -a $? -eq 0 ]; then if [ $# -gt 0 -a $? -eq 0 ]; then
...@@ -287,9 +323,12 @@ if [ $# -gt 0 -a $? -eq 0 ]; then ...@@ -287,9 +323,12 @@ if [ $# -gt 0 -a $? -eq 0 ]; then
CM_filekey="${CM_dircsr}/${CM_fqdn}.key" CM_filekey="${CM_dircsr}/${CM_fqdn}.key"
CM_dircerts="${CM_diracme}/${CM_fqdn}" CM_dircerts="${CM_diracme}/${CM_fqdn}"
CM_outfile_cert=${CM_dircerts}/${CM_fqdn}.cert.cer
CM_outfile_chain=${CM_dircerts}/${CM_fqdn}.fullchain.cer
CM_outfile_key=${CM_dircerts}/${CM_fqdn}.key.pem
CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer
# echo $CM_fqdn # echo $CM_fqdn; set | grep "^CM_"; echo
# set | grep "^CM_"
_wd "A C T I O N -->> $action <<--" _wd "A C T I O N -->> $action <<--"
eval "public_$action $*" eval "public_$action $*"
...@@ -326,3 +365,6 @@ ACTIONs for all certs ...@@ -326,3 +365,6 @@ ACTIONs for all certs
EOF EOF
fi fi
echo
_testStaging
\ No newline at end of file
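Review bot: The new failure branch in public_add (right after `$ACME --signcsr --csr $CM_filecsr $ACME_Params`) calls `public_delete`, whose `rm -rf` line in this same commit also removes `${CM_filekey}`, `${CM_filecsr}` and `${CM_filecnf}`, so a transient signing failure (network, rate limit) destroys the user's own private key and CSR rather than just acme.sh's internal data as the error message claims; public_add's body starts outside the hunk. Limit the cleanup to acme.sh state, e.g. replace the `public_delete $CM_fqdn` line with `$ACME --remove -d "${CM_fqdn}" $ACME_Params` and `rm -rf -- ~/.acme.sh/"${CM_fqdn:?}"`, where `:?` stops the rm from running against the whole directory if CM_fqdn is empty. Note also that public_delete's own `$ACME --remove -d ${CM_fqdn} $ACME_Params` line dropped its `|| exit 2`, so a failed remove now proceeds silently to the local rm -rf. Separately, `_certMatching` pipes the key through `openssl rsa`, which errors for non-RSA keys; capturing the three modulus digests into variables and comparing them in the function would also resolve the TODO above it instead of leaving the match to visual inspection.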
...@@ -3,13 +3,19 @@ ...@@ -3,13 +3,19 @@
# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr # openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line. # on the command line.
# (1) the name of your location # state as 2 letter code
COUNTRY = CH
# state
STATE = Bern
# the name of your location
LOCATION = Anywhere LOCATION = Anywhere
# (2) the name of your organization # the name of your organization
ORGNAME = My company ORGNAME = My company
# (3) the name of your organization unit # the name of your organization unit
UNITNAME = Department for magic things UNITNAME = Department for magic things
...@@ -33,12 +39,13 @@ req_extensions = req_ext ...@@ -33,12 +39,13 @@ req_extensions = req_ext
[ dn ] [ dn ]
C = CH C = $COUNTRY
ST = Bern ST = $STATE
L = $LOCATION L = $LOCATION
O = $ORGNAME O = $ORGNAME
OU = $UNITNAME OU = $UNITNAME
CN = $FQDN CN = $FQDN
# emailAddress=webmaster@example.com
[ req_ext ] [ req_ext ]
subjectAltName = $ALTNAMES subjectAltName = $ALTNAMES
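Review bot: The comment added above `COUNTRY = CH` reads `# state as 2 letter code`, but that value is the country (it feeds `C = $COUNTRY` in the `[ dn ]` section below), while the actual state line only says `# state`; change the first to `# country as 2 letter code` and the second to `# state or province (full name)` so the two fields are not confused. The new commented `# emailAddress=webmaster@example.com` line would benefit from a note that it is an optional DN field to uncomment if wanted.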