Skip to content
Snippets Groups Projects
Commit 5b1e79d4 authored by Hahn Axel (hahn)'s avatar Hahn Axel (hahn)
Browse files

ensure: all fqdn must match those in certificate

parent c759966a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
cm.sh
+ 59
14
View file @ 5b1e79d4
......@@ -15,6 +15,7 @@
# 2021-02-02 <axel.hahn@iml.unibe.ch> first lines
# 2021-02-10 <axel.hahn@iml.unibe.ch> compare hashes, logging
# 2021-02-12 <axel.hahn@iml.unibe.ch> added self test
# 2021-02-17 <axel.hahn@iml.unibe.ch> ensure checks list of aliases; new: optional host filter before adding a cert
# ======================================================================
......@@ -179,6 +180,17 @@ function _gencsr(){
ls -ltr $CM_filecnf $CM_filekey $CM_filecsr
}
# internal function; get a sorted list of DNS aliases in the current cert
function _getAliases(){
_sortWords $(
openssl x509 -noout -text -in ${CM_outfile_cert} \
| grep -E "(DNS:)" \
| sed "s#^\ *##g" \
| sed "s#DNS:##g" \
| sed "s#,##g"
)
}
# internal function; check if a required 2nd CLI parameter was given
# if not the script will abort
function _requiresFqdn(){
......@@ -232,6 +244,12 @@ function _setenv(){
# echo $CM_fqdn; set | grep "^CM_"; echo
}
# internal function; helper: sort words in alphabetic order
function _sortWords(){
echo $* | tr " " "\n" | sort | tr "\n" " "
}
# ----------------------------------------------------------------------
#
# PUBLIC FUNCTIONS
......@@ -244,6 +262,15 @@ function _setenv(){
function public_add(){
_requiresFqdn
_certMustNotExist
for myhost in $( echo $CM_fqdn $*)
do
echo $myhost | grep "$CM_certmatch" >/dev/null
if [ $? -ne 0 ]; then
echo "ERROR: host $myhost does not match [$CM_certmatch]."
exit 1
fi
done
_gencsr $CM_fqdn $*
_wd "--- create output dir $dircerts"
......@@ -270,12 +297,24 @@ function public_add(){
#
# pulic function ADD OR RENEW certificate
#
function public_add-or-renew(){
function public_ensure(){
_requiresFqdn
_certExists
if [ $? -eq 0 ]; then
_wd "--- cert was found ... renew it (ignore --force - it comes from acme.sh)"
public_renew $*
_wd "--- cert $CM_fqdn was found ... compare aliases"
local _newAliases=$( _sortWords $CM_fqdn $* )
local _certAliases=$( _getAliases )
_wd "from params: $_newAliases"
_wd "inside cert: $_certAliases"
if [ "$_newAliases" = "$_certAliases" ]; then
_wd "--- DNS aliases match ... renew it (ignore --force - it comes from acme.sh)"
public_renew $*
else
_wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
public_delete $*
public_add $*
fi
else
_wd "--- cert does mot exist ... add it"
public_add $*
......@@ -290,7 +329,8 @@ function public_delete(){
_certMustExist
# TODO: revoke it too??
# $ACME --revoke -d ${CM_fqdn}
_wd "--- revoke cert"
$ACME --revoke -d ${CM_fqdn}
_wd "--- delete ACME.SH data"
$ACME --remove -d ${CM_fqdn} $ACME_Params
......@@ -426,15 +466,15 @@ function public_show(){
_certMustExist
ls -l ${CM_filecsr} ${CM_dircerts}/*
_certMatching
echo $line
echo CSR $CM_filecsr
openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)"
openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)" | sed "s#^\ *##g"
echo $line
echo Cert ${CM_outfile_cert}
# openssl x509 -noout -text -in ${CM_outfile_cert}
openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|DNS:)"
_certMatching
openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|Not\ |DNS:)"| sed "s#^\ *##g"
}
......@@ -506,13 +546,17 @@ The ACTIONs for SINGLE certificate handlings are:
same certificate.
It updates files in ${CM_diracme}
add-or-renew FQDN [.. FQDN-N]
This param is for automation tools like Ansible or Puppet.
It checks if the certificate for first (*) FQDN exists.
If not: add a new cert (see "add").
If so: call renew action (see "renew")
ensure FQDN [.. FQDN-N]
It ensures that a certificate with given aliases exists and is up to date.
This param is for simple usage in automation tools like Ansible or Puppet.
It is required to add all aliases as parameters what is unhandy for
direct usage on cli.
(*) it doesn't verify the DNS aliases
If the cert does not exist it will be created (see "add").
If fqdn and aliases are the same like in the certificate it performs a renew.
If fqdn and aliases differ:
- the current certificate will be rejected + deleted (see "delete")
- a new certificate will be added ()
delete FQDN
delete all files of a given certificate
......@@ -522,7 +566,8 @@ The ACTIONs for SINGLE certificate handlings are:
and update files in ${CM_diracme}
show FQDN
show place of csr + certificate data and show certificate
show place of csr + certificate data and show basic certificate data
(issuer, subject, aliases, ending date)
ACTIONs for ALL certs
......
inc_config.sh.dist
+ 5
0
View file @ 5b1e79d4
......@@ -35,4 +35,9 @@ export ACME=../acme.sh/acme.sh
# place for cnf + csr files
# export CM_dircsr="./csr"
# check domain names before creating a new certificate
# It is used for faster rejection of a hostname or alias for which you
# have no permission
# export CM_certmatch="\.example\.com"
# ----------------------------------------------------------------------
readme.md
+ 15
7
View file @ 5b1e79d4
......@@ -16,6 +16,7 @@ license: GNU GPL 3.0 <http://www.gnu.org/licenses/gpl-3.0.html>
* set path to acme.sh script; the default is a relative path for the suggested contellation below.
* optional: set custom target for generated certificates
* optional: for testing enable Let's Encrypt stage server to prevent running into weekly limits during tests
* optional: set a filter that must match to new certificate and all aliases
* templates/csr.txt
* set location, company and department ... remark: (currently?) it is removed by LE
......@@ -72,13 +73,17 @@ The ACTIONs for SINGLE certificate handlings are:
same certificate.
It updates files in ./certs
add-or-renew FQDN [.. FQDN-N]
This param is for automation tools like Ansible or Puppet.
It checks if the certificate for first (*) FQDN exists.
If not: add a new cert (see "add").
If so: call renew action (see "renew")
ensure FQDN [.. FQDN-N]
It ensures that a certificate with given aliases exists and is up to date.
This param is for simple usage in automation tools like Ansible or Puppet.
It is required to add all aliases as parameters what is unhandy for
direct usage on cli.
(*) it doesn't verify the DNS aliases
If the cert does not exist it will be created (see "add").
If fqdn and aliases are the same like in the certificate it performs a renew.
If fqdn and aliases differ:
- the current certificate will be rejected + deleted (see "delete")
- a new certificate will be added ()
delete FQDN
delete all files of a given certificate
......@@ -88,7 +93,8 @@ The ACTIONs for SINGLE certificate handlings are:
and update files in ./certs
show FQDN
show place of csr + certificate data and show certificate
show place of csr + certificate data and show basic certificate data
(issuer, subject, aliases, ending date)
ACTIONs for ALL certs
......@@ -98,6 +104,7 @@ ACTIONs for ALL certs
renew-all
renew all certificates (fast mode - without --force)
and update files in ./certs
It is useful for a cronjob.
other ACTIONs
......@@ -105,6 +112,7 @@ other ACTIONs
check of health with current setup and requirements.
This command is helpful for initial setups.
DEBUG: Using Let's Encrypt STAGE environment ...
DEBUG: You can test and mess around. Do not use certs in production.
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment