ensure: all fqdn must match those in certificate

cm.sh

@@ -15,6 +15,7 @@
 # 2021-02-02  <axel.hahn@iml.unibe.ch>  first lines
 # 2021-02-10  <axel.hahn@iml.unibe.ch>  compare hashes, logging
 # 2021-02-12  <axel.hahn@iml.unibe.ch>  added self test
+# 2021-02-17  <axel.hahn@iml.unibe.ch>  ensure checks list of aliases; new: optional host filter before adding a cert
 # ======================================================================
 
 
@@ -179,6 +180,17 @@ function _gencsr(){
 	ls -ltr $CM_filecnf $CM_filekey $CM_filecsr
 }
 
+# internal function; get a sorted list of DNS aliases in the current cert
+function _getAliases(){
+	_sortWords $(
+		openssl x509 -noout -text -in ${CM_outfile_cert} \
+			| grep -E "(DNS:)" \
+			| sed "s#^\ *##g"  \
+			| sed "s#DNS:##g"  \
+			| sed "s#,##g"
+	)
+}
+
 # internal function; check if a required 2nd CLI parameter was given
 # if not the script will abort
 function _requiresFqdn(){
@@ -232,6 +244,12 @@ function _setenv(){
 	# echo $CM_fqdn; set | grep "^CM_"; echo
 
 }
+# internal function; helper: sort words in alphabetic order
+function _sortWords(){
+	echo $* | tr " " "\n" | sort | tr "\n" " "
+}
+
+
 # ----------------------------------------------------------------------
 #
 # PUBLIC FUNCTIONS
@@ -244,6 +262,15 @@ function _setenv(){
 function public_add(){
 	_requiresFqdn
 	_certMustNotExist
+
+	for myhost in $( echo $CM_fqdn $*)
+	do 
+		echo $myhost | grep "$CM_certmatch" >/dev/null
+		if [ $? -ne 0 ]; then
+			echo "ERROR: host $myhost does not match [$CM_certmatch]."
+			exit 1
+		fi
+	done
 	_gencsr $CM_fqdn $*
 
 	_wd "--- create output dir $dircerts"
@@ -270,12 +297,24 @@ function public_add(){
 #
 # pulic function ADD OR RENEW certificate
 # 
-function public_add-or-renew(){
+function public_ensure(){
 	_requiresFqdn
 	_certExists
 	if [ $? -eq 0 ]; then
-		_wd "--- cert was found ... renew it (ignore --force - it comes from acme.sh)"
-		public_renew $*
+		_wd "--- cert $CM_fqdn was found ... compare aliases"
+		local _newAliases=$( _sortWords $CM_fqdn $* )
+		local _certAliases=$( _getAliases )
+
+		_wd "from params: $_newAliases"
+		_wd "inside cert: $_certAliases"
+		if [ "$_newAliases" = "$_certAliases" ]; then
+			_wd "--- DNS aliases match ... renew it (ignore --force - it comes from acme.sh)"
+			public_renew $*
+		else
+			_wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
+			public_delete $*
+			public_add $*
+		fi
 	else
 		_wd "--- cert does mot exist ... add it"
 		public_add $*
@@ -290,7 +329,8 @@ function public_delete(){
 	_certMustExist
 
 	# TODO: revoke it too??
-	# $ACME --revoke -d ${CM_fqdn}
+	_wd "--- revoke cert"
+	$ACME --revoke -d ${CM_fqdn}
 
 	_wd "--- delete ACME.SH data"
 	$ACME --remove -d ${CM_fqdn} $ACME_Params
@@ -426,15 +466,15 @@ function public_show(){
 	_certMustExist
 
 	ls -l ${CM_filecsr} ${CM_dircerts}/*
+	_certMatching
 	echo $line
 	echo CSR $CM_filecsr
-	openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)"
+	openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)" | sed "s#^\ *##g"
 
 	echo $line
 	echo Cert ${CM_outfile_cert}
 	# openssl x509 -noout -text -in ${CM_outfile_cert}
-	openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|DNS:)"
-	_certMatching
+	openssl x509 -noout -text -in ${CM_outfile_cert} | grep -E "(Issuer:|Subject:|Not\ |DNS:)"| sed "s#^\ *##g"
 }
 
 
@@ -506,13 +546,17 @@ The ACTIONs for SINGLE certificate handlings are:
                 same certificate.
                 It updates files in ${CM_diracme}
 
-        add-or-renew FQDN [.. FQDN-N] 
-                This param is for automation tools like Ansible or Puppet.
-                It checks if the certificate for first (*) FQDN exists.
-                If not: add a new cert (see "add").
-                If so: call renew action (see "renew")
+        ensure FQDN [.. FQDN-N] 
+                It ensures that a certificate with given aliases exists and is up to date.
+                This param is for simple usage in automation tools like Ansible or Puppet.
+                It is required to add all aliases as parameters what is unhandy for
+                direct usage on cli.
 
-                (*) it doesn't verify the DNS aliases
+                If the cert does not exist it will be created (see "add").
+                If fqdn and aliases are the same like in the certificate it performs a renew.
+                If fqdn and aliases differ:
+                - the current certificate will be rejected + deleted (see "delete")
+                - a new certificate will be added ()
 
         delete FQDN
                 delete all files of a given certificate
@@ -522,7 +566,8 @@ The ACTIONs for SINGLE certificate handlings are:
                 and update files in ${CM_diracme}
 
         show FQDN
-                show place of csr + certificate data and show certificate
+                show place of csr + certificate data and show basic certificate data
+                (issuer, subject, aliases, ending date)
 
 ACTIONs for ALL certs
 

inc_config.sh.dist

@@ -35,4 +35,9 @@ export ACME=../acme.sh/acme.sh
 # place for cnf + csr files
 # export CM_dircsr="./csr"
 
+# check domain names before creating a new certificate
+# It is used for faster rejection of a hostname or alias for which you
+# have no permission
+# export CM_certmatch="\.example\.com"
+
 # ----------------------------------------------------------------------

readme.md

@@ -16,6 +16,7 @@ license: GNU GPL 3.0 <http://www.gnu.org/licenses/gpl-3.0.html>
     * set path to acme.sh script; the default is a relative path for the suggested contellation below.
     * optional: set custom target for generated certificates
     * optional: for testing enable Let's Encrypt stage server to prevent running into weekly limits during tests
+    * optional: set a filter that must match to new certificate and all aliases
   * templates/csr.txt
     * set location, company and department ... remark: (currently?) it is removed by LE
 
@@ -72,13 +73,17 @@ The ACTIONs for SINGLE certificate handlings are:
                 same certificate.
                 It updates files in ./certs
 
-        add-or-renew FQDN [.. FQDN-N] 
-                This param is for automation tools like Ansible or Puppet.
-                It checks if the certificate for first (*) FQDN exists.
-                If not: add a new cert (see "add").
-                If so: call renew action (see "renew")
+        ensure FQDN [.. FQDN-N] 
+                It ensures that a certificate with given aliases exists and is up to date.
+                This param is for simple usage in automation tools like Ansible or Puppet.
+                It is required to add all aliases as parameters what is unhandy for
+                direct usage on cli.
 
-                (*) it doesn't verify the DNS aliases
+                If the cert does not exist it will be created (see "add").
+                If fqdn and aliases are the same like in the certificate it performs a renew.
+                If fqdn and aliases differ:
+                - the current certificate will be rejected + deleted (see "delete")
+                - a new certificate will be added ()
 
         delete FQDN
                 delete all files of a given certificate
@@ -88,7 +93,8 @@ The ACTIONs for SINGLE certificate handlings are:
                 and update files in ./certs
 
         show FQDN
-                show place of csr + certificate data and show certificate
+                show place of csr + certificate data and show basic certificate data
+                (issuer, subject, aliases, ending date)
 
 ACTIONs for ALL certs
 
@@ -98,6 +104,7 @@ ACTIONs for ALL certs
         renew-all
                 renew all certificates (fast mode - without --force)
                 and update files in ./certs
+                It is useful for a cronjob.
 
 other ACTIONs
 
@@ -105,6 +112,7 @@ other ACTIONs
                 check of health with current setup and requirements.
                 This command is helpful for initial setups.
 
+
 DEBUG: Using Let's Encrypt STAGE environment ...
 DEBUG: You can test and mess around. Do not use certs in production.