Commit 91dbbecd authored by Hahn Axel (hahn)'s avatar Hahn Axel (hahn)

remove usage of csr and generation of key file

parent d39fe885
1 merge request!1Handle dns alias domain
......@@ -25,6 +25,7 @@
# 2021-09-27 <axel.hahn@iml.unibe.ch> softer behaviour: do not revoke changed certs (add does not stop; ensure does not delete)
# 2021-12-23 <axel.hahn@iml.unibe.ch> added param --trace as 1st param to generate a trace log
# 2022-01-10 <axel.hahn@iml.unibe.ch> _wait_for_free_slot: exclude ssh calls
# 2022-03-30 <axel.hahn@iml.unibe.ch> remove usage of csr and generation of key file
# ======================================================================
......@@ -105,39 +106,45 @@ function _certTransfer(){
test -d ${CM_dircerts} && rm -f "${CM_dircerts}/*" 2>/dev/null
_wd "--- transfer acme.sh files to ${CM_dircerts}/"
$ACME \
if ! $ACME \
--install-cert \
-d ${CM_fqdn} \
--cert-file ${CM_outfile_cert} \
--fullchain-file ${CM_outfile_chain} \
--ca-file ${CM_outfile_ca}
if [ $? -ne 0 ]; then
echo "ERROR occured during transfer. Removing files in ${CM_dircerts} to prevent strange effects..."
-d "${CM_fqdn}" \
--key-file "${CM_outfile_key}" \
--cert-file "${CM_outfile_cert}" \
--fullchain-file "${CM_outfile_chain}" \
--ca-file "${CM_outfile_ca}"
then
echo "ERROR occured during acme transfer. Removing files in ${CM_dircerts} to prevent strange effects..."
rm -f "${CM_dircerts}/*"
exit
exit 2
fi
echo "OK."
_wd "--- copy key to ${CM_dircerts}"
cp ${CM_filekey} ${CM_outfile_key}
# _wd "--- copy key to ${CM_dircerts}"
# cp ${CM_filekey} ${CM_outfile_key}
_wd "--- create chained file for haproxy"
cat ${CM_outfile_chain} ${CM_outfile_key} > ${CM_outfile_haproxy}
cat "${CM_outfile_chain}" "${CM_outfile_key}" > "${CM_outfile_haproxy}"
_wd "--- content of output dir $CM_dircerts:"
ls -l $CM_dircerts/*
if ! ls -l "${CM_outfile_cert}" "${CM_outfile_chain}" "${CM_outfile_key}" "${CM_outfile_haproxy}"
then
echo "ERROR missing a file (or no access?)"
rm -f "${CM_dircerts}/*"
exit 2
fi
}
# internal function; show md5 hashsums for certificate, csr and key
# for visual comparison if the match
function _certMatching(){
local md5_csr=$( test -f ${CM_filecsr} && openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " )
# local md5_csr=$( test -f ${CM_filecsr} && openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " )
local md5_key=$( test -f ${CM_outfile_key} && openssl rsa -noout -modulus -in ${CM_outfile_key} | openssl md5 | cut -f 2 -d " " )
local md5_cert=$( test -f ${CM_outfile_cert} && openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )
echo
echo "--- compare hashes"
echo "csr : $md5_csr (used for creation of cert)"
# echo "csr : $md5_csr (used for creation of cert)"
echo "key : $md5_key"
echo "cert : $md5_cert"
if [ "$md5_key" = "$md5_cert" ]; then
......@@ -157,15 +164,17 @@ function _certMatching(){
function _checkDig(){
local myfqdn=$1
local _type=${2:-"a"}
which dig >/dev/null
if [ $? -eq 0 ]; then
_wd "CHECK: $myfqdn exists as [$_type] in DNS (using dig) ..."
dig "${myfqdn}" "${_type}" | grep "^${myfqdn}"
if [ $? -ne 0 ]; then
echo "ERROR: not found. Maybe there is a typo in the hostname or it does not exist in DNS."
# local _verify=${3:-"."}
if which dig >/dev/null
then
# _wd "[$myfqdn] exists as type [$_type] in DNS?"
if ! dig "${myfqdn}" "${_type}" | grep "^${myfqdn}" # | grep "${_verify}"
then
echo "ERROR: [$myfqdn] was not found. Maybe there is a typo in the hostname or it does not exist in DNS."
exit 2
fi
_wd "OK"
_wd "OK: [$myfqdn] exists in DNS."
else
_wd "SKIP: dig was not found"
fi
......@@ -173,35 +182,33 @@ function _checkDig(){
}
# internal function; generate a csr file before creating a new certifcate
# this function is used in public_add
function _gencsr(){
function _dnsCheck(){
local altdns=
local _mydomain=
local _subdomain='_acme-challenge'
# check alt names too
# _checkDig $CM_fqdn
for _mydomain in $CM_fqdn $*
for _mydomain in $*
do
_wd "dig check - domain for cert"
_checkDig "$_mydomain" "a"
# if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}"
if [ -n "${CM_challenge_alias}" ] && echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
then
_wd "dig check - domain with api access $_subdomain... "
_checkDig "${_subdomain}.${CM_challenge_alias}" "a"
_wd "dig check - alias $_subdomain... "
# _wd "Host is not matching ${CM_certmatch} ... using dns alias"
# _wd "dig check - domain with api access $_subdomain... "
# _checkDig "${_subdomain}.${CM_challenge_alias}" "a"
_wd "dig check - cname ${_subdomain}.${_mydomain} must point to ${_subdomain}.${CM_challenge_alias}"
_checkDig "${_subdomain}.${_mydomain}" "cname"
fi
done
echo ABORT in _gencsr Zeile 195
exit 1
}
# internal function; generate a csr file before creating a new certifcate
# this function is used in public_add
function _gencsr(){
local altdns=
for myalt in $*
do
......@@ -357,6 +364,49 @@ function _testFqdncount(){
# pulic function ADD certificate
#
function public_add(){
local _params=""
_wait_for_free_slot
_requiresFqdn
_certMustNotExist
# _dnsCheck $CM_fqdn $*
for _mydomain in $CM_fqdn $*
do
_params+="-d $_mydomain "
if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
then
_params+="--challenge-alias ${CM_challenge_alias}"
fi
done
_wd "--- create output dir $dircerts"
mkdir -p "${CM_dircerts}" 2>/dev/null
_wd "--- create certificate"
# echo $ACME --signcsr --csr $CM_filecsr $ACME_Params
# $ACME --signcsr --csr $CM_filecsr $ACME_Params
echo $ACME --issue $_params $ACME_Params
if ! $ACME --issue $_params $ACME_Params
then
echo "ERROR: adding cert failed. Trying to delete internal data ..."
public_delete $CM_fqdn
exit 1
fi
# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1
_certTransfer
_certMatching
_update "added $CM_fqdn $*"
}
function OLD__public_add(){
_wait_for_free_slot
_requiresFqdn
_certMustNotExist
......
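Review bot: In public_add the `--challenge-alias` fragment is appended to `_params` without a trailing space, so when a domain that does not match `${CM_certmatch}` is followed by another domain in the loop the next `-d` is glued onto the alias (for example `--challenge-alias example.com-d next.domain`, a constructed sample) and acme.sh receives a mangled argument; change it to `_params+="--challenge-alias ${CM_challenge_alias} "`, or better build `_params` as an array and expand it as `"${_params[@]}"`. The new error branch in _certTransfer repeats the quoted-glob pattern `rm -f "${CM_dircerts}/*"`, which only removes a file literally named `*`, so a partial cert, chain or key file would stay behind after the `ls -l` check fails; `rm -f -- "${CM_dircerts:?}"/*` is what was intended (the same pattern exists in the older `rm -f` just above it, and _certTransfer itself begins before the hunk). The trace message `_wd "--- create output dir $dircerts"` reads `$dircerts` while the mkdir on the next line uses `${CM_dircerts}`, so the log will show an empty directory name. The `echo ABORT in _gencsr Zeile 195` / `exit 1` pair at the end of _dnsCheck looks like a debug leftover that aborts every caller; if it is on the new side it should be dropped, or the commented-out `_dnsCheck` call in public_add must stay disabled until it is.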
......@@ -43,6 +43,8 @@ export ACME=../acme.sh/acme.sh
# have no permission
# export CM_certmatch="\.example\.com"
# export CM_challenge_alias="example.com"
# optional: force a user to execute cm.sh
# this is for a central installation with a software deployment
# like Ansible or puppet; default: none (=any user can run cm.sh)
......