remove usage of csr and generation of key file

91dbbecd · Hahn Axel (hahn) · d39fe885 · 91dbbecd · 91dbbecd
Commit 91dbbecd authored 3 years ago by Hahn Axel (hahn)
--- a/cm.sh
+++ b/cm.sh
@@ -25,6 +25,7 @@
 # 2021-09-27  <axel.hahn@iml.unibe.ch>  softer behaviour: do not revoke changed certs (add does not stop; ensure does not delete)
 # 2021-12-23  <axel.hahn@iml.unibe.ch>  added param --trace as 1st param to generate a trace log 
 # 2022-01-10  <axel.hahn@iml.unibe.ch>  _wait_for_free_slot: exclude ssh calls 
+# 2022-03-30  <axel.hahn@iml.unibe.ch>  remove usage of csr and generation of key file
 # ======================================================================


@@ -105,39 +106,45 @@ function _certTransfer(){
    test -d ${CM_dircerts} && rm -f "${CM_dircerts}/*" 2>/dev/null

 	_wd "--- transfer acme.sh files to ${CM_dircerts}/"
-	$ACME \
+	if ! $ACME \
 		--install-cert \
-		-d ${CM_fqdn} \
-		--cert-file       ${CM_outfile_cert}  \
-		--fullchain-file  ${CM_outfile_chain} \
-		--ca-file         ${CM_outfile_ca}
-    if [ $? -ne 0 ]; then
-        echo "ERROR occured during transfer. Removing files in ${CM_dircerts} to prevent strange effects..."
+		-d "${CM_fqdn}" \
+		--key-file        "${CM_outfile_key}"   \
+		--cert-file       "${CM_outfile_cert}"  \
+		--fullchain-file  "${CM_outfile_chain}" \
+		--ca-file         "${CM_outfile_ca}"
+    then
+        echo "ERROR occured during acme transfer. Removing files in ${CM_dircerts} to prevent strange effects..."
        rm -f "${CM_dircerts}/*"
-        exit
+        exit 2
    fi
 	echo "OK."
 	
-	_wd "--- copy key to ${CM_dircerts}"
-	cp ${CM_filekey} ${CM_outfile_key}
+	# _wd "--- copy key to ${CM_dircerts}"
+	# cp ${CM_filekey} ${CM_outfile_key}

 	_wd "--- create chained file for haproxy"
-	cat ${CM_outfile_chain} ${CM_outfile_key} > ${CM_outfile_haproxy}
+	cat "${CM_outfile_chain}" "${CM_outfile_key}" > "${CM_outfile_haproxy}"

 	_wd "--- content of output dir $CM_dircerts:"
-	ls -l $CM_dircerts/*
+	if ! ls -l "${CM_outfile_cert}" "${CM_outfile_chain}" "${CM_outfile_key}" "${CM_outfile_haproxy}"
+    then
+        echo "ERROR missing a file (or no access?)"
+        rm -f "${CM_dircerts}/*"
+        exit 2
+    fi
 }

 # internal function; show md5 hashsums for certificate, csr and key
 # for visual comparison if the match
 function _certMatching(){
-	local md5_csr=$(  test -f ${CM_filecsr}      && openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5 | cut -f 2 -d " " )
+	# local md5_csr=$(  test -f ${CM_filecsr}      && openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5 | cut -f 2 -d " " )
 	local md5_key=$(  test -f ${CM_outfile_key}  && openssl rsa  -noout -modulus -in ${CM_outfile_key}  | openssl md5 | cut -f 2 -d " " )
 	local md5_cert=$( test -f ${CM_outfile_cert} && openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )

 	echo
 	echo "--- compare hashes"
-	echo "csr  : $md5_csr (used for creation of cert)"
+	# echo "csr  : $md5_csr (used for creation of cert)"
 	echo "key  : $md5_key"
 	echo "cert : $md5_cert"
 	if [ "$md5_key" = "$md5_cert" ]; then
@@ -157,15 +164,17 @@ function _certMatching(){
 function _checkDig(){
    local myfqdn=$1
 	local _type=${2:-"a"}
-    which dig >/dev/null
-    if [ $? -eq 0 ]; then
-        _wd "CHECK: $myfqdn exists as [$_type] in DNS (using dig) ..."
-        dig "${myfqdn}" "${_type}" | grep "^${myfqdn}"
-        if [ $? -ne 0 ]; then
-            echo "ERROR: not found. Maybe there is a typo in the hostname or it does not exist in DNS."
+	# local _verify=${3:-"."}
+
+    if which dig >/dev/null
+    then
+        # _wd "[$myfqdn] exists as type [$_type] in DNS?"
+        if ! dig "${myfqdn}" "${_type}" | grep "^${myfqdn}" # | grep "${_verify}"
+        then
+            echo "ERROR: [$myfqdn] was not found. Maybe there is a typo in the hostname or it does not exist in DNS."
            exit 2
        fi
-        _wd "OK"
+        _wd "OK: [$myfqdn] exists in DNS."
    else
        _wd "SKIP: dig was not found"
    fi
@@ -173,35 +182,33 @@ function _checkDig(){

 }

-# internal function; generate a csr file before creating a new certifcate
-# this function is used in public_add
-function _gencsr(){
-
+function _dnsCheck(){
 	local altdns=
 	local _mydomain=
 	local _subdomain='_acme-challenge'

-	# check alt names too
-	# _checkDig $CM_fqdn
-
-	for _mydomain in $CM_fqdn $*
+	for _mydomain in $*
 	do
 		_wd "dig check - domain for cert"
 		_checkDig "$_mydomain" "a"

-		# if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" 
-		if [ -n "${CM_challenge_alias}" ] && echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
+		if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
 		then
-			_wd "dig check - domain with api access $_subdomain... "
-			_checkDig "${_subdomain}.${CM_challenge_alias}" "a"
-			_wd "dig check - alias $_subdomain... "
+			# _wd "Host is not matching ${CM_certmatch} ... using dns alias"
+			# _wd "dig check - domain with api access $_subdomain... "
+			# _checkDig "${_subdomain}.${CM_challenge_alias}" "a"
+			_wd "dig check - cname ${_subdomain}.${_mydomain} must point to ${_subdomain}.${CM_challenge_alias}"
 			_checkDig "${_subdomain}.${_mydomain}" "cname"
 		fi
 	done

-echo ABORT in _gencsr Zeile 195
-exit 1
+}

+# internal function; generate a csr file before creating a new certifcate
+# this function is used in public_add
+function _gencsr(){
+
+	local altdns=

 	for myalt in $*
 	do
@@ -357,6 +364,49 @@ function _testFqdncount(){
 # pulic function ADD certificate
 # 
 function public_add(){
+	local _params=""
+
+	_wait_for_free_slot
+	_requiresFqdn
+    _certMustNotExist
+
+	# _dnsCheck $CM_fqdn $*
+
+	for _mydomain in $CM_fqdn $*
+	do
+		_params+="-d $_mydomain "
+
+		if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
+		then
+			_params+="--challenge-alias ${CM_challenge_alias}"
+		fi
+	done
+
+	_wd "--- create output dir $dircerts"
+	mkdir -p "${CM_dircerts}" 2>/dev/null
+
+	_wd "--- create certificate"
+	# echo $ACME --signcsr --csr $CM_filecsr $ACME_Params 
+	# $ACME --signcsr --csr $CM_filecsr $ACME_Params 
+
+
+
+	echo $ACME --issue $_params $ACME_Params 
+	if ! $ACME --issue $_params $ACME_Params 
+	then
+		echo "ERROR: adding cert failed. Trying to delete internal data ..."
+		public_delete $CM_fqdn
+		exit 1
+	fi
+	# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1
+
+	_certTransfer
+	_certMatching
+
+	_update "added $CM_fqdn $*"
+}
+
+function OLD__public_add(){
 	_wait_for_free_slot
 	_requiresFqdn
    _certMustNotExist

--- a/inc_config.sh.dist
+++ b/inc_config.sh.dist
@@ -43,6 +43,8 @@ export ACME=../acme.sh/acme.sh
 # have no permission
 # export CM_certmatch="\.example\.com"

+# export CM_challenge_alias="example.com"
+
 # optional: force a user to execute cm.sh
 # this is for a central installation with a software deployment
 # like Ansible or puppet; default: none (=any user can run cm.sh)