91dbbecd
Commit
91dbbecd
authored
3 years ago
by
Hahn Axel (hahn)
remove usage of csr and generation of key file
parent
d39fe885
1 merge request
!1
Handle dns alias domain
Showing
2 changed files
cm.sh
+86
-36
86 additions, 36 deletions
cm.sh
inc_config.sh.dist
+2
-0
2 additions, 0 deletions
inc_config.sh.dist
with
88 additions
and
36 deletions
cm.sh
+
86
−
36
...
...
@@ -25,6 +25,7 @@
# 2021-09-27 <axel.hahn@iml.unibe.ch> softer behaviour: do not revoke changed certs (add does not stop; ensure does not delete)
# 2021-12-23 <axel.hahn@iml.unibe.ch> added param --trace as 1st param to generate a trace log
# 2022-01-10 <axel.hahn@iml.unibe.ch> _wait_for_free_slot: exclude ssh calls
# 2022-03-30 <axel.hahn@iml.unibe.ch> remove usage of csr and generation of key file
# ======================================================================
...
...
@@ -105,39 +106,45 @@ function _certTransfer(){
test
-d
${
CM_dircerts
}
&&
rm
-f
"
${
CM_dircerts
}
/*"
2>/dev/null
_wd
"--- transfer acme.sh files to
${
CM_dircerts
}
/"
$ACME
\
if
!
$ACME
\
--install-cert
\
-d
${
CM_fqdn
}
\
--cert-file
${
CM_outfile_cert
}
\
--fullchain-file
${
CM_outfile_chain
}
\
--ca-file
${
CM_outfile_ca
}
if
[
$?
-ne
0
]
;
then
echo
"ERROR occured during transfer. Removing files in
${
CM_dircerts
}
to prevent strange effects..."
-d
"
${
CM_fqdn
}
"
\
--key-file
"
${
CM_outfile_key
}
"
\
--cert-file
"
${
CM_outfile_cert
}
"
\
--fullchain-file
"
${
CM_outfile_chain
}
"
\
--ca-file
"
${
CM_outfile_ca
}
"
then
echo
"ERROR occured during acme transfer. Removing files in
${
CM_dircerts
}
to prevent strange effects..."
rm
-f
"
${
CM_dircerts
}
/*"
exit
exit
2
fi
echo
"OK."
_wd
"--- copy key to
${
CM_dircerts
}
"
cp
${
CM_filekey
}
${
CM_outfile_key
}
#
_wd "--- copy key to ${CM_dircerts}"
#
cp ${CM_filekey} ${CM_outfile_key}
_wd
"--- create chained file for haproxy"
cat
${
CM_outfile_chain
}
${
CM_outfile_key
}
>
${
CM_outfile_haproxy
}
cat
"
${
CM_outfile_chain
}
"
"
${
CM_outfile_key
}
"
>
"
${
CM_outfile_haproxy
}
"
_wd
"--- content of output dir
$CM_dircerts
:"
ls
-l
$CM_dircerts
/
*
if
!
ls
-l
"
${
CM_outfile_cert
}
"
"
${
CM_outfile_chain
}
"
"
${
CM_outfile_key
}
"
"
${
CM_outfile_haproxy
}
"
then
echo
"ERROR missing a file (or no access?)"
rm
-f
"
${
CM_dircerts
}
/*"
exit
2
fi
}
# internal function; show md5 hashsums for certificate, csr and key
# for visual comparison if the match
function
_certMatching
(){
local
md5_csr
=
$(
test
-f
${
CM_filecsr
}
&&
openssl req
-noout
-modulus
-in
${
CM_filecsr
}
| openssl md5 |
cut
-f
2
-d
" "
)
#
local md5_csr=$( test -f ${CM_filecsr} && openssl req -noout -modulus -in ${CM_filecsr} | openssl md5 | cut -f 2 -d " " )
local
md5_key
=
$(
test
-f
${
CM_outfile_key
}
&&
openssl rsa
-noout
-modulus
-in
${
CM_outfile_key
}
| openssl md5 |
cut
-f
2
-d
" "
)
local
md5_cert
=
$(
test
-f
${
CM_outfile_cert
}
&&
openssl x509
-noout
-modulus
-in
${
CM_outfile_cert
}
| openssl md5 |
cut
-f
2
-d
" "
)
echo
echo
"--- compare hashes"
echo
"csr :
$md5_csr
(used for creation of cert)"
#
echo "csr : $md5_csr (used for creation of cert)"
echo
"key :
$md5_key
"
echo
"cert :
$md5_cert
"
if
[
"
$md5_key
"
=
"
$md5_cert
"
]
;
then
...
...
@@ -157,15 +164,17 @@ function _certMatching(){
function
_checkDig
(){
local
myfqdn
=
$1
local
_type
=
${
2
:-
"a"
}
which dig
>
/dev/null
if
[
$?
-eq
0
]
;
then
_wd
"CHECK:
$myfqdn
exists as [
$_type
] in DNS (using dig) ..."
dig
"
${
myfqdn
}
"
"
${
_type
}
"
|
grep
"^
${
myfqdn
}
"
if
[
$?
-ne
0
]
;
then
echo
"ERROR: not found. Maybe there is a typo in the hostname or it does not exist in DNS."
# local _verify=${3:-"."}
if
which dig
>
/dev/null
then
# _wd "[$myfqdn] exists as type [$_type] in DNS?"
if
!
dig
"
${
myfqdn
}
"
"
${
_type
}
"
|
grep
"^
${
myfqdn
}
"
# | grep "${_verify}"
then
echo
"ERROR: [
$myfqdn
] was not found. Maybe there is a typo in the hostname or it does not exist in DNS."
exit
2
fi
_wd
"OK"
_wd
"OK
: [
$myfqdn
] exists in DNS.
"
else
_wd
"SKIP: dig was not found"
fi
...
...
@@ -173,35 +182,33 @@ function _checkDig(){
}
# internal function; generate a csr file before creating a new certifcate
# this function is used in public_add
function
_gencsr
(){
function
_dnsCheck
(){
local
altdns
=
local
_mydomain
=
local
_subdomain
=
'_acme-challenge'
# check alt names too
# _checkDig $CM_fqdn
for
_mydomain
in
$CM_fqdn
$*
for
_mydomain
in
$*
do
_wd
"dig check - domain for cert"
_checkDig
"
$_mydomain
"
"a"
# if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}"
if
[
-n
"
${
CM_challenge_alias
}
"
]
&&
echo
"
$_mydomain
"
|
grep
"
${
CM_certmatch
}
"
>
/dev/null
if
[
-n
"
${
CM_challenge_alias
}
"
]
&&
!
echo
"
$_mydomain
"
|
grep
"
${
CM_certmatch
}
"
>
/dev/null
then
_wd
"dig check - domain with api access
$_subdomain
... "
_checkDig
"
${
_subdomain
}
.
${
CM_challenge_alias
}
"
"a"
_wd
"dig check - alias
$_subdomain
... "
# _wd "Host is not matching ${CM_certmatch} ... using dns alias"
# _wd "dig check - domain with api access $_subdomain... "
# _checkDig "${_subdomain}.${CM_challenge_alias}" "a"
_wd
"dig check - cname
${
_subdomain
}
.
${
_mydomain
}
must point to
${
_subdomain
}
.
${
CM_challenge_alias
}
"
_checkDig
"
${
_subdomain
}
.
${
_mydomain
}
"
"cname"
fi
done
echo
ABORT
in
_gencsr Zeile 195
exit
1
}
# internal function; generate a csr file before creating a new certifcate
# this function is used in public_add
function
_gencsr
(){
local
altdns
=
for
myalt
in
$*
do
...
...
@@ -357,6 +364,49 @@ function _testFqdncount(){
# pulic function ADD certificate
#
function
public_add
(){
local
_params
=
""
_wait_for_free_slot
_requiresFqdn
_certMustNotExist
# _dnsCheck $CM_fqdn $*
for
_mydomain
in
$CM_fqdn
$*
do
_params+
=
"-d
$_mydomain
"
if
[
-n
"
${
CM_challenge_alias
}
"
]
&&
!
echo
"
$_mydomain
"
|
grep
"
${
CM_certmatch
}
"
>
/dev/null
then
_params+
=
"--challenge-alias
${
CM_challenge_alias
}
"
fi
done
_wd
"--- create output dir
$dircerts
"
mkdir
-p
"
${
CM_dircerts
}
"
2>/dev/null
_wd
"--- create certificate"
# echo $ACME --signcsr --csr $CM_filecsr $ACME_Params
# $ACME --signcsr --csr $CM_filecsr $ACME_Params
echo
$ACME
--issue
$_params
$ACME_Params
if
!
$ACME
--issue
$_params
$ACME_Params
then
echo
"ERROR: adding cert failed. Trying to delete internal data ..."
public_delete
$CM_fqdn
exit
1
fi
# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1
_certTransfer
_certMatching
_update
"added
$CM_fqdn
$*
"
}
function
OLD__public_add
(){
_wait_for_free_slot
_requiresFqdn
_certMustNotExist
...
...
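Review bot: The cleanup in the new `if ! ls -l …` error branch of `_certTransfer` removes nothing, because the `*` in `rm -f "${CM_dircerts}/*"` sits inside the double quotes and is passed to rm as a literal filename, so after a failed install the output directory keeps whatever acme.sh already wrote (the `rm -f` at the top of the function has the same quoting and its error is hidden by `2>/dev/null`). Put the glob outside the quotes and refuse to run on an empty variable: `rm -f -- "${CM_dircerts:?}"/*`. Separately, the haproxy bundle produced by `cat "${CM_outfile_chain}" "${CM_outfile_key}" > "${CM_outfile_haproxy}"` contains the private key but is created with the caller's umask, so it can come out world-readable; follow the redirect with `chmod 600 "${CM_outfile_haproxy}"` (or set `umask 077` before it). Whether acme.sh restricts the mode of the file it writes for `--key-file` is not visible here, so applying the same chmod to `"${CM_outfile_key}"` is cheap insurance. The opening line of `_certTransfer` is outside this hunk.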
inc_config.sh.dist
+
2
−
0
...
...
@@ -43,6 +43,8 @@ export ACME=../acme.sh/acme.sh
# have no permission
# export CM_certmatch="\.example\.com"
# export CM_challenge_alias="example.com"
# optional: force a user to execute cm.sh
# this is for a central installation with a software deployment
# like Ansible or puppet; default: none (=any user can run cm.sh)
...
...