Cleaner outputs

This commit is contained in:
Martin Geiseler
2015-12-06 18:22:17 +01:00
committed by Lukas Schauer
parent 5d24285f5e
commit 579e231631
2 changed files with 25 additions and 18 deletions


@@ -9,7 +9,7 @@
# on the webserver # on the webserver
#HOOK_CHALLENGE= #HOOK_CHALLENGE=
# try to renew certs that are within RENEW_DAYS days of there expire date # try to renew certs that are within RENEW_DAYS days of their expiration date
#RENEW_DAYS="14" #RENEW_DAYS="14"
# create new private key for each csr (yes|no) # create new private key for each csr (yes|no)


@@ -101,17 +101,17 @@ signed_request() {
sign_domain() { sign_domain() {
domain="${1}" domain="${1}"
altnames="${*}" altnames="${*}"
echo "Signing domain ${1} (${*})..." echo " + Signing domains..."
# If there is no existing certificate directory => make it # If there is no existing certificate directory => make it
if [[ ! -e "certs/${domain}" ]]; then if [[ ! -e "certs/${domain}" ]]; then
echo " + make directory certs/${domain} ..." echo " + make directory certs/${domain} ..."
mkdir -p "certs/${domain}" mkdir -p "certs/${domain}"
fi fi
# generate a new private key if we need or want one # generate a new private key if we need or want one
if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private key..." echo " + Generating private key..."
timestamp="$(date +%s)" timestamp="$(date +%s)"
openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
rm -f "certs/${domain}/privkey.pem" rm -f "certs/${domain}/privkey.pem"
@@ -124,13 +124,13 @@ sign_domain() {
SAN+="DNS:${altname}, " SAN+="DNS:${altname}, "
done done
SAN="$(printf '%s' "${SAN}" | sed 's/,\s*$//g')" SAN="$(printf '%s' "${SAN}" | sed 's/,\s*$//g')"
echo " + Generating signing request..." echo " + Generating signing request..."
openssl req -new -sha256 -key "certs/${domain}/privkey.pem" -out "certs/${domain}/cert.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null openssl req -new -sha256 -key "certs/${domain}/privkey.pem" -out "certs/${domain}/cert.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null
# Request and respond to challenges # Request and respond to challenges
for altname in $altnames; do for altname in $altnames; do
# Ask the acme-server for new challenge token and extract them from the resulting json block # Ask the acme-server for new challenge token and extract them from the resulting json block
echo " + Requesting challenge for ${altname}..." echo " + Requesting challenge for ${altname}..."
response="$(signed_request "${CA}/acme/new-authz" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}')" response="$(signed_request "${CA}/acme/new-authz" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}')"
challenge_token="$(printf '%s\n' "${response}" | grep -Eo '"challenges":[^\[]*\[[^]]*]' | sed 's/{/\n{/g' | grep 'http-01' | grep -Eo '"token":\s*"[^"]*"' | cut -d'"' -f4 | sed 's/[^A-Za-z0-9_\-]/_/g')" challenge_token="$(printf '%s\n' "${response}" | grep -Eo '"challenges":[^\[]*\[[^]]*]' | sed 's/{/\n{/g' | grep 'http-01' | grep -Eo '"token":\s*"[^"]*"' | cut -d'"' -f4 | sed 's/[^A-Za-z0-9_\-]/_/g')"
@@ -154,7 +154,7 @@ sign_domain() {
fi fi
# Ask the acme-server to verify our challenge and wait until it becomes valid # Ask the acme-server to verify our challenge and wait until it becomes valid
echo " + Responding to challenge for ${altname}..." echo " + Responding to challenge for ${altname}..."
result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')" result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
status="$(printf '%s\n' "${result}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)" status="$(printf '%s\n' "${result}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
@@ -166,23 +166,23 @@ sign_domain() {
done done
if [[ "${status}" = "valid" ]]; then if [[ "${status}" = "valid" ]]; then
echo " + Challenge is valid!" echo " + Challenge is valid!"
else else
echo " + Challenge is invalid! (returned: ${status})" echo " + Challenge is invalid! (returned: ${status})"
exit 1 exit 1
fi fi
done done
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
echo " + Requesting certificate..." echo " + Requesting certificate..."
timestamp="$(date +%s)" timestamp="$(date +%s)"
csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)" csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)"
crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)" crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem" printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
rm -f "certs/${domain}/cert.pem" rm -f "certs/${domain}/cert.pem"
ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem" ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem"
echo " + Done!" echo " + Done!"
} }
# Check if private key exists, if it doesn't exist yet generate a new one (rsa key) # Check if private key exists, if it doesn't exist yet generate a new one (rsa key)
@@ -217,15 +217,22 @@ fi
# Generate certificates for all domains found in domain.txt. Check if existing certificate are about to expire # Generate certificates for all domains found in domain.txt. Check if existing certificate are about to expire
<domains.txt sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do <domains.txt sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do
domain="$(echo $line | cut -d' ' -f1)" domain="$(echo $line | cut -d' ' -f1)"
if [[ -e "certs/${domain}/cert.pem" ]]; then cert="certs/${domain}/cert.pem"
echo -n "Found existing cert for ${domain}. Expire date ..."
set +e; openssl x509 -checkend $((${RENEW_DAYS} * 86400)) -noout -in "certs/${domain}/cert.pem"; expiring=$?; set -e echo "Processing ${domain}"
if [[ -e "${cert}" ]]; then
echo " + Found existing cert..."
# Turning off exit on non-zero status for cert validation
set +e; openssl x509 -checkend $((${RENEW_DAYS} * 86400)) -noout -in "${cert}"; expiring=$?; set -e
valid="$(openssl x509 -enddate -noout -in "certs/${domain}/cert.pem" | cut -d= -f2- )"
echo -n " + Valid till ${valid} "
if [[ ${expiring} -eq 0 ]]; then if [[ ${expiring} -eq 0 ]]; then
valid=$(openssl x509 -enddate -noout -in "certs/${domain}/cert.pem" | cut -d= -f2- ) echo "(Longer than ${RENEW_DAYS} days). Skipping!"
echo " ${valid} Skipping. (Valid longer than ${RENEW_DAYS} days.)" continue
continue
fi fi
echo " is within ${RENEW_DAYS} days. Renewing..." echo "(Less than ${RENEW_DAYS} days). Renewing!"
fi fi
sign_domain $line sign_domain $line