author | Erich Eckner <git@eckner.net> | 2019-09-02 12:19:35 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-09-02 12:19:35 +0200 |
commit | 60bcc6097db7c05caee560e31eada48f831941b0 (patch) | |
tree | 9e690f78c87daae2cfe556b461afa83f034fa6cb | |
parent | 69d1ec7d8de2d4926b55f44279a41ba7e086be30 (diff) | |
download | simple-pki-60bcc6097db7c05caee560e31eada48f831941b0.tar.xz |
rotate-keys.in: should work
-rw-r--r-- | etc/cb.conf | 2 | ||||
-rw-r--r-- | rotate-keys.in | 43 |
2 files changed, 21 insertions, 24 deletions
diff --git a/etc/cb.conf b/etc/cb.conf
index 47ae16a..98029b7 100644
--- a/etc/cb.conf
+++ b/etc/cb.conf
@@ -9,7 +9,7 @@ ignore_hosts=('localhost')
 # where should the certificates be requested?
 ca_host='user@ca.example.com'
-# request new key/cert afther this many days
+# request new key/cert not before this many days
 key_min_duration=15
 # which user owns the certificates (not root)
diff --git a/rotate-keys.in b/rotate-keys.in
index 6116d9d..8b8cfe7 100644
--- a/rotate-keys.in
+++ b/rotate-keys.in
@@ -1,6 +1,6 @@
 #!/bin/bash
-key_dir='#ETCDIR#/simple-pki/keys'
+key_dir='#ETCDIR#/simple-pki/cb'
 if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then
 . '#ETCDIR#/simple-pki/cb.conf'
@@ -64,10 +64,11 @@ if [ "$(whoami)" != "${certificate_user}" ]; then
 systemctl try-restart nginx
 fi
- su "${certificate_user}" -s /bin/bash -c "${me}"
+ chown -R "${certificate_user}" "${key_dir}"
+ exec su "${certificate_user}" -s /bin/bash -c "${me}"
 fi
-
- exit
+ >&2 printf 'only root can su %s\n' "${certificate_user}"
+ exit 1
 fi
 if [ -n "$(trap)" ]; then
@@ -84,28 +85,23 @@ printf '%s\n' "${hosts}" \
 && [ -f "${key_dir}/${host}.crt.new" ]; then
 continue
 fi
- if [ -n "${other_hosts}" ]; then
- extensions="-addext subjectAltName=$(
- printf ',DNS:%s' \
- "${host}" \
- ${other_hosts} \
- | sed 's/^,//'
- )"
- else
- extensions=''
- fi
- openssl req -newkey rsa:4096 \
+
+ SAN=$(
+ printf ',DNS:%s' \
+ "${host}" \
+ ${other_hosts} \
+ | sed 's/^,//'
+ ) \
+ CN="${host}" \
+ openssl req -new \
+ -config '#ETCDIR#/simple-pki/server-ssl.conf' \
 -keyout "${key_dir}/${host}.key.new" \
 -out "${tmp_dir}/${host}.csr" \
- -nodes -subj "${subject_prefix}"'/CN='"${host}" -sha256 \
- ${extensions}
- printf 'https://%s/.csr/%s/%s.csr %s/CN=%s %s\n' \
+
+ printf 'https://%s/.csr/%s/%s.csr\n' \
 "${host}" \
 "${tmp_dir##*/}" \
 "${host}" \
- "${subject_prefix}" \
- "${host}" \
- "${extensions}" \
 >> "${tmp_dir}/commands"
 done
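Review bot: The `chown -R "${certificate_user}" "${key_dir}"` added before `exec su` is unchecked and only changes ownership, not mode, so a failed chown still hands off to `su`, and any private key material under `${key_dir}` keeps whatever group/other bits it already had. Consider `chown -R "${certificate_user}" "${key_dir}" || exit 1`, and tightening just the private key files (the `${host}.key.new` names further down suggest `*.key*`) rather than the whole tree, since nginx presumably still needs to read the certificates; after the `exec su` the script can no longer do either as root. The enclosing `if [ "$(whoami)" != "${certificate_user}" ]` block starts outside the hunk.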
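Review bot: `-nodes` is dropped together with the `-subj` line, but `openssl req -new` still generates the key into `-keyout`, and unless `server-ssl.conf` sets `encrypt_key = no` it will prompt for a PEM pass phrase that has no terminal to answer it under `su -c`; either add `-nodes` back or confirm the config carries that setting. The key size and digest (`rsa:4096`, `-sha256`) likewise now come from the config's defaults, which deserves a comment on the `-config` line, e.g. `# key size, digest, CN and SAN (via CN/SAN env vars) come from server-ssl.conf`. The URL is still appended to `commands` even when `openssl` fails, which the old code also did; changing the last continuation line to `-out "${tmp_dir}/${host}.csr" || continue` avoids handing the CA a CSR that was never written. The loop body this hunk sits in starts and ends outside the hunk.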
@@ -116,9 +112,8 @@ fi
 cd "${tmp_dir}"
-cut -d' ' -f1 \
-< 'commands' \
 | ssh -T "${ca_host}" \
+< 'commands' \
 | tar -xzf -
 for host_key_file in ${host_key_files}; do
@@ -127,4 +122,6 @@ for host_key_file in ${host_key_files}; do
 fi
 cat "${tmp_dir}/${host_key_file}.crt" \
 > "${key_dir}/${host_key_file}.crt.new"
+ cat "${tmp_dir}/${host_key_file}.chain" \
+ > "${key_dir}/${host_key_file}.chain.new"
 done
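Review bot: The CA's reply is piped straight into `tar -xzf -` inside `${tmp_dir}`, so whatever member names the remote side sends are extracted there, not only the `${host_key_file}.crt`/`.chain` files read below; since those names are known beforehand, build the list from `${host_key_files}` and run `tar -xzf - "${members[@]}"` so unexpected members are ignored, and check `${PIPESTATUS[@]}` (or `set -o pipefail`, if the script does not already) so an ssh failure is not masked by tar's status. Separately, as reconstructed the new side reads `| ssh -T "${ca_host}" \` immediately after `cd "${tmp_dir}"`, a pipeline that begins with `|`, which bash rejects; if no line precedes it, it should read `ssh -T "${ca_host}" \`. The collapsed rendering may hide a preceding line, so this needs confirming against the file.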
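Review bot: The new `cat "${tmp_dir}/${host_key_file}.chain" > "${key_dir}/${host_key_file}.chain.new"` creates `.chain.new` even when the CA returned no chain file: the redirection opens the target before `cat` fails, leaving an empty file where the old `.crt`-only flow left nothing. Guard it the way the `.crt` appears to be checked just above the hunk, e.g. `[ -f "${tmp_dir}/${host_key_file}.chain" ] || continue` before the copy, or use `cp -- "${tmp_dir}/${host_key_file}.chain" "${key_dir}/${host_key_file}.chain.new"`, which fails without creating the target. The `for host_key_file` loop starts outside the hunk.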