summaryrefslogtreecommitdiff
path: root/generate-and-upload-self-signed-key.in
diff options
context:
space:
mode:
Diffstat (limited to 'generate-and-upload-self-signed-key.in')
-rwxr-xr-xgenerate-and-upload-self-signed-key.in116
1 files changed, 116 insertions, 0 deletions
diff --git a/generate-and-upload-self-signed-key.in b/generate-and-upload-self-signed-key.in
new file mode 100755
index 0000000..fd903d3
--- /dev/null
+++ b/generate-and-upload-self-signed-key.in
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+if [ -r '#ETCDIR#/generate-and-manage-self-signed-keys.conf' ]; then
+ . '#ETCDIR#/generate-and-manage-self-signed-keys.conf'
+fi
+
+hosts=$(
+ find '#ETCDIR#/nginx/' -name sites-available -prune , \
+ \( -type f -o -type l \) \
+ -exec sed -n '
+ s/^\s*//
+ /^server_name\s.*;/ p
+ /^server_name[^;]*$/,/;/ p
+ ' {} \; 2>/dev/null \
+ | tr '\n' ' ' \
+ | sed '
+ s/\s\+/ /g
+ s/;\s*/;\n/g
+ '"$(
+ printf 's/\\s%s\\(;\\|\\s\)//\n' "${ignore_hosts[@]}"
+ )"'
+ ' \
+ | sed -n '
+ s/^server_name //
+ T
+ s/;$//
+ T
+ p
+ ' \
+ | sort -u
+)
+
+host_key_files=$(
+ printf '%s\n' "${hosts}" \
+ | cut -d' ' -f1
+)
+
+host_key_files=$(
+ printf '#ETCDIR#/nginx/keys/%s\n' ${host_key_files}
+)
+
+if [ "$(whoami)" = 'root' ]; then
+ updated_something=false
+ for host_key_file in ${host_key_files}; do
+ if [ -f "${host_key_file}.key.pem.new" ] \
+ && [ -f "${host_key_file}.cert.pem.new" ]; then
+ mv "${host_key_file}.key.pem"{.new,}
+ mv "${host_key_file}.cert.pem"{.new,}
+ updated_something=true
+ fi
+ done
+ if ${updated_something}; then
+ systemctl try-restart nginx
+ fi
+
+ su http -s /bin/bash -c "$0"
+fi
+
+if [ "$(whoami)" != 'http' ]; then
+ exit
+fi
+
+printf '%s\n' "${hosts}" \
+| while read -r host other_hosts; do
+ openssl req -x509 -newkey rsa:4096 \
+ -keyout "#ETCDIR#/nginx/keys/${host}.key.pem.new" \
+ -out "#ETCDIR#/nginx/keys/${host}.cert.pem.new" \
+ -days 365 -nodes -subj '/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net/CN='"${host}" -sha256 \
+ -config <(
+ cat '#ETCDIR#/ssl/openssl.cnf'
+ if [ -n "${other_hosts}" ]; then
+ printf '\n[SAN]\nsubjectAltName'
+ printf ',DNS:%s' \
+ "${host}" \
+ ${other_hosts} \
+ | sed 's/^,/=/'
+ fi
+ )
+done
+
+rsync --ignore-missing-args \
+ $(
+ printf '#ETCDIR#/nginx/keys/%s.cert.pem\n' ${host_key_files}
+ printf '#ETCDIR#/nginx/keys/%s.cert.pem.new\n' ${host_key_files}
+ ) \
+ "${remote_host}:${remote_dir}/"
+
+(
+ cd '#ETCDIR#/nginx/keys'
+ {
+ printf '%s.cert.pem\n' ${host_key_files}
+ printf '%s.cert.pem.new\n' ${host_key_files}
+ } \
+ | while read -r key; do
+ [ -f "${key}" ] || continue
+ printf '%s %s\n' "$(
+ date -u --iso-8601=seconds -d@$(stat -c%Y "${key}") \
+ | cut -d+ -f1
+ )" "$(
+ sha512sum "${key}" \
+ | sed 's/\s\+/ /'
+ )"
+ done
+) \
+| ssh "${remote_host}" '
+ cd "'"${remote_dir}"'"
+ while read -r time sum file; do
+ rm -f ????-??-??T??\:??\:??".${file}"
+ mv "${file}" "${time}.${file}"
+ sed -i '"'"'
+ / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+ '"'"' sha512sums
+ printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
+ >> sha512sums
+ done
+'