diff options
Diffstat (limited to 'generate-and-upload-self-signed-key.in')
-rwxr-xr-x | generate-and-upload-self-signed-key.in | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/generate-and-upload-self-signed-key.in b/generate-and-upload-self-signed-key.in new file mode 100755 index 0000000..fd903d3 --- /dev/null +++ b/generate-and-upload-self-signed-key.in @@ -0,0 +1,116 @@ +#!/bin/bash + +if [ -r '#ETCDIR#/generate-and-manage-self-signed-keys.conf' ]; then + . '#ETCDIR#/generate-and-manage-self-signed-keys.conf' +fi + +hosts=$( + find '#ETCDIR#/nginx/' -name sites-available -prune , \ + \( -type f -o -type l \) \ + -exec sed -n ' + s/^\s*// + /^server_name\s.*;/ p + /^server_name[^;]*$/,/;/ p + ' {} \; 2>/dev/null \ + | tr '\n' ' ' \ + | sed ' + s/\s\+/ /g + s/;\s*/;\n/g + '"$( + printf 's/\\s%s\\(;\\|\\s\)//\n' "${ignore_hosts[@]}" + )"' + ' \ + | sed -n ' + s/^server_name // + T + s/;$// + T + p + ' \ + | sort -u +) + +host_key_files=$( + printf '%s\n' "${hosts}" \ + | cut -d' ' -f1 +) + +host_key_files=$( + printf '#ETCDIR#/nginx/keys/%s\n' ${host_key_files} +) + +if [ "$(whoami)" = 'root' ]; then + updated_something=false + for host_key_file in ${host_key_files}; do + if [ -f "${host_key_file}.key.pem.new" ] \ + && [ -f "${host_key_file}.cert.pem.new" ]; then + mv "${host_key_file}.key.pem"{.new,} + mv "${host_key_file}.cert.pem"{.new,} + updated_something=true + fi + done + if ${updated_something}; then + systemctl try-restart nginx + fi + + su http -s /bin/bash -c "$0" +fi + +if [ "$(whoami)" != 'http' ]; then + exit +fi + +printf '%s\n' "${hosts}" \ +| while read -r host other_hosts; do + openssl req -x509 -newkey rsa:4096 \ + -keyout "#ETCDIR#/nginx/keys/${host}.key.pem.new" \ + -out "#ETCDIR#/nginx/keys/${host}.cert.pem.new" \ + -days 365 -nodes -subj '/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net/CN='"${host}" -sha256 \ + -config <( + cat '#ETCDIR#/ssl/openssl.cnf' + if [ -n "${other_hosts}" ]; then + printf '\n[SAN]\nsubjectAltName' + printf ',DNS:%s' \ + "${host}" \ + ${other_hosts} \ + | sed 's/^,/=/' + fi + ) +done + +rsync --ignore-missing-args \ + $( + printf '#ETCDIR#/nginx/keys/%s.cert.pem\n' ${host_key_files} + printf '#ETCDIR#/nginx/keys/%s.cert.pem.new\n' ${host_key_files} + ) \ + "${remote_host}:${remote_dir}/" + +( + cd '#ETCDIR#/nginx/keys' + { + printf '%s.cert.pem\n' ${host_key_files} + printf '%s.cert.pem.new\n' ${host_key_files} + } \ + | while read -r key; do + [ -f "${key}" ] || continue + printf '%s %s\n' "$( + date -u --iso-8601=seconds -d@$(stat -c%Y "${key}") \ + | cut -d+ -f1 + )" "$( + sha512sum "${key}" \ + | sed 's/\s\+/ /' + )" + done +) \ +| ssh "${remote_host}" ' + cd "'"${remote_dir}"'" + while read -r time sum file; do + rm -f ????-??-??T??\:??\:??".${file}" + mv "${file}" "${time}.${file}" + sed -i '"'"' + / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d + '"'"' sha512sums + printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \ + >> sha512sums + done +' |