diff options
Diffstat (limited to 'rotate-keys.in')
| -rw-r--r-- | rotate-keys.in | 43 |
1 files changed, 20 insertions, 23 deletions
diff --git a/rotate-keys.in b/rotate-keys.in index 6116d9d..8b8cfe7 100644 --- a/rotate-keys.in +++ b/rotate-keys.in @@ -1,6 +1,6 @@ #!/bin/bash -key_dir='#ETCDIR#/simple-pki/keys' +key_dir='#ETCDIR#/simple-pki/cb' if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then . '#ETCDIR#/simple-pki/cb.conf' @@ -64,10 +64,11 @@ if [ "$(whoami)" != "${certificate_user}" ]; then systemctl try-restart nginx fi - su "${certificate_user}" -s /bin/bash -c "${me}" + chown -R "${certificate_user}" "${key_dir}" + exec su "${certificate_user}" -s /bin/bash -c "${me}" fi - - exit + >&2 printf 'only root can su %s\n' "${certificate_user}" + exit 1 fi if [ -n "$(trap)" ]; then @@ -84,28 +85,23 @@ printf '%s\n' "${hosts}" \ && [ -f "${key_dir}/${host}.crt.new" ]; then continue fi - if [ -n "${other_hosts}" ]; then - extensions="-addext subjectAltName=$( - printf ',DNS:%s' \ - "${host}" \ - ${other_hosts} \ - | sed 's/^,//' - )" - else - extensions='' - fi - openssl req -newkey rsa:4096 \ + + SAN=$( + printf ',DNS:%s' \ + "${host}" \ + ${other_hosts} \ + | sed 's/^,//' + ) \ + CN="${host}" \ + openssl req -new \ + -config '#ETCDIR#/simple-pki/server-ssl.conf' \ -keyout "${key_dir}/${host}.key.new" \ -out "${tmp_dir}/${host}.csr" \ - -nodes -subj "${subject_prefix}"'/CN='"${host}" -sha256 \ - ${extensions} - printf 'https://%s/.csr/%s/%s.csr %s/CN=%s %s\n' \ + + printf 'https://%s/.csr/%s/%s.csr\n' \ "${host}" \ "${tmp_dir##*/}" \ "${host}" \ - "${subject_prefix}" \ - "${host}" \ - "${extensions}" \ >> "${tmp_dir}/commands" done @@ -116,9 +112,8 @@ fi cd "${tmp_dir}" -cut -d' ' -f1 \ -< 'commands' \ | ssh -T "${ca_host}" \ +< 'commands' \ | tar -xzf - for host_key_file in ${host_key_files}; do @@ -127,4 +122,6 @@ for host_key_file in ${host_key_files}; do fi cat "${tmp_dir}/${host_key_file}.crt" \ > "${key_dir}/${host_key_file}.crt.new" + cat "${tmp_dir}/${host_key_file}.chain" \ + > "${key_dir}/${host_key_file}.chain.new" done |