blob: 0ba3480cc18223e46dbe08c29aacb9bb3b7c46c4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
#!/bin/bash
key_dir='#ETCDIR#/simple-pki/keys'
if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then
. '#ETCDIR#/simple-pki/cb.conf'
fi
hosts=$(
find '#ETCDIR#/nginx/' \
-name keys -prune , \
-name sites-available -prune , \
\( -type f -o -type l \) \
-exec sed -n '
s/^\s*//
/^server_name\s.*;/ p
/^server_name[^;]*$/,/;/ p
' {} \; 2>/dev/null \
| tr '\n' ' ' \
| sed '
s/\s\+/ /g
s/;\s*/;\n/g
'"$(
printf 's/\\s%s\\(;\\|\\s\)//\n' "${ignore_hosts[@]}"
)"'
' \
| sed -n '
s/^server_name //
T
s/;$//
T
p
' \
| sort -u
)
host_key_files=$(
printf '%s\n' "${hosts}" \
| cut -d' ' -f1
)
if [ "$(whoami)" != "${certificate_user}" ]; then
if [ "$(whoami)" = 'root' ]; then
updated_something=false
for host_key_file in ${host_key_files}; do
if [ -f "${key_dir}/${host_key_file}.key.new" ] \
&& [ -f "${key_dir}/${host_key_file}.crt.new" ]; then
if [ "$(stat -c%Y "${key_dir}/${host_key_file}.key.new")" -ge "$(($(date +%s)-60*60*24*30))" ] \
&& [ -f "${key_dir}/${host_key_file}.key" ] \
&& [ "$(stat -c%Y "${key_dir}/${host_key_file}.crt.new")" -ge "$(($(date +%s)-60*60*24*30))" ] \
&& [ -f "${key_dir}/${host_key_file}.crt" ]; then
continue
fi
mv "${key_dir}/${host_key_file}.key"{.new,}
mv "${key_dir}/${host_key_file}.crt"{.new,}
updated_something=true
fi
done
if ${updated_something}; then
systemctl try-restart nginx
fi
su "${certificate_user}" -s /bin/bash -c "$0"
fi
exit
fi
if [ -n "$(trap)" ]; then
>&2 echo 'outer traps set - those will be forgotten!'
exit 1
fi
tmp_dir=$(mktemp -d "${webserver_dir}"'/tmp.XXXXXXXXXX')
trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
printf '%s\n' "${hosts}" \
| while read -r host other_hosts; do
if [ -f "${key_dir}/${host}.key.new" ] \
&& [ -f "${key_dir}/${host}.crt.new" ]; then
continue
fi
if [ -n "${other_hosts}" ]; then
extensions="-addext subjectAltName=$(
printf ',DNS:%s' \
"${host}" \
${other_hosts} \
| sed 's/^,//'
)"
else
extensions=''
fi
openssl req -newkey rsa:4096 \
-keyout "${key_dir}/${host}.key.new" \
-out "${tmp_dir}/${host}.csr" \
-nodes -subj "${subject_prefix}"'/CN='"${host}" -sha256 \
${extensions}
printf 'https://%s/.csr/%s/%s.csr %s/CN=%s %s\n' \
"${host}" \
"${tmp_dir##*/}" \
"${host}" \
"${subject_prefix}" \
"${host}" \
"${extensions}" \
>> "${tmp_dir}/commands"
done
if [ ! -s "${tmp_dir}/commands" ]; then
>&2 echo 'nothing to do.'
exit
fi
cd "${tmp_dir}"
cut -d' ' -f1 \
< 'commands' \
| ssh -T "${ca_host}" \
| tar -xzf -
for host_key_file in ${host_key_files}; do
if [ ! -f "${tmp_dir}/${host_key_file}.crt" ]; then
continue
fi
cat "${tmp_dir}/${host_key_file}.crt" \
> "${key_dir}/${host_key_file}.crt.new"
done
|
