summaryrefslogtreecommitdiff
path: root/rotate-keys.in
blob: 8b8cfe79f71dd32e4264e0994e379f2517af5ea4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/bin/bash

key_dir='#ETCDIR#/simple-pki/cb'

if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then
  . '#ETCDIR#/simple-pki/cb.conf'
fi

me=$(readlink -e "$0")
cd /

hosts=$(
  find '#ETCDIR#/nginx/' \
    -name keys -prune , \
    -name sites-available -prune , \
    \( -type f -o -type l \) \
    -exec sed -n '
      s/^\s*//
      /^server_name\s.*;/ p
      /^server_name[^;]*$/,/;/ p
    ' {} \; 2>/dev/null \
  | tr '\n' ' ' \
  | sed '
    s/\s\+/ /g
    s/;\s*/;\n/g
    '"$(
      printf 's/\\s%s\\(;\\|\\s\)//\n' "${ignore_hosts[@]}"
    )"'
  ' \
  | sed -n '
    s/^server_name //
    T
    s/;$//
    T
    p
  ' \
  | sort -u
)

host_key_files=$(
  printf '%s\n' "${hosts}" \
  | cut -d' ' -f1
)

if [ "$(whoami)" != "${certificate_user}" ]; then

  if [ "$(whoami)" = 'root' ]; then
    updated_something=false
    for host_key_file in ${host_key_files}; do
      if [ -f "${key_dir}/${host_key_file}.key.new" ] \
      && [ -f "${key_dir}/${host_key_file}.crt.new" ]; then
        if [ "$(stat -c%Y "${key_dir}/${host_key_file}.key.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
        && [ -f "${key_dir}/${host_key_file}.key" ] \
        && [ "$(stat -c%Y "${key_dir}/${host_key_file}.crt.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
        && [ -f "${key_dir}/${host_key_file}.crt" ]; then
          continue
        fi
        mv "${key_dir}/${host_key_file}.key"{.new,}
        mv "${key_dir}/${host_key_file}.crt"{.new,}
        updated_something=true
      fi
    done
    if ${updated_something}; then
      systemctl try-restart nginx
    fi

    chown -R "${certificate_user}" "${key_dir}"
    exec su "${certificate_user}" -s /bin/bash -c "${me}"
  fi
  >&2 printf 'only root can su %s\n' "${certificate_user}"
  exit 1
fi

if [ -n "$(trap)" ]; then
  >&2 echo 'outer traps set - those will be forgotten!'
  exit 1
fi

tmp_dir=$(mktemp -d "${webserver_dir}"'/tmp.XXXXXXXXXX')
trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT

printf '%s\n' "${hosts}" \
| while read -r host other_hosts; do
  if [ -f "${key_dir}/${host}.key.new" ] \
  && [ -f "${key_dir}/${host}.crt.new" ]; then
    continue
  fi

  SAN=$(
    printf ',DNS:%s' \
      "${host}" \
      ${other_hosts} \
    | sed 's/^,//'
  ) \
  CN="${host}" \
  openssl req -new \
    -config '#ETCDIR#/simple-pki/server-ssl.conf' \
    -keyout "${key_dir}/${host}.key.new" \
    -out "${tmp_dir}/${host}.csr" \

  printf 'https://%s/.csr/%s/%s.csr\n' \
    "${host}" \
    "${tmp_dir##*/}" \
    "${host}" \
  >> "${tmp_dir}/commands"
done

if [ ! -s "${tmp_dir}/commands" ]; then
  >&2 echo 'nothing to do.'
  exit
fi

cd "${tmp_dir}"

| ssh -T "${ca_host}" \
< 'commands' \
| tar -xzf -

for host_key_file in ${host_key_files}; do
  if [ ! -f "${tmp_dir}/${host_key_file}.crt" ]; then
    continue
  fi
  cat "${tmp_dir}/${host_key_file}.crt" \
  > "${key_dir}/${host_key_file}.crt.new"
  cat "${tmp_dir}/${host_key_file}.chain" \
  > "${key_dir}/${host_key_file}.chain.new"
done