blob: 8b8cfe79f71dd32e4264e0994e379f2517af5ea4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
#!/bin/bash
key_dir='#ETCDIR#/simple-pki/cb'
if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then
. '#ETCDIR#/simple-pki/cb.conf'
fi
me=$(readlink -e "$0")
cd /
hosts=$(
find '#ETCDIR#/nginx/' \
-name keys -prune , \
-name sites-available -prune , \
\( -type f -o -type l \) \
-exec sed -n '
s/^\s*//
/^server_name\s.*;/ p
/^server_name[^;]*$/,/;/ p
' {} \; 2>/dev/null \
| tr '\n' ' ' \
| sed '
s/\s\+/ /g
s/;\s*/;\n/g
'"$(
printf 's/\\s%s\\(;\\|\\s\)//\n' "${ignore_hosts[@]}"
)"'
' \
| sed -n '
s/^server_name //
T
s/;$//
T
p
' \
| sort -u
)
host_key_files=$(
printf '%s\n' "${hosts}" \
| cut -d' ' -f1
)
if [ "$(whoami)" != "${certificate_user}" ]; then
if [ "$(whoami)" = 'root' ]; then
updated_something=false
for host_key_file in ${host_key_files}; do
if [ -f "${key_dir}/${host_key_file}.key.new" ] \
&& [ -f "${key_dir}/${host_key_file}.crt.new" ]; then
if [ "$(stat -c%Y "${key_dir}/${host_key_file}.key.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
&& [ -f "${key_dir}/${host_key_file}.key" ] \
&& [ "$(stat -c%Y "${key_dir}/${host_key_file}.crt.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
&& [ -f "${key_dir}/${host_key_file}.crt" ]; then
continue
fi
mv "${key_dir}/${host_key_file}.key"{.new,}
mv "${key_dir}/${host_key_file}.crt"{.new,}
updated_something=true
fi
done
if ${updated_something}; then
systemctl try-restart nginx
fi
chown -R "${certificate_user}" "${key_dir}"
exec su "${certificate_user}" -s /bin/bash -c "${me}"
fi
>&2 printf 'only root can su %s\n' "${certificate_user}"
exit 1
fi
if [ -n "$(trap)" ]; then
>&2 echo 'outer traps set - those will be forgotten!'
exit 1
fi
tmp_dir=$(mktemp -d "${webserver_dir}"'/tmp.XXXXXXXXXX')
trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
printf '%s\n' "${hosts}" \
| while read -r host other_hosts; do
if [ -f "${key_dir}/${host}.key.new" ] \
&& [ -f "${key_dir}/${host}.crt.new" ]; then
continue
fi
SAN=$(
printf ',DNS:%s' \
"${host}" \
${other_hosts} \
| sed 's/^,//'
) \
CN="${host}" \
openssl req -new \
-config '#ETCDIR#/simple-pki/server-ssl.conf' \
-keyout "${key_dir}/${host}.key.new" \
-out "${tmp_dir}/${host}.csr" \
printf 'https://%s/.csr/%s/%s.csr\n' \
"${host}" \
"${tmp_dir##*/}" \
"${host}" \
>> "${tmp_dir}/commands"
done
if [ ! -s "${tmp_dir}/commands" ]; then
>&2 echo 'nothing to do.'
exit
fi
cd "${tmp_dir}"
| ssh -T "${ca_host}" \
< 'commands' \
| tar -xzf -
for host_key_file in ${host_key_files}; do
if [ ! -f "${tmp_dir}/${host_key_file}.crt" ]; then
continue
fi
cat "${tmp_dir}/${host_key_file}.crt" \
> "${key_dir}/${host_key_file}.crt.new"
cat "${tmp_dir}/${host_key_file}.chain" \
> "${key_dir}/${host_key_file}.chain.new"
done
|
