summaryrefslogtreecommitdiffstats
path: root/collectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xcollectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh267
1 files changed, 267 insertions, 0 deletions
diff --git a/collectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh b/collectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh
new file mode 100755
index 00000000..ada735f1
--- /dev/null
+++ b/collectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh
@@ -0,0 +1,267 @@
+#!/usr/bin/env bash
+
+me="${0}"
+dst="/etc/ssl/systemd-journal"
+
+show_usage() {
+ cat <<EOFUSAGE
+
+${me} [options] server_name alias1 alias2 ...
+
+server_name
+ the canonical name of the server on the certificates
+
+aliasN
+ a hostname or IP this server is reachable with
+ DNS names should be like DNS:hostname
+ IPs should be like IP:1.2.3.4
+ Any number of aliases are accepted per server
+
+options can be:
+
+ -h, --help
+ show this message
+
+ -d, --directory DIRECTORY
+ change the default certificates install dir
+ default: ${dst}
+
+EOFUSAGE
+}
+
+while [ ! -z "${1}" ]; do
+ case "${1}" in
+ -h|--help)
+ show_usage
+ exit 0
+ ;;
+
+ -d|--directory)
+ dst="${2}"
+ echo >&2 "directory set to: ${dst}"
+ shift
+ ;;
+
+ *)
+ break 2
+ ;;
+ esac
+
+ shift
+done
+
+if [ -z "${1}" ]; then
+ show_usage
+ exit 1
+fi
+
+
+# Define a regular expression pattern for a valid canonical name
+valid_canonical_name_pattern="^[a-zA-Z0-9][a-zA-Z0-9.-]+$"
+
+# Check if ${1} matches the pattern
+if [[ ! "${1}" =~ ${valid_canonical_name_pattern} ]]; then
+ echo "Certificate name '${1}' is not valid."
+ exit 1
+fi
+
+# -----------------------------------------------------------------------------
+# Create the CA
+
+# stop on all errors
+set -e
+
+if [ $UID -ne 0 ]
+then
+ echo >&2 "Hey! sudo me: sudo ${me}"
+ exit 1
+fi
+
+if ! getent group systemd-journal >/dev/null 2>&1; then
+ echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
+ exit 1
+fi
+
+if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
+ echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
+ exit 1
+fi
+
+if [ ! -d "${dst}" ]
+then
+ mkdir -p "${dst}"
+ chown systemd-journal-remote:systemd-journal "${dst}"
+ chmod 750 "${dst}"
+fi
+
+cd "${dst}"
+
+test ! -f ca.conf && cat >ca.conf <<EOF
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+new_certs_dir = .
+certificate = ca.pem
+database = ./index
+private_key = ca.key
+serial = ./serial
+default_days = 3650
+default_md = default
+policy = policy_anything
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+EOF
+
+test ! -f index && touch index
+test ! -f serial && echo 0001 >serial
+
+if [ ! -f ca.pem -o ! -f ca.key ]; then
+ echo >&2 "Generating ca.pem ..."
+
+ openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out ca.pem -keyout ca.key -subj "/CN=systemd-journal-remote-ca/"
+ chown systemd-journal-remote:systemd-journal ca.pem
+ chmod 0640 ca.pem
+fi
+
+# -----------------------------------------------------------------------------
+# Create a server certificate
+
+generate_server_certificate() {
+ local cn="${1}"; shift
+
+ if [ ! -f "${cn}.pem" -o ! -f "${cn}.key" ]; then
+ if [ -z "${*}" ]; then
+ echo >"${cn}.conf"
+ else
+ echo "subjectAltName = $(echo "${@}" | tr " " ",")" >"${cn}.conf"
+ fi
+
+ echo >&2 "Generating server: ${cn}.pem and ${cn}.key ..."
+
+ openssl req -newkey rsa:2048 -nodes -out "${cn}.csr" -keyout "${cn}.key" -subj "/CN=${cn}/"
+ openssl ca -batch -config ca.conf -notext -in "${cn}.csr" -out "${cn}.pem" -extfile "${cn}.conf"
+ else
+ echo >&2 "certificates for ${cn} are already available."
+ fi
+
+ chown systemd-journal-remote:systemd-journal "${cn}.pem" "${cn}.key"
+ chmod 0640 "${cn}.pem" "${cn}.key"
+}
+
+
+# -----------------------------------------------------------------------------
+# Create a script to install the certificate on each server
+
+generate_install_script() {
+ local cn="${1}"
+ local dst="/etc/ssl/systemd-journal"
+
+ cat >"runme-on-${cn}.sh" <<EOFC1
+#!/usr/bin/env bash
+
+# stop on all errors
+set -e
+
+if [ \$UID -ne 0 ]; then
+ echo >&2 "Hey! sudo me: sudo \${0}"
+ exit 1
+fi
+
+# make sure the systemd-journal group exists
+# all certificates will be owned by this group
+if ! getent group systemd-journal >/dev/null 2>&1; then
+ echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
+ exit 1
+fi
+
+if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
+ echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
+ exit 1
+fi
+
+if [ ! -d ${dst} ]; then
+ echo >&2 "creating directory: ${dst}"
+ mkdir -p "${dst}"
+fi
+chown systemd-journal-remote:systemd-journal "${dst}"
+chmod 750 "${dst}"
+cd "${dst}"
+
+echo >&2 "saving trusted certificate file as: ${dst}/ca.pem"
+cat >ca.pem <<EOFCAPEM
+$(cat ca.pem)
+EOFCAPEM
+
+chown systemd-journal-remote:systemd-journal ca.pem
+chmod 0640 ca.pem
+
+echo >&2 "saving server ${cn} certificate file as: ${dst}/${cn}.pem"
+cat >"${cn}.pem" <<EOFSERPEM
+$(cat "${cn}.pem")
+EOFSERPEM
+
+chown systemd-journal-remote:systemd-journal "${cn}.pem"
+chmod 0640 "${cn}.pem"
+
+echo >&2 "saving server ${cn} key file as: ${dst}/${cn}.key"
+cat >"${cn}.key" <<EOFSERKEY
+$(cat "${cn}.key")
+EOFSERKEY
+
+chown systemd-journal-remote:systemd-journal "${cn}.key"
+chmod 0640 "${cn}.key"
+
+for cfg in /etc/systemd/journal-remote.conf /etc/systemd/journal-upload.conf
+do
+ if [ -f \${cfg} ]; then
+ # keep a backup of the file
+ test ! -f \${cfg}.orig && cp \${cfg} \${cfg}.orig
+
+ # fix its contents
+ echo >&2 "updating the certificates in \${cfg}"
+ sed -i "s|^#\\?\\s*ServerKeyFile=.*$|ServerKeyFile=${dst}/${cn}.key|" \${cfg}
+ sed -i "s|^#\\?\\s*ServerCertificateFile=.*$|ServerCertificateFile=${dst}/${cn}.pem|" \${cfg}
+ sed -i "s|^#\\?\\s*TrustedCertificateFile=.*$|TrustedCertificateFile=${dst}/ca.pem|" \${cfg}
+ fi
+done
+
+echo >&2 "certificates installed - you may need to restart services to active them"
+echo >&2
+echo >&2 "If this is a central server:"
+echo >&2 "# systemctl restart systemd-journal-remote.socket"
+echo >&2
+echo >&2 "If this is a passive client:"
+echo >&2 "# systemctl restart systemd-journal-upload.service"
+echo >&2
+echo >&2 "If this is an active client:"
+echo >&2 "# systemctl restart systemd-journal-gateway.socket"
+EOFC1
+
+ chmod 0700 "runme-on-${cn}.sh"
+}
+
+# -----------------------------------------------------------------------------
+# Create the client certificates
+
+generate_server_certificate "${@}"
+generate_install_script "${1}"
+
+
+# Set ANSI escape code for colors
+yellow_color="\033[1;33m"
+green_color="\033[0;32m"
+# Reset ANSI color after the message
+reset_color="\033[0m"
+
+
+echo >&2 -e "use this script to install it on ${1}: ${yellow_color}$(ls ${dst}/runme-on-${1}.sh)${reset_color}"
+echo >&2 "copy it to your server ${1}, like this:"
+echo >&2 -e "# ${green_color}scp ${dst}/runme-on-${1}.sh ${1}:/tmp/${reset_color}"
+echo >&2 "and then run it on that server to install the certificates"
+echo >&2