#!/usr/bin/env bash
# Name this script was invoked as; shown in the usage text and sudo hints.
me=$0
# Directory holding the CA and every generated certificate; -d overrides it.
dst=/etc/ssl/systemd-journal
# Print the command-line help to stdout, one line per argument.
# Reads the globals ${me} (script name) and ${dst} (current install
# directory) at call time, so the default shown reflects any -d parsed so far.
show_usage() {
  printf '%s\n' \
    "${me} [options] server_name alias1 alias2 ..." \
    "server_name" \
    "the canonical name of the server on the certificates" \
    "aliasN" \
    "a hostname or IP this server is reachable with" \
    "DNS names should be like DNS:hostname" \
    "IPs should be like IP:1.2.3.4" \
    "Any number of aliases are accepted per server" \
    "options can be:" \
    "-h, --help" \
    "show this message" \
    "-d, --directory DIRECTORY" \
    "change the default certificates install dir" \
    "default: ${dst}"
}
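# -----------------------------------------------------------------------------
# Parse the options, then validate the server name and its aliases.
while [[ -n "${1}" ]]; do
  case "${1}" in
    -h|--help)
      show_usage
      exit 0
      ;;
    -d|--directory)
      # An empty DIRECTORY would later surface as `mkdir -p ""` / `cd ""`
      # failing under set -e with an unhelpful message; refuse it here.
      if [[ -z "${2}" ]]; then
        echo >&2 "option ${1} requires a DIRECTORY argument"
        exit 1
      fi
      dst="${2}"
      echo >&2 "directory set to: ${dst}"
      shift
      ;;
    *)
      # first non-option argument is the server name: stop option parsing
      break
      ;;
  esac
  shift
done
if [[ -z "${1}" ]]; then
  show_usage
  exit 1
fi
# The canonical name is reused as a file-name stem, inside the openssl -subj
# string and inside sed replacement strings of the generated install script.
# This pattern is what keeps those uses safe: no '/', whitespace, '&', '|',
# ',' or shell metacharacters can get through.
valid_canonical_name_pattern="^[a-zA-Z0-9][a-zA-Z0-9.-]+$"
if [[ ! "${1}" =~ ${valid_canonical_name_pattern} ]]; then
  echo >&2 "Certificate name '${1}' is not valid."
  exit 1
fi
# Every alias becomes one entry of the single subjectAltName line written to
# the openssl extension file. Require the documented TYPE:value shape and
# reject whitespace, commas and newlines, so one alias can neither turn into
# several SAN entries nor smuggle in an unrelated extension line.
valid_alias_pattern="^[A-Za-z]+:[A-Za-z0-9._:-]+$"
for san_entry in "${@:2}"; do
  if [[ ! "${san_entry}" =~ ${valid_alias_pattern} ]]; then
    echo >&2 "Alias '${san_entry}' is not valid; expected DNS:hostname or IP:address"
    exit 1
  fi
done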
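# -----------------------------------------------------------------------------
# Create the CA
# stop on all errors
set -e
if [[ ${UID} -ne 0 ]]; then
  echo >&2 "Hey! sudo me: sudo ${me}"
  exit 1
fi
if ! getent group systemd-journal >/dev/null 2>&1; then
  echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
  exit 1
fi
if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
  echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
  exit 1
fi
# The directory is owned by the service user so it can read the certificates
# that end up here. NOTE(review): owning the directory also lets that user
# unlink or replace files inside it, including the root-owned CA key and the
# CA database below. If that matters in your threat model, run this script on
# an admin host rather than on the collector itself.
if [[ ! -d "${dst}" ]]; then
  mkdir -p "${dst}"
  chown systemd-journal-remote:systemd-journal "${dst}"
  chmod 750 "${dst}"
fi
cd "${dst}"
# Minimal openssl ca(1) configuration: a single policy that only requires a
# commonName, so the server CSRs sign without interactive prompts.
if [[ ! -f ca.conf ]]; then
  cat >ca.conf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = .
certificate = ca.pem
database = ./index
private_key = ca.key
serial = ./serial
default_days = 3650
default_md = default
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
fi
# CA database and serial counter, created once and then maintained by openssl
[[ -f index ]] || touch index
[[ -f serial ]] || echo 0001 >serial
# Refuse to continue when only one half of the CA keypair is present:
# regenerating would silently create a brand-new CA, and every host that
# already trusts the old ca.pem would stop validating. Moving the stale file
# aside must be a deliberate decision.
if [[ -f ca.pem && ! -f ca.key ]] || [[ ! -f ca.pem && -f ca.key ]]; then
  echo >&2 "Found only one of ${dst}/ca.pem and ${dst}/ca.key; refusing to regenerate the CA."
  echo >&2 "Move the remaining file away if you really want a new CA."
  exit 1
fi
if [[ ! -f ca.pem ]]; then
  echo >&2 "Generating ca.pem ..."
  # umask 077 keeps the new key unreadable by others from the moment it is
  # written; the explicit chmods below then open only what must be readable.
  ( umask 077; openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out ca.pem -keyout ca.key -subj "/CN=systemd-journal-remote-ca/" )
  # the CA certificate is public material: the service user/group may read it
  chown systemd-journal-remote:systemd-journal ca.pem
  chmod 0640 ca.pem
fi
# The CA private key is only ever used by root (`openssl ca` below). Keep it
# root-owned and unreadable by anyone else, whatever umask it was created with.
chmod 0600 ca.key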
# -----------------------------------------------------------------------------
# Create a server certificate
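# Create (once) a private key and a CA-signed certificate for one server.
# Globals:   cwd must be the CA directory (ca.conf, ca.pem, ca.key, index,
#            serial); runs under the script-level set -e
# Arguments: $1   - canonical name: becomes the CN and the file-name stem.
#                   Must already be validated by the caller (no '/',
#                   whitespace or shell metacharacters) because it is spliced
#                   into -subj and into file paths.
#            $2.. - subjectAltName entries, e.g. DNS:host or IP:1.2.3.4
# Outputs:   ${cn}.key and ${cn}.pem in the current directory (plus the
#            ${cn}.csr and ${cn}.conf by-products); progress on stderr
# Returns:   non-zero (exits under set -e) when openssl, chown or chmod fails
generate_server_certificate() {
  local cn="${1}"; shift
  if [[ ! -f "${cn}.pem" || ! -f "${cn}.key" ]]; then
    # Extension file for `openssl ca`: one subjectAltName line, or just a
    # newline when no aliases were given. Aliases are joined verbatim with
    # commas, so the caller must have rejected whitespace, commas and
    # newlines in them.
    # NOTE(review): without aliases the certificate carries a CN and no SAN;
    # confirm the journal-upload/journal-remote peers accept CN-only names.
    if [[ -z "${*}" ]]; then
      echo >"${cn}.conf"
    else
      local san
      san=$(IFS=','; printf '%s' "${*}")
      echo "subjectAltName = ${san}" >"${cn}.conf"
    fi
    echo >&2 "Generating server: ${cn}.pem and ${cn}.key ..."
    # umask 077 keeps the fresh private key unreadable by others until the
    # explicit chmod below decides who may read it.
    ( umask 077; openssl req -newkey rsa:2048 -nodes -out "${cn}.csr" -keyout "${cn}.key" -subj "/CN=${cn}/" )
    openssl ca -batch -config ca.conf -notext -in "${cn}.csr" -out "${cn}.pem" -extfile "${cn}.conf"
  else
    echo >&2 "certificates for ${cn} are already available."
  fi
  # NOTE(review): 0640 with group systemd-journal lets every member of that
  # group on this host read the server's private key; that is only needed
  # when this host is itself the collector that will use ${cn}.key.
  chown systemd-journal-remote:systemd-journal "${cn}.pem" "${cn}.key"
  chmod 0640 "${cn}.pem" "${cn}.key"
}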
# -----------------------------------------------------------------------------
# Create a script to install the certificate on each server
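# Write runme-on-${cn}.sh: a self-contained installer that carries ca.pem,
# ${cn}.pem and ${cn}.key inline and drops them on the target host.
# Globals:   cwd must be the CA directory holding ca.pem, ${cn}.pem, ${cn}.key
# Arguments: $1 - canonical name of the server. Must already be validated by
#            the caller (no '/', whitespace, '&' or '|'): it is spliced into
#            file paths and into sed replacement strings below.
# Outputs:   runme-on-${cn}.sh (mode 0700, contains the private key) in the
#            current directory
# Returns:   1 when one of the three source files cannot be read (nothing is
#            written in that case); non-zero from cat/chmod otherwise
generate_install_script() {
  local cn="${1}"
  # Deliberately NOT the global ${dst}: the target host always installs under
  # the default path, whatever -d was used to place the CA on this host.
  local dst="/etc/ssl/systemd-journal"
  # Fail loudly instead of generating an installer with empty PEM blocks:
  # a failing $(cat ...) inside the here-doc would not trip set -e.
  local src
  for src in ca.pem "${cn}.pem" "${cn}.key"; do
    if [[ ! -r "${src}" ]]; then
      echo >&2 "cannot read ${src}; not generating runme-on-${cn}.sh"
      return 1
    fi
  done
  # The outer here-doc is unquoted: ${dst}, ${cn} and the $(cat ...) blocks
  # expand NOW on the CA host, while the escaped \$... forms are kept literal
  # for the target host. umask 077 makes the file private from creation,
  # since it embeds the server's private key.
  (
    umask 077
    cat >"runme-on-${cn}.sh" <<EOFC1
#!/usr/bin/env bash
# Installer for the systemd-journal TLS material of ${cn}.
# WARNING: this file embeds the private key of ${cn}. Keep it readable by
# root only and delete it from every host once the certificates are in place.
# stop on all errors
set -e
# every file below gets an explicit chmod; the umask only closes the window
# between creation and that chmod
umask 077
if [ \$UID -ne 0 ]; then
  echo >&2 "Hey! sudo me: sudo \${0}"
  exit 1
fi
# make sure the systemd-journal group exists
# all certificates will be owned by this group
if ! getent group systemd-journal >/dev/null 2>&1; then
  echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
  exit 1
fi
if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
  echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
  exit 1
fi
if [ ! -d "${dst}" ]; then
  echo >&2 "creating directory: ${dst}"
  mkdir -p "${dst}"
fi
chown systemd-journal-remote:systemd-journal "${dst}"
chmod 750 "${dst}"
cd "${dst}"
# quoted here-doc delimiters: the PEM blocks are copied verbatim, never expanded
echo >&2 "saving trusted certificate file as: ${dst}/ca.pem"
cat >ca.pem <<'EOFCAPEM'
$(cat ca.pem)
EOFCAPEM
chown systemd-journal-remote:systemd-journal ca.pem
chmod 0640 ca.pem
echo >&2 "saving server ${cn} certificate file as: ${dst}/${cn}.pem"
cat >"${cn}.pem" <<'EOFSERPEM'
$(cat "${cn}.pem")
EOFSERPEM
chown systemd-journal-remote:systemd-journal "${cn}.pem"
chmod 0640 "${cn}.pem"
echo >&2 "saving server ${cn} key file as: ${dst}/${cn}.key"
cat >"${cn}.key" <<'EOFSERKEY'
$(cat "${cn}.key")
EOFSERKEY
# readable by the service user and the systemd-journal group only
chown systemd-journal-remote:systemd-journal "${cn}.key"
chmod 0640 "${cn}.key"
for cfg in /etc/systemd/journal-remote.conf /etc/systemd/journal-upload.conf; do
  if [ -f "\${cfg}" ]; then
    # keep a backup of the file
    if [ ! -f "\${cfg}.orig" ]; then
      cp "\${cfg}" "\${cfg}.orig"
    fi
    # fix its contents: only existing (possibly commented-out) keys are
    # rewritten; \? and \s are GNU sed extensions
    echo >&2 "updating the certificates in \${cfg}"
    sed -i "s|^#\\?\\s*ServerKeyFile=.*$|ServerKeyFile=${dst}/${cn}.key|" "\${cfg}"
    sed -i "s|^#\\?\\s*ServerCertificateFile=.*$|ServerCertificateFile=${dst}/${cn}.pem|" "\${cfg}"
    sed -i "s|^#\\?\\s*TrustedCertificateFile=.*$|TrustedCertificateFile=${dst}/ca.pem|" "\${cfg}"
    # the substitutions above are silent no-ops when a key is absent; say so
    for key in ServerKeyFile ServerCertificateFile TrustedCertificateFile; do
      if ! grep -q "^\${key}=" "\${cfg}"; then
        echo >&2 "WARNING: \${key} is not present in \${cfg}; add it by hand"
      fi
    done
  fi
done
echo >&2 "certificates installed - you may need to restart services to activate them"
echo >&2
echo >&2 "If this is a central server:"
echo >&2 "# systemctl restart systemd-journal-remote.socket"
echo >&2
echo >&2 "If this is a passive client:"
echo >&2 "# systemctl restart systemd-journal-upload.service"
echo >&2
echo >&2 "If this is an active client:"
echo >&2 "# systemctl restart systemd-journal-gateway.socket"
echo >&2
echo >&2 "This script embeds the private key of ${cn}; remove it now: rm -f -- \${0}"
EOFC1
  )
  # executable by root only: it carries the private key
  chmod 0700 "runme-on-${cn}.sh"
}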
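# -----------------------------------------------------------------------------
# Create the client certificates
generate_server_certificate "${@}"
generate_install_script "${1}"
# Set ANSI escape code for colors
yellow_color="\033[1;33m"
green_color="\033[0;32m"
# Reset ANSI color after the message
reset_color="\033[0m"
# We are inside ${dst} (cd above), so ${PWD} is the absolute path of the CA
# directory whether -d was given absolute or relative; the previous
# `ls ${dst}/...` printed nothing for a relative -d once we had cd'ed into it.
script="${PWD}/runme-on-${1}.sh"
echo >&2 -e "use this script to install it on ${1}: ${yellow_color}${script}${reset_color}"
echo >&2 "copy it to your server ${1}, like this:"
echo >&2 -e "# ${green_color}scp ${script} ${1}:/tmp/${reset_color}"
echo >&2 "and then run it on that server to install the certificates"
echo >&2 "NOTE: the script embeds the private key of ${1}: keep it root-only (mode 0700) and delete it from both hosts once it has run"
echo >&2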