-rwxr-xr-x | bin/clean_challenge.nsupdate.sh | 26 | ||||
-rwxr-xr-x | bin/dehydrated-cron | 7 | ||||
-rwxr-xr-x | bin/dehydrated-hook.d | 297 | ||||
-rwxr-xr-x | bin/dehydrated-knotupdate | 83 | ||||
-rwxr-xr-x | bin/deploy_cert.fullchain-privkey.sh | 9 | ||||
-rwxr-xr-x | bin/deploy_cert.slapd.sh | 78 | ||||
-rwxr-xr-x | bin/deploy_challenge.nsupdate.sh | 26 | ||||
-rwxr-xr-x | bin/deploy_ocsp.fullchain-privkey.sh | 8 | ||||
-rwxr-xr-x | bin/exit_hook.fix-permissions.sh | 15 | ||||
-rwxr-xr-x | bin/exit_hook.service-reload.sh | 13 | ||||
-rwxr-xr-x | bin/exit_hook.slapd.sh | 42 |
11 files changed, 0 insertions, 604 deletions
diff --git a/bin/clean_challenge.nsupdate.sh b/bin/clean_challenge.nsupdate.sh
deleted file mode 100755
index 05ffb40..0000000
--- a/bin/clean_challenge.nsupdate.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-
-set -e
-
-NAMESERVERS="$(kdig -4 +short @ns.bfh.science ns.bfh.science)"
-ZONE="$(cat /etc/hostname | awk -F. '{ print $(NF-1) "." $NF}')"
-
-for NAMESERVER in ${NAMESERVERS}
-do
- echo -n " + Deleting TXT record (_acme-challenge.${DOMAIN})..."
-
- NSUPDATE="$(mktemp nsupdate.XXXX)"
-
-cat > "${NSUPDATE}" << EOF
-server ${NAMESERVER}
-zone ${ZONE}
-ttl 300
-update delete _acme-challenge.${DOMAIN} 300 TXT ${TOKEN_VALUE}
-send
-EOF
-
- knsupdate "${NSUPDATE}"
- rm -f "${NSUPDATE}"
-
- echo " done."
-done
diff --git a/bin/dehydrated-cron b/bin/dehydrated-cron
deleted file mode 100755
index bd3bcf5..0000000
--- a/bin/dehydrated-cron
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -e
-
-dehydrated -c
-dehydrated -gc
-rm -f /var/lib/dehydrated/archive/*
diff --git a/bin/dehydrated-hook.d b/bin/dehydrated-hook.d
deleted file mode 100755
index 62095e5..0000000
--- a/bin/dehydrated-hook.d
+++ /dev/null
@@ -1,297 +0,0 @@ -#!/bin/sh -HOOKS_DIR="/etc/dehydrated/hook.d" - -deploy_challenge () -{ - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - - # This hook is called once for every domain that needs to be - # validated, including any alternative names you may have listed. - # - # Parameters: - # - DOMAIN - # The domain name (CN or subject alternative name) being - # validated. - # - TOKEN_FILENAME - # The name of the file containing the token to be served for HTTP - # validation. Should be served by your web server as - # /.well-known/acme-challenge/${TOKEN_FILENAME}. - # - TOKEN_VALUE - # The token value that needs to be served for validation. For DNS - # validation, this is what you want to put in the _acme-challenge - # TXT record. For HTTP validation it is the value that is expected - # be found in the $TOKEN_FILENAME file. - - export DOMAIN - export TOKEN_FILENAME - export TOKEN_VALUE - run-parts --regex '^deploy_challenge.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset TOKEN_FILENAME - unset TOKEN_VALUE -} - -clean_challenge () -{ - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - - # This hook is called after attempting to validate each domain, - # whether or not validation was successful. Here you can delete - # files or DNS records that are no longer needed. - # - # The parameters are the same as for deploy_challenge. - - export DOMAIN - export TOKEN_FILENAME - export TOKEN_VALUE - run-parts --regex '^clean_challenge.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset TOKEN_FILENAME - unset TOKEN_VALUE -} - -sync_cert () -{ - local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" - - # This hook is called after the certificates have been created but before - # they are symlinked. This allows you to sync the files to disk to prevent - # creating a symlink to empty files on unexpected system crashes. 
- # - # This hook is not intended to be used for further processing of certificate - # files, see deploy_cert for that. - # - # Parameters: - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - REQUESTFILE - # The path of the file containing the certificate signing request. - - export KEYFILE - export CERTFILE - export FULLCHAINFILE - export CHAINFILE - export REQUESTFILE - run-parts --regex '^sync_cert.*.sh$' ${HOOKS_DIR} - unset KEYFILE - unset CERTFILE - unset FULLCHAINFILE - unset CHAINFILE - unset REQUESTFILE -} - -deploy_cert () -{ - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" - - # This hook is called once for each certificate that has been - # produced. Here you might, for instance, copy your new certificates - # to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - TIMESTAMP - # Timestamp when the specified certificate was created. 
- - export DOMAIN - export KEYFILE - export CERTFILE - export FULLCHAINFILE - export CHAINFILE - export TIMESTAMP - run-parts --regex '^deploy_cert.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset CERTFILE - unset FULLCHAINFILE - unset CHAINFILE - unset TIMESTAMP -} - -deploy_ocsp () -{ - local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" - - # This hook is called once for each updated ocsp stapling file that has - # been produced. Here you might, for instance, copy your new ocsp stapling - # files to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - OCSPFILE - # The path of the ocsp stapling file - # - TIMESTAMP - # Timestamp when the specified ocsp stapling file was created. - - export DOMAIN - export OCSPFILE - export TIMESTAMP - run-parts --regex '^deploy_ocsp.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset OCSPFILE - unset TIMESTAMP -} - -unchanged_cert () -{ - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" - - # This hook is called once for each certificate that is still - # valid and therefore wasn't reissued. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). 
- - export DOMAIN - export KEYFILE - export CERTFILE - export FULLCHAINFILE - export CHAINFILE - run-parts --regex '^unchanged_cert.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset CERTFILE - unset FULLCHAINFILE - unset CHAINFILE -} - -invalid_challenge () -{ - local DOMAIN="${1}" RESPONSE="${2}" - - # This hook is called if the challenge response has failed, so domain - # owners can be aware and act accordingly. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - RESPONSE - # The response that the verification server returned - - # Simple example: Send mail to root - # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root - export DOMAIN - export RESPONSE - run-parts --regex '^invalid_challenge.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset RESPONSE -} - -request_failure () -{ - local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" - - # This hook is called when an HTTP request fails (e.g., when the ACME - # server is busy, returns an error, etc). It will be called upon any - # response code that does not start with '2'. Useful to alert admins - # about problems with requests. - # - # Parameters: - # - STATUSCODE - # The HTML status code that originated the error. - # - REASON - # The specified reason for the error. - # - REQTYPE - # The kind of request that was made (GET, POST...) - # - HEADERS - # HTTP headers returned by the CA - - export STATUSCODE - export REASON - export REQTYPE - export HEADERS - run-parts --regex '^request_failure.*.sh$' ${HOOKS_DIR} - unset STATUSCODE - unset REASON - unset REQTYPE - unset HEADERS -} - -generate_csr () -{ - local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" - - # This hook is called before any certificate signing operation takes place. - # It can be used to generate or fetch a certificate signing request with external - # tools. - # The output should be just the cerificate signing request formatted as PEM. 
- # - # Parameters: - # - DOMAIN - # The primary domain as specified in domains.txt. This does not need to - # match with the domains in the CSR, it's basically just the directory name. - # - CERTDIR - # Certificate output directory for this particular certificate. Can be used - # for storing additional files. - # - ALTNAMES - # All domain names for the current certificate as specified in domains.txt. - # Again, this doesn't need to match with the CSR, it's just there for convenience. - - # Simple example: Look for pre-generated CSRs - # if [ -e "${CERTDIR}/pre-generated.csr" ]; then - # cat "${CERTDIR}/pre-generated.csr" - # fi - export DOMAIN - export CERTDIR - export ALTNAMES - run-parts --regex '^generate_csr.*.sh$' ${HOOKS_DIR} - unset DOMAIN - unset CERTDIR - unset ALTNAMES -} - -startup_hook () -{ - # This hook is called before the cron command to do some initial tasks - # (e.g. starting a webserver). - - run-parts --regex '^startup.*.sh$' ${HOOKS_DIR} -} - -exit_hook () -{ - local ERROR="${1:-}" - - # This hook is called at the end of the cron command and can be used to - # do some final (cleanup or other) tasks. - # - # Parameters: - # - ERROR - # Contains error message if dehydrated exits with error - export ERROR - run-parts --regex '^exit_hook.*.sh$' ${HOOKS_DIR} - unset ERROR -} - -HANDLER="$1"; shift -if echo "${HANDLER}" | grep -o -E '^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$' -then - "$HANDLER" "$@" -fi diff --git a/bin/dehydrated-knotupdate b/bin/dehydrated-knotupdate deleted file mode 100755 index 1a56f80..0000000 --- a/bin/dehydrated-knotupdate +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/bin/bash - -# -# Example how to deploy a DNS challenge using nsupdate -# -# https://github.com/lukas2511/dehydrated/wiki/example-dns-01-nsupdate-script -# slightly modified by kdrexel - -# example: -#update add monitor2-test.bfh.host 7200 TXT "if-you-can-dig-it-everything-works-fine" -#printf "server %s\nzone %s.\nttl %d\nupdate add _acme-challenge.%s. %d TXT \"%s\"\nsend\n" "${DNSSERVER}" "${ZONE}" "${TTL}" "${2}" "${TTL}" "${CHALLENGE}" | $NSUPDATE - -set -e -set -u -set -o pipefail - -if [ $# -lt 3 ]; then - logger "$0 called with too few ARGS: $@" - exit 42 -fi - -# Params from hook.sh -DOMAIN="$2" -CHALLENGE="$3" - -ZONE=$(cat /etc/hostname |awk -F '.' '{ print $(NF-1),$NF}'| sed -e 's/ /./') -NSUPDATE="knsupdate" -#NSUPDATE="nsupdate -k /path/to/Kdnsupdatekey.private" #bind only -DNSSERVER=$(kdig -4 @ns.bfh.science ns.bfh.science +short) - -TTL=300 - -case "$1" in - "deploy_challenge") - for NS in $DNSSERVER - do - TEMPFILE=$(tempfile -s -dehydrated) - cat << EOF >> $TEMPFILE -server $NS -zone ${ZONE}. -ttl $TTL -update add _acme-challenge.${DOMAIN} $TTL TXT $CHALLENGE -send -EOF - $NSUPDATE $TEMPFILE - done - ;; - - "clean_challenge") - for NS in $DNSSERVER - do - TEMPFILE=$(tempfile -s -dehydrated-del) - cat << EOF >> $TEMPFILE -server $NS -zone ${ZONE}. -ttl $TTL -update delete _acme-challenge.${DOMAIN} $TTL TXT $CHALLENGE -send -EOF - if [ -t 1 ] - then - echo "Deleting TXT Record _acme-challenge.${DOMAIN}..." - fi - sleep 10 - $NSUPDATE $TEMPFILE - done - ;; - "deploy_cert") - # optional: - # /path/to/deploy_cert.sh "$@" - ;; - "unchanged_cert") - # do nothing for now - ;; - "startup_hook") - # do nothing for now - ;; - "exit_hook") - # do nothing for now - ;; -esac - -exit 0 diff --git a/bin/deploy_cert.fullchain-privkey.sh b/bin/deploy_cert.fullchain-privkey.sh deleted file mode 100755 index 9946281..0000000 --- a/bin/deploy_cert.fullchain-privkey.sh +++ /dev/null 
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-set -e
-
-DIRECTORY="$(dirname ${FULLCHAINFILE})"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
-
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
diff --git a/bin/deploy_cert.slapd.sh b/bin/deploy_cert.slapd.sh
deleted file mode 100755
index e40060d..0000000
--- a/bin/deploy_cert.slapd.sh
+++ /dev/null
@@ -1,78 +0,0 @@ -#!/bin/sh - -set -e - -#CA_FROM_INTERNET="TRUE" -CA_LINK_FILE_NAME="ca" -CA_CHAIN_NAME="cachain" -CERT_PATH="$(dirname ${CHAINFILE})" -CA_LINK_FILE="${CERT_PATH}/${CA_LINK_FILE_NAME}.pem" - -Ca_from_internet () -{ - echo "Downloading CA file from internet!" - - ISSUER_URL="$(openssl x509 -in "${CHAINFILE}" -noout -text | grep 'CA Issuers' | cut -d ':' -f 2-)" - TEMPDIR="$(mktemp -d /tmp/dehydrated-hook.XXXX)" - - wget --quiet "${ISSUER_URL}" -O "${TEMPDIR}/${CA_LINK_FILE_NAME}" - - if openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1 - then - echo "Root certificate format is text PEM" - /usr/bin/mv "${TEMPDIR}/${CA_LINK_FILE_NAME}" "${CA_LINK_FILE}.new" - elif openssl x509 -inform DER -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1 - then - echo "Root certificate format is binary DER" - openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -inform DER -out "${CA_LINK_FILE}.new" - elif openssl pkcs7 -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" > /dev/null 2>&1 - then - echo "Root certificate format is binary pkcs7" - openssl pkcs7 -print_certs -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -out "${CA_LINK_FILE}.new" - elif openssl pkcs12 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -info > /dev/null 2>&1 - then - echo "${0}: root certificate format is binary pkcs12" - echo "Error, root certificate is in unhandled format." >&2 - exit 1 - else - echo "${0}: error, root certificate is in unhandled format." >&2 - exit 1 - fi - - openssl verify -trusted "${CA_LINK_FILE}.new" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null - - CA_COMMON_NAME="$(openssl x509 -noout -subject -nameopt multiline -in "${CA_LINK_FILE}.new" | grep commonName | sed -n 's/ *commonName *= //p')" - CA_FILE="${CERT_PATH}/${CA_COMMON_NAME}.pem" - - mv "${CA_LINK_FILE}.new" "${CA_FILE}" - rm -rf "${TEMPDIR}" -} - -unset CA_FILE - -for FILE in $(find /etc/ssl/certs -not -name "????????.?" 
-not -name ca-certificates.crt) -do - if openssl verify -no-CApath -CAfile "${FILE}" "${CHAINFILE}" > /dev/null 2>&1 - then - CA_FILE="${FILE}" - break - fi -done - -if [ -z "${CA_FILE}" ] -then - echo "Could not find root CA on this system." - - if [ "${CA_FROM_INTERNET}" = "TRUE" ] - then - Ca_from_internet - else - exit 1 - fi -fi - -echo "Found trusted root CA file: ${CA_FILE}" -ln -sf "${CA_FILE}" "${CA_LINK_FILE}" -#cp "${CA_FILE}" "${CA_LINK_FILE}" -openssl verify -trusted "${CA_LINK_FILE}" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null -cat "${CA_LINK_FILE}" "${CHAINFILE}" "${CERTFILE}" > "${CERT_PATH}/${CA_CHAIN_NAME}.pem" diff --git a/bin/deploy_challenge.nsupdate.sh b/bin/deploy_challenge.nsupdate.sh deleted file mode 100755 index 3b55840..0000000 --- a/bin/deploy_challenge.nsupdate.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -set -e - -NAMESERVERS="$(kdig -4 +short @ns.bfh.science ns.bfh.science)" -ZONE="$(cat /etc/hostname | awk -F. '{ print $(NF-1) "." $NF}')" - -for NAMESERVER in ${NAMESERVERS} -do - echo -n " + Adding TXT record (_acme-challenge.${DOMAIN})..." - - NSUPDATE="$(mktemp nsupdate.XXXX)" - -cat > "${NSUPDATE}" << EOF -server ${NAMESERVER} -zone ${ZONE}. -ttl 300 -update add _acme-challenge.${DOMAIN} 300 TXT ${TOKEN_VALUE} -send -EOF - - knsupdate "${NSUPDATE}" - rm -f "${NSUPDATE}" - - echo " done." -done diff --git a/bin/deploy_ocsp.fullchain-privkey.sh b/bin/deploy_ocsp.fullchain-privkey.sh deleted file mode 100755 index 9418590..0000000 --- a/bin/deploy_ocsp.fullchain-privkey.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -set -e - -FILE="$(readlink ${OCSPFILE})" -DIRECTORY="$(dirname ${OCSPFILE})" - -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp" diff --git a/bin/exit_hook.fix-permissions.sh b/bin/exit_hook.fix-permissions.sh deleted file mode 100755 index 74074cd..0000000 --- a/bin/exit_hook.fix-permissions.sh +++ /dev/null 
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-echo " + Fixing permissions..."
-
-if getent group ssl-cert > /dev/null 2>&1
-then
- echo -n " + /var/lib/dehydrated/certs:"
-
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
-
- chown -R root:ssl-cert /var/lib/dehydrated/certs
-
- echo " done."
-fi
diff --git a/bin/exit_hook.service-reload.sh b/bin/exit_hook.service-reload.sh
deleted file mode 100755
index d434b71..0000000
--- a/bin/exit_hook.service-reload.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-echo " + Reloading services..."
-
-for PACKAGE in apache2 haproxy postgresql
-do
- if /usr/sbin/service ${PACKAGE} status > /dev/null 2>&1
- then
- echo -n " + ${PACKAGE}:"
- /usr/sbin/service ${PACKAGE} reload
- echo " done."
- fi
-done
diff --git a/bin/exit_hook.slapd.sh b/bin/exit_hook.slapd.sh
deleted file mode 100755
index 2cb74cf..0000000
--- a/bin/exit_hook.slapd.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-set -e
-
-NAME="$(cat /etc/hostname)"
-DEHYDRATED_PATH="/srv/${NAME}/dehydrated/certs/${NAME}"
-SLAPD_CERT_PATH="/etc/crypto/tls"
-CA_CHAIN_NAME="cachain"
-
-mkdir -p "${SLAPD_CERT_PATH}"
-unset CHANGE
-
-if ! cmp -s "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
- CHANGE=true
-fi
-
-if [ ! -z ${CHANGE} ]
-then
- chmod 0640 /etc/crypto/tls/${NAME}*
- chgrp ssl-cert /etc/crypto/tls/${NAME}*
- systemctl restart slapd.service
-fi