summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xbin/clean_challenge.nsupdate.sh26
-rwxr-xr-xbin/dehydrated-cron7
-rwxr-xr-xbin/dehydrated-hook.d297
-rwxr-xr-xbin/dehydrated-knotupdate83
-rwxr-xr-xbin/deploy_cert.fullchain-privkey.sh9
-rwxr-xr-xbin/deploy_cert.slapd.sh78
-rwxr-xr-xbin/deploy_challenge.nsupdate.sh26
-rwxr-xr-xbin/deploy_ocsp.fullchain-privkey.sh8
-rwxr-xr-xbin/exit_hook.fix-permissions.sh15
-rwxr-xr-xbin/exit_hook.service-reload.sh13
-rwxr-xr-xbin/exit_hook.slapd.sh42
11 files changed, 0 insertions, 604 deletions
diff --git a/bin/clean_challenge.nsupdate.sh b/bin/clean_challenge.nsupdate.sh
deleted file mode 100755
index 05ffb40..0000000
--- a/bin/clean_challenge.nsupdate.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-
-set -e
-
-NAMESERVERS="$(kdig -4 +short @ns.bfh.science ns.bfh.science)"
-ZONE="$(cat /etc/hostname | awk -F. '{ print $(NF-1) "." $NF}')"
-
-for NAMESERVER in ${NAMESERVERS}
-do
- echo -n " + Deleting TXT record (_acme-challenge.${DOMAIN})..."
-
- NSUPDATE="$(mktemp nsupdate.XXXX)"
-
-cat > "${NSUPDATE}" << EOF
-server ${NAMESERVER}
-zone ${ZONE}
-ttl 300
-update delete _acme-challenge.${DOMAIN} 300 TXT ${TOKEN_VALUE}
-send
-EOF
-
- knsupdate "${NSUPDATE}"
- rm -f "${NSUPDATE}"
-
- echo " done."
-done
diff --git a/bin/dehydrated-cron b/bin/dehydrated-cron
deleted file mode 100755
index bd3bcf5..0000000
--- a/bin/dehydrated-cron
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -e
-
-dehydrated -c
-dehydrated -gc
-rm -f /var/lib/dehydrated/archive/*
diff --git a/bin/dehydrated-hook.d b/bin/dehydrated-hook.d
deleted file mode 100755
index 62095e5..0000000
--- a/bin/dehydrated-hook.d
+++ /dev/null
@@ -1,297 +0,0 @@
-#!/bin/sh
-HOOKS_DIR="/etc/dehydrated/hook.d"
-
-deploy_challenge ()
-{
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
-
- # This hook is called once for every domain that needs to be
- # validated, including any alternative names you may have listed.
- #
- # Parameters:
- # - DOMAIN
- # The domain name (CN or subject alternative name) being
- # validated.
- # - TOKEN_FILENAME
- # The name of the file containing the token to be served for HTTP
- # validation. Should be served by your web server as
- # /.well-known/acme-challenge/${TOKEN_FILENAME}.
- # - TOKEN_VALUE
- # The token value that needs to be served for validation. For DNS
- # validation, this is what you want to put in the _acme-challenge
- # TXT record. For HTTP validation it is the value that is expected
- # be found in the $TOKEN_FILENAME file.
-
- export DOMAIN
- export TOKEN_FILENAME
- export TOKEN_VALUE
- run-parts --regex '^deploy_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset TOKEN_FILENAME
- unset TOKEN_VALUE
-}
-
-clean_challenge ()
-{
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
-
- # This hook is called after attempting to validate each domain,
- # whether or not validation was successful. Here you can delete
- # files or DNS records that are no longer needed.
- #
- # The parameters are the same as for deploy_challenge.
-
- export DOMAIN
- export TOKEN_FILENAME
- export TOKEN_VALUE
- run-parts --regex '^clean_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset TOKEN_FILENAME
- unset TOKEN_VALUE
-}
-
-sync_cert ()
-{
- local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
-
- # This hook is called after the certificates have been created but before
- # they are symlinked. This allows you to sync the files to disk to prevent
- # creating a symlink to empty files on unexpected system crashes.
- #
- # This hook is not intended to be used for further processing of certificate
- # files, see deploy_cert for that.
- #
- # Parameters:
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - REQUESTFILE
- # The path of the file containing the certificate signing request.
-
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- export REQUESTFILE
- run-parts --regex '^sync_cert.*.sh$' ${HOOKS_DIR}
- unset KEYFILE
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
- unset REQUESTFILE
-}
-
-deploy_cert ()
-{
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
-
- # This hook is called once for each certificate that has been
- # produced. Here you might, for instance, copy your new certificates
- # to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - TIMESTAMP
- # Timestamp when the specified certificate was created.
-
- export DOMAIN
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- export TIMESTAMP
- run-parts --regex '^deploy_cert.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
- unset TIMESTAMP
-}
-
-deploy_ocsp ()
-{
- local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
-
- # This hook is called once for each updated ocsp stapling file that has
- # been produced. Here you might, for instance, copy your new ocsp stapling
- # files to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - OCSPFILE
- # The path of the ocsp stapling file
- # - TIMESTAMP
- # Timestamp when the specified ocsp stapling file was created.
-
- export DOMAIN
- export OCSPFILE
- export TIMESTAMP
- run-parts --regex '^deploy_ocsp.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset OCSPFILE
- unset TIMESTAMP
-}
-
-unchanged_cert ()
-{
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
-
- # This hook is called once for each certificate that is still
- # valid and therefore wasn't reissued.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
-
- export DOMAIN
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- run-parts --regex '^unchanged_cert.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
-}
-
-invalid_challenge ()
-{
- local DOMAIN="${1}" RESPONSE="${2}"
-
- # This hook is called if the challenge response has failed, so domain
- # owners can be aware and act accordingly.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - RESPONSE
- # The response that the verification server returned
-
- # Simple example: Send mail to root
- # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
- export DOMAIN
- export RESPONSE
- run-parts --regex '^invalid_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset RESPONSE
-}
-
-request_failure ()
-{
- local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
-
- # This hook is called when an HTTP request fails (e.g., when the ACME
- # server is busy, returns an error, etc). It will be called upon any
- # response code that does not start with '2'. Useful to alert admins
- # about problems with requests.
- #
- # Parameters:
- # - STATUSCODE
- # The HTML status code that originated the error.
- # - REASON
- # The specified reason for the error.
- # - REQTYPE
- # The kind of request that was made (GET, POST...)
- # - HEADERS
- # HTTP headers returned by the CA
-
- export STATUSCODE
- export REASON
- export REQTYPE
- export HEADERS
- run-parts --regex '^request_failure.*.sh$' ${HOOKS_DIR}
- unset STATUSCODE
- unset REASON
- unset REQTYPE
- unset HEADERS
-}
-
-generate_csr ()
-{
- local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
-
- # This hook is called before any certificate signing operation takes place.
- # It can be used to generate or fetch a certificate signing request with external
- # tools.
- # The output should be just the cerificate signing request formatted as PEM.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain as specified in domains.txt. This does not need to
- # match with the domains in the CSR, it's basically just the directory name.
- # - CERTDIR
- # Certificate output directory for this particular certificate. Can be used
- # for storing additional files.
- # - ALTNAMES
- # All domain names for the current certificate as specified in domains.txt.
- # Again, this doesn't need to match with the CSR, it's just there for convenience.
-
- # Simple example: Look for pre-generated CSRs
- # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
- # cat "${CERTDIR}/pre-generated.csr"
- # fi
- export DOMAIN
- export CERTDIR
- export ALTNAMES
- run-parts --regex '^generate_csr.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTDIR
- unset ALTNAMES
-}
-
-startup_hook ()
-{
- # This hook is called before the cron command to do some initial tasks
- # (e.g. starting a webserver).
-
- run-parts --regex '^startup.*.sh$' ${HOOKS_DIR}
-}
-
-exit_hook ()
-{
- local ERROR="${1:-}"
-
- # This hook is called at the end of the cron command and can be used to
- # do some final (cleanup or other) tasks.
- #
- # Parameters:
- # - ERROR
- # Contains error message if dehydrated exits with error
- export ERROR
- run-parts --regex '^exit_hook.*.sh$' ${HOOKS_DIR}
- unset ERROR
-}
-
-HANDLER="$1"; shift
-if echo "${HANDLER}" | grep -o -E '^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$'
-then
- "$HANDLER" "$@"
-fi
diff --git a/bin/dehydrated-knotupdate b/bin/dehydrated-knotupdate
deleted file mode 100755
index 1a56f80..0000000
--- a/bin/dehydrated-knotupdate
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/bin/bash
-
-#
-# Example how to deploy a DNS challenge using nsupdate
-#
-# https://github.com/lukas2511/dehydrated/wiki/example-dns-01-nsupdate-script
-# slightly modified by kdrexel
-
-# example:
-#update add monitor2-test.bfh.host 7200 TXT "if-you-can-dig-it-everything-works-fine"
-#printf "server %s\nzone %s.\nttl %d\nupdate add _acme-challenge.%s. %d TXT \"%s\"\nsend\n" "${DNSSERVER}" "${ZONE}" "${TTL}" "${2}" "${TTL}" "${CHALLENGE}" | $NSUPDATE
-
-set -e
-set -u
-set -o pipefail
-
-if [ $# -lt 3 ]; then
- logger "$0 called with too few ARGS: $@"
- exit 42
-fi
-
-# Params from hook.sh
-DOMAIN="$2"
-CHALLENGE="$3"
-
-ZONE=$(cat /etc/hostname |awk -F '.' '{ print $(NF-1),$NF}'| sed -e 's/ /./')
-NSUPDATE="knsupdate"
-#NSUPDATE="nsupdate -k /path/to/Kdnsupdatekey.private" #bind only
-DNSSERVER=$(kdig -4 @ns.bfh.science ns.bfh.science +short)
-
-TTL=300
-
-case "$1" in
- "deploy_challenge")
- for NS in $DNSSERVER
- do
- TEMPFILE=$(tempfile -s -dehydrated)
- cat << EOF >> $TEMPFILE
-server $NS
-zone ${ZONE}.
-ttl $TTL
-update add _acme-challenge.${DOMAIN} $TTL TXT $CHALLENGE
-send
-EOF
- $NSUPDATE $TEMPFILE
- done
- ;;
-
- "clean_challenge")
- for NS in $DNSSERVER
- do
- TEMPFILE=$(tempfile -s -dehydrated-del)
- cat << EOF >> $TEMPFILE
-server $NS
-zone ${ZONE}.
-ttl $TTL
-update delete _acme-challenge.${DOMAIN} $TTL TXT $CHALLENGE
-send
-EOF
- if [ -t 1 ]
- then
- echo "Deleting TXT Record _acme-challenge.${DOMAIN}..."
- fi
- sleep 10
- $NSUPDATE $TEMPFILE
- done
- ;;
- "deploy_cert")
- # optional:
- # /path/to/deploy_cert.sh "$@"
- ;;
- "unchanged_cert")
- # do nothing for now
- ;;
- "startup_hook")
- # do nothing for now
- ;;
- "exit_hook")
- # do nothing for now
- ;;
-esac
-
-exit 0
diff --git a/bin/deploy_cert.fullchain-privkey.sh b/bin/deploy_cert.fullchain-privkey.sh
deleted file mode 100755
index 9946281..0000000
--- a/bin/deploy_cert.fullchain-privkey.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-set -e
-
-DIRECTORY="$(dirname ${FULLCHAINFILE})"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
-
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
diff --git a/bin/deploy_cert.slapd.sh b/bin/deploy_cert.slapd.sh
deleted file mode 100755
index e40060d..0000000
--- a/bin/deploy_cert.slapd.sh
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/sh
-
-set -e
-
-#CA_FROM_INTERNET="TRUE"
-CA_LINK_FILE_NAME="ca"
-CA_CHAIN_NAME="cachain"
-CERT_PATH="$(dirname ${CHAINFILE})"
-CA_LINK_FILE="${CERT_PATH}/${CA_LINK_FILE_NAME}.pem"
-
-Ca_from_internet ()
-{
- echo "Downloading CA file from internet!"
-
- ISSUER_URL="$(openssl x509 -in "${CHAINFILE}" -noout -text | grep 'CA Issuers' | cut -d ':' -f 2-)"
- TEMPDIR="$(mktemp -d /tmp/dehydrated-hook.XXXX)"
-
- wget --quiet "${ISSUER_URL}" -O "${TEMPDIR}/${CA_LINK_FILE_NAME}"
-
- if openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1
- then
- echo "Root certificate format is text PEM"
- /usr/bin/mv "${TEMPDIR}/${CA_LINK_FILE_NAME}" "${CA_LINK_FILE}.new"
- elif openssl x509 -inform DER -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1
- then
- echo "Root certificate format is binary DER"
- openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -inform DER -out "${CA_LINK_FILE}.new"
- elif openssl pkcs7 -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" > /dev/null 2>&1
- then
- echo "Root certificate format is binary pkcs7"
- openssl pkcs7 -print_certs -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -out "${CA_LINK_FILE}.new"
- elif openssl pkcs12 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -info > /dev/null 2>&1
- then
- echo "${0}: root certificate format is binary pkcs12"
- echo "Error, root certificate is in unhandled format." >&2
- exit 1
- else
- echo "${0}: error, root certificate is in unhandled format." >&2
- exit 1
- fi
-
- openssl verify -trusted "${CA_LINK_FILE}.new" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null
-
- CA_COMMON_NAME="$(openssl x509 -noout -subject -nameopt multiline -in "${CA_LINK_FILE}.new" | grep commonName | sed -n 's/ *commonName *= //p')"
- CA_FILE="${CERT_PATH}/${CA_COMMON_NAME}.pem"
-
- mv "${CA_LINK_FILE}.new" "${CA_FILE}"
- rm -rf "${TEMPDIR}"
-}
-
-unset CA_FILE
-
-for FILE in $(find /etc/ssl/certs -not -name "????????.?" -not -name ca-certificates.crt)
-do
- if openssl verify -no-CApath -CAfile "${FILE}" "${CHAINFILE}" > /dev/null 2>&1
- then
- CA_FILE="${FILE}"
- break
- fi
-done
-
-if [ -z "${CA_FILE}" ]
-then
- echo "Could not find root CA on this system."
-
- if [ "${CA_FROM_INTERNET}" = "TRUE" ]
- then
- Ca_from_internet
- else
- exit 1
- fi
-fi
-
-echo "Found trusted root CA file: ${CA_FILE}"
-ln -sf "${CA_FILE}" "${CA_LINK_FILE}"
-#cp "${CA_FILE}" "${CA_LINK_FILE}"
-openssl verify -trusted "${CA_LINK_FILE}" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null
-cat "${CA_LINK_FILE}" "${CHAINFILE}" "${CERTFILE}" > "${CERT_PATH}/${CA_CHAIN_NAME}.pem"
diff --git a/bin/deploy_challenge.nsupdate.sh b/bin/deploy_challenge.nsupdate.sh
deleted file mode 100755
index 3b55840..0000000
--- a/bin/deploy_challenge.nsupdate.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-
-set -e
-
-NAMESERVERS="$(kdig -4 +short @ns.bfh.science ns.bfh.science)"
-ZONE="$(cat /etc/hostname | awk -F. '{ print $(NF-1) "." $NF}')"
-
-for NAMESERVER in ${NAMESERVERS}
-do
- echo -n " + Adding TXT record (_acme-challenge.${DOMAIN})..."
-
- NSUPDATE="$(mktemp nsupdate.XXXX)"
-
-cat > "${NSUPDATE}" << EOF
-server ${NAMESERVER}
-zone ${ZONE}.
-ttl 300
-update add _acme-challenge.${DOMAIN} 300 TXT ${TOKEN_VALUE}
-send
-EOF
-
- knsupdate "${NSUPDATE}"
- rm -f "${NSUPDATE}"
-
- echo " done."
-done
diff --git a/bin/deploy_ocsp.fullchain-privkey.sh b/bin/deploy_ocsp.fullchain-privkey.sh
deleted file mode 100755
index 9418590..0000000
--- a/bin/deploy_ocsp.fullchain-privkey.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -e
-
-FILE="$(readlink ${OCSPFILE})"
-DIRECTORY="$(dirname ${OCSPFILE})"
-
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp"
diff --git a/bin/exit_hook.fix-permissions.sh b/bin/exit_hook.fix-permissions.sh
deleted file mode 100755
index 74074cd..0000000
--- a/bin/exit_hook.fix-permissions.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-echo " + Fixing permissions..."
-
-if getent group ssl-cert > /dev/null 2>&1
-then
- echo -n " + /var/lib/dehydrated/certs:"
-
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
-
- chown -R root:ssl-cert /var/lib/dehydrated/certs
-
- echo " done."
-fi
diff --git a/bin/exit_hook.service-reload.sh b/bin/exit_hook.service-reload.sh
deleted file mode 100755
index d434b71..0000000
--- a/bin/exit_hook.service-reload.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-echo " + Reloading services..."
-
-for PACKAGE in apache2 haproxy postgresql
-do
- if /usr/sbin/service ${PACKAGE} status > /dev/null 2>&1
- then
- echo -n " + ${PACKAGE}:"
- /usr/sbin/service ${PACKAGE} reload
- echo " done."
- fi
-done
diff --git a/bin/exit_hook.slapd.sh b/bin/exit_hook.slapd.sh
deleted file mode 100755
index 2cb74cf..0000000
--- a/bin/exit_hook.slapd.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-set -e
-
-NAME="$(cat /etc/hostname)"
-DEHYDRATED_PATH="/srv/${NAME}/dehydrated/certs/${NAME}"
-SLAPD_CERT_PATH="/etc/crypto/tls"
-CA_CHAIN_NAME="cachain"
-
-mkdir -p "${SLAPD_CERT_PATH}"
-unset CHANGE
-
-if ! cmp -s "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
- CHANGE=true
-fi
-
-if ! cmp -s "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
-then
- /usr/bin/cp "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
- CHANGE=true
-fi
-
-if [ ! -z ${CHANGE} ]
-then
- chmod 0640 /etc/crypto/tls/${NAME}*
- chgrp ssl-cert /etc/crypto/tls/${NAME}*
- systemctl restart slapd.service
-fi