summaryrefslogtreecommitdiffstats
path: root/src/collectors/systemd-journal.plugin/systemd-journal-self-signed-certs.sh
blob: ada735f1fbc2154f2ab8bb07220667ecd7dc1721 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
#!/usr/bin/env bash

me="${0}"
dst="/etc/ssl/systemd-journal"

show_usage() {
      cat <<EOFUSAGE

${me} [options] server_name alias1 alias2 ...

server_name
      the canonical name of the server on the certificates

aliasN
      a hostname or IP this server is reachable with
      DNS names should be like DNS:hostname
      IPs should be like IP:1.2.3.4
      Any number of aliases are accepted per server

options can be:

  -h, --help
      show this message

  -d, --directory DIRECTORY
      change the default certificates install dir
      default: ${dst}

EOFUSAGE
}

while [ ! -z "${1}" ]; do
      case "${1}" in
            -h|--help)
                  show_usage
                  exit 0
                  ;;

            -d|--directory)
                  dst="${2}"
                  echo >&2 "directory set to: ${dst}"
                  shift
                  ;;

            *)
                  break 2
                  ;;
      esac

      shift
done

if [ -z "${1}" ]; then
      show_usage
      exit 1
fi


# Define a regular expression pattern for a valid canonical name
valid_canonical_name_pattern="^[a-zA-Z0-9][a-zA-Z0-9.-]+$"

# Check if ${1} matches the pattern
if [[ ! "${1}" =~ ${valid_canonical_name_pattern} ]]; then
    echo "Certificate name '${1}' is not valid."
    exit 1
fi

# -----------------------------------------------------------------------------
# Create the CA

# stop on all errors
set -e

if [ $UID -ne 0 ]
then
      echo >&2 "Hey! sudo me: sudo ${me}"
      exit 1
fi

if ! getent group systemd-journal >/dev/null 2>&1; then
      echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
      exit 1
fi

if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
      echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
      exit 1
fi

if [ ! -d "${dst}" ]
then
      mkdir -p "${dst}"
      chown systemd-journal-remote:systemd-journal "${dst}"
      chmod 750 "${dst}"
fi

cd "${dst}"

test ! -f ca.conf && cat >ca.conf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = .
certificate = ca.pem
database = ./index
private_key = ca.key
serial = ./serial
default_days = 3650
default_md = default
policy = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOF

test ! -f index && touch index
test ! -f serial && echo 0001 >serial

if [ ! -f ca.pem -o ! -f ca.key ]; then
      echo >&2 "Generating ca.pem ..."

      openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out ca.pem -keyout ca.key -subj "/CN=systemd-journal-remote-ca/"
      chown systemd-journal-remote:systemd-journal ca.pem
      chmod 0640 ca.pem
fi

# -----------------------------------------------------------------------------
# Create a server certificate

generate_server_certificate() {
      local cn="${1}"; shift

      if [ ! -f "${cn}.pem" -o ! -f "${cn}.key" ]; then
            if [ -z "${*}" ]; then
                  echo >"${cn}.conf"
            else
                  echo "subjectAltName = $(echo "${@}" | tr " " ",")" >"${cn}.conf"
            fi

            echo >&2 "Generating server: ${cn}.pem and ${cn}.key ..."

            openssl req -newkey rsa:2048 -nodes -out "${cn}.csr" -keyout "${cn}.key" -subj "/CN=${cn}/"
            openssl ca -batch -config ca.conf -notext -in "${cn}.csr" -out "${cn}.pem" -extfile "${cn}.conf"
      else
            echo >&2 "certificates for ${cn} are already available."
      fi

      chown systemd-journal-remote:systemd-journal "${cn}.pem" "${cn}.key"
      chmod 0640 "${cn}.pem" "${cn}.key"
}


# -----------------------------------------------------------------------------
# Create a script to install the certificate on each server

generate_install_script() {
      local cn="${1}"
      local dst="/etc/ssl/systemd-journal"

      cat >"runme-on-${cn}.sh" <<EOFC1
#!/usr/bin/env bash

# stop on all errors
set -e

if [ \$UID -ne 0 ]; then
      echo >&2 "Hey! sudo me: sudo \${0}"
      exit 1
fi

# make sure the systemd-journal group exists
# all certificates will be owned by this group
if ! getent group systemd-journal >/dev/null 2>&1; then
      echo >&2 "Missing system group: systemd-journal. Did you install systemd-journald?"
      exit 1
fi

if ! getent passwd systemd-journal-remote >/dev/null 2>&1; then
      echo >&2 "Missing system user: systemd-journal-remote. Did you install systemd-journal-remote?"
      exit 1
fi

if [ ! -d ${dst} ]; then
      echo >&2 "creating directory: ${dst}"
      mkdir -p "${dst}"
fi
chown systemd-journal-remote:systemd-journal "${dst}"
chmod 750 "${dst}"
cd "${dst}"

echo >&2 "saving trusted certificate file as: ${dst}/ca.pem"
cat >ca.pem <<EOFCAPEM
$(cat ca.pem)
EOFCAPEM

chown systemd-journal-remote:systemd-journal ca.pem
chmod 0640 ca.pem

echo >&2 "saving server ${cn} certificate file as: ${dst}/${cn}.pem"
cat >"${cn}.pem" <<EOFSERPEM
$(cat "${cn}.pem")
EOFSERPEM

chown systemd-journal-remote:systemd-journal "${cn}.pem"
chmod 0640 "${cn}.pem"

echo >&2 "saving server ${cn} key file as: ${dst}/${cn}.key"
cat >"${cn}.key" <<EOFSERKEY
$(cat "${cn}.key")
EOFSERKEY

chown systemd-journal-remote:systemd-journal "${cn}.key"
chmod 0640 "${cn}.key"

for cfg in /etc/systemd/journal-remote.conf /etc/systemd/journal-upload.conf
do
      if [ -f \${cfg} ]; then
            # keep a backup of the file
            test ! -f \${cfg}.orig && cp \${cfg} \${cfg}.orig

            # fix its contents
            echo >&2 "updating the certificates in \${cfg}"
            sed -i "s|^#\\?\\s*ServerKeyFile=.*$|ServerKeyFile=${dst}/${cn}.key|" \${cfg}
            sed -i "s|^#\\?\\s*ServerCertificateFile=.*$|ServerCertificateFile=${dst}/${cn}.pem|" \${cfg}
            sed -i "s|^#\\?\\s*TrustedCertificateFile=.*$|TrustedCertificateFile=${dst}/ca.pem|" \${cfg}
      fi
done

echo >&2 "certificates installed - you may need to restart services to active them"
echo >&2
echo >&2 "If this is a central server:"
echo >&2 "# systemctl restart systemd-journal-remote.socket"
echo >&2
echo >&2 "If this is a passive client:"
echo >&2 "# systemctl restart systemd-journal-upload.service"
echo >&2
echo >&2 "If this is an active client:"
echo >&2 "# systemctl restart systemd-journal-gateway.socket"
EOFC1

      chmod 0700 "runme-on-${cn}.sh"
}

# -----------------------------------------------------------------------------
# Create the client certificates

generate_server_certificate "${@}"
generate_install_script "${1}"


# Set ANSI escape code for colors
yellow_color="\033[1;33m"
green_color="\033[0;32m"
# Reset ANSI color after the message
reset_color="\033[0m"


echo >&2 -e "use this script to install it on ${1}: ${yellow_color}$(ls ${dst}/runme-on-${1}.sh)${reset_color}"
echo >&2 "copy it to your server ${1}, like this:"
echo >&2 -e "# ${green_color}scp ${dst}/runme-on-${1}.sh ${1}:/tmp/${reset_color}"
echo >&2 "and then run it on that server to install the certificates"
echo >&2