LibertaCasa/system
9
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Wiki Activity

Update certificate hook script

Browse Source 
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
Georg Pfuetzenreuter 2022-05-31 21:51:28 +02:00
parent f33ae8debd
commit f655c72534
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57
1 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
scripts/certificate_hook.sh
View File

@ -2,18 +2,21 @@
#to-do: make this universal / not specific to a certain service #to-do: make this universal / not specific to a certain service
set -C set -C
set -e #set -e
set -u set -u
certname="irc.casa" certname="irc.casa"
mailto="system@lysergic.dev" mailto="system@lysergic.dev"
hosts="dericom01 deriweb01" #hosts="dericom01 deriweb01"
hosts="dericom01"
OUTPUT="/var/log/lysergic/certificate-scripts/$certname.log" OUTPUT="/var/log/lysergic/certificate-scripts/$certname.log"
crt="/etc/ssl/lego/certificates/$certname.crt" crt="/etc/ssl/lego/certificates/$certname.crt"
key="/etc/ssl/lego/certificates/$certname.key" key="/etc/ssl/lego/certificates/$certname.key"
crtdest="/etc/ssl/irc/crt" destdir="/etc/ssl/irc/"
keydest="/etc/ssl/irc/key" #crtdest="/etc/ssl/irc/crt"
sshkey="/home/brain/.ssh/id_ed25519_brain" #keydest="/etc/ssl/irc/key"
sshuser="brain"
sshkey="/home/brain/.ssh/id_lysergic"
sshopts=" -qi $sshkey" sshopts=" -qi $sshkey"
cn=`openssl x509 -in $crt -noout -text | grep "CN ="` cn=`openssl x509 -in $crt -noout -text | grep "CN ="`
@ -25,22 +28,22 @@ fp_crt=`openssl x509 -fingerprint -sha256 -noout -in $crt`
install () { install () {
local host="$1" local host="$1"
local source="$2" local source="$2"
local target="$host:$3" local target="$sshuser@$host:$3"
echo "$host: Installing $target ..." >> $OUTPUT echo "$host: Installing $target ..." >> $OUTPUT
scp $sshopts $source $target >> $OUTPUT 2>&1 scp $sshopts "$source" "$target" >> $OUTPUT 2>&1
} }
reload () { reload () {
local host="$1" local host="$1"
local service="$2" local service="$2"
echo "$host: Reloading $service ..." >> $OUTPUT echo "$host: Reloading $service ..." >> $OUTPUT
ssh $sshopts "/usr/bin/sudo /usr/bin/systemctl reload $service.service" >> $OUTPUT 2>&1 ssh $sshopts "$sshuser:$host" "/usr/bin/sudo /usr/bin/systemctl reload $service.service" >> $OUTPUT 2>&1
} }
check () { check () {
local host="$1" local host="$1"
local port="$2" local port="$2"
echo "Performing self-check [$host:$port]..." > $OUTPUT echo "Performing self-check [$host:$port]..." >> $OUTPUT
local fp_remote=`openssl s_client -connect "$host":"$port" < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin` local fp_remote=`openssl s_client -connect "$host":"$port" < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin`
echo "Remote fingerprint: $fp_crt" >> $OUTPUT echo "Remote fingerprint: $fp_crt" >> $OUTPUT
if [ "$fp_crt" = "$fp_crt" ]; then if [ "$fp_crt" = "$fp_crt" ]; then
@ -51,6 +54,7 @@ check () {
} }
echo "Last renewal happened on `date`" >| $OUTPUT echo "Last renewal happened on `date`" >| $OUTPUT
echo "$cn" >> $OUTPUT echo "$cn" >> $OUTPUT
echo "$alt" >> $OUTPUT echo "$alt" >> $OUTPUT
echo "$notbefore" >> $OUTPUT echo "$notbefore" >> $OUTPUT
@ -58,10 +62,10 @@ echo "$notafter" | grep "Not After" >> $OUTPUT
echo "Installing files ..." >> $OUTPUT echo "Installing files ..." >> $OUTPUT
for host in "$hosts" for host in $hosts
do do
install "$host" "$crt" "$crtdest" install "$host" "$crt" "$destdir"
install "$host" "$key" "$keydest" install "$host" "$key" "$destdir"
done done
# do we really need this certificate on the webserver? # do we really need this certificate on the webserver?