RuhNetConsulting
/
getssl
mirror of https://github.com/srvrco/getssl
1
0
Fork 0
Code Issues 0 Projects 0 Releases 51 Wiki Activity
Browse Source

Combine Private key reuse, archive permissions and EC signing #144

pull/152/head
srvrco 9 years ago
parent
ea9367a9af
commit
60c034e913
1 changed files with 33 additions and 34 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +33
    -34
      getssl

+ 33
- 34
getssl View File

@ -130,10 +130,14 @@
# 2016-10-20 add option to revoke a certificate (1.64) # 2016-10-20 add option to revoke a certificate (1.64)
# 2016-10-21 set revocation server default to acme-v01.api.letsencrypt.org (1.65) # 2016-10-21 set revocation server default to acme-v01.api.letsencrypt.org (1.65)
# 2016-10-21 bug fix for revocation on different servers. (1.66) # 2016-10-21 bug fix for revocation on different servers. (1.66)
# 2016-10-22 Tidy up archive code for certificates and reduce permissions for security
# 2016-10-22 Add EC signing for secp384r1 and secp521r1 (the latter not yet supported by Let's Encrypt
# 2016-10-22 Add option to create a new private key for every cert (REUSE_PRIVATE_KEY="true" by default)
# 2016-10-22 Combine EC signing, Private key reuse and archive permissions (1.67)
# ---------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------
PROGNAME=${0##*/} PROGNAME=${0##*/}
VERSION="1.66"
VERSION="1.67"
# defaults # defaults
CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl" CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@ -146,6 +150,7 @@ SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"
VALIDATE_VIA_DNS="" VALIDATE_VIA_DNS=""
RELOAD_CMD="" RELOAD_CMD=""
RENEW_ALLOW="30" RENEW_ALLOW="30"
REUSE_PRIVATE_KEY="true"
PRIVATE_KEY_ALG="rsa" PRIVATE_KEY_ALG="rsa"
SERVER_TYPE="https" SERVER_TYPE="https"
CHECK_REMOTE="true" CHECK_REMOTE="true"
@ -172,15 +177,16 @@ _REVOKE=0
ORIGCMD="$0 $*" ORIGCMD="$0 $*"
cert_archive() { # Archive certificate file by copying with dates at end. cert_archive() { # Archive certificate file by copying with dates at end.
certfile=$1
enddate=$(openssl x509 -in "$certfile" -noout -enddate 2>/dev/null| cut -d= -f 2-)
enddate_s=$(date_epoc "$enddate")
formatted_enddate=$(date_fmt "${enddate_s}")
startdate=$(openssl x509 -in "$certfile" -noout -startdate 2>/dev/null| cut -d= -f 2-)
startdate_s=$(date_epoc "$startdate")
formatted_startdate=$(date_fmt "${startdate_s}")
cp "${certfile}" "${certfile}_${formatted_startdate}_${formatted_enddate}"
info "archiving old certificate file to ${certfile}_${formatted_startdate}_${formatted_enddate}"
debug "creating an achive copy of current new certs"
date_time=$(date +%Y_%m_%d_%H_%M)
mkdir -p "${DOMAIN_DIR}/archive/${date_time}"
umask 077
cp "$CERT_FILE" "${DOMAIN_DIR}/archive/${date_time}/${DOMAIN}.crt"
cp "$DOMAIN_DIR/${DOMAIN}.key" "${DOMAIN_DIR}/archive/${date_time}/${DOMAIN}.key"
cp "$CA_CERT" "${DOMAIN_DIR}/archive/${date_time}/chain.crt"
umask "$ORIG_UMASK"
debug "purging old GetSSL archives"
purge_archive "$DOMAIN_DIR"
} }
check_challenge_completion() { # checks with the ACME server if our challenge is OK check_challenge_completion() { # checks with the ACME server if our challenge is OK
@ -800,6 +806,7 @@ write_getssl_template() { # write out the main template file
ACCOUNT_KEY_LENGTH=4096 ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="$WORKING_DIR/account.key" ACCOUNT_KEY="$WORKING_DIR/account.key"
PRIVATE_KEY_ALG="rsa" PRIVATE_KEY_ALG="rsa"
#REUSE_PRIVATE_KEY="true"
# The command needed to reload apache / nginx or whatever you use # The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD="" #RELOAD_CMD=""
@ -1117,15 +1124,9 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [ $_FORCE_RENEW -eq 0 ]; then
debug "certificates expire at the same time" debug "certificates expire at the same time"
elif [ "$enddate_ex_s" -gt "$enddate_lc_s" ]; then elif [ "$enddate_ex_s" -gt "$enddate_lc_s" ]; then
# remote has longer to expiry date than local copy. # remote has longer to expiry date than local copy.
# archive local copy and save remote to local
debug "remote cert has longer to run than local cert - ignoring" debug "remote cert has longer to run than local cert - ignoring"
# cert_archive "$CERT_FILE"
# debug "copying remote certificate to local"
# echo "$EX_CERT" > "$DOMAIN_DIR/${DOMAIN}.crt"
else else
info "remote expires sooner than local ..... will attempt to upload from local" info "remote expires sooner than local ..... will attempt to upload from local"
echo "$EX_CERT" > "$DOMAIN_DIR/${DOMAIN}.crt.remote"
cert_archive "$DOMAIN_DIR/${DOMAIN}.crt.remote"
copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION" copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION"
copy_file_to_location "private key" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LOCATION" copy_file_to_location "private key" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LOCATION"
copy_file_to_location "CA certificate" "$CA_CERT" "$CA_CERT_LOCATION" copy_file_to_location "CA certificate" "$CA_CERT" "$CA_CERT_LOCATION"
@ -1158,9 +1159,7 @@ if [ -f "$CERT_FILE" ]; then
# everything is OK, so exit. # everything is OK, so exit.
graceful_exit graceful_exit
else else
# certificate needs renewal, archive current cert and continue.
debug "certificate for $DOMAIN needs renewal" debug "certificate for $DOMAIN needs renewal"
cert_archive "${CERT_FILE}"
fi fi
fi fi
fi # end of .... if there is an existing certificate file, check details. fi # end of .... if there is an existing certificate file, check details.
@ -1175,6 +1174,12 @@ else
umask "$ORIG_UMASK" umask "$ORIG_UMASK"
fi fi
if [ "$REUSE_PRIVATE_KEY" != "true" ]; then
if [ -f "$DOMAIN_DIR/${DOMAIN}.key" ]; then
rm -f "$DOMAIN_DIR/${DOMAIN}.key"
fi
fi
# check if domain key exists, if not then create it. # check if domain key exists, if not then create it.
if [ -f "$DOMAIN_DIR/${DOMAIN}.key" ]; then if [ -f "$DOMAIN_DIR/${DOMAIN}.key" ]; then
debug "domain key exists at $DOMAIN_DIR/${DOMAIN}.key - skipping generation" debug "domain key exists at $DOMAIN_DIR/${DOMAIN}.key - skipping generation"
@ -1182,13 +1187,14 @@ if [ -f "$DOMAIN_DIR/${DOMAIN}.key" ]; then
else else
umask 077 umask 077
info "creating domain key - $DOMAIN_DIR/${DOMAIN}.key" info "creating domain key - $DOMAIN_DIR/${DOMAIN}.key"
if [[ "${PRIVATE_KEY_ALG}" == "rsa" ]]; then
openssl genrsa "$DOMAIN_KEY_LENGTH" > "$DOMAIN_DIR/${DOMAIN}.key"
elif [[ "${PRIVATE_KEY_ALG}" == "prime256v1" ]]; then
openssl ecparam -genkey -name prime256v1 > "$DOMAIN_DIR/${DOMAIN}.key"
else
error_exit "unknown private key algorithm type ${PRIVATE_KEY_ALG}"
fi
case "${PRIVATE_KEY_ALG}" in
rsa)
openssl genrsa "$DOMAIN_KEY_LENGTH" > "$DOMAIN_DIR/${DOMAIN}.key";;
prime256v1|secp384r1|secp521r1)
openssl ecparam -genkey -name "${PRIVATE_KEY_ALG}" > "$DOMAIN_DIR/${DOMAIN}.key";;
*)
error_exit "unknown private key algorithm type ${PRIVATE_KEY_ALG}";;
esac
umask "$ORIG_UMASK" umask "$ORIG_UMASK"
# remove csr on generation of new domain key # remove csr on generation of new domain key
rm -f "$DOMAIN_DIR/${DOMAIN}.csr" rm -f "$DOMAIN_DIR/${DOMAIN}.csr"
@ -1534,15 +1540,8 @@ if [ "$IssuerData" ] ; then
info "The intermediate CA cert is in $CA_CERT" info "The intermediate CA cert is in $CA_CERT"
fi fi
debug "creating an achive copy of current new certs"
date_time=$(date +%Y_%m_%d_%H_%M)
mkdir -p "${DOMAIN_DIR}/archive/${date_time}"
cp "$CERT_FILE" "${DOMAIN_DIR}/archive/${date_time}/${DOMAIN}.crt"
cp "$DOMAIN_DIR/${DOMAIN}.key" "${DOMAIN_DIR}/archive/${date_time}/${DOMAIN}.key"
cp "$CA_CERT" "${DOMAIN_DIR}/archive/${date_time}/chain.crt"
debug "purging old GetSSL archives"
purge_archive "$DOMAIN_DIR"
# create Archive of new certs
cert_archive
debug "Certificates obtained and archived locally, will now copy to specified locations" debug "Certificates obtained and archived locally, will now copy to specified locations"


Write Preview
Loading…
Cancel
Save