
Merge branch to add more server-types based on openssl s_client

pull/78/head
srvrco 10 years ago
parent
commit
dcc3ec2847
3 changed files with 109 additions and 20 deletions
  1. +27
    -3
      README.md
  2. +40
    -8
      create-getssl-config
  3. +42
    -9
      getssl

+ 27
- 3
README.md View File

@ -6,7 +6,7 @@ Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for auto
* **Get certificates for remote servers** - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, as it's a shared server for example.
* **Runs as a daily cron** - so certificates will be automatically renewed when required.
* **Automatic certificate renewals**
* **Checks certificates are correctly loaded**. After installation of a new certificate it will test the port specified ( typically https / 443) that the certificate is actually being used correctly.
* **Checks certificates are correctly loaded**. After installation of a new certificate it will test the port specified ( see [Server-Types](#server-types) for options ) that the certificate is actually being used correctly.
* **Automatically updates** - The script can automatically update itself with bug fixes etc if required.
* **Extensively configurable** - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate.
* **Supports http and dns challenges** - Full ACME implementation
@ -172,10 +172,11 @@ RELOAD_CMD="service apache2 reload"
# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
#RENEW_ALLOW="30"
# Define the server type. The can either webserver, ldaps or a port number which
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#SERVER_TYPE="https"
#CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
@ -195,6 +196,29 @@ Note: FTP can be used for copying tokens only and can **not** be used for uploa
ssh can also be used for the reload command if using on remote servers.
## Server-Types
OpenSSL has built-in support for getting the certificate from a number of SSL services
these are available in getssl to check if the certificate is installed correctly
| Server-Type | Port | Extra |
|------------------|------|--------------|
| https | 443 | |
| ftp | 21 | FTP Explicit |
| ftpi | 990 | FTP Implicit |
| imap | 143 | StartTLS |
| imaps | 993 | |
| pop3 | 110 | StartTLS |
| pop3s | 995 | |
| smtp | 25 | StartTLS |
| smtps_deprecated | 465 | |
| smtps | 587 | StartTLS |
| smtp_submission | 587 | StartTLS |
| xmpp | 5222 | StartTLS |
| xmpps | 5269 | |
| ldaps | 636 | |
| port number | | |
## Issues / problems / help
If you have any issues, please log them at https://github.com/srvrco/getssl/issues


+ 40
- 8
create-getssl-config View File

@ -36,7 +36,7 @@ VALIDATE_VIA_DNS="false"
RELOAD_CMD=""
RENEW_ALLOW="30"
PRIVATE_KEY_ALG="rsa"
SERVER_TYPE="webserver"
SERVER_TYPE="https"
CHECK_REMOTE="true"
DNS_EXTRA_WAIT=0
@ -135,10 +135,11 @@ write_getssl_template() { # write out the main template file
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. The can either webserver, ldaps or a port number which
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="webserver"
SERVER_TYPE="https"
CHECK_REMOTE="true"
# openssl config file. The default should work in most cases.
@ -194,7 +195,8 @@ write_domain_template() { # write out a template file for a domain.
# this prevents hitting some of the rate limits.
RENEW_ALLOW="$RENEW_ALLOW"
# Define the server type. The can either webserver, ldaps or a port number which
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="$SERVER_TYPE"
@ -330,24 +332,54 @@ CHECK_REMOTE=$res
if [[ "$CHECK_REMOTE" == "true" ]]; then
get_user_input "server type" "$SERVER_TYPE" \
"This can be 'webserver', 'ldap', or a port number that getssl will use for certifcate checks"
"This can be 'https', 'ftp', 'ftpi', 'imap', 'imaps', 'pop3', 'pop3s', 'smtp', 'smtps_deprecated', 'smtps', 'smtp_submission', 'xmpp', 'xmpps', 'ldaps' or a port number that getssl will use for certifcate checks"
SERVER_TYPE=$res
else
SERVER_TYPE=""
fi
if [[ ${SERVER_TYPE} == "webserver" ]]; then
if [[ ${SERVER_TYPE} == "https" ]] || [[ ${SERVER_TYPE} == "webserver" ]]; then
REMOTE_PORT=443
elif [[ ${SERVER_TYPE} == "ftp" ]]; then
REMOTE_PORT=21
REMOTE_EXTRA="-starttls ftp"
elif [[ ${SERVER_TYPE} == "ftpi" ]]; then
REMOTE_PORT=990
elif [[ ${SERVER_TYPE} == "imap" ]]; then
REMOTE_PORT=143
REMOTE_EXTRA="-starttls imap"
elif [[ ${SERVER_TYPE} == "imaps" ]]; then
REMOTE_PORT=993
elif [[ ${SERVER_TYPE} == "pop3" ]]; then
REMOTE_PORT=110
REMOTE_EXTRA="-starttls pop3"
elif [[ ${SERVER_TYPE} == "pop3s" ]]; then
REMOTE_PORT=995
elif [[ ${SERVER_TYPE} == "smtp" ]]; then
REMOTE_PORT=25
REMOTE_EXTRA="-starttls smtp"
elif [[ ${SERVER_TYPE} == "smtps_deprecated" ]]; then
REMOTE_PORT=465
elif [[ ${SERVER_TYPE} == "smtps" ]] || [[ ${SERVER_TYPE} == "smtp_submission" ]]; then
REMOTE_PORT=587
REMOTE_EXTRA="-starttls smtp"
elif [[ ${SERVER_TYPE} == "xmpp" ]]; then
REMOTE_PORT=5222
REMOTE_EXTRA="-starttls xmpp"
elif [[ ${SERVER_TYPE} == "xmpps" ]]; then
REMOTE_PORT=5269
elif [[ ${SERVER_TYPE} == "ldaps" ]]; then
REMOTE_PORT=636
elif [[ ${SERVER_TYPE} =~ ^[0-9]+$ ]]; then
REMOTE_PORT=SERVER_TYPE
REMOTE_PORT=${SERVER_TYPE}
else
error_exit "unknown server type"
fi
SANS="www.${DOMAIN}"
if [[ ! -z ${REMOTE_PORT} ]]; then
# Additional domains - this could be multiple domains / subdomains in a comma separated list
EX_CERT=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" 2>/dev/null | openssl x509 2>/dev/null)
EX_CERT=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null | openssl x509 2>/dev/null)
if [ ! -z "${EX_CERT}" ]; then
SANS=$(echo "$EX_CERT" | openssl x509 -noout -text 2>/dev/null| grep "Subject Alternative Name" -A2 \
| grep -Eo "DNS:[a-zA-Z 0-9.-]*" | sed "s@DNS:$DOMAIN@@g" | grep -v '^$' | cut -c 5-)
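Review bot: `REMOTE_EXTRA` is never initialised before the `if`/`elif` chain that starts with `if [[ ${SERVER_TYPE} == "https" ]] ...`, so for every type that sets only `REMOTE_PORT` (https, ftpi, imaps, pop3s, smtps_deprecated, xmpps, ldaps, and a bare port number) whatever value happens to be in the environment is passed, unquoted, to `openssl s_client` on the `EX_CERT=` line. Add `REMOTE_EXTRA=""` immediately before that `if` so only the branches that need `-starttls` populate it. The same chain is duplicated in `getssl` by this commit and has the same gap. The unquoted `${REMOTE_EXTRA}` is deliberate word-splitting; the `getssl` copy carries `# shellcheck disable=SC2086` above it while this one does not, so the linter will flag only this file — add the same directive here for consistency.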


+ 42
- 9
getssl View File

@ -85,10 +85,11 @@
# 2016-07-21 add output of combined private key and domain cert (1.19)
# 2016-07-21 updated typo (1.20)
# 2016-07-22 corrected issue in nslookup debug option - issue #74 (1.21)
# 2016-07-26 add more server-types based on openssl s_client (1.22)
# ---------------------------------------------------------------------------
PROGNAME=${0##*/}
VERSION="1.21"
VERSION="1.22"
# defaults
CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@ -102,7 +103,7 @@ VALIDATE_VIA_DNS=""
RELOAD_CMD=""
RENEW_ALLOW="30"
PRIVATE_KEY_ALG="rsa"
SERVER_TYPE="webserver"
SERVER_TYPE="https"
CHECK_REMOTE="true"
DNS_WAIT=10
DNS_EXTRA_WAIT=""
@ -552,10 +553,11 @@ write_domain_template() { # write out a template file for a domain.
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can either be a webserver, ldaps or a port number which
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#SERVER_TYPE="https"
#CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
@ -592,10 +594,11 @@ write_getssl_template() { # write out the main template file
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can either be a webserver, ldaps or a port number which
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="webserver"
SERVER_TYPE="https"
CHECK_REMOTE="true"
# openssl config file. The default should work in most cases.
@ -797,8 +800,36 @@ if [ -f "$DOMAIN_DIR/getssl.cfg" ]; then
. "$DOMAIN_DIR/getssl.cfg"
fi
if [[ ${SERVER_TYPE} == "webserver" ]]; then
if [[ ${SERVER_TYPE} == "https" ]] || [[ ${SERVER_TYPE} == "webserver" ]]; then
REMOTE_PORT=443
elif [[ ${SERVER_TYPE} == "ftp" ]]; then
REMOTE_PORT=21
REMOTE_EXTRA="-starttls ftp"
elif [[ ${SERVER_TYPE} == "ftpi" ]]; then
REMOTE_PORT=990
elif [[ ${SERVER_TYPE} == "imap" ]]; then
REMOTE_PORT=143
REMOTE_EXTRA="-starttls imap"
elif [[ ${SERVER_TYPE} == "imaps" ]]; then
REMOTE_PORT=993
elif [[ ${SERVER_TYPE} == "pop3" ]]; then
REMOTE_PORT=110
REMOTE_EXTRA="-starttls pop3"
elif [[ ${SERVER_TYPE} == "pop3s" ]]; then
REMOTE_PORT=995
elif [[ ${SERVER_TYPE} == "smtp" ]]; then
REMOTE_PORT=25
REMOTE_EXTRA="-starttls smtp"
elif [[ ${SERVER_TYPE} == "smtps_deprecated" ]]; then
REMOTE_PORT=465
elif [[ ${SERVER_TYPE} == "smtps" ]] || [[ ${SERVER_TYPE} == "smtp_submission" ]]; then
REMOTE_PORT=587
REMOTE_EXTRA="-starttls smtp"
elif [[ ${SERVER_TYPE} == "xmpp" ]]; then
REMOTE_PORT=5222
REMOTE_EXTRA="-starttls xmpp"
elif [[ ${SERVER_TYPE} == "xmpps" ]]; then
REMOTE_PORT=5269
elif [[ ${SERVER_TYPE} == "ldaps" ]]; then
REMOTE_PORT=636
elif [[ ${SERVER_TYPE} =~ ^[0-9]+$ ]]; then
@ -810,7 +841,8 @@ fi
# if check_remote is true then connect and obtain the current certificate (if not forcing renewal)
if [[ "${CHECK_REMOTE}" == "true" ]] && [ $_FORCE_RENEW -eq 0 ]; then
debug "getting certificate for $DOMAIN from remote server"
EX_CERT=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" 2>/dev/null | openssl x509 2>/dev/null)
# shellcheck disable=SC2086
EX_CERT=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null | openssl x509 2>/dev/null)
if [ ! -z "$EX_CERT" ]; then # if obtained a cert
if [ -f "$CERT_FILE" ]; then # if local exists
CERT_REMOTE=$(echo "$EX_CERT" | openssl x509 -noout -fingerprint 2>/dev/null)
@ -1255,7 +1287,8 @@ reload_service
# Check if the certificate is installed correctly
if [[ ${CHECK_REMOTE} == "true" ]]; then
CERT_REMOTE=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" 2>/dev/null | openssl x509 -noout -fingerprint 2>/dev/null)
# shellcheck disable=SC2086
CERT_REMOTE=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" ${REMOTE_EXTRA} 2>/dev/null | openssl x509 -noout -fingerprint 2>/dev/null)
CERT_LOCAL=$(openssl x509 -noout -fingerprint < "$CERT_FILE" 2>/dev/null)
if [ "$CERT_LOCAL" == "$CERT_REMOTE" ]; then
info "certificate installed OK on server"
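Review bot: The two `# shellcheck disable=SC2086` lines above the `openssl s_client` calls say nothing about why the expansion is left unquoted, which is exactly what the next reader needs before "fixing" it by adding quotes (that would pass `-starttls ftp` as one argument and break the STARTTLS types). Change both to `# shellcheck disable=SC2086 — REMOTE_EXTRA holds the "-starttls <proto>" option pair and must word-split`. If a later cleanup wants the warning gone for real, the idiomatic form is an array (`REMOTE_EXTRA=(-starttls ftp)` in the chain, expanded as `"${REMOTE_EXTRA[@]}"` here), but that touches the chain in the hunk at `@ -797,8 +800,36`, whose `if` block closes outside the hunk.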

