
add additional config checks

pull/216/head
srvrco 9 years ago
parent
commit
e9ec9067e8
1 changed files with 23 additions and 13 deletions
  1. +23
    -13
      getssl

+ 23
- 13
getssl View File

@ -309,12 +309,17 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
check_config() { # check the config files for all obvious errors check_config() { # check the config files for all obvious errors
debug "checking config" debug "checking config"
# check keys
if [[ ! "$ACCOUNT_KEY_TYPE" =~ ^(rsa|prime256v1|secp384r1|secp521r1)$ ]]; then if [[ ! "$ACCOUNT_KEY_TYPE" =~ ^(rsa|prime256v1|secp384r1|secp521r1)$ ]]; then
info "invalid ACCOUNT_KEY_TYPE"
info "${DOMAIN}: invalid ACCOUNT_KEY_TYPE"
config_errors=true config_errors=true
fi fi
if [[ ! "$PRIVATE_KEY_ALG" =~ ^(rsa|prime256v1|secp384r1|secp521r1)$ ]]; then if [[ ! "$PRIVATE_KEY_ALG" =~ ^(rsa|prime256v1|secp384r1|secp521r1)$ ]]; then
info "invalid PRIVATE_KEY_ALG"
info "${DOMAIN}: invalid PRIVATE_KEY_ALG"
config_errors=true
fi
if [[ "$DUAL_RSA_ECDSA" == "true" ]] && [[ "$PRIVATE_KEY_ALG" == "rsa" ]]; then
info "${DOMAIN}: PRIVATE_KEY_ALG not set to an EC type and DUAL_RSA_ECDSA=\"true\""
config_errors=true config_errors=true
fi fi
@ -324,14 +329,18 @@ check_config() { # check the config files for all obvious errors
else else
alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g") alldomains=$(echo "$DOMAIN,$SANS" | sed "s/,/ /g")
fi fi
if [[ -z "$alldomains" ]]; then
info "${DOMAIN}: no domains specified"
config_errors=true
fi
if [[ $VALIDATE_VIA_DNS == "true" ]]; then # using dns-01 challenge if [[ $VALIDATE_VIA_DNS == "true" ]]; then # using dns-01 challenge
if [[ -z "$DNS_ADD_COMMAND" ]]; then if [[ -z "$DNS_ADD_COMMAND" ]]; then
info "DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS=true)"
info "${DOMAIN}: DNS_ADD_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")"
config_errors=true config_errors=true
fi fi
if [[ -z "$DNS_DEL_COMMAND" ]]; then if [[ -z "$DNS_DEL_COMMAND" ]]; then
info "DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS=true)"
info "${DOMAIN}: DNS_DEL_COMMAND not defined (whilst VALIDATE_VIA_DNS=\"true\")"
config_errors=true config_errors=true
fi fi
fi fi
@ -339,8 +348,9 @@ check_config() { # check the config files for all obvious errors
dn=0 dn=0
tmplist=$(mktemp) tmplist=$(mktemp)
for d in $alldomains; do # loop over domains (dn is domain number) for d in $alldomains; do # loop over domains (dn is domain number)
debug "checking domain $d"
if [[ "$(grep "^${d}$" "$tmplist")" = "$d" ]]; then if [[ "$(grep "^${d}$" "$tmplist")" = "$d" ]]; then
echo "$d appears to be duplicated in domain, SAN list"
info "${DOMAIN}: $d appears to be duplicated in domain, SAN list"
config_errors=true config_errors=true
else else
echo "$d" >> "$tmplist" echo "$d" >> "$tmplist"
@ -354,7 +364,7 @@ check_config() { # check the config files for all obvious errors
if [[ $VALIDATE_VIA_DNS != "true" ]]; then # using http-01 challenge if [[ $VALIDATE_VIA_DNS != "true" ]]; then # using http-01 challenge
if [[ -z "${DOMAIN_ACL}" ]]; then if [[ -z "${DOMAIN_ACL}" ]]; then
info "ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
info "${DOMAIN}: ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
config_errors=true config_errors=true
fi fi
# check domain exist # check domain exist
@ -363,7 +373,7 @@ check_config() { # check the config files for all obvious errors
elif [[ "$(nslookup "${d}"| grep -c ^Name)" -ge 1 ]]; then elif [[ "$(nslookup "${d}"| grep -c ^Name)" -ge 1 ]]; then
debug "found IPv4 record for ${d}" debug "found IPv4 record for ${d}"
else else
info "DNS lookup failed for $d"
info "${DOMAIN}: DNS lookup failed for $d"
config_errors=true config_errors=true
fi fi
fi # end http-01 check fi # end http-01 check
@ -374,9 +384,9 @@ check_config() { # check the config files for all obvious errors
rm -f "$tmplist" rm -f "$tmplist"
if [[ "$config_errors" == "true" ]]; then if [[ "$config_errors" == "true" ]]; then
error_exit "exiting due to config errors"
error_exit "${DOMAIN}: exiting due to config errors"
fi fi
debug "check_config completed - all OK"
debug "${DOMAIN}: check_config completed - all OK"
} }
check_getssl_upgrade() { # check if a more recent version of code is available available check_getssl_upgrade() { # check if a more recent version of code is available available
@ -1158,12 +1168,12 @@ write_domain_template() { # write out a template file for a domain.
# Location for all your certs, these can either be on the server (full path name) # Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL # or using ssh /sftp as for the ACL
#DOMAIN_CERT_LOCATION="/etc/ssl/domain.crt"
#DOMAIN_KEY_LOCATION="/etc/ssl/domain.key"
#DOMAIN_CERT_LOCATION="/etc/ssl/${DOMAIN}.crt"
#DOMAIN_KEY_LOCATION="/etc/ssl/${DOMAIN}.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt" #CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert #DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert #DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use # The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD="" #RELOAD_CMD=""
@ -1463,7 +1473,7 @@ if [[ -s "$DOMAIN_DIR/getssl.cfg" ]]; then
. "$DOMAIN_DIR/getssl.cfg" . "$DOMAIN_DIR/getssl.cfg"
fi fi
# check config files for typical errors.
# check config for typical errors.
check_config check_config
# Obtain CA resource locations # Obtain CA resource locations
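Review bot: The new empty-domain guard `if [[ -z "$alldomains" ]]; then` cannot fire for the `else` branch printed just above it: when both DOMAIN and SANS are unset, `echo "$DOMAIN,$SANS" | sed "s/,/ /g"` produces a single space, which `-z` treats as non-empty, so the "no domains specified" error is never reached and the later `for d in $alldomains` loop silently runs zero times. The `if` branch of that assignment is outside the hunk, so it may well set alldomains to a genuinely empty string, but the else path should be covered too. Testing the value with whitespace removed makes the check meaningful in both cases: `if [[ -z "${alldomains// /}" ]]; then`. The remaining hunks of check_config only touch message text and the DUAL_RSA_ECDSA / PRIVATE_KEY_ALG consistency check, which look correct as written.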

