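#!/bin/bash
# Renew private keys & certificates for Guacamole & Keycloak.
#
# Run from the repository root: every path below is relative to it.
# Variables read from .load.env:
#   TLS_LETS_ENCRYPT  "true" selects ACME (acme.sh) renewal; anything else
#                     regenerates self-signed certificates
#   GUAC_HOSTNAME     domain / subject CN of the Guacamole certificate
#   KC_HOSTNAME       domain / subject CN of the Keycloak certificate
# Files written: init/guacamole.{key,crt}, init/keycloak.{key,crt} and, in
# the self-signed branch, the truststore init/cacerts. The compose stack is
# restarted at the end so the containers pick up the new files.

# Without the env file the hostnames are empty and every later path is
# bogus, so refuse to continue.
source .load.env || { printf 'renew-tls-certs: cannot source .load.env\n' >&2; exit 1; }

x509_dir="$(pwd)/init/x509"
readonly x509_dir

# Print a blank line followed by a progress message.
banner() {
  printf '\n %s\n' "$1"
}

# Renew the Let's Encrypt certificate for one domain through acme.sh.
# $1 - domain name. acme.sh keeps its state under init/x509 (mounted as
# /acme.sh inside the container); --standalone makes acme.sh serve the
# ACME challenge itself, which is why the container runs with --net=host.
renew_with_acme() {
  local domain=$1
  banner "Generating a new TLS server certificate for ${domain}"
  # NOTE(review): -it needs a TTY; drop -t if this ever runs unattended (cron).
  docker run --rm -it \
    -v "${x509_dir}":/acme.sh \
    --net=host \
    neilpang/acme.sh --renew -d "${domain}" --standalone
}

# Generate a self-signed RSA-2048 certificate valid for 730 days.
# $1 - label for the progress message
# $2 - output path prefix; the key and cert are written as $2.key / $2.crt
# $3 - subject CN
gen_self_signed() {
  local label=$1 prefix=$2 cn=$3
  banner "Renewing TLS Server Keys and certificates for ${label}"
  openssl req \
    -newkey rsa:2048 \
    -nodes \
    -keyout "${prefix}.key" \
    -x509 \
    -days 730 \
    -out "${prefix}.crt" \
    -subj "/C=FR/O=My Company/OU=My Division/CN=${cn}"
}

# Replace the entry $1 in the truststore init/cacerts with certificate $2.
# keytool refuses to import when the alias already exists - precisely the
# renewal case - so the stale entry is dropped first; the delete fails
# harmlessly on a truststore that does not yet hold the alias.
# "changeit" is the JDK default truststore password, not a secret.
import_to_truststore() {
  local alias=$1 cert=$2
  keytool -delete \
    -alias "${alias}" \
    -keystore init/cacerts \
    -storepass changeit 2>/dev/null
  keytool -importcert \
    -alias "${alias}" \
    -keystore init/cacerts \
    -storepass changeit \
    -file "${cert}" \
    -trustcacerts -noprompt
}

if [[ "${TLS_LETS_ENCRYPT:-}" == "true" ]]; then
  banner "Generating let's encrypt certificates"
  renew_with_acme "${GUAC_HOSTNAME}"
  renew_with_acme "${KC_HOSTNAME}"
  # TODO : better fix for unix rights - the key files under init/x509 are
  # presumably owned by root (written by the container), hence sudo.
  cp "init/x509/${GUAC_HOSTNAME}_ecc/${GUAC_HOSTNAME}.cer" init/guacamole.crt
  cp "init/x509/${KC_HOSTNAME}_ecc/${KC_HOSTNAME}.cer" init/keycloak.crt
  sudo cp "init/x509/${GUAC_HOSTNAME}_ecc/${GUAC_HOSTNAME}.key" init/guacamole.key
  sudo cp "init/x509/${KC_HOSTNAME}_ecc/${KC_HOSTNAME}.key" init/keycloak.key
else
  # Keep one copy of the existing keys & certs; the .old files from the
  # previous run are discarded (no error if they do not exist yet).
  rm -f init/{guacamole,keycloak}.{key,crt}.old
  for f in init/guacamole.key init/guacamole.crt init/keycloak.key init/keycloak.crt; do
    [[ -e "$f" ]] && mv -- "$f" "$f.old"
  done
  gen_self_signed Guacamole init/guacamole "${GUAC_HOSTNAME}"
  # Subject values were pulled from server.xml within the image, and from
  # errors in the docker log.
  gen_self_signed Keycloak init/keycloak "${KC_HOSTNAME}"
  # Add the self-signed certificates to the truststore.
  chmod u+w init/cacerts
  import_to_truststore keycloak init/keycloak.crt
  import_to_truststore guacamole init/guacamole.crt
fi

# TODO : better fix for unix rights. a+r leaves the private keys readable by
# every local account; the intended fix is ownership/mode matching the uid
# the containers run as.
sudo chmod a+r init/guacamole.key init/keycloak.key

# Finally restart so the containers load the new key material.
docker compose down
docker compose up -d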