-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy pathcontrol_do.sh
executable file
·128 lines (105 loc) · 4.88 KB
/
control_do.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/bin/bash
set -e
get_fqdn() {
local file_fqdn=""
if [ -e /opt/labca/data/config.json ]; then
file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
fi
if [ "$file_fqdn" == "" ]; then
if [ "$LABCA_FQDN" == "notset" ]; then
echo "ERROR: environment variable LABCA_FQDN is not set!"
exit 1
else
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json
fi
elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
export LABCA_FQDN=$file_fqdn
fi
}
setup_boulder_data() {
cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/
cp -rp /opt/staging/boulder_labca/certs/* /opt/boulder/labca/certs/
cd /opt/boulder/labca
sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
sed -i -e "s|http://ca.example.org:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
sed -i -e "s|http://ca.example.org:4501/rsa-a/|http://$LABCA_FQDN/crl/|g" config/ca.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-a.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
/opt/labca/apply-boulder
}
setup_nginx_data() {
rm -f /etc/nginx/conf.d/default.conf
cp -p /opt/staging/nginx.conf /etc/nginx/conf.d/labca.conf
cp -p /opt/staging/proxy.inc /etc/nginx/conf.d/proxy.inc
[ -e /opt/boulder/labca/setup_complete ] && perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf || true
cd /var/www/html
mkdir -p .well-known/acme-challenge
find .well-known/acme-challenge/ -type f -mtime +10 -exec rm {} \; # Clean up files older than 10 days
mkdir -p crl
[ -e cert ] || ln -s certs cert
cp -rp /opt/staging/static/* .
[ -e /opt/labca/data/root-ca.pem ] && cp /opt/labca/data/root-ca.pem certs/ || true
[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.pem certs/ || true
if [ ! -e /etc/nginx/ssl/labca_cert.pem ]; then
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
fi
/opt/labca/apply-nginx
}
setup_labca_data() {
cd /opt/labca/data
cp -rp /opt/staging/data/* .
sed -i -e "s|LABCA_FQDN|$LABCA_FQDN|g" openssl.cnf
sed -i -e "s|LABCA_FQDN|$LABCA_FQDN|g" issuer/openssl.cnf
}
selfsigned_cert() {
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
}
renew_near_expiry() {
pushd /etc/nginx/ssl >/dev/null
if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then
hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem)
issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem)
if [ "$hash" == "$issuer_hash" ]; then
selfsigned_cert
else
echo "acme-request" | /opt/labca/commander
fi
fi
popd >/dev/null
}
start_cron() {
[ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true
chmod g-w /opt/labca/cron_d
[ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log
tail -f -n0 /opt/logs/cron.log &
service cron start
}
serve_commander() {
echo "Start serving commander script..."
tcpserver 0.0.0.0 3030 /opt/labca/commander
}
main() {
get_fqdn
setup_boulder_data
setup_nginx_data
setup_labca_data
[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert
renew_near_expiry
start_cron
serve_commander
}
main "$@"