fixes
This commit is contained in:
parent
d52e0e7861
commit
4076c4b4ef
59
gencert.sh
59
gencert.sh
@ -8,8 +8,8 @@
|
|||||||
|
|
||||||
ME=$(printf '%s\n' "${0##*/}")
|
ME=$(printf '%s\n' "${0##*/}")
|
||||||
|
|
||||||
function print_help() {
|
print_help() {
|
||||||
echo -e "[${ME}] HELP: I accept following arguments:
|
printf "[${ME}] HELP: I accept following arguments:
|
||||||
--help - show this message
|
--help - show this message
|
||||||
--cn - certificate's CN name\t\t(MANDATORY)
|
--cn - certificate's CN name\t\t(MANDATORY)
|
||||||
--key - server key name\t\t\t(default: private.key)
|
--key - server key name\t\t\t(default: private.key)
|
||||||
@ -17,7 +17,7 @@ function print_help() {
|
|||||||
--days - server cert expiration in days\t(default: 365)
|
--days - server cert expiration in days\t(default: 365)
|
||||||
--cakey - CA key name\t\t\t(default: ca.key)
|
--cakey - CA key name\t\t\t(default: ca.key)
|
||||||
--ca - CA cert name\t\t\t(default: ca.crt)
|
--ca - CA cert name\t\t\t(default: ca.crt)
|
||||||
--cadays - CA cert expiration in days\t(default: 3650)"
|
--cadays - CA cert expiration in days\t(default: 3650)\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
# A POSIX variable
|
# A POSIX variable
|
||||||
@ -33,7 +33,7 @@ opts=$(getopt \
|
|||||||
|
|
||||||
eval set --$opts
|
eval set --$opts
|
||||||
|
|
||||||
while [[ $# -gt 0 ]]; do
|
while [ $# -gt 0 ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
--help)
|
--help)
|
||||||
print_help;
|
print_help;
|
||||||
@ -107,7 +107,7 @@ DAYS="${ARG_DAYS:-365}"
|
|||||||
# set -x
|
# set -x
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
function gen_openssl_config() {
|
gen_openssl_config() {
|
||||||
OPENSSL_CONFIG_CONTENT="[ req ]
|
OPENSSL_CONFIG_CONTENT="[ req ]
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
[req_distinguished_name]
|
[req_distinguished_name]
|
||||||
@ -128,44 +128,57 @@ subjectAltName = @alt_names
|
|||||||
echo "[${ME}] Found these IPs: " ${IPS}
|
echo "[${ME}] Found these IPs: " ${IPS}
|
||||||
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
|
||||||
|
|
||||||
echo -e "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}" > "${OPENSSL_CONFIG}"
|
printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
|
||||||
}
|
}
|
||||||
|
|
||||||
function gen_ca() {
|
gen_ca() {
|
||||||
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
|
echo "[${ME}] Generating new CA: ${CA_KEY} / ${CA_CERT} ..."
|
||||||
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}" 2>/dev/null
|
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_KEY}"
|
||||||
chmod 0600 "${CA_KEY}"
|
chmod 0600 "${CA_KEY}"
|
||||||
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
|
openssl req -x509 -new -sha256 -nodes -key "${CA_KEY}" -days "${CA_DAYS}" -out "${CA_CERT}" \
|
||||||
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}" 2>/dev/null
|
-subj "/CN=my-CA" -extensions v3_ca -config "${OPENSSL_CONFIG}"
|
||||||
}
|
}
|
||||||
|
|
||||||
function gen_server_x509() {
|
gen_server_x509() {
|
||||||
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
|
echo "[${ME}] Generating new server x509: ${SERVER_KEY} / ${SERVER_CERT} ..."
|
||||||
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}" 2>/dev/null
|
openssl ecparam -name prime256v1 -genkey -noout -out "${SERVER_KEY}"
|
||||||
chmod 0600 "${SERVER_KEY}"
|
chmod 0600 "${SERVER_KEY}"
|
||||||
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \
|
openssl req -new -sha256 -key "${SERVER_KEY}" -subj "/CN=${ARG_CN}" \
|
||||||
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
|
| openssl x509 -req -sha256 -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial \
|
||||||
-out ${SERVER_CERT} -days "${DAYS}" \
|
-out ${SERVER_CERT} -days "${DAYS}" \
|
||||||
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}" 2>/dev/null
|
-extensions v3_req_server -extfile "${OPENSSL_CONFIG}"
|
||||||
}
|
}
|
||||||
|
|
||||||
function install_openssl() {
|
install_openssl() {
|
||||||
if type -p openssl >/dev/null; then
|
set +e
|
||||||
|
type openssl >/dev/null
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
return;
|
return;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f /etc/alpine-release ]; then
|
grep -q Ubuntu /etc/lsb-release
|
||||||
apk add --update openssl
|
if [ $? -eq 0 ]; then
|
||||||
elif [ -f /etc/centos-release ]; then
|
echo "[${ME}] Installing openssl in Ubuntu"
|
||||||
yum -y install openssl
|
|
||||||
elif grep -q Ubuntu /etc/lsb-release; then
|
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y install openssl
|
apt-get -y install openssl
|
||||||
|
elif [ -f /etc/alpine-release ]; then
|
||||||
|
echo "[${ME}] Installing openssl in Alpine"
|
||||||
|
apk add --update openssl
|
||||||
|
elif [ -f /etc/centos-release ]; then
|
||||||
|
echo "[${ME}] Installing openssl in CentOS"
|
||||||
|
yum -y install openssl
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
type openssl >/dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo "[${ME}] ERROR: Could not install openssl. Exitting."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
set -e
|
||||||
}
|
}
|
||||||
|
|
||||||
function start() {
|
start() {
|
||||||
echo "[${ME}] Started in ${PWD} directory."
|
echo "[${ME}] Started in ${PWD} directory."
|
||||||
|
|
||||||
install_openssl;
|
install_openssl;
|
||||||
@ -176,11 +189,13 @@ function start() {
|
|||||||
gen_ca;
|
gen_ca;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! openssl x509 -in "${CA_CERT}" -noout -checkend 2592000; then
|
openssl x509 -in "${CA_CERT}" -noout -checkend 2592000 >/dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
echo "[${ME}] WARNING! Your CA certificate will expire in less than 30 days."
|
echo "[${ME}] WARNING! Your CA certificate will expire in less than 30 days."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! openssl x509 -in "${CA_CERT}" -noout -checkend 1; then
|
openssl x509 -in "${CA_CERT}" -noout -checkend 1 >/dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
echo "[${ME}] WARNING! Your CA certificate has expired, so we will generate a new one."
|
echo "[${ME}] WARNING! Your CA certificate has expired, so we will generate a new one."
|
||||||
gen_ca;
|
gen_ca;
|
||||||
fi
|
fi
|
||||||
|
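Review bot: In the last hunk (start(), whose body begins and ends outside the hunk), turning `if ! openssl x509 … -checkend …; then` into a bare `openssl x509 … >/dev/null` followed by `if [ $? -ne 0 ]` is not errexit-safe: with the file's `set -e` active, a CA certificate within 30 days of expiry (or already expired) makes the bare openssl call fail and the script exits before the warning or the `gen_ca;` rerun is reached, which is the opposite of what the branch intends. It only appears to work because install_openssl's new `set +e` is never undone on the early `return;` when openssl is already present, so errexit stays disabled for the rest of the script on that path and behaviour now differs depending on whether openssl had to be installed. Keep the command inside the test, `if ! openssl x509 -in "${CA_CERT}" -noout -checkend 2592000 >/dev/null; then` (and the same for the `-checkend 1` check), and put `set -e` before the early return in install_openssl. Separately, `printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n"` in gen_openssl_config passes expanded data as the printf format string; if the config content carries the user-supplied `--cn` value (it is assembled outside this hunk), a `%` in it is interpreted as a conversion, so prefer `printf '%s\n%s\n' "${OPENSSL_CONFIG_CONTENT}" "${PAYLOAD}"` (or `%b` if the backslash escapes that `echo -e` used to interpret must be kept), and the same applies to the `printf "[${ME}] HELP: …"` line in print_help.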