hestiacp/bin/v-generate-ssl-cert

#!/bin/bash
# info: generate self signed certificate and CSR request
# options: DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]
#
# example: v-generate-ssl-cert example.com mail@yahoo.com USA California Monterey ACME.COM IT
#
# This function generates self signed SSL certificate and CSR request

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

# Argument definition
domain=$1
domain=$(echo $domain | sed -e 's/\.*$//g' -e 's/^\.*//g')
domain_alias=$domain
email=$2
country=$3
state=$4
city=$5
org=$6
org_unit=$7
aliases=$8
format=${9-shell}
KEY_SIZE=4096
DAYS=365

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"

# Json function
json_list_ssl() {
	i='1' # iterator
	echo '{'
	echo -e "\t\"$domain\": {"
	echo "        \"CRT\": \"$crt\","
	echo "        \"KEY\": \"$key\","
	echo "        \"CSR\": \"$csr\","
	echo "        \"DIR\": \"$workdir\""
	echo -e "\t}\n}"
}

# Shell function
shell_list_ssl() {
	if [ -n "$crt" ]; then
		echo -e "$crt"
	fi
	if [ -n "$key" ]; then
		echo -e "\n$key"
	fi
	if [ -n "$csr" ]; then
		echo -e "\n$csr"
	fi
	echo -e "\nDirectory: $workdir"
}

# Additional argument formatting
format_domain_idn
if [[ "$email" = *[![:ascii:]]* ]]; then
	email=$(idn2 --quiet $email)
fi

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
check_args '7' "$#" "$args_usage"
is_format_valid 'domain' 'aliases' 'format' 'email'
is_common_format_valid $country "country"
is_common_format_valid $state "state"
is_common_format_valid $org "org"
is_common_format_valid $unit "unit"

if [ ! -f '/etc/redhat-release' ]; then
	release="$(lsb_release -s -r)"
fi

if [ -z "$email" ] && [ "$release" = "18.04" ]; then
	echo "Email address is required"
	exit 2
fi
if [ ! -f /root/.rnd ]; then
	touch /root/.rnd
fi

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Create temporary work directory
workdir=$(mktemp -d)
cd $workdir

# Generate private key
openssl genrsa "$KEY_SIZE" > "$domain.key" 2> /dev/null

subj=""
# Generate the CSR
if [ -n "$email" ]; then
	subj="/emailAddress=$email"
fi

subj="$subj/C=$country/ST=$state/L=$city/O=$org"
subj="$subj/OU=$org_unit/CN=$domain_idn"

if [ -z "$aliases" ]; then
	openssl req -sha256 -new \
		-batch \
		-subj "$subj" \
		-key $domain.key \
		-out $domain.csr > /dev/null 2>&1
else
	for alias in $(echo $domain,$aliases | tr ',' '\n' | sort -u); do
		if [[ "$alias" = *[![:ascii:]]* ]]; then
			alias=$(idn2 --quiet $alias)
		fi
		dns_aliases="${dns_aliases}DNS:$alias,"
	done
	dns_aliases=$(echo $dns_aliases | sed "s/,$//")
	if [ -e "/etc/ssl/openssl.cnf" ]; then
		ssl_conf='/etc/ssl/openssl.cnf'
	else
		ssl_conf="/etc/pki/tls/openssl.cnf"
	fi

	openssl req -sha256 -new \
		-batch \
		-subj "$subj" \
		-key $domain.key \
		-reqexts SAN \
		-config <(cat $ssl_conf \
			<(printf "[SAN]\nsubjectAltName=$dns_aliases")) \
		-out $domain.csr > /dev/null 2>&1
fi

# Generate the cert 1 year
openssl x509 -req -sha256 \
	-days $DAYS \
	-in $domain.csr \
	-signkey $domain.key \
	-out $domain.crt > /dev/null 2>&1

# Listing certificates
if [ -e "$domain.crt" ]; then
	crt=$(cat $domain.crt | sed ':a;N;$!ba;s/\n/\\n/g')
fi

if [ -e "$domain.key" ]; then
	key=$(cat $domain.key | sed ':a;N;$!ba;s/\n/\\n/g')
fi

if [ -e "$domain.csr" ]; then
	csr=$(cat $domain.csr | sed ':a;N;$!ba;s/\n/\\n/g')
fi

case $format in
	json) json_list_ssl ;;
	plain)
		nohead=1
		shell_list_ssl
		;;
	shell) shell_list_ssl ;;
	*) check_args '1' '0' '[FORMAT]' ;;
esac

# Don't allow non root users view folder
chmod 660 $workdir
# Clean up the mess
echo "rm -rf $workdir" | at -M "now +15 minute" > /dev/null 2>&1
# Delete tmp dir
#rm -rf $workdir

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

# Logging
log_event "$OK" "$ARGUMENTS"

exit
Initial 2 years ago			`#!/bin/bash`
			`# info: generate self signed certificate and CSR request`
			`# options: DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]`
			`#`
			`# example: v-generate-ssl-cert example.com mail@yahoo.com USA California Monterey ACME.COM IT`
			`#`
			`# This function generates self signed SSL certificate and CSR request`

			`#----------------------------------------------------------#`
			`# Variables & Functions #`
			`#----------------------------------------------------------#`

			`# Argument definition`
			`domain=$1`
			`domain=$(echo $domain \| sed -e 's/\.$//g' -e 's/^\.//g')`
			`domain_alias=$domain`
			`email=$2`
			`country=$3`
			`state=$4`
			`city=$5`
			`org=$6`
			`org_unit=$7`
			`aliases=$8`
			`format=${9-shell}`
			`KEY_SIZE=4096`
			`DAYS=365`

			`# Includes`
			`# shellcheck source=/etc/hestiacp/hestia.conf`
			`source /etc/hestiacp/hestia.conf`
			`# shellcheck source=/usr/local/hestia/func/main.sh`
			`source $HESTIA/func/main.sh`
			`# load config file`
			`source_conf "$HESTIA/conf/hestia.conf"`

			`# Json function`
			`json_list_ssl() {`
			`i='1' # iterator`
			`echo '{'`
			`echo -e "\t\"$domain\": {"`
			`echo " \"CRT\": \"$crt\","`
			`echo " \"KEY\": \"$key\","`
			`echo " \"CSR\": \"$csr\","`
			`echo " \"DIR\": \"$workdir\""`
			`echo -e "\t}\n}"`
			`}`

			`# Shell function`
			`shell_list_ssl() {`
			`if [ -n "$crt" ]; then`
			`echo -e "$crt"`
			`fi`
			`if [ -n "$key" ]; then`
			`echo -e "\n$key"`
			`fi`
			`if [ -n "$csr" ]; then`
			`echo -e "\n$csr"`
			`fi`
			`echo -e "\nDirectory: $workdir"`
			`}`

			`# Additional argument formatting`
			`format_domain_idn`
			`if [[ "$email" = [![:ascii:]] ]]; then`
			`email=$(idn2 --quiet $email)`
			`fi`

			`#----------------------------------------------------------#`
			`# Verifications #`
			`#----------------------------------------------------------#`

			`args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'`
			`check_args '7' "$#" "$args_usage"`
			`is_format_valid 'domain' 'aliases' 'format' 'email'`
			`is_common_format_valid $country "country"`
			`is_common_format_valid $state "state"`
			`is_common_format_valid $org "org"`
			`is_common_format_valid $unit "unit"`

			`if [ ! -f '/etc/redhat-release' ]; then`
			`release="$(lsb_release -s -r)"`
			`fi`

			`if [ -z "$email" ] && [ "$release" = "18.04" ]; then`
			`echo "Email address is required"`
			`exit 2`
			`fi`
			`if [ ! -f /root/.rnd ]; then`
			`touch /root/.rnd`
			`fi`

			`# Perform verification if read-only mode is enabled`
			`check_hestia_demo_mode`

			`#----------------------------------------------------------#`
			`# Action #`
			`#----------------------------------------------------------#`

			`# Create temporary work directory`
			`workdir=$(mktemp -d)`
			`cd $workdir`

			`# Generate private key`
			`openssl genrsa "$KEY_SIZE" > "$domain.key" 2> /dev/null`

			`subj=""`
			`# Generate the CSR`
			`if [ -n "$email" ]; then`
			`subj="/emailAddress=$email"`
			`fi`

			`subj="$subj/C=$country/ST=$state/L=$city/O=$org"`
			`subj="$subj/OU=$org_unit/CN=$domain_idn"`

			`if [ -z "$aliases" ]; then`
			`openssl req -sha256 -new \`
			`-batch \`
			`-subj "$subj" \`
			`-key $domain.key \`
			`-out $domain.csr > /dev/null 2>&1`
			`else`
			`for alias in $(echo $domain,$aliases \| tr ',' '\n' \| sort -u); do`
			`if [[ "$alias" = [![:ascii:]] ]]; then`
			`alias=$(idn2 --quiet $alias)`
			`fi`
			`dns_aliases="${dns_aliases}DNS:$alias,"`
			`done`
			`dns_aliases=$(echo $dns_aliases \| sed "s/,$//")`
			`if [ -e "/etc/ssl/openssl.cnf" ]; then`
			`ssl_conf='/etc/ssl/openssl.cnf'`
			`else`
			`ssl_conf="/etc/pki/tls/openssl.cnf"`
			`fi`

			`openssl req -sha256 -new \`
			`-batch \`
			`-subj "$subj" \`
			`-key $domain.key \`
			`-reqexts SAN \`
			`-config <(cat $ssl_conf \`
			`<(printf "[SAN]\nsubjectAltName=$dns_aliases")) \`
			`-out $domain.csr > /dev/null 2>&1`
			`fi`

			`# Generate the cert 1 year`
			`openssl x509 -req -sha256 \`
			`-days $DAYS \`
			`-in $domain.csr \`
			`-signkey $domain.key \`
			`-out $domain.crt > /dev/null 2>&1`

			`# Listing certificates`
			`if [ -e "$domain.crt" ]; then`
			`crt=$(cat $domain.crt \| sed ':a;N;$!ba;s/\n/\\n/g')`
			`fi`

			`if [ -e "$domain.key" ]; then`
			`key=$(cat $domain.key \| sed ':a;N;$!ba;s/\n/\\n/g')`
			`fi`

			`if [ -e "$domain.csr" ]; then`
			`csr=$(cat $domain.csr \| sed ':a;N;$!ba;s/\n/\\n/g')`
			`fi`

			`case $format in`
			`json) json_list_ssl ;;`
			`plain)`
			`nohead=1`
			`shell_list_ssl`
			`;;`
			`shell) shell_list_ssl ;;`
			`*) check_args '1' '0' '[FORMAT]' ;;`
			`esac`

			`# Don't allow non root users view folder`
			`chmod 660 $workdir`
			`# Clean up the mess`
			`echo "rm -rf $workdir" \| at -M "now +15 minute" > /dev/null 2>&1`
			`# Delete tmp dir`
			`#rm -rf $workdir`

			`#----------------------------------------------------------#`
			`# Hestia #`
			`#----------------------------------------------------------#`

			`# Logging`
			`log_event "$OK" "$ARGUMENTS"`

			`exit`