#!/bin/bash
# info: generate self signed certificate and CSR request
# options: DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]
#
# example: v-generate-ssl-cert example.com mail@yahoo.com USA California Monterey ACME.COM IT
#
# This script generates a self-signed SSL certificate and a CSR

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

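# Argument definition
# Strip leading/trailing dots from a name using parameter expansion only, so
# the value is never passed to echo unquoted (no word splitting, no glob
# expansion, no mangling of values such as "-n")
_strip_dots() {
	local name=$1
	while [[ "$name" == .* ]]; do name=${name#.}; done
	while [[ "$name" == *. ]]; do name=${name%.}; done
	printf '%s' "$name"
}
domain=$(_strip_dots "$1")
domain_alias=$domain
email=$2
country=$3
state=$4
city=$5
org=$6
org_unit=$7
aliases=$8
format=${9-shell} # output format; defaults to "shell" only when $9 is unset
KEY_SIZE=4096     # RSA key length in bits
DAYS=365          # certificate validity in days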
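# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# Fail loudly if the main config did not provide HESTIA instead of sourcing
# a path like "/func/main.sh" and continuing with undefined helpers
: "${HESTIA:?HESTIA is not set (expected from /etc/hestiacp/hestia.conf)}"
# shellcheck source=/usr/local/hestia/func/main.sh
source "$HESTIA/func/main.sh"
# load config file
source_conf "$HESTIA/conf/hestia.conf"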
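# Json function
# Prints the generated files as a JSON object keyed by domain, using the
# globals domain, crt, key, csr and workdir. Values are emitted verbatim:
# crt/key/csr already carry literal "\n" sequences and domain has been
# checked by is_format_valid, so no JSON escaping is applied here.
json_list_ssl() {
	printf '{\n'
	printf '\t"%b": {\n' "$domain"
	printf '        "CRT": "%s",\n' "$crt"
	printf '        "KEY": "%s",\n' "$key"
	printf '        "CSR": "%s",\n' "$csr"
	printf '        "DIR": "%s"\n' "$workdir"
	printf '\t}\n}\n'
}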
# Shell function
# Prints crt, key and csr (each only when non-empty) followed by the work
# directory. The three values hold literal "\n" sequences; %b expands them
# back into real line breaks, as echo -e would.
shell_list_ssl() {
	[[ -n "$crt" ]] && printf '%b\n' "$crt"
	[[ -n "$key" ]] && printf '\n%b\n' "$key"
	[[ -n "$csr" ]] && printf '\n%b\n' "$csr"
	printf '\nDirectory: %b\n' "$workdir"
}
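# Additional argument formatting
format_domain_idn
# Convert a non-ASCII email address to its IDN form; quoted so the address
# is passed to idn2 as a single argument
if [[ "$email" = *[![:ascii:]]* ]]; then
	email=$(idn2 --quiet "$email")
fi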
#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

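args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
check_args '7' "$#" "$args_usage"
is_format_valid 'domain' 'aliases' 'format' 'email'
# Every DN component is quoted so a multi-word value (e.g. "New York") is
# checked as one value instead of being split into value + label.
is_common_format_valid "$country" "country"
is_common_format_valid "$state" "state"
# city goes into the subject (/L=) like the others, so it is checked too
is_common_format_valid "$city" "city"
is_common_format_valid "$org" "org"
# The seventh argument is stored in $org_unit; the previous check read an
# unset $unit and therefore never validated it.
is_common_format_valid "$org_unit" "unit"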
# lsb_release is consulted only on non-RHEL systems; $release stays unset otherwise
if [[ ! -f '/etc/redhat-release' ]]; then
	release="$(lsb_release -s -r)"
fi

# An email address is mandatory only on release 18.04
if [[ -z "$email" && "$release" = "18.04" ]]; then
	echo "Email address is required"
	exit 2
fi
# Make sure OpenSSL's seed file exists (presumably needed by older OpenSSL
# builds — TODO confirm)
[[ -f /root/.rnd ]] || touch /root/.rnd

# Perform verification if read-only mode is enabled
check_hestia_demo_mode
#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

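# Create temporary work directory (mktemp -d creates it accessible to the
# owner only) and abort if it cannot be created or entered, instead of
# silently writing key material into the current directory
workdir=$(mktemp -d) || { echo "Error: unable to create temporary directory" >&2; exit 1; }
cd "$workdir" || { echo "Error: unable to enter $workdir" >&2; exit 1; }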
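# Generate private key. The umask is set in a subshell so the key file is
# created owner-readable only without changing the mode of the files written
# later; a failure used to be silent and surface only as an empty listing.
(umask 077; openssl genrsa "$KEY_SIZE" > "$domain.key" 2> /dev/null) \
	|| { echo "Error: unable to generate private key for $domain" >&2; exit 1; }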
# Build the X.509 subject for the CSR; emailAddress is included only when an
# address was given. CN uses $domain_idn (presumably set by format_domain_idn
# above — verify).
subj=""
if [[ -n "$email" ]]; then
	subj="/emailAddress=$email"
fi

subj+="/C=$country/ST=$state/L=$city/O=$org"
subj+="/OU=$org_unit/CN=$domain_idn"
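if [[ -z "$aliases" ]]; then
	# NOTE(review): this CSR carries only a CN and no subjectAltName; clients
	# that require a SAN may not accept the resulting certificate — consider
	# always taking the SAN branch below, with the domain as the only entry
	openssl req -sha256 -new \
		-batch \
		-subj "$subj" \
		-key "$domain.key" \
		-out "$domain.csr" > /dev/null 2>&1
else
	# Build the subjectAltName list: the main domain plus every alias,
	# de-duplicated, with non-ASCII names converted to their IDN form. Names
	# are read line by line rather than word-splitting the command output.
	dns_aliases=""
	while IFS= read -r alias; do
		[[ -n "$alias" ]] || continue
		if [[ "$alias" = *[![:ascii:]]* ]]; then
			alias=$(idn2 --quiet "$alias")
		fi
		dns_aliases="${dns_aliases}DNS:$alias,"
	done < <(printf '%s\n' "$domain,$aliases" | tr ',' '\n' | sort -u)
	dns_aliases=${dns_aliases%,} # drop the trailing comma
	if [[ -e "/etc/ssl/openssl.cnf" ]]; then
		ssl_conf='/etc/ssl/openssl.cnf'
	else
		ssl_conf='/etc/pki/tls/openssl.cnf'
	fi

	# Append a [SAN] section to the system openssl.cnf. The alias list is
	# passed as a printf argument, never as the format string, so a stray "%"
	# cannot break the generated config.
	openssl req -sha256 -new \
		-batch \
		-subj "$subj" \
		-key "$domain.key" \
		-reqexts SAN \
		-config <(cat "$ssl_conf" \
			<(printf '[SAN]\nsubjectAltName=%s\n' "$dns_aliases")) \
		-out "$domain.csr" > /dev/null 2>&1
fi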
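# Generate the cert 1 year (self-signed with the key generated above).
# A failure used to be silent and only showed up as a listing without a CRT.
openssl x509 -req -sha256 \
	-days "$DAYS" \
	-in "$domain.csr" \
	-signkey "$domain.key" \
	-out "$domain.crt" > /dev/null 2>&1 \
	|| { echo "Error: unable to generate self signed certificate for $domain" >&2; exit 1; }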
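# Listing certificates
# Join a PEM file's lines with a literal "\n" so each value fits on one line
# (shell_list_ssl expands them back into real line breaks when printing)
_pem_oneline() {
	sed ':a;N;$!ba;s/\n/\\n/g' "$1"
}

if [[ -e "$domain.crt" ]]; then
	crt=$(_pem_oneline "$domain.crt")
fi

if [[ -e "$domain.key" ]]; then
	key=$(_pem_oneline "$domain.key")
fi

if [[ -e "$domain.csr" ]]; then
	csr=$(_pem_oneline "$domain.csr")
fi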
# Emit the result in the requested format; any other value is reported as a
# usage error for the [FORMAT] argument
case "$format" in
	json)
		json_list_ssl
		;;
	plain)
		nohead=1
		shell_list_ssl
		;;
	shell)
		shell_list_ssl
		;;
	*)
		check_args '1' '0' '[FORMAT]'
		;;
esac
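# Don't allow non root users view folder
# (660 on a directory carries no search bit, so only root, which bypasses
# permission checks, can enter it)
chmod 660 "$workdir"
# Clean up the mess: schedule removal in 15 minutes so the caller has time
# to collect the files. %q shell-quotes the path for the at(1) job, and a
# missing/failed at is reported instead of leaving the directory behind silently.
if ! printf 'rm -rf -- %q\n' "$workdir" | at -M "now +15 minute" > /dev/null 2>&1; then
	echo "Warning: could not schedule removal of $workdir" >&2
fi

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

# Logging
log_event "$OK" "$ARGUMENTS"

exit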