You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
190 lines
4.5 KiB
190 lines
4.5 KiB
#!/bin/bash
|
|
# info: generate self signed certificate and CSR request
|
|
# options: DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]
|
|
#
|
|
# example: v-generate-ssl-cert example.com mail@yahoo.com USA California Monterey ACME.COM IT
|
|
#
|
|
# This function generates self signed SSL certificate and CSR request
|
|
|
|
#----------------------------------------------------------#
|
|
# Variables & Functions #
|
|
#----------------------------------------------------------#
|
|
|
|
# Argument definition
|
|
domain=$1
|
|
domain=$(echo $domain | sed -e 's/\.*$//g' -e 's/^\.*//g')
|
|
domain_alias=$domain
|
|
email=$2
|
|
country=$3
|
|
state=$4
|
|
city=$5
|
|
org=$6
|
|
org_unit=$7
|
|
aliases=$8
|
|
format=${9-shell}
|
|
KEY_SIZE=4096
|
|
DAYS=365
|
|
|
|
# Includes
|
|
# shellcheck source=/etc/hestiacp/hestia.conf
|
|
source /etc/hestiacp/hestia.conf
|
|
# shellcheck source=/usr/local/hestia/func/main.sh
|
|
source $HESTIA/func/main.sh
|
|
# load config file
|
|
source_conf "$HESTIA/conf/hestia.conf"
|
|
|
|
# Json function
|
|
json_list_ssl() {
|
|
i='1' # iterator
|
|
echo '{'
|
|
echo -e "\t\"$domain\": {"
|
|
echo " \"CRT\": \"$crt\","
|
|
echo " \"KEY\": \"$key\","
|
|
echo " \"CSR\": \"$csr\","
|
|
echo " \"DIR\": \"$workdir\""
|
|
echo -e "\t}\n}"
|
|
}
|
|
|
|
# Shell function
|
|
shell_list_ssl() {
|
|
if [ -n "$crt" ]; then
|
|
echo -e "$crt"
|
|
fi
|
|
if [ -n "$key" ]; then
|
|
echo -e "\n$key"
|
|
fi
|
|
if [ -n "$csr" ]; then
|
|
echo -e "\n$csr"
|
|
fi
|
|
echo -e "\nDirectory: $workdir"
|
|
}
|
|
|
|
# Additional argument formatting
|
|
format_domain_idn
|
|
if [[ "$email" = *[![:ascii:]]* ]]; then
|
|
email=$(idn2 --quiet $email)
|
|
fi
|
|
|
|
#----------------------------------------------------------#
|
|
# Verifications #
|
|
#----------------------------------------------------------#
|
|
|
|
args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
|
|
check_args '7' "$#" "$args_usage"
|
|
is_format_valid 'domain' 'aliases' 'format' 'email'
|
|
is_common_format_valid $country "country"
|
|
is_common_format_valid $state "state"
|
|
is_common_format_valid $org "org"
|
|
is_common_format_valid $unit "unit"
|
|
|
|
if [ ! -f '/etc/redhat-release' ]; then
|
|
release="$(lsb_release -s -r)"
|
|
fi
|
|
|
|
if [ -z "$email" ] && [ "$release" = "18.04" ]; then
|
|
echo "Email address is required"
|
|
exit 2
|
|
fi
|
|
if [ ! -f /root/.rnd ]; then
|
|
touch /root/.rnd
|
|
fi
|
|
|
|
# Perform verification if read-only mode is enabled
|
|
check_hestia_demo_mode
|
|
|
|
#----------------------------------------------------------#
|
|
# Action #
|
|
#----------------------------------------------------------#
|
|
|
|
# Create temporary work directory
|
|
workdir=$(mktemp -d)
|
|
cd $workdir
|
|
|
|
# Generate private key
|
|
openssl genrsa "$KEY_SIZE" > "$domain.key" 2> /dev/null
|
|
|
|
subj=""
|
|
# Generate the CSR
|
|
if [ -n "$email" ]; then
|
|
subj="/emailAddress=$email"
|
|
fi
|
|
|
|
subj="$subj/C=$country/ST=$state/L=$city/O=$org"
|
|
subj="$subj/OU=$org_unit/CN=$domain_idn"
|
|
|
|
if [ -z "$aliases" ]; then
|
|
openssl req -sha256 -new \
|
|
-batch \
|
|
-subj "$subj" \
|
|
-key $domain.key \
|
|
-out $domain.csr > /dev/null 2>&1
|
|
else
|
|
for alias in $(echo $domain,$aliases | tr ',' '\n' | sort -u); do
|
|
if [[ "$alias" = *[![:ascii:]]* ]]; then
|
|
alias=$(idn2 --quiet $alias)
|
|
fi
|
|
dns_aliases="${dns_aliases}DNS:$alias,"
|
|
done
|
|
dns_aliases=$(echo $dns_aliases | sed "s/,$//")
|
|
if [ -e "/etc/ssl/openssl.cnf" ]; then
|
|
ssl_conf='/etc/ssl/openssl.cnf'
|
|
else
|
|
ssl_conf="/etc/pki/tls/openssl.cnf"
|
|
fi
|
|
|
|
openssl req -sha256 -new \
|
|
-batch \
|
|
-subj "$subj" \
|
|
-key $domain.key \
|
|
-reqexts SAN \
|
|
-config <(cat $ssl_conf \
|
|
<(printf "[SAN]\nsubjectAltName=$dns_aliases")) \
|
|
-out $domain.csr > /dev/null 2>&1
|
|
fi
|
|
|
|
# Generate the cert 1 year
|
|
openssl x509 -req -sha256 \
|
|
-days $DAYS \
|
|
-in $domain.csr \
|
|
-signkey $domain.key \
|
|
-out $domain.crt > /dev/null 2>&1
|
|
|
|
# Listing certificates
|
|
if [ -e "$domain.crt" ]; then
|
|
crt=$(cat $domain.crt | sed ':a;N;$!ba;s/\n/\\n/g')
|
|
fi
|
|
|
|
if [ -e "$domain.key" ]; then
|
|
key=$(cat $domain.key | sed ':a;N;$!ba;s/\n/\\n/g')
|
|
fi
|
|
|
|
if [ -e "$domain.csr" ]; then
|
|
csr=$(cat $domain.csr | sed ':a;N;$!ba;s/\n/\\n/g')
|
|
fi
|
|
|
|
case $format in
|
|
json) json_list_ssl ;;
|
|
plain)
|
|
nohead=1
|
|
shell_list_ssl
|
|
;;
|
|
shell) shell_list_ssl ;;
|
|
*) check_args '1' '0' '[FORMAT]' ;;
|
|
esac
|
|
|
|
# Don't allow non root users view folder
|
|
chmod 660 $workdir
|
|
# Clean up the mess
|
|
echo "rm -rf $workdir" | at -M "now +15 minute" > /dev/null 2>&1
|
|
# Delete tmp dir
|
|
#rm -rf $workdir
|
|
|
|
#----------------------------------------------------------#
|
|
# Hestia #
|
|
#----------------------------------------------------------#
|
|
|
|
# Logging
|
|
log_event "$OK" "$ARGUMENTS"
|
|
|
|
exit
|