diff options
Diffstat (limited to 'dehydrated/share/hooks')
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.chrony | 4 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 65 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/deploy_ocsp.extra | 9 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.cleanup-extra-cert | 42 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.cleanup-extra-ocsp | 43 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.extra-cleanup | 77 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.fix-permissions | 10 | ||||
| -rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 15 |
8 files changed, 158 insertions, 107 deletions
diff --git a/dehydrated/share/hooks/deploy_cert.chrony b/dehydrated/share/hooks/deploy_cert.chrony index 9bccf75..40771a8 100755 --- a/dehydrated/share/hooks/deploy_cert.chrony +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -23,9 +23,9 @@ set -e if grep -Eqrs '^ *ntsservercert' /etc/chrony then - # https://bugs.debian.org/1013882 echo -n " + Copying certificate for chrony..." + # https://bugs.debian.org/1013882 cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem cp -fL "${KEYFILE}" /etc/chrony/key.pem diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index ec61676..5cf7b72 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -21,17 +21,68 @@ set -e -echo " + Creating extra certificate files..." +echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -for EXTRA in fullchain-privkey privkey-fullchain +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # long chain: + # * chain.pem: (R3 | ISRG Root X1) + # * fullchain.pem: (Certificate | R3 | ISRG Root X1) + CHAIN="long" +else + # short chain: + # * chain.pem: (R3) + # * fullchain.pem (Certificate | R3) + CHAIN="short" +fi + +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + grep -Ev '^$' "${DIRECTORY}/chain-${TIMESTAMP}.pem" > "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac + +# extra certificate permutations: +# * privkey_fullchain.pem: postfix +# * root_intermediate_cert.pem: redis + +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + + for FILE in $(echo ${EXTRA} | sed -e 's|_| |g') + do + cat "${DIRECTORY}/${FILE}-${TIMESTAMP}.pem" >> "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem" + done - cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" - ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem" + ln -sf "${EXTRA}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA}.pem" done echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.extra b/dehydrated/share/hooks/deploy_ocsp.extra index 36d0302..869616d 100755 --- a/dehydrated/share/hooks/deploy_ocsp.extra +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -26,12 +26,11 @@ echo " + Creating extra ocsp links..." DIRECTORY="$(dirname "${OCSPFILE}")" OCSP="$(readlink "${OCSPFILE}")" -for EXTRA in fullchain-privkey privkey-fullchain +for EXTRA in fullchain_privkey privkey_fullchain root_intermediate_cert do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + rm -f "${DIRECTORY}/${EXTRA}-${TIMESTAMP}.pem.ocsp" - ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp" + ln -sf "${OCSP}" "${DIRECTORY}/${EXTRA}.pem.ocsp" done echo " done." diff --git a/dehydrated/share/hooks/exit_hook.cleanup-extra-cert b/dehydrated/share/hooks/exit_hook.cleanup-extra-cert deleted file mode 100755 index 816a65c..0000000 --- a/dehydrated/share/hooks/exit_hook.cleanup-extra-cert +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -echo " + Deleting extra certificate files..." - -for EXTRA in fullchain-privkey privkey-fullchain -do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" - - for FILE in "${CERTDIR}"/*/"cert.${EXTRA1}-${EXTRA2}-"*.pem - do - LINK="$(dirname ${FILE})/cert.${EXTRA1}-${EXTRA2}.pem" - - if [ "${FILE}" != "${LINK}" ] - then - rm -f "${FILE}" - fi - done -done - -echo " done." diff --git a/dehydrated/share/hooks/exit_hook.cleanup-extra-ocsp b/dehydrated/share/hooks/exit_hook.cleanup-extra-ocsp deleted file mode 100755 index 0efc812..0000000 --- a/dehydrated/share/hooks/exit_hook.cleanup-extra-ocsp +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -echo " + Deleting extra ocsp links..." - -for EXTRA in fullchain-privkey privkey-fullchain -do - EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" - EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" - - for FILE in "${CERTDIR}"/*/ocsp-*.der - do - LINK="$(dirname ${FILE})/cert.${EXTRA1}-${EXTRA2}.pem.ocsp" - ORIGINAL="$(readlink "${LINK}")" - - if [ ! -e "$(dirname ${FILE})/${ORIGINAL}" ] - then - rm -f "${LINK}" - fi - done -done - -echo " done." diff --git a/dehydrated/share/hooks/exit_hook.extra-cleanup b/dehydrated/share/hooks/exit_hook.extra-cleanup new file mode 100755 index 0000000..02baa19 --- /dev/null +++ b/dehydrated/share/hooks/exit_hook.extra-cleanup @@ -0,0 +1,77 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo -n " + Cleanup extra certificate files..." + +for EXTRA in root intermediate fullchain_privkey privkey_fullchain root_intermediate_cert +do + for CERTIFICATE in "${CERTDIR}"/*/ + do + if ! ls "${CERTIFICATE}"/${EXTRA}*.pem > /dev/null 2>&1 + then + continue + fi + + SYMLINK="${CERTIFICATE}/${EXTRA}.pem" + ORIGINAL="$(readlink -f "${SYMLINK}")" + + if [ -e "${SYMLINK}" ] && [ ! -e "${ORIGINAL}" ] + then + # remove dangling symlink + rm -f "${SYMLINK}" + fi + + if [ -e "${SYMLINK}.ocsp" ] && [ ! -e "${ORIGINAL}.ocsp" ] + then + # remove dangling symlink + rm -f "${SYMLINK}.ocsp" + fi + + if [ -e "${SYMLINK}" ] + then + for FILE in "${CERTIFICATE}/${EXTRA}"-[0-9]*.pem + do + case "$(basename "${FILE}")" in + "$(basename "${ORIGINAL}")") + continue + ;; + + *) + # archive unused files + ARCHIVE="${BASEDIR}/archive/$(basename "${CERTIFICATE}")" + mkdir -p "${ARCHIVE}" + + mv "${FILE}" "${ARCHIVE}" + + if [ -e "${FILE}.ocsp" ] + then + mv "${FILE}.ocsp" "${ARCHIVE}" + fi + ;; + esac + done + fi + done +done + +echo " done." diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index 4a467a7..fa8ef95 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -21,7 +21,7 @@ set -e -if [ ! -e /var/lib/dehydrated/certs ] +if [ ! -e "${CERTDIR}" ] then exit 0 fi @@ -31,10 +31,10 @@ then echo -n " + Fixing file owner and permissions..." # https://bugs.debian.org/854431 - chown -R root:ssl-cert /var/lib/dehydrated/certs + chown -R root:ssl-cert "${CERTDIR}" - find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; - find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + find "${CERTDIR}" -type d -exec chmod 0750 {} \; + find "${CERTDIR}" -type f -exec chmod 0640 {} \; echo " done." fi diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index cf297ab..dcbbb58 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -2,7 +2,7 @@ # Open Infrastructure: service-tools -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# Copyright (C) 2014-2023 Daniel Baumann <daniel.baumann@open-infrastructure.net> # # SPDX-License-Identifier: GPL-3.0+ # @@ -25,7 +25,8 @@ Run_apache2 () { if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled then - service apache2 reload + service apache2 stop + service apache2 start fi } @@ -37,6 +38,14 @@ Run_chrony () fi } +Run_freeradius () +{ + if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/* + then + service freeradius reload + fi +} + Run_haproxy () { if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' @@ -95,7 +104,7 @@ Run_redis_server () echo " + Reloading services:" -SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" +SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server" for SERVICE in ${SERVICES} do |