
initial commit

Branch: master
Author: Bret R. Human, 9 months ago
Commit: 64274baa10
5 changed files with 196 additions and 0 deletions
  1. LICENSE (+51, -0)
  2. README.md (+9, -0)
  3. lets_encrypt_examples (+42, -0)
  4. letsencrypt.sh (+74, -0)
  5. ocsp.sh (+20, -0)

LICENSE (+51, -0)

@@ -0,0 +1,51 @@
letsEncryptScripts
===
Copyright (c) 2017, Bret R. Human
All rights reserved.

Further documentation can be found at
https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts/
Happy modding! -Bret

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
the documentation link and note, this list of conditions, and the following
disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
Ask what we can build for you at info@cynicaloptimist.me"

4. The names "Cynical Optimist" and "Bret R. Human" and the software name listed
at the top of this document, or the domain "cynicaloptimist.me" or any
affiliated service must not be used to endorse or promote products derived
from this software without prior written permission. For written permission,
contact info@cynicaloptimist.me.

5. Products derived from this software may not be called the software name
listed at the top of this document nor may "Cynical Optimist" or the software
name listed at the top of this document appear in their names without prior
written permission of Bret R. Human.

6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
Ask what we can build for you at info@cynicaloptimist.me"

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md (+9, -0)

@@ -0,0 +1,9 @@
letsEncryptScripts
=============================
How to generate and manage a fleet of SSL certificates for free with ease.



## Usage

See the lets_encrypt_examples file for a run through.
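Review bot: the README points only at lets_encrypt_examples and never states what the scripts assume is already in place, none of which this commit creates: acme-tiny plus an `acme-tiny-wrapper` on PATH, `/etc/acme-tiny/csr` and `/etc/acme-tiny/live` owned by a `letsencrypt` user, HAProxy with the alternate `haproxy.cfg.le` and `haproxy.cfg.latest_working` configs and `/etc/haproxy/dhparams.pem`, nginx serving `/usr/share/nginx/html/.well-known/acme-challenge/`, an `/etc/hosts.le_upd` hosts file, `/root/.script/hapos-upd.sh`, and a pacman package cache under `/var/cache/pacman/pkg`. Add a prerequisites list, and a line on how the two scripts are meant to be scheduled (the in-file comments say nightly for ocsp.sh and before the 90-day expiry for letsencrypt.sh). Nit: these are TLS certificates; "SSL" is the legacy name.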

lets_encrypt_examples (+42, -0)

@@ -0,0 +1,42 @@
## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Random script samples for SSL cert generation



############### Generate a new domain key (must be root) ################
# 1. Replace "example.com" with your intended domain name and run the
# commands below.
# 2. Make sure to keep this key safe. It is the basis for all SSL certs
# signed with it in the future. If an attacker gets it, they can
# generate certificates that seem like they're genuinely from you.


openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/keys/example.com.key
chmod 700 /etc/ssl/keys
chmod 400 /etc/ssl/keys/example.com.key



################### Generate a new csr (must be root) ###################
# Only perform this if you're creating a new subdomain with an existing
# domain key.
#
# 1. Replace "subdomain.example.com" with your intended hostname
# and run the command below
# 2. Move existing csr files to /etc/acme-tiny/temp/
# mv /etc/acme-tiny/csr/* /etc/acme-tiny/temp/
# 3. Place new csr in /etc/acme-tiny/csr/
# 4. Run /root/.script/letsencrypt.sh
# 5. Move the other csr files back so they can be renewed later
# mv /etc/acme-tiny/temp/* /etc/acme-tiny/csr/
# 6. Don't forget to renew the certs before the 90 day expiration!

openssl req -new -sha256 -key /etc/ssl/keys/example.com.key -subj "/CN=subdomain.example.com" > /etc/acme-tiny/csr/subdomain.example.com.csr
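Review bot: the key is created before it is protected. `openssl genpkey ... -out /etc/ssl/keys/example.com.key` writes the file under the caller's umask (0644 with the usual 022) and only then do `chmod 700 /etc/ssl/keys` and `chmod 400 ...example.com.key` run; put `umask 077` (or create the directory as 0700) ahead of the `genpkey` line so the private key is never world-readable, even briefly. The warning comment also gets the threat slightly wrong: holding the private key does not by itself let an attacker "generate certificates" (the ACME server still requires a domain-validation challenge), but it does let them impersonate every host whose certificate was issued for that key, and since the CSR step reuses `example.com.key` for every subdomain, one key compromise covers the whole fleet; say that next to the "keep this key safe" note, and consider one key per host to contain it. Finally, the move-to-temp/move-back sequence around `/etc/acme-tiny/csr/` for adding a subdomain is easy to get wrong and leaves CSRs in the wrong place if step 4 fails, and "don't forget to renew before 90 days" should be a cron entry for letsencrypt.sh rather than a comment.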

letsencrypt.sh (+74, -0)

@@ -0,0 +1,74 @@
#!/bin/bash

## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Generate and manage a fleet of SSL certificates for free with ease

# Stuff the public certificates in your package repository!
# - No trailing slash! -
pacRepo="/var/cache/pacman/pkg"

umask 022
echo "#############################"
date
echo "#############################"

## Define our functions

function exampleChain () {
echo "Chaining ${1}example.com..."
cat /etc/ssl/keys/example.com.key /etc/acme-tiny/live/${1}example.com/cert.pem /etc/haproxy/dhparams.pem > /etc/haproxy/crt/${1}example.com.pem
echo "Pubkeying ${1}example.com..."
cat /etc/acme-tiny/live/${1}example.com/cert.pem > /var/cache/pacman/pkg/pubcerts/${1}example.com.pem
}



# Get encryptin'

echo "*** Moving original hosts file..."
mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts

chown -R letsencrypt: /etc/acme-tiny/

echo "*** Switching HAProxy to basic config..."
systemctl stop haproxy
mv /etc/haproxy/haproxy.cfg /etc/haproxy/backup_configs/haproxy.cfg.$(date +'%Y%m%d_%H-%M')
cp /etc/haproxy/haproxy.cfg.le /etc/haproxy/haproxy.cfg
systemctl start haproxy

cd /etc/acme-tiny/
echo "*** Running acme-tiny-wrapper..."
acme-tiny-wrapper /usr/share/nginx/html/.well-known/acme-challenge/
echo "Moving original hosts file back..."
cp /etc/hosts.orig /etc/hosts

chown -R letsencrypt: /etc/acme-tiny/

exampleChain ""
exampleChain "www."
exampleChain "subdomain."

chmod 755 "${pacRepo}"/pubcerts/
chmod 644 "${pacRepo}"/pubcerts/*
chown -R root: "${pacRepo}"/pubcerts/
chmod 700 /etc/haproxy/crt/
chmod 600 /etc/haproxy/crt/*
chown root: /etc/haproxy/crt/*

echo "Switching HAProxy back to standard config..."
systemctl stop haproxy
cp /etc/haproxy/haproxy.cfg.latest_working /etc/haproxy/haproxy.cfg
systemctl start haproxy

echo "Cleaning up the acme-challenge folder..."
rm /usr/share/nginx/html/.well-known/acme-challenge/*

echo "Done."
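Review bot: the hosts-file restore does not match the backup. `mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts` saves the original as `/etc/hosts.bak`, but the restore is `cp /etc/hosts.orig /etc/hosts`; unless a `/etc/hosts.orig` happens to exist that copy fails and the machine keeps the Let's Encrypt hosts file after the run, while `/etc/hosts.bak` is never used. Restore from what was saved, e.g. `mv /etc/hosts.bak /etc/hosts`. The HAProxy config handling has the same shape: the live config is moved to `backup_configs/haproxy.cfg.<timestamp>` but the script restores `haproxy.cfg.latest_working`, a file nothing here updates. Second, nothing checks for failure: there is no `set -e` and the exit status of `acme-tiny-wrapper` is ignored, so on a failed issuance `exampleChain` still runs, `cat`s a missing or stale `cert.pem` into `/etc/haproxy/crt/*.pem`, and HAProxy is restarted on the result; test the wrapper's status and abort (restoring hosts and haproxy.cfg) before chaining anything. Third, `exampleChain` writes the private key into `/etc/haproxy/crt/${1}example.com.pem` under `umask 022`, so the file is 0644 until the `chmod 600` near the end; that is only harmless if `/etc/haproxy/crt/` is already 0700 from an earlier run, so set `umask 077` at the top (the pubcerts copies get an explicit `chmod 644` anyway) or fix the directory mode before writing. Minor: `exampleChain` hard-codes `/var/cache/pacman/pkg/pubcerts/` instead of using `${pacRepo}`, which defeats the point of the variable.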

ocsp.sh (+20, -0)

@@ -0,0 +1,20 @@
## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Script for updating OCSP staples.
# Intended to be cron'd nightly - also solves the
# HAProxy SSL session issues (cleans up the SSL
# sessions every night)
#
# Don't forget to add any new domains you want
# stapled to this list!

rm /etc/haproxy/crt/*.pem.ocsp
/root/.script/hapos-upd.sh --cert /etc/haproxy/crt/subdomain.example.com.pem --skip-update
systemctl restart haproxy
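Review bot: `rm /etc/haproxy/crt/*.pem.ocsp` deletes every staple before anything is regenerated, but only `subdomain.example.com.pem` is passed to hapos-upd.sh, so `example.com.pem` and `www.example.com.pem` produced by letsencrypt.sh are left without a staple after every nightly run, and if hapos-upd.sh fails HAProxy is restarted with no staples at all. Generate into a temporary file and replace the old `.pem.ocsp` only on success, and loop over the certificates in `/etc/haproxy/crt/` (or the list letsencrypt.sh chains) instead of keeping a second hand-edited list that the comment already warns must be kept in sync. Two smaller points: the file has no `#!/bin/bash` line (letsencrypt.sh does), so which shell runs it depends on how cron invokes it; and `systemctl restart haproxy` drops in-flight connections where `systemctl reload haproxy` would pick up the new staple files without the outage.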
