From 64274baa1085ac99566990b95049ff5fb178342f Mon Sep 17 00:00:00 2001
From: "Bret R. Human"
Date: Tue, 21 May 2019 06:42:03 -0400
Subject: [PATCH] initial commit
---
LICENSE | 51 +++++++++++++++++++++++++++++
README.md | 9 ++++++
lets_encrypt_examples | 42 ++++++++++++++++++++++++
letsencrypt.sh | 74 +++++++++++++++++++++++++++++++++++++++++++
ocsp.sh | 20 ++++++++++++
5 files changed, 196 insertions(+)
create mode 100644 LICENSE
create mode 100644 README.md
create mode 100644 lets_encrypt_examples
create mode 100755 letsencrypt.sh
create mode 100755 ocsp.sh
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..bd4d1c6
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,51 @@
+letsEncryptScripts
+===
+Copyright (c) 2017, Bret R. Human
+All rights reserved.
+
+Further documentation can be found at
+ https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts/
+Happy modding! -Bret
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+ the documentation link and note, this list of conditions, and the following
+ disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this
+ software must display the following acknowledgment:
+"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
+ Ask what we can build for you at info@cynicaloptimist.me"
+
+4. The names "Cynical Optimist" and "Bret R. Human" and the software name listed
+ at the top of this document, or the domain "cynicaloptimist.me" or any
+ affiliated service must not be used to endorse or promote products derived
+ from this software without prior written permission. For written permission,
+ contact info@cynicaloptimist.me.
+
+5. Products derived from this software may not be called the software name
+ listed at the top of this document nor may "Cynical Optimist" or the software
+ name listed at the top of this document appear in their names without prior
+ written permission of Bret R. Human.
+
+6. Redistributions of any form whatsoever must retain the following
+ acknowledgment:
+"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
+ Ask what we can build for you at info@cynicaloptimist.me"
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..696bc54
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+letsEncryptScripts
+=============================
+How to generate and manage a fleet of SSL certificates for free with ease.
+
+
+
+## Usage
+
+See the lets_encrypt_examples file for a run through.
\ No newline at end of file
diff --git a/lets_encrypt_examples b/lets_encrypt_examples
new file mode 100644
index 0000000..a6821fd
--- /dev/null
+++ b/lets_encrypt_examples
@@ -0,0 +1,42 @@
+## Copyright © 2017 Bret Human
+## https://cynicaloptimist.me/
+##
+## Documentation at:
+## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
+##
+## For questions or comments write:
+## info@cynicaloptimist.me
+#
+# Random script samples for SSL cert generation
+
+
+
+############### Generate a new domain key (must be root) ################
+# 1. Replace "example.com" with your intended domain name and run the
+# commands below.
+# 2. Make sure to keep this key safe. It is the basis for all SSL certs
+# signed with it in the future. If an attacker gets it, they can
+# generate certificates that seem like they're genuinely from you.
+
+
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/keys/example.com.key
+chmod 700 /etc/ssl/keys
+chmod 400 /etc/ssl/keys/example.com.key
+
+
+
+################### Generate a new csr (must be root) ###################
+# Only perform this if you're creating a new subdomain with an existing
+# domain key.
+#
+# 1. Replace "subdomain.example.com" with your intended hostname
+# and run the command below
+# 2. Move existing csr files to /etc/acme-tiny/temp/
+# mv /etc/acme-tiny/csr/* /etc/acme-tiny/temp/
+# 3. Place new csr in /etc/acme-tiny/csr/
+# 4. Run /root/.script/letsencrypt.sh
+# 5. Move the other csr files back so they can be renewed later
+# mv /etc/acme-tiny/temp/* /etc/acme-tiny/csr/
+# 6. Don't forget to renew the certs before the 90 day expiration!
+
+openssl req -new -sha256 -key /etc/ssl/keys/example.com.key -subj "/CN=subdomain.example.com" > /etc/acme-tiny/csr/subdomain.example.com.csr
\ No newline at end of file
diff --git a/letsencrypt.sh b/letsencrypt.sh
new file mode 100755
index 0000000..a8cea55
--- /dev/null
+++ b/letsencrypt.sh
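Review bot: In the "Generate a new domain key" section the private key is written by `openssl genpkey` before `chmod 700 /etc/ssl/keys` and `chmod 400` run, so with a default umask the key briefly exists world-readable in a directory that may still be world-searchable; put `umask 077` and the directory `chmod 700 /etc/ssl/keys` ahead of the `genpkey` line so the key is never created with open permissions and the later `chmod 400` is only a safety net. The warning in item 2 also misstates the impact: possession of the key lets an attacker impersonate the host's TLS endpoints, not issue certificates (issuance still goes through the CA's challenge), so I'd reword it to `# signed with it in the future. If an attacker gets it, they can` / `# impersonate your site's TLS endpoints.`. The csr workflow (steps 2 and 5) relies on manually moving files in and out of /etc/acme-tiny/temp/; a one-line comment noting that letsencrypt.sh processes every csr in /etc/acme-tiny/csr/ would explain why the shuffle is needed.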
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+## Copyright © 2017 Bret Human
+## https://cynicaloptimist.me/
+##
+## Documentation at:
+## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
+##
+## For questions or comments write:
+## info@cynicaloptimist.me
+#
+# Generate and manage a fleet of SSL certificates for free with ease
+
+# Stuff the public certificates in your package repository!
+# - No trailing slash! -
+pacRepo="/var/cache/pacman/pkg"
+
+umask 022
+echo "#############################"
+date
+echo "#############################"
+
+## Define our functions
+
+function exampleChain () {
+ echo "Chaining ${1}example.com..."
+ cat /etc/ssl/keys/example.com.key /etc/acme-tiny/live/${1}example.com/cert.pem /etc/haproxy/dhparams.pem > /etc/haproxy/crt/${1}example.com.pem
+ echo "Pubkeying ${1}example.com..."
+ cat /etc/acme-tiny/live/${1}example.com/cert.pem > /var/cache/pacman/pkg/pubcerts/${1}example.com.pem
+}
+
+
+
+# Get encryptin'
+
+echo "*** Moving original hosts file..."
+mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts
+
+chown -R letsencrypt: /etc/acme-tiny/
+
+echo "*** Switching HAProxy to basic config..."
+systemctl stop haproxy
+mv /etc/haproxy/haproxy.cfg /etc/haproxy/backup_configs/haproxy.cfg.$(date +'%Y%m%d_%H-%M')
+cp /etc/haproxy/haproxy.cfg.le /etc/haproxy/haproxy.cfg
+systemctl start haproxy
+
+cd /etc/acme-tiny/
+echo "*** Running acme-tiny-wrapper..."
+acme-tiny-wrapper /usr/share/nginx/html/.well-known/acme-challenge/
+echo "Moving original hosts file back..."
+cp /etc/hosts.orig /etc/hosts
+
+chown -R letsencrypt: /etc/acme-tiny/
+
+exampleChain ""
+exampleChain "www."
+exampleChain "subdomain."
+
+chmod 755 "${pacRepo}"/pubcerts/
+chmod 644 "${pacRepo}"/pubcerts/*
+chown -R root: "${pacRepo}"/pubcerts/
+chmod 700 /etc/haproxy/crt/
+chmod 600 /etc/haproxy/crt/*
+chown root: /etc/haproxy/crt/*
+
+echo "Switching HAProxy back to standard config..."
+systemctl stop haproxy
+cp /etc/haproxy/haproxy.cfg.latest_working /etc/haproxy/haproxy.cfg
+systemctl start haproxy
+
+echo "Cleaning up the acme-challenge folder..."
+rm /usr/share/nginx/html/.well-known/acme-challenge/*
+
+echo "Done."
\ No newline at end of file
diff --git a/ocsp.sh b/ocsp.sh
new file mode 100755
index 0000000..7d50895
--- /dev/null
+++ b/ocsp.sh
@@ -0,0 +1,20 @@
+## Copyright © 2017 Bret Human
+## https://cynicaloptimist.me/
+##
+## Documentation at:
+## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
+##
+## For questions or comments write:
+## info@cynicaloptimist.me
+#
+# Script for updating OCSP staples.
+# Intended to be cron'd nightly - also solves the
+# HAProxy SSL session issues (cleans up the SSL
+# sessions every night)
+#
+# Don't forget to add any new domains you want
+# stapled to this list!
+
+rm /etc/haproxy/crt/*.pem.ocsp
+/root/.script/hapos-upd.sh --cert /etc/haproxy/crt/subdomain.example.com.pem --skip-update
+systemctl restart haproxy
\ No newline at end of file
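Review bot: The hosts-file swap in letsencrypt.sh is asymmetric: the script backs up with `mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts` but restores with `cp /etc/hosts.orig /etc/hosts`, so unless /etc/hosts.orig is maintained separately the substituted hosts file stays in place after every run; restoring from the backup just taken, `cp /etc/hosts.bak /etc/hosts`, removes the dependency. Nothing checks the outcome of `cd /etc/acme-tiny/` or `acme-tiny-wrapper` and there is no `set -e`, so a failed issuance still falls through to the three `exampleChain` calls, which concatenate the domain private key with whatever is in live/ into /etc/haproxy/crt and restart HAProxy on it; `cd /etc/acme-tiny/ || exit 1` and `acme-tiny-wrapper ... || exit 1` would stop that, and since the hosts and haproxy.cfg swaps have no `trap`, an early exit should also restore them (a small cleanup function registered with `trap ... EXIT` before the first `mv`). With `umask 022` set at the top, each `cat ... > /etc/haproxy/crt/${1}example.com.pem` — a file containing the private key — is created 0644 and stays so until the later `chmod 600`; a `umask 077` before the chaining calls closes that window. Finally, `exampleChain` writes to a hard-coded `/var/cache/pacman/pkg/pubcerts/` while the permission block uses `"${pacRepo}"/pubcerts/`, so the two silently diverge if `pacRepo` is changed; the function should use `"${pacRepo}"/pubcerts/${1}example.com.pem` and quote its `${1}` expansions.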
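Review bot: ocsp.sh is added with mode 100755 but has no shebang (its first line is the copyright comment), so it runs under whatever shell the caller falls back to rather than bash like letsencrypt.sh; add `#!/bin/bash` as the first line. The existing staples are deleted with `rm /etc/haproxy/crt/*.pem.ocsp` before `hapos-upd.sh` runs, and HAProxy is restarted regardless of its exit status, so a failed OCSP fetch (responder or network outage) restarts HAProxy with no staples at all; guard the restart with `/root/.script/hapos-upd.sh --cert /etc/haproxy/crt/subdomain.example.com.pem --skip-update || exit 1`, or, if hapos-upd.sh can overwrite in place, drop the up-front `rm` so a stale staple is kept over none. letsencrypt.sh chains certificates for example.com, www.example.com and subdomain.example.com, but only subdomain.example.com.pem is listed here; that looks like the omission the "add any new domains" comment warns about, and a comment naming the expected one-to-one correspondence with /etc/haproxy/crt/*.pem would make it harder to miss.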