initial commit
Commit 64274baa10
@ -0,0 +1,51 @@
letsEncryptScripts
===
Copyright (c) 2017, Bret R. Human
All rights reserved.

Further documentation can be found at
https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts/
Happy modding! -Bret

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
the documentation link and note, this list of conditions, and the following
disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
Ask what we can build for you at info@cynicaloptimist.me"

4. The names "Cynical Optimist" and "Bret R. Human" and the software name listed
at the top of this document, or the domain "cynicaloptimist.me" or any
affiliated service must not be used to endorse or promote products derived
from this software without prior written permission. For written permission,
contact info@cynicaloptimist.me.

5. Products derived from this software may not be called the software name
listed at the top of this document nor may "Cynical Optimist" or the software
name listed at the top of this document appear in their names without prior
written permission of Bret R. Human.

6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
Ask what we can build for you at info@cynicaloptimist.me"

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
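Review bot: Clauses 3 and 6 require the acknowledgment text in all advertising and in every redistribution "of any form whatsoever", which is the BSD advertising-clause pattern and is not compatible with combining the scripts into GPL-licensed works; if that is intended, say so in the README, otherwise consider a standard OSI-approved license (the disclaimer paragraph is already the BSD one). Minor: the file opens with a "letsEncryptScripts / ===" heading, which reads as markdown in a plain-text license file.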
@ -0,0 +1,9 @@
letsEncryptScripts
=============================
How to generate and manage a fleet of SSL certificates for free with ease.



## Usage

See the lets_encrypt_examples file for a run through.
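Review bot: The Usage section only points at lets_encrypt_examples and does not list what the scripts assume is already in place, none of which this commit installs: acme-tiny plus an acme-tiny-wrapper on PATH, a `letsencrypt` system user, HAProxy with `haproxy.cfg.le` and `haproxy.cfg.latest_working` prepared under /etc/haproxy/, nginx serving `/usr/share/nginx/html/.well-known/acme-challenge/`, the `/etc/hosts.le_upd` swap file, and `/root/.script/hapos-upd.sh`. A short Prerequisites list would save users a failed first run. Also "run through" should be "walkthrough".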
@ -0,0 +1,42 @@
## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Random script samples for SSL cert generation



############### Generate a new domain key (must be root) ################
# 1. Replace "example.com" with your intended domain name and run the
# commands below.
# 2. Make sure to keep this key safe. It is the basis for all SSL certs
# signed with it in the future. If an attacker gets it, they can
# generate certificates that seem like they're genuinely from you.


openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/keys/example.com.key
chmod 700 /etc/ssl/keys
chmod 400 /etc/ssl/keys/example.com.key



################### Generate a new csr (must be root) ###################
# Only perform this if you're creating a new subdomain with an existing
# domain key.
#
# 1. Replace "subdomain.example.com" with your intended hostname
# and run the command below
# 2. Move existing csr files to /etc/acme-tiny/temp/
# mv /etc/acme-tiny/csr/* /etc/acme-tiny/temp/
# 3. Place new csr in /etc/acme-tiny/csr/
# 4. Run /root/.script/letsencrypt.sh
# 5. Move the other csr files back so they can be renewed later
# mv /etc/acme-tiny/temp/* /etc/acme-tiny/csr/
# 6. Don't forget to renew the certs before the 90 day expiration!

openssl req -new -sha256 -key /etc/ssl/keys/example.com.key -subj "/CN=subdomain.example.com" > /etc/acme-tiny/csr/subdomain.example.com.csr
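Review bot: In the key-generation block the private key is written before the modes are tightened: `openssl genpkey ... -out /etc/ssl/keys/example.com.key` creates the file under the caller's umask (commonly 0644), so it is readable by other local users until the later `chmod 400`, and `/etc/ssl/keys` itself is only restricted afterwards by `chmod 700`. Put `umask 077` and `mkdir -p -m 700 /etc/ssl/keys` before the `openssl genpkey` line so the key is never world-readable, and keep the two chmod lines as a belt-and-braces step. Step 4 refers to `/root/.script/letsencrypt.sh`, but nothing in the examples or README says that is where the script from this commit is meant to be installed; state the expected install path once.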
@ -0,0 +1,74 @@
#!/bin/bash

## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Generate and manage a fleet of SSL certificates for free with ease

# Stuff the public certificates in your package repository!
# - No trailing slash! -
pacRepo="/var/cache/pacman/pkg"

umask 022
echo "#############################"
date
echo "#############################"

## Define our functions

function exampleChain () {
echo "Chaining ${1}example.com..."
cat /etc/ssl/keys/example.com.key /etc/acme-tiny/live/${1}example.com/cert.pem /etc/haproxy/dhparams.pem > /etc/haproxy/crt/${1}example.com.pem
echo "Pubkeying ${1}example.com..."
cat /etc/acme-tiny/live/${1}example.com/cert.pem > /var/cache/pacman/pkg/pubcerts/${1}example.com.pem
}



# Get encryptin'

echo "*** Moving original hosts file..."
mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts

chown -R letsencrypt: /etc/acme-tiny/

echo "*** Switching HAProxy to basic config..."
systemctl stop haproxy
mv /etc/haproxy/haproxy.cfg /etc/haproxy/backup_configs/haproxy.cfg.$(date +'%Y%m%d_%H-%M')
cp /etc/haproxy/haproxy.cfg.le /etc/haproxy/haproxy.cfg
systemctl start haproxy

cd /etc/acme-tiny/
echo "*** Running acme-tiny-wrapper..."
acme-tiny-wrapper /usr/share/nginx/html/.well-known/acme-challenge/
echo "Moving original hosts file back..."
cp /etc/hosts.orig /etc/hosts

chown -R letsencrypt: /etc/acme-tiny/

exampleChain ""
exampleChain "www."
exampleChain "subdomain."

chmod 755 "${pacRepo}"/pubcerts/
chmod 644 "${pacRepo}"/pubcerts/*
chown -R root: "${pacRepo}"/pubcerts/
chmod 700 /etc/haproxy/crt/
chmod 600 /etc/haproxy/crt/*
chown root: /etc/haproxy/crt/*

echo "Switching HAProxy back to standard config..."
systemctl stop haproxy
cp /etc/haproxy/haproxy.cfg.latest_working /etc/haproxy/haproxy.cfg
systemctl start haproxy

echo "Cleaning up the acme-challenge folder..."
rm /usr/share/nginx/html/.well-known/acme-challenge/*

echo "Done."
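Review bot: The hosts-file swap is asymmetric: the original is saved with `mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts` but restored with `cp /etc/hosts.orig /etc/hosts`, so unless a separate `.orig` copy already exists the restore fails and the host keeps running with the `le_upd` hosts file; restore from the same name that was backed up. Related, there is no `set -e` and no `trap`, so a failure in `acme-tiny-wrapper` leaves hosts swapped and HAProxy on the basic config: put the hosts and HAProxy restore in a `trap '...' EXIT` so every exit path undoes both. Separately, `exampleChain` concatenates the private key into `/etc/haproxy/crt/${1}example.com.pem` while `umask 022` is in effect, so the combined key+cert file is world-readable from creation until the `chmod 600 /etc/haproxy/crt/*` near the end; set `umask 077` before the `cat` and relax it only for the pubcerts copy. The function also hardcodes `/var/cache/pacman/pkg/pubcerts/` where the rest of the script uses `"${pacRepo}"`.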
@ -0,0 +1,20 @@
## Copyright © 2017 Bret Human
## https://cynicaloptimist.me/
##
## Documentation at:
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
##
## For questions or comments write:
## info@cynicaloptimist.me
#
# Script for updating OCSP staples.
# Intended to be cron'd nightly - also solves the
# HAProxy SSL session issues (cleans up the SSL
# sessions every night)
#
# Don't forget to add any new domains you want
# stapled to this list!

rm /etc/haproxy/crt/*.pem.ocsp
/root/.script/hapos-upd.sh --cert /etc/haproxy/crt/subdomain.example.com.pem --skip-update
systemctl restart haproxy
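Review bot: `rm /etc/haproxy/crt/*.pem.ocsp` removes the staple for every chained certificate, but only `/etc/haproxy/crt/subdomain.example.com.pem` is passed to hapos-upd.sh, while letsencrypt.sh chains `example.com`, `www.example.com` and `subdomain.example.com`; after a nightly run the first two are served without a staple. Loop over `/etc/haproxy/crt/*.pem` rather than relying on the "add any new domains to this list" comment. The file also lacks the `#!/bin/bash` line that letsencrypt.sh has, so it depends on whatever shell cron invokes it with.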