From f50a655d4bfb9991aac72db5d8c0b076c0435348 Mon Sep 17 00:00:00 2001 From: "Soennecken, Torben" Date: Fri, 12 Feb 2021 17:37:17 +0100 Subject: [PATCH 1/3] [-] Removed static CA content [~] Changed certificate installation to use proper commands --- renew-le.sh | 49 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/renew-le.sh b/renew-le.sh index 740053e..bec3e96 100755 --- a/renew-le.sh +++ b/renew-le.sh @@ -1,9 +1,14 @@ #!/usr/bin/bash set -o nounset -o errexit + WORKDIR=$(dirname "$(realpath $0)") EMAIL="" +# This is needed for enabling the certificates +# TODO : Store safely +DIRPASSWD="" + ### cron # check that the cert will last at least 2 days from now to prevent too frequent renewal # comment out this line for the first run 
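Review bot: `DIRPASSWD=""` puts the Directory Manager password as a plaintext literal into a script that lives in WORKDIR next to the generated keys, and the `# TODO : Store safely` line records that this is unresolved. Read it at run time from a root-owned mode-0600 file outside the script instead, e.g. `IFS= read -r DIRPASSWD < "${DIRPASSWD_FILE:?}"` (DIRPASSWD_FILE being a placeholder for wherever that path is configured), and fail early on an empty value with `: "${DIRPASSWD:?Directory Manager password not set}"`, because `set -o nounset` does not catch a variable that is set but empty. The same value is later passed on the command line of `yes` in the second hunk, which is raised there.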
@@ -16,28 +21,48 @@ then exit 0 fi fi + cd "$WORKDIR" # cert renewal is needed if we reached this line # cleanup -rm -f "$WORKDIR"/*.pem -rm -f "$WORKDIR"/httpd-csr.* +needs_cleanup=false +for f in "$WORKDIR/*.key"; do + echo $f + ## Check if the glob gets expanded to existing files. + ## If not, f here will be exactly the pattern above + ## and the exists test will evaluate to false. + if [ -e $f ]; then + needs_cleanup=true + fi + + ## This is all we needed to know, so we can break after the first iteration + break +done + +if [ "$needs_cleanup" = true ]; then + #backup + echo "BACKUP" + mkdir -p "$WORKDIR"/backup + rm -f "$WORKDIR"/backup/* + mv "$WORKDIR"/*.key "$WORKDIR"/backup/ + mv "$WORKDIR"/*.pem "$WORKDIR"/backup/ + + #cleanup + rm -f "$WORKDIR"/*.csr + rm -f "$WORKDIR"/*.key + rm -f "$WORKDIR"/*.pem +fi # generate CSR -OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA" -[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passout file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS="" -openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS +openssl req -new -config "$WORKDIR/ipa-httpd.cnf" -keyout "$WORKDIR/req.key" -out "$WORKDIR/req.csr" # httpd process prevents letsencrypt from working, stop it service httpd stop # get a new cert -letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos +letsencrypt certonly --standalone --csr "$WORKDIR/req.csr" --email "$EMAIL" --agree-tos --cert-path "$WORKDIR/cert.pem" --chain-path "$WORKDIR/chain.pem" --fullchain-path "$WORKDIR/fullchain.pem" # replace the cert -cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp -mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt -restorecon -v /var/lib/ipa/certs/httpd.crt - -# start httpd with the new cert -service httpd start +yes $DIRPASSWD "" | ipa-server-certinstall -w -d "$WORKDIR/req.key" "$WORKDIR/cert.pem" +ipactl 
restart From 1f9202efe7e8c5f0c96d9dfe2afcf62de4bd42d4 Mon Sep 17 00:00:00 2001 From: "Soennecken, Torben" Date: Fri, 12 Feb 2021 17:39:49 +0100 Subject: [PATCH 2/3] [+] Added some debug messages to renewal script [f] Fixed setup-le.sh to use -O (output) and not -o (log) --- README.md | 10 +++++----- renew-le.sh | 16 +++++++++------- setup-le.sh | 2 +- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 769b583..a8fa849 100644 --- a/README.md +++ b/README.md @@ -3,15 +3,15 @@ to FreeIPA web interface. To use it, do this: * BACKUP /var/lib/ipa/certs/ and /var/lib/ipa/private/ to some safe place (it contains private keys!) -* clone/unpack all scripts including "ca" subdirectory somewhere -* set EMAIL variable in renew-le.sh +* clone/unpack all scripts somewhere (e.g. /opt/) where they are going to run and create directories and files +* set DIRPASSWD and EMAIL variable in renew-le.sh * set FQDN in ipa-httpd.cnf +* retrieve current ticket for admin (kinit admin) * run setup-le.sh script once to prepare the machine. The script will: * install Let's Encrypt client package * install Let's Encrypt CA certificates into FreeIPA certificate store * requests new certificate for FreeIPA web interface -* run renew-le.sh script once a day: it will renew the cert as necessary - +* run renew-le.sh script as needed (e.g. daily, weekly) If you have any problem, feel free to contact FreeIPA team: -http://www.freeipa.org/page/Contribute#Communication +http://www.freeipa.org/page/Contribute#Communication \ No newline at end of file diff --git a/renew-le.sh b/renew-le.sh index bec3e96..b766efc 100755 --- a/renew-le.sh +++ b/renew-le.sh @@ -1,7 +1,6 @@ #!/usr/bin/bash set -o nounset -o errexit - WORKDIR=$(dirname "$(realpath $0)") EMAIL="" 
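Review bot: The glob in `for f in "$WORKDIR/*.key"; do` sits inside double quotes and never expands, so `$f` is always the literal pattern and the comment about the loop expanding it is wrong; the check only works because `[ -e $f ]` is unquoted and globs at that point, and with two or more .key files it becomes `[ -e a b ]`, which fails with "too many arguments" and reads as "no cleanup". Write `for f in "$WORKDIR"/*.key; do` and `if [ -e "$f" ]; then` instead (with the `break`, the loop is then a plain existence test). Further down, `yes $DIRPASSWD ""` leaves the variable unquoted and places the Directory Manager password in the argv of `yes`, where `ps` and /proc/*/cmdline expose it to every local user; provided the tool reads its prompts from stdin as the existing pipe already assumes, `printf '%s\n' "$DIRPASSWD" "" | ipa-server-certinstall -w -d "$WORKDIR/req.key" "$WORKDIR/cert.pem"` keeps it out of the process list — note also that `yes` joins its arguments with a space, so the line currently sent is the password followed by a trailing space, which is worth checking against what the prompt accepts. The backup block runs `mv "$WORKDIR"/*.pem "$WORKDIR"/backup/` unconditionally after only .key files were tested for, so a run with a .key but no .pem files aborts there under `set -o errexit`.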
@@ -14,16 +13,19 @@ DIRPASSWD="" # comment out this line for the first run if [ "${1:-renew}" != "--first-time" ] then - start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"` - now_timestamp=`date +%s` - let diff=($now_timestamp-$start_timestamp)/86400 - if [ "$diff" -lt "2" ]; then - exit 0 - fi + echo "Checking when certificate was renewed" + start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"` + now_timestamp=`date +%s` + diff=$(((now_timestamp-start_timestamp) / 86400)) + if [ "$diff" -lt "2" ]; then + echo "No renewal needed" + exit 0 + fi fi cd "$WORKDIR" # cert renewal is needed if we reached this line +echo "Renewal needed" # cleanup needs_cleanup=false diff --git a/setup-le.sh b/setup-le.sh index ea2a694..6c52989 100755 --- a/setup-le.sh +++ b/setup-le.sh @@ -28,4 +28,4 @@ done ipa-certupdate -"$WORKDIR/renew-le.sh" --first-time +"$WORKDIR/renew-le.sh" --first-time \ No newline at end of file From 1dfa2c81fb182e56034aae2d6078d57e49b6fb77 Mon Sep 17 00:00:00 2001 From: "Soennecken, Torben" Date: Fri, 12 Feb 2021 17:40:14 +0100 Subject: [PATCH 3/3] [~] Rebase --- renew-le.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renew-le.sh b/renew-le.sh index b766efc..8c97b69 100755 --- a/renew-le.sh +++ b/renew-le.sh @@ -67,4 +67,4 @@ letsencrypt certonly --standalone --csr "$WORKDIR/req.csr" --email "$EMAIL" --ag # replace the cert yes $DIRPASSWD "" | ipa-server-certinstall -w -d "$WORKDIR/req.key" "$WORKDIR/cert.pem" -ipactl restart +ipactl restart \ No newline at end of file
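Review bot: The re-indented `start_timestamp` and `now_timestamp` lines keep backticks even though the `let` line beside them was rewritten to `$(( ))`; since these lines are being touched anyway, `start_timestamp=$(date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)")` and `now_timestamp=$(date +%s)` nest without escaping and match the style of the rest of the new code. The new `echo` progress lines are status output on every run, including the early-exit "No renewal needed" path, so a daily cron job will produce mail each day; gating them behind a verbose flag would keep scheduled runs quiet. Separately, the `-o`/`-O` fix for setup-le.sh named in this commit's subject does not appear in the series: that file's hunk only drops the trailing newline.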