initial commit
This commit is contained in:
commit
64274baa10
|
@ -0,0 +1,51 @@
|
|||
letsEncryptScripts
|
||||
===
|
||||
Copyright (c) 2017, Bret R. Human
|
||||
All rights reserved.
|
||||
|
||||
Further documentation can be found at
|
||||
https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts/
|
||||
Happy modding! -Bret
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright notice,
|
||||
the documentation link and note, this list of conditions, and the following
|
||||
disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
|
||||
3. All advertising materials mentioning features or use of this
|
||||
software must display the following acknowledgment:
|
||||
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
|
||||
Ask what we can build for you at info@cynicaloptimist.me"
|
||||
|
||||
4. The names "Cynical Optimist" and "Bret R. Human" and the software name listed
|
||||
at the top of this document, or the domain "cynicaloptimist.me" or any
|
||||
affiliated service must not be used to endorse or promote products derived
|
||||
from this software without prior written permission. For written permission,
|
||||
contact info@cynicaloptimist.me.
|
||||
|
||||
5. Products derived from this software may not be called the software name
|
||||
listed at the top of this document nor may "Cynical Optimist" or the software
|
||||
name listed at the top of this document appear in their names without prior
|
||||
written permission of Bret R. Human.
|
||||
|
||||
6. Redistributions of any form whatsoever must retain the following
|
||||
acknowledgment:
|
||||
"Built using software developed by Cynical Optimist - https://cynicaloptimist.me
|
||||
Ask what we can build for you at info@cynicaloptimist.me"
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
|
||||
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -0,0 +1,9 @@
|
|||
letsEncryptScripts
|
||||
=============================
|
||||
How to generate and manage a fleet of SSL certificates for free with ease.
|
||||
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
See the lets_encrypt_examples file for a run through.
|
|
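Review bot: the README sends readers to the lets_encrypt_examples file but never names the tools and layout the scripts depend on, so nobody following it knows what to install first. A short prerequisites line would help: acme-tiny and acme-tiny-wrapper, HAProxy with the two alternate configs (haproxy.cfg.le and haproxy.cfg.latest_working), the /etc/acme-tiny/csr, live and temp directories, the dedicated letsencrypt user, and the /etc/hosts.le_upd hosts file, all of which letsencrypt.sh in this same commit assumes already exist.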
@ -0,0 +1,42 @@
|
|||
## Copyright © 2017 Bret Human
|
||||
## https://cynicaloptimist.me/
|
||||
##
|
||||
## Documentation at:
|
||||
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
|
||||
##
|
||||
## For questions or comments write:
|
||||
## info@cynicaloptimist.me
|
||||
#
|
||||
# Random script samples for SSL cert generation
|
||||
|
||||
|
||||
|
||||
############### Generate a new domain key (must be root) ################
|
||||
# 1. Replace "example.com" with your intended domain name and run the
|
||||
# commands below.
|
||||
# 2. Make sure to keep this key safe. It is the basis for all SSL certs
|
||||
# signed with it in the future. If an attacker gets it, they can
|
||||
# generate certificates that seem like they're genuinely from you.
|
||||
|
||||
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/keys/example.com.key
|
||||
chmod 700 /etc/ssl/keys
|
||||
chmod 400 /etc/ssl/keys/example.com.key
|
||||
|
||||
|
||||
|
||||
################### Generate a new csr (must be root) ###################
|
||||
# Only perform this if you're creating a new subdomain with an existing
|
||||
# domain key.
|
||||
#
|
||||
# 1. Replace "subdomain.example.com" with your intended hostname
|
||||
# and run the command below
|
||||
# 2. Move existing csr files to /etc/acme-tiny/temp/
|
||||
# mv /etc/acme-tiny/csr/* /etc/acme-tiny/temp/
|
||||
# 3. Place new csr in /etc/acme-tiny/csr/
|
||||
# 4. Run /root/.script/letsencrypt.sh
|
||||
# 5. Move the other csr files back so they can be renewed later
|
||||
# mv /etc/acme-tiny/temp/* /etc/acme-tiny/csr/
|
||||
# 6. Don't forget to renew the certs before the 90 day expiration!
|
||||
|
||||
openssl req -new -sha256 -key /etc/ssl/keys/example.com.key -subj "/CN=subdomain.example.com" > /etc/acme-tiny/csr/subdomain.example.com.csr
|
|
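Review bot: the key-generation step at the top of this file creates the private key before the permissions on /etc/ssl/keys are tightened, so with a default umask the key and its directory are world-readable until the two chmod lines run; put `umask 077` (or `mkdir -m 700 /etc/ssl/keys`) ahead of the `openssl genpkey` line. The comment above it also misdescribes the risk: the key is the certificate's subject key, not a signing key, so an attacker who obtains it can impersonate the hosts whose certificates carry it (and decrypt non-forward-secret sessions) rather than "generate certificates"; the response (revoke, re-key, reissue) is worth stating next to the warning. In the CSR section, steps 2 and 5 shuffle the other CSRs out of the way by hand on every issuance; if step 5 is forgotten the other certificates silently stop renewing, so a note that /etc/acme-tiny/temp/ must be empty before the scheduled run (or a check for that in letsencrypt.sh) would catch the mistake.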
@ -0,0 +1,74 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Copyright © 2017 Bret Human
|
||||
## https://cynicaloptimist.me/
|
||||
##
|
||||
## Documentation at:
|
||||
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
|
||||
##
|
||||
## For questions or comments write:
|
||||
## info@cynicaloptimist.me
|
||||
#
|
||||
# Generate and manage a fleet of SSL certificates for free with ease
|
||||
|
||||
# Stuff the public certificates in your package repository!
|
||||
# - No trailing slash! -
|
||||
pacRepo="/var/cache/pacman/pkg"
|
||||
|
||||
umask 022
|
||||
echo "#############################"
|
||||
date
|
||||
echo "#############################"
|
||||
|
||||
## Define our functions
|
||||
|
||||
function exampleChain () {
|
||||
echo "Chaining ${1}example.com..."
|
||||
cat /etc/ssl/keys/example.com.key /etc/acme-tiny/live/${1}example.com/cert.pem /etc/haproxy/dhparams.pem > /etc/haproxy/crt/${1}example.com.pem
|
||||
echo "Pubkeying ${1}example.com..."
|
||||
cat /etc/acme-tiny/live/${1}example.com/cert.pem > /var/cache/pacman/pkg/pubcerts/${1}example.com.pem
|
||||
}
|
||||
|
||||
|
||||
|
||||
# Get encryptin'
|
||||
|
||||
echo "*** Moving original hosts file..."
|
||||
mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts
|
||||
|
||||
chown -R letsencrypt: /etc/acme-tiny/
|
||||
|
||||
echo "*** Switching HAProxy to basic config..."
|
||||
systemctl stop haproxy
|
||||
mv /etc/haproxy/haproxy.cfg /etc/haproxy/backup_configs/haproxy.cfg.$(date +'%Y%m%d_%H-%M')
|
||||
cp /etc/haproxy/haproxy.cfg.le /etc/haproxy/haproxy.cfg
|
||||
systemctl start haproxy
|
||||
|
||||
cd /etc/acme-tiny/
|
||||
echo "*** Running acme-tiny-wrapper..."
|
||||
acme-tiny-wrapper /usr/share/nginx/html/.well-known/acme-challenge/
|
||||
echo "Moving original hosts file back..."
|
||||
cp /etc/hosts.orig /etc/hosts
|
||||
|
||||
chown -R letsencrypt: /etc/acme-tiny/
|
||||
|
||||
exampleChain ""
|
||||
exampleChain "www."
|
||||
exampleChain "subdomain."
|
||||
|
||||
chmod 755 "${pacRepo}"/pubcerts/
|
||||
chmod 644 "${pacRepo}"/pubcerts/*
|
||||
chown -R root: "${pacRepo}"/pubcerts/
|
||||
chmod 700 /etc/haproxy/crt/
|
||||
chmod 600 /etc/haproxy/crt/*
|
||||
chown root: /etc/haproxy/crt/*
|
||||
|
||||
echo "Switching HAProxy back to standard config..."
|
||||
systemctl stop haproxy
|
||||
cp /etc/haproxy/haproxy.cfg.latest_working /etc/haproxy/haproxy.cfg
|
||||
systemctl start haproxy
|
||||
|
||||
echo "Cleaning up the acme-challenge folder..."
|
||||
rm /usr/share/nginx/html/.well-known/acme-challenge/*
|
||||
|
||||
echo "Done."
|
|
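Review bot: the hosts-file handling in this script does not round-trip: the original is saved with `mv /etc/hosts /etc/hosts.bak && cp /etc/hosts.le_upd /etc/hosts`, but the restore later runs `cp /etc/hosts.orig /etc/hosts`, so unless hosts.orig is maintained separately the machine is left running on the Let's Encrypt hosts file after every run; restore from the same path that was backed up. Several related robustness points: there is no `set -e` or `set -o pipefail` and no check on the exit status of acme-tiny-wrapper, so a failed issuance still proceeds to concatenate whatever is in /etc/acme-tiny/live/ into the HAProxy pem and restart HAProxy; the chained pem, which contains the private key, is written under `umask 022` and only brought to mode 600 afterwards, so set `umask 077` around the exampleChain calls or create the file with a restrictive mode from the start; exampleChain hardcodes /var/cache/pacman/pkg instead of using `${pacRepo}`, which is defined for exactly that purpose; the config restored at the end is haproxy.cfg.latest_working rather than the dated backup taken earlier, which only works if that file is guaranteed to match the running config; and the `mv` into /etc/haproxy/backup_configs/ and the `cat` into /etc/haproxy/crt/ assume those directories exist, so a `mkdir -p` up front avoids a confusing failure on a fresh host. The `rm /usr/share/nginx/html/.well-known/acme-challenge/*` at the end would also be safer as `rm -f` with a check that the directory is non-empty, since an empty glob passes the literal pattern to rm.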
@ -0,0 +1,20 @@
|
|||
## Copyright © 2017 Bret Human
|
||||
## https://cynicaloptimist.me/
|
||||
##
|
||||
## Documentation at:
|
||||
## https://psi.cynicaloptimist.me/Caffarius/letsEncryptScripts
|
||||
##
|
||||
## For questions or comments write:
|
||||
## info@cynicaloptimist.me
|
||||
#
|
||||
# Script for updating OCSP staples.
|
||||
# Intended to be cron'd nightly - also solves the
|
||||
# HAProxy SSL session issues (cleans up the SSL
|
||||
# sessions every night)
|
||||
#
|
||||
# Don't forget to add any new domains you want
|
||||
# stapled to this list!
|
||||
|
||||
rm /etc/haproxy/crt/*.pem.ocsp
|
||||
/root/.script/hapos-upd.sh --cert /etc/haproxy/crt/subdomain.example.com.pem --skip-update
|
||||
systemctl restart haproxy
|
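Review bot: the header comment says to add every domain to "this list", but the file staples only subdomain.example.com, and it first deletes every *.pem.ocsp under /etc/haproxy/crt/, so any certificate not re-stapled here loses its OCSP response after the nightly run; either loop over /etc/haproxy/crt/*.pem or make the single-entry behaviour explicit in the comment. The file also lacks a `#!/bin/bash` line even though it is meant to be run from cron, and `systemctl restart haproxy` drops live connections where `reload` would pick up the new staples without a gap; the comment says the restart is deliberate to clear SSL sessions, so that trade-off is worth recording next to the command. /root/.script/hapos-upd.sh is an external dependency that the README does not mention.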