forked from jcmoraisjr/simple-ca
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathstart.sh
100 lines (86 loc) · 2.97 KB
/
start.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/bin/bash
set -e
info() {
echo "[$(date -u '+%Y/%m/%d %H:%M:%S GMT')] $*"
}
if ! grep -Eq '^([a-z0-9_]+,)+[a-z0-9_]+$' <<<"${CA_DEFAULT},${CA_LIST}"; then
echo "Current CA_DEFAULT..: $CA_DEFAULT"
echo "Current CA_LIST.....: $CA_LIST"
echo "Authority IDs must match [a-z0-9_]"
exit 1
fi
mkdir -p "${CERT_TLS%/*}" "$CA_DIR"
cd "$CA_DIR"
# 0.7 to 0.8 migration
if [ -f ca.cnf ] && [ ! -d "$CA_DEFAULT" ]; then
echo "Moving to multi authority schema"
mkdir _d
mv .rnd [a-z]* _d || :
mv _d "$CA_DEFAULT"
fi
for ca_id in ${CA_LIST//,/ }; do
mkdir -p "$ca_id"
cd "$ca_id"
CRT_DAYS_name="CRT_DAYS_$ca_id"
CRT_DAYS_value="${!CRT_DAYS_name:-$CRT_DAYS}"
CA_DAYS_name="CA_DAYS_$ca_id"
CA_DAYS_value="${!CA_DAYS_name:-$CA_DAYS}"
CA_CN_name="CA_CN_$ca_id"
CA_CN_value="${!CA_CN_name:-$CA_CN}"
if [ ! -f ca.cnf ]; then
sed "s/{{CRT_DAYS}}/${CRT_DAYS_value:-365}/" /srv/ca.cnf > ca.cnf
fi
mkdir -p private newcerts
chmod 700 private
touch index.txt
if [ ! -f ca.pem ] || [ ! -f private/ca-key.pem ]; then
info "CA cert or private key not found, building CA \"$ca_id\"..."
openssl genrsa -out private/ca-key.pem 2048
openssl req \
-x509 -new -nodes -days ${CA_DAYS_value:-3652} -subj "/CN=$CA_CN_value" \
-key private/ca-key.pem -out ca.pem
info "CA \"$ca_id\" successfully built"
else
info "Found CA cert and private key: $PWD"
fi
chmod 400 private/ca-key.pem
if [ ! -f serial ]; then
echo -n "0001" > serial
fi
cd ..
done
if [ ! -f "$CERT_TLS" ]; then
info "$CERT_TLS not found, building new private key and certificate"
cd "$CA_DEFAULT" 2>/dev/null || cd "${CA_LIST%%,*}"
trap "rm -f /tmp/key.pem /tmp/crt.pem" EXIT
openssl req -new -newkey rsa:2048 -nodes -keyout /tmp/key.pem -subj "/" | openssl ca \
-batch \
-config ca.cnf \
-subj "/CN=${CERT_TLS_DNS:-$(hostname)}" \
-notext \
-days "${CERT_TLS_DAYS:-365}" \
-in <(cat -) \
-out /tmp/crt.pem \
-extfile <(
echo "basicConstraints = CA:FALSE"
echo "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
echo "extendedKeyUsage = clientAuth, serverAuth"
if [ -n "${CERT_TLS_DNS}" ] || [ -n "$CERT_TLS_IP" ]; then
echo "subjectAltName = @alt_names"
echo "[ alt_names ]"
[ -n "$CERT_TLS_DNS" ] && echo "DNS.1 = $CERT_TLS_DNS"
[ -n "$CERT_TLS_IP" ] && echo "IP.1 = $CERT_TLS_IP"
fi
)
cat /tmp/crt.pem /tmp/key.pem > "$CERT_TLS"
rm -f /tmp/*.pem
chmod 400 "$CERT_TLS"
if [ -z "${CERT_TLS_DNS}" ] && [ -z "$CERT_TLS_IP" ]; then
info "Define CERT_TLS_DNS or CERT_TLS_IP (or both) to create a valid TLS cert"
fi
info "New cert successfully built"
cd ..
else
info "Found TLS cert: $CERT_TLS"
fi
exec lighttpd -f /etc/lighttpd/lighttpd.conf -D