zulip/scripts/setup/generate-self-signed-cert

#!/usr/bin/env bash
set -e

usage() {
    echo "usage: $0 [--force] [--exists-ok] EXTERNAL_HOST" >&2
    exit 1
}

args="$(getopt -o '' --long help,force,exists-ok -- "$@")"
eval "set -- $args"
while true; do
    case "$1" in
        --help) usage ;;
        --force)
            FORCE=1
            shift
            ;;
        --exists-ok)
            EXISTS_OK=1
            shift
            ;;
        --)
            shift
            break
            ;;
        *) usage ;;
    esac
done
EXTERNAL_HOST="$1"

if [ -z "$EXTERNAL_HOST" ]; then
    usage
fi

if [ "$EUID" -ne 0 ]; then
    echo "error: this script must be run as root" >&2
    exit 1
fi

set -x

is_redhat=false
if [ -e /etc/redhat-release ]; then
    is_redhat=true
    SSLDIR=/etc/pki/tls
else
    SSLDIR=/etc/ssl
fi
KEYFILE=$SSLDIR/private/zulip.key
CERTFILE=$SSLDIR/certs/zulip.combined-chain.crt

if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" ] && [ -e "$CERTFILE" ]; then
    exit 0
fi

if [ -z "$FORCE" ] && { [ -e "$KEYFILE" ] || [ -e "$CERTFILE" ]; }; then
    echo "$0: certificate and/or key already exists; use --force to overwrite." >&2
    exit 1
fi
rm -f "$KEYFILE" "$CERTFILE"

if [[ "$EXTERNAL_HOST" =~ ^(([0-9]+\.){3}[0-9]+)(:[0-9]+)?$ ]]; then
    subjectAltName="IP:${BASH_REMATCH[1]}" # IPv4 address
elif [[ "$EXTERNAL_HOST" =~ ^\[([^][]*)\](:[0-9]+)?$ ]]; then
    subjectAltName="IP:${BASH_REMATCH[1]}" # IPv6 address
elif [[ "$EXTERNAL_HOST" =~ ^([^:]+)(:[0-9]+)?$ ]]; then
    subjectAltName="DNS:${BASH_REMATCH[1]}"
else
    echo "$0: invalid host $EXTERNAL_HOST" >&2
    exit 1
fi

config="$(mktemp)" || exit 1
trap 'rm -f "$config"' EXIT

cat >"$config" <<EOF
# Based on /usr/share/ssl-cert/ssleay.cnf from Debian's \`ssl-cert\`
# package, which is used for the system's snakeoil cert in /etc/ssl/.

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
prompt              = no
policy              = policy_anything
req_extensions      = v3_req
x509_extensions     = v3_req

[ req_distinguished_name ]
commonName          = $EXTERNAL_HOST

[ v3_req ]
basicConstraints    = CA:FALSE
subjectAltName      = $subjectAltName
EOF

if [ "$is_redhat" = true ]; then
    yum install -y openssl
else
    apt-get install -y openssl
fi

# Based on /usr/sbin/make-ssl-cert from Debian's `ssl-cert` package.
openssl req -new -x509 \
    -config "$config" -days 3650 -nodes -sha256 \
    -out "$CERTFILE" -keyout "$KEYFILE"

chmod 644 "$CERTFILE"
chmod 640 "$KEYFILE"
scripts: Add script to autogenerate a self-signed SSL cert. This will simplify step 1 of prod-install instruction to reduce suffering in testing/experimenting production environments. Attribution: the scripts/setup/configure-certs is based on @galexrt's https://github.com/zulip/zulip/pull/450/commits/5c0daf62114b8ae7bd16f317a1883fd5f421d906 Further tweaked by tabbott to rename the script and edit the messages. 2017-07-01 13:17:51 +02:00			`#!/usr/bin/env bash`
			`set -e`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00
			`usage() {`
install --self-signed-cert: Generate our own, rather than use system's. This gives us just one way of adopting a self-signed cert, rather than one script which would generate a new one and an option to another which would symlink to the system's snakeoil cert. Now those two codepaths converge, and do the same thing. The small advantage of generating our own over the alternative is that it lets us set the name in the cert to EXTERNAL_HOST, rather than the system's hostname as embedded in the system snakeoil certs. Not a big deal, but might make things go slightly smoother if some browsers are lenient (in a way that they probably shouldn't be.) 2018-01-24 02:13:09 +01:00			`echo "usage: $0 [--force] [--exists-ok] EXTERNAL_HOST" >&2`
scripts: Add script to autogenerate a self-signed SSL cert. This will simplify step 1 of prod-install instruction to reduce suffering in testing/experimenting production environments. Attribution: the scripts/setup/configure-certs is based on @galexrt's https://github.com/zulip/zulip/pull/450/commits/5c0daf62114b8ae7bd16f317a1883fd5f421d906 Further tweaked by tabbott to rename the script and edit the messages. 2017-07-01 13:17:51 +02:00			`exit 1`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`}`

install --self-signed-cert: Generate our own, rather than use system's. This gives us just one way of adopting a self-signed cert, rather than one script which would generate a new one and an option to another which would symlink to the system's snakeoil cert. Now those two codepaths converge, and do the same thing. The small advantage of generating our own over the alternative is that it lets us set the name in the cert to EXTERNAL_HOST, rather than the system's hostname as embedded in the system snakeoil certs. Not a big deal, but might make things go slightly smoother if some browsers are lenient (in a way that they probably shouldn't be.) 2018-01-24 02:13:09 +01:00			`args="$(getopt -o '' --long help,force,exists-ok -- "$@")"`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`eval "set -- $args"`
			`while true; do`
			`case "$1" in`
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-15 04:55:57 +02:00			`--help) usage ;;`
			`--force)`
			`FORCE=1`
			`shift`
			`;;`
			`--exists-ok)`
			`EXISTS_OK=1`
			`shift`
			`;;`
			`--)`
			`shift`
			`break`
			`;;`
			`*) usage ;;`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`esac`
			`done`
			`EXTERNAL_HOST="$1"`

			`if [ -z "$EXTERNAL_HOST" ]; then`
			`usage`
scripts: Add script to autogenerate a self-signed SSL cert. This will simplify step 1 of prod-install instruction to reduce suffering in testing/experimenting production environments. Attribution: the scripts/setup/configure-certs is based on @galexrt's https://github.com/zulip/zulip/pull/450/commits/5c0daf62114b8ae7bd16f317a1883fd5f421d906 Further tweaked by tabbott to rename the script and edit the messages. 2017-07-01 13:17:51 +02:00			`fi`

install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`if [ "$EUID" -ne 0 ]; then`
			`echo "error: this script must be run as root" >&2`
scripts: Add script to autogenerate a self-signed SSL cert. This will simplify step 1 of prod-install instruction to reduce suffering in testing/experimenting production environments. Attribution: the scripts/setup/configure-certs is based on @galexrt's https://github.com/zulip/zulip/pull/450/commits/5c0daf62114b8ae7bd16f317a1883fd5f421d906 Further tweaked by tabbott to rename the script and edit the messages. 2017-07-01 13:17:51 +02:00			`exit 1`
			`fi`

install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`set -x`

generate-self-signed-cert: Generalize to CentOS, Fedora, RHEL. 2019-01-05 02:09:16 +01:00			`is_redhat=false`
			`if [ -e /etc/redhat-release ]; then`
			`is_redhat=true`
			`SSLDIR=/etc/pki/tls`
			`else`
			`SSLDIR=/etc/ssl`
			`fi`
			`KEYFILE=$SSLDIR/private/zulip.key`
			`CERTFILE=$SSLDIR/certs/zulip.combined-chain.crt`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00
generate-self-signed-cert: Fix shellcheck warnings. In scripts/setup/generate-self-signed-cert line 36: if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" -a -e "$CERTFILE" ]; then ^-- SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined. In scripts/setup/generate-self-signed-cert line 40: if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then ^-- SC2166: Prefer [ p ] \|\| [ q ] as [ p -o q ] is not well defined. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2018-08-03 02:14:47 +02:00			`if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" ] && [ -e "$CERTFILE" ]; then`
install --self-signed-cert: Generate our own, rather than use system's. This gives us just one way of adopting a self-signed cert, rather than one script which would generate a new one and an option to another which would symlink to the system's snakeoil cert. Now those two codepaths converge, and do the same thing. The small advantage of generating our own over the alternative is that it lets us set the name in the cert to EXTERNAL_HOST, rather than the system's hostname as embedded in the system snakeoil certs. Not a big deal, but might make things go slightly smoother if some browsers are lenient (in a way that they probably shouldn't be.) 2018-01-24 02:13:09 +01:00			`exit 0`
			`fi`

generate-self-signed-cert: Fix shellcheck warnings. In scripts/setup/generate-self-signed-cert line 36: if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" -a -e "$CERTFILE" ]; then ^-- SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined. In scripts/setup/generate-self-signed-cert line 40: if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then ^-- SC2166: Prefer [ p ] \|\| [ q ] as [ p -o q ] is not well defined. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2018-08-03 02:14:47 +02:00			`if [ -z "$FORCE" ] && { [ -e "$KEYFILE" ] \|\| [ -e "$CERTFILE" ]; }; then`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`echo "$0: certificate and/or key already exists; use --force to overwrite." >&2`
			`exit 1`
scripts: Add script to autogenerate a self-signed SSL cert. This will simplify step 1 of prod-install instruction to reduce suffering in testing/experimenting production environments. Attribution: the scripts/setup/configure-certs is based on @galexrt's https://github.com/zulip/zulip/pull/450/commits/5c0daf62114b8ae7bd16f317a1883fd5f421d906 Further tweaked by tabbott to rename the script and edit the messages. 2017-07-01 13:17:51 +02:00			`fi`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`rm -f "$KEYFILE" "$CERTFILE"`

generate-self-signed-cert: Correct subjectAltName for an IP address. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-27 02:27:32 +02:00			`if [[ "$EXTERNAL_HOST" =~ ^(([0-9]+\.){3}[0-9]+)(:[0-9]+)?$ ]]; then`
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-15 04:55:57 +02:00			`subjectAltName="IP:${BASH_REMATCH[1]}" # IPv4 address`
generate-self-signed-cert: Correct subjectAltName for an IP address. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-27 02:27:32 +02:00			`elif [[ "$EXTERNAL_HOST" =~ ^\[([^][]*)\](:[0-9]+)?$ ]]; then`
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-15 04:55:57 +02:00			`subjectAltName="IP:${BASH_REMATCH[1]}" # IPv6 address`
generate-self-signed-cert: Correct subjectAltName for an IP address. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-27 02:27:32 +02:00			`elif [[ "$EXTERNAL_HOST" =~ ^([^:]+)(:[0-9]+)?$ ]]; then`
			`subjectAltName="DNS:${BASH_REMATCH[1]}"`
			`else`
			`echo "$0: invalid host $EXTERNAL_HOST" >&2`
			`exit 1`
			`fi`

install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`config="$(mktemp)" \|\| exit 1`
			`trap 'rm -f "$config"' EXIT`

			`cat >"$config" <<EOF`
generate-self-signed-cert: Fix a mostly-harmless bug. Thanks to the magic of `set -x`, I noticed this: ``` + cat ++ ssl-cert /tmp/src/zulip-server/scripts/setup/generate-self-signed-cert: line 49: ssl-cert: command not found + apt-get install -y openssl [...] ``` In other words, we were trying to run `ssl-cert` -- the name of a Debian package I meant to refer to in a comment inside the templated temporary config file for `openssl req` -- as if it were a command. It wasn't, hence the error. Because `set -e` has loopholes like a sieve, this didn't cause the script to exit, just produced this funny output and presumably caused the config file's comment to be missing a word. In principle, it could do something surprising if for some reason there were a command named `ssl-cert` on PATH. Fix it. 2018-01-24 02:59:45 +01:00			# Based on /usr/share/ssl-cert/ssleay.cnf from Debian's \`ssl-cert\`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`# package, which is used for the system's snakeoil cert in /etc/ssl/.`

			`[ req ]`
			`default_bits = 2048`
			`distinguished_name = req_distinguished_name`
			`prompt = no`
			`policy = policy_anything`
			`req_extensions = v3_req`
			`x509_extensions = v3_req`

			`[ req_distinguished_name ]`
			`commonName = $EXTERNAL_HOST`

			`[ v3_req ]`
			`basicConstraints = CA:FALSE`
generate-self-signed-cert: Correct subjectAltName for an IP address. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-27 02:27:32 +02:00			`subjectAltName = $subjectAltName`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00			`EOF`

generate-self-signed-cert: Generalize to CentOS, Fedora, RHEL. 2019-01-05 02:09:16 +01:00			`if [ "$is_redhat" = true ]; then`
			`yum install -y openssl`
			`else`
			`apt-get install -y openssl`
			`fi`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00
			# Based on /usr/sbin/make-ssl-cert from Debian's `ssl-cert` package.
			`openssl req -new -x509 \`
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-15 04:55:57 +02:00			`-config "$config" -days 3650 -nodes -sha256 \`
			`-out "$CERTFILE" -keyout "$KEYFILE"`
install: Replace our generate-self-signed-certs script. Take the core of the logic from how Debian generates the system's /etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence in the various config choices, and it also demonstrates a much cleaner way to use the `openssl` tool. Also replace the outer shell logic for CLI and logging with a cleaner version. 2018-01-24 00:42:56 +01:00
			`chmod 644 "$CERTFILE"`
			`chmod 640 "$KEYFILE"`