#!/usr/bin/env bash
# Abort on the first failing command: every step below (getopt, mktemp,
# apt-get, openssl) is load-bearing for the key/cert that ends up on disk.
set -o errexit
# Print the invocation synopsis to stderr and terminate with status 1.
# Reached from --help and from any malformed command line.
usage() {
    printf 'usage: %s [--force] [--exists-ok] EXTERNAL_HOST\n' "$0" >&2
    exit 1
}
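# Parse the command line.  Only long options are accepted; util-linux's
# enhanced getopt re-quotes its output, which is what makes the eval'd
# "set --" below safe.  A malformed option makes getopt fail; "|| usage"
# adds the synopsis to getopt's own diagnostic instead of relying on
# "set -e" to exit silently.
args="$(getopt -o '' --long help,force,exists-ok -- "$@")" || usage
eval "set -- $args"
while true; do
    case "$1" in
        --help) usage;;
        --force) FORCE=1; shift;;        # overwrite an existing key/cert
        --exists-ok) EXISTS_OK=1; shift;; # existing complete pair is success
        --) shift; break;;
        *) usage;;
    esac
done
EXTERNAL_HOST="$1"

if [ -z "$EXTERNAL_HOST" ]; then
    usage
fi

# EXTERNAL_HOST is interpolated unquoted into the OpenSSL config written
# further down (commonName and subjectAltName).  Whitespace -- above all
# a newline -- would let the value add or alter config directives, and
# the config parser treats $, #, quotes and backslash specially.  None of
# these occur in a hostname, wildcard name or IP address, so reject them
# outright rather than trying to escape them.
case "$EXTERNAL_HOST" in
    *[[:space:]]*|*'$'*|*'#'*|*'"'*|*"'"*|*'\'*)
        printf '%s: invalid EXTERNAL_HOST (must not contain whitespace, quotes, $, # or \\)\n' "$0" >&2
        exit 1
        ;;
esac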
# Everything below writes under /etc/ssl and runs apt-get, so refuse to
# continue unless the effective uid is root.
if (( EUID != 0 )); then
    printf 'error: this script must be run as root\n' >&2
    exit 1
fi
# Echo each command from here on; the remaining steps touch the
# filesystem and the trace makes a failed run easy to diagnose.
set -o xtrace

# Final locations of the generated private key and certificate.
KEYFILE='/etc/ssl/private/zulip.key'
CERTFILE='/etc/ssl/certs/zulip.combined-chain.crt'
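# --exists-ok: a complete key/cert pair already installed counts as success.
if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" ] && [ -e "$CERTFILE" ]; then
    exit 0
fi

# Without --force, never clobber an existing key or certificate.  Either
# one is enough to stop: a stray half of a pair deserves a look first.
if [ -z "$FORCE" ] && { [ -e "$KEYFILE" ] || [ -e "$CERTFILE" ]; }; then
    echo "$0: certificate and/or key already exists; use --force to overwrite." >&2
    exit 1
fi

# The new key and certificate are generated into temporary files next to
# their final locations and only renamed into place after openssl has
# succeeded, so a failed apt-get or openssl run (or an interrupt) leaves
# any existing pair in place instead of having deleted it up front.
# mktemp creates the files 0600, so the private key is never readable by
# anyone else between creation and the chmod below.  The variables are
# initialised empty before the trap is armed so cleanup is safe whichever
# mktemp call fails.
config=
new_key=
new_cert=
cleanup() {
    local f
    for f in "$config" "$new_key" "$new_cert"; do
        if [ -n "$f" ]; then
            rm -f -- "$f"
        fi
    done
}
trap cleanup EXIT
config="$(mktemp)" || exit 1
new_key="$(mktemp "$KEYFILE.XXXXXX")" || exit 1
new_cert="$(mktemp "$CERTFILE.XXXXXX")" || exit 1

cat >"$config" <<EOF
# Based on /usr/share/ssl-cert/ssleay.cnf from Debian's \`ssl-cert\`
# package, which is used for the system's snakeoil cert in /etc/ssl/.

RANDFILE = /dev/urandom

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]
commonName = $EXTERNAL_HOST

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$EXTERNAL_HOST
EOF

apt-get install -y openssl

# Based on /usr/sbin/make-ssl-cert from Debian's `ssl-cert` package.
# Self-signed (-x509), valid ten years, with an unencrypted key (-nodes)
# so the web server can load it without a passphrase.
openssl req -new -x509 \
    -config "$config" -days 3650 -nodes -sha256 \
    -out "$new_cert" -keyout "$new_key"

# The certificate is public; the key stays readable only by its owner
# and group.
chmod 644 "$new_cert"
chmod 640 "$new_key"

# Install both (a rename within the same directory).  Afterwards the EXIT
# trap's rm -f finds no temporary key/cert left to remove.
mv -f -- "$new_key" "$KEYFILE"
mv -f -- "$new_cert" "$CERTFILE"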