init
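--- a/letsencrypt/ipa-httpd.cnf
+++ b/letsencrypt/ipa-httpd.cnf
@@ -0,0 +1,18 @@
+# the fully qualified server (or service) name
+FQDN = id1.storedme.com
+ALTNAMES = DNS:$FQDN
+
+# --- no modifications required below ---
+[ req ]
+default_bits = 2048
+default_md = sha256
+prompt = no
+encrypt_key = no
+distinguished_name = dn
+req_extensions = req_ext
+
+[ dn ]
+CN = $FQDN
+
+[ req_ext ]
+subjectAltName = $ALTNAMES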
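Review bot: `FQDN = id1.storedme.com` is a concrete hostname, but letsencrypt/setup-le.sh in this same commit prepares the file with `sed -i "s/server.example.test/$FQDN/g"`, and the placeholder `server.example.test` does not occur anywhere in this file, so that substitution is a no-op and any host running the setup script would generate a CSR for id1.storedme.com rather than its own name. Either ship the template with the value the script expects, `FQDN = server.example.test`, or change the sed pattern in setup-le.sh to match the committed value; the two files need to agree on the placeholder. A short comment such as `# placeholder, rewritten by setup-le.sh` above the FQDN line would make the contract visible to whoever edits this next.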
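--- a/letsencrypt/renew-le.sh
+++ b/letsencrypt/renew-le.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+set -o nounset
+
+WORKDIR=$(dirname "$(realpath $0)")
+EMAIL="mail@mail.ru"
+
+### cron
+# check that the cert will last at least 2 days from now to prevent too frequent renewal
+# comment out this line for the first run
+if [ "${1:-renew}" != "--first-time" ]
+then
+start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
+now_timestamp=`date +%s`
+let diff=($now_timestamp-$start_timestamp)/86400
+if [ "$diff" -lt "2" ]; then
+echo "Certificate is actuality"
+exit 0
+fi
+fi
+cd "$WORKDIR"
+# cert renewal is needed if we reached this line
+
+# cleanup
+rm -f "$WORKDIR"/*.pem
+rm -f "$WORKDIR"/httpd-csr.*
+
+# generate CSR
+OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
+[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
+openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
+
+# httpd process prevents letsencrypt from working, stop it
+service httpd stop
+
+# get a new cert
+letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
+
+# replace the cert
+cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
+mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
+restorecon -v /var/lib/ipa/certs/httpd.crt
+
+# start httpd with the new cert
+service httpd start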
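Review bot: The freshness check starting at `start_timestamp=` reads `openssl x509 -startdate`, so `diff` is the number of days since the certificate was issued, not the days it "will last from now" as the comment above it claims; once a cert is more than two days old every cron run falls through to a full renewal, which also risks Let's Encrypt's duplicate-certificate rate limits. If the comment states the intent, use `-enddate` and compare the remaining lifetime: `end_timestamp=$(date +%s --date="$(openssl x509 -enddate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)")`, `now_timestamp=$(date +%s)`, `if (( (end_timestamp - now_timestamp) / 86400 >= 2 )); then` — a two-day margin is tight, but the threshold is the author's choice. Separately, with only `set -o nounset` a failing `letsencrypt certonly` goes unnoticed: the script continues through `cp`/`mv` and exits 0 after `service httpd start`, so cron never reports the failure; appending `|| { service httpd start; exit 1; }` to the letsencrypt line (or enabling errexit with an EXIT trap that restarts httpd) would surface it while still bringing the service back. `realpath $0` should be quoted as `realpath "$0"`.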
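--- a/letsencrypt/setup-le.sh
+++ b/letsencrypt/setup-le.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/bash
+set -o nounset -o errexit
+
+FQDN=$(hostname -f)
+WORKDIR=$(dirname "$(realpath $0)")
+CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
+
+sed -i "s/server.example.test/$FQDN/g" $WORKDIR/ipa-httpd.cnf
+
+dnf install letsencrypt -y
+
+if [ ! -d "/etc/ssl/$FQDN" ]
+then
+mkdir -p "/etc/ssl/$FQDN"
+fi
+
+for CERT in "${CERTS[@]}"
+do
+if command -v wget &> /dev/null
+then
+wget -O "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+elif command -v curl &> /dev/null
+then
+curl -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
+fi
+ipa-cacert-manage install "/etc/ssl/$FQDN/$CERT"
+done
+
+ipa-certupdate
+
+"$WORKDIR/renew-le.sh" --first-time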
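Review bot: The `curl -o` branch has no `-f`, so an HTTP error response is written into `/etc/ssl/$FQDN/$CERT` with exit status 0 and then handed to `ipa-cacert-manage install`; `curl -fsSL -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"` makes a failed download abort under errexit the way the wget branch already does. If neither wget nor curl is installed the loop falls through to `ipa-cacert-manage install` on a file that was never fetched, so an `else` arm that exits with a message is needed. Since these files are being added to the IPA trust store, consider checking each downloaded certificate against a pinned expected fingerprint (for example via `openssl x509 -noout -fingerprint -sha256`, with the expected values kept alongside the script) before installing, rather than trusting the download alone; the CERTS list is also a snapshot of the current chain and will need maintenance as intermediates rotate. `$WORKDIR/ipa-httpd.cnf` in the `sed -i` line and `$0` in `realpath $0` are unquoted and should be `"$WORKDIR/ipa-httpd.cnf"` and `realpath "$0"`.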