/scripts/alcasar-CA.sh |
---|
18,7 → 18,7 |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVCERT=$DIR_CERT/certs/alcasar.crt |
SRVPEM=$DIR_CERT/private/alcasar.pem |
SRVCHAIN=$DIR_CERT/certs/server-chain.crt |
SRVCHAIN=$DIR_CERT/certs/server-chain.pem |
CACERT_LIFETIME="1460" |
SRVCERT_LIFETIME="1460" |
/scripts/alcasar-certificates.sh |
---|
41,7 → 41,7 |
tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key} |
# Export of server Certificate |
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt} |
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.pem} |
gzip $FILE.tar |
echo "Le fichier des certificats exportés est : $FILE.tar.gz" |
} # end function export |
60,7 → 60,7 |
cd $DIR_PKI/tls |
cp certs/alcasar.crt $DIR_SAVE/. |
cp private/alcasar.key $DIR_SAVE/. |
cp certs/server-chain.crt $DIR_SAVE/. |
cp certs/server-chain.pem $DIR_SAVE/. |
} # end function archive |
function import() { |
79,10 → 79,10 |
echo "Import new certificates in ALCASAR !!!" |
cp -r $DIR_IMPORT/* /. |
chown root:apache $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key} |
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt} |
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem} |
chmod 750 $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key} |
chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt} |
chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem} |
service lighttpd restart |
else |
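Review bot: In the import hunk (79,10 → 79,10) the private keys `alcasar-ca.key`, `alcasar.key` and `alcasar.pem` are still set to `chmod 750` under group `apache`, which is broader than the `chmod 640 /etc/pki/CA/*` and `chmod 700 /etc/pki/CA/private` that alcasar-conf.sh applies to the same tree in its 194,7 → 194,7 hunk; since the commit already rewrites this line, `chmod 640` on the key files (the execute bit is meaningless on a file) would align the two scripts. An archive produced by an earlier release still carries `certs/server-chain.crt` (see the old line of the export hunk), so after `cp -r $DIR_IMPORT/* /.` no `server-chain.pem` exists and the new chown/chmod lines fail on the missing file; a fallback such as `[ -e $DIR_PKI/tls/certs/server-chain.pem ] || cp $DIR_PKI/tls/certs/server-chain.crt $DIR_PKI/tls/certs/server-chain.pem` before the chown would keep old exports importable. The import function's body continues outside the hunk.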
/scripts/alcasar-conf.sh |
---|
91,10 → 91,10 |
[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3 |
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE |
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE |
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then |
cp -f /etc/pki/tls/certs/server-chain.crt* $DIR_UPDATE # autosigned and official if exist |
if [ -e /etc/pki/tls/certs/server-chain.pem ]; then |
cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem |
fi |
# pureip & safesearch status |
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian |
194,7 → 194,7 |
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist |
[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist |
chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA |
chmod 640 /etc/pki/CA/* |
chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private |
439,7 → 439,14 |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
EOF |
# Configuration file for lo of forward unbound |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for lo of forward |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
454,14 → 461,7 |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for $INTIF of forward unbound |
# Configuration file for $INTIF of forward |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
471,7 → 471,7 |
name: "$INTIF" |
view-first: yes |
EOF |
# Configuration file for $INTIF of blacklist unbound |
# Configuration file for $INTIF of blacklist |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
480,7 → 480,7 |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of whitelist unbound |
# Configuration file for $INTIF of whitelist |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
489,7 → 489,7 |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of blackhole unbound |
# Configuration file for $INTIF of blackhole |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
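Review bot: In hunk 439,7 → 439,14 the `if [ "$HOSTNAME" != 'alcasar' ]` block now runs before `cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf`, so the two lines it appends to iface.lo.conf are discarded when that `>` redirection truncates the file a few lines later; in its old position (hunk 454,14 → 461,7) the block came after the heredoc's `EOF`, where the appends survived. Either move the block back below the lo heredoc, or keep only the two `${INTIF}.conf` appends at the new position and emit the lo lines after the heredoc. Separately, `echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\""` and its 127.0.0.1 twin look like they should be `local-data:` entries, matching the `local-data: "$HOSTNAME A $PRIVATE_IP"` line in the heredoc just above — worth confirming against unbound's config syntax before merging. The enclosing function starts and ends outside the hunk.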
/scripts/alcasar-importcert.sh |
---|
25,24 → 25,15 |
nb_args=$# |
arg1=$1 |
function defaultNdd() |
{ |
$SED "s/^HOSTNAME=.*/HOSTNAME=alcasar/g" /usr/local/etc/alcasar.conf |
$SED "s/^DOMAIN=.*/DOMAIN=localdomain/g" /usr/local/etc/alcasar.conf |
/usr/local/bin/alcasar-conf.sh --apply |
} |
function defaultCert() |
{ |
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt |
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key |
if [ -f $DIR_CERT/certs/server-chain.crt.old ] |
if [ -f $DIR_CERT/certs/server-chain.pem.old ] |
then |
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt |
mv $DIR_CERT/certs/server-chain.pem.old $DIR_CERT/certs/server-chain.pem |
fi |
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem |
chown root:apache $DIR_CERT/private/alcasar.pem |
chmod 750 $DIR_CERT/private/alcasar.pem |
} |
49,8 → 40,7 |
function domainName() # change the domain name in the conf files |
{ |
fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1) |
fqdn=$(openssl x509 -noout -subject -nameopt multiline -in $DIR_CERT/certs/alcasar.crt | grep commonName|cut -d"=" -f2|tr -d ' ') |
#check if there is a wildcard in $fqdn |
if [[ $fqdn == *"*"* ]]; |
then |
61,12 → 51,11 |
fi |
domain=$(echo $fqdn | cut -d'.' -f2-) |
echo "fqdn=$fqdn hostname=$hostname domain=$domain" |
#check fqdn format |
if [[ "$fqdn" != "" && "$domain" != "" ]]; then |
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf |
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf |
/usr/local/bin/alcasar-conf.sh --apply |
# /usr/local/bin/alcasar-conf.sh --apply |
fi |
} |
82,31 → 71,26 |
echo "Backup of old private key (alcasar.key)" |
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old |
fi |
cp $cert $DIR_CERT/certs/alcasar.crt |
cp $key $DIR_CERT/private/alcasar.key |
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem |
chown root:apache $DIR_CERT/certs/alcasar.crt |
chown root:apache $DIR_CERT/private/alcasar.key |
chown root:apache $DIR_CERT/private/alcasar.pem |
chmod 750 $DIR_CERT/certs/alcasar.crt |
chmod 750 $DIR_CERT/private/alcasar.key |
chmod 750 $DIR_CERT/private/alcasar.pem |
if [ "$sc" != "" ] |
then |
echo "cert-chain exists" |
if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ] |
if [ ! -f "$DIR_CERT/certs/server-chain.pem.old" ] |
then |
echo "Backup of old cert-chain (server-chain.crt)" |
mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old |
echo "Backup of old cert-chain (server-chain.pem)" |
mv $DIR_CERT/certs/server-chain.pem $DIR_CERT/certs/server-chain.pem.old |
fi |
cp $sc $DIR_CERT/certs/server-chain.crt |
chown root:apache $DIR_CERT/certs/server-chain.crt |
chmod 750 $DIR_CERT/certs/server-chain.crt |
cp $sc $DIR_CERT/certs/server-chain.pem |
chown root:apache $DIR_CERT/certs/server-chain.pem |
chmod 750 $DIR_CERT/certs/server-chain.pem |
fi |
} |
164,7 → 148,7 |
echo "Server-chain certificate not found" |
exit 1 |
fi |
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ] |
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ] && [ ${sc: -4} != ".pem" ] |
then |
echo "Invalid server-chain certificate file" |
exit 1 |
171,12 → 155,8 |
fi |
echo "Importing certificate $cert with private key $key and server-chain $sc" |
fi |
domainName $cert |
certImport $cert $key $sc |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
certImport |
domainName |
;; |
-d) |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ] |
183,11 → 163,8 |
then |
echo "Restoring default certificate" |
defaultCert |
defaultNdd |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
domainName |
else echo "No default cert found" |
fi |
;; |
*) |