

Ignore whitespace Rev 2812 → Rev 2813

/scripts/alcasar-CA.sh
18,7 → 18,7
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVPEM=$DIR_CERT/private/alcasar.pem
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
SRVCHAIN=$DIR_CERT/certs/server-chain.pem
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
/scripts/alcasar-certificates.sh
41,7 → 41,7
tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
 
# Export of server Certificate
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt}
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.pem}
gzip $FILE.tar
echo "Le fichier des certificats exportés est : $FILE.tar.gz"
} # end function export
60,7 → 60,7
cd $DIR_PKI/tls
cp certs/alcasar.crt $DIR_SAVE/.
cp private/alcasar.key $DIR_SAVE/.
cp certs/server-chain.crt $DIR_SAVE/.
cp certs/server-chain.pem $DIR_SAVE/.
} # end function archive
 
function import() {
79,10 → 79,10
echo "Import new certificates in ALCASAR !!!"
cp -r $DIR_IMPORT/* /.
chown root:apache $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt}
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
 
chmod 750 $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt}
chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
 
service lighttpd restart
else
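Review bot: The renamed file list on the `chmod 750` line still sets the execute bit on regular files (a PEM key and three certificates); for data files that lighttpd reads through the apache group, `chmod 640 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}` gives the same read access without it and matches the `chmod 640 /etc/pki/CA/*` used by the update path in alcasar-conf.sh. The same applies to the unchanged `chmod 750` on the CA files two lines above, where the `chown root:apache` on `private/alcasar-ca.key` also makes the CA signing key readable by the web-server group, whereas alcasar-conf.sh resets `/etc/pki/CA/private` to `root:root` 700 — worth deciding which of the two is intended. The import() function's body starts outside this hunk.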
/scripts/alcasar-conf.sh
91,10 → 91,10
[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then
cp -f /etc/pki/tls/certs/server-chain.crt* $DIR_UPDATE # autosigned and official if exist
if [ -e /etc/pki/tls/certs/server-chain.pem ]; then
cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist
else
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem
fi
# pureip & safesearch status
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian
194,7 → 194,7
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist
[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist
chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
chmod 640 /etc/pki/CA/*
chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
439,7 → 439,14
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
EOF
# Configuration file for lo of forward unbound
if [ "$HOSTNAME" != 'alcasar' ]
then
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf
fi
# Configuration file for lo of forward
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
454,14 → 461,7
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
EOF
if [ "$HOSTNAME" != 'alcasar' ]
then
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf
fi
# Configuration file for $INTIF of forward unbound
# Configuration file for $INTIF of forward
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
471,7 → 471,7
name: "$INTIF"
view-first: yes
EOF
# Configuration file for $INTIF of blacklist unbound
# Configuration file for $INTIF of blacklist
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
480,7 → 480,7
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
# Configuration file for $INTIF of whitelist unbound
# Configuration file for $INTIF of whitelist
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
489,7 → 489,7
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
# Configuration file for $INTIF of blackhole unbound
# Configuration file for $INTIF of blackhole
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
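Review bot: In the hunk at line 91, an upgrade from an installation that still has `/etc/pki/tls/certs/server-chain.crt` (every earlier release, per the removed line) fails the new `-e server-chain.pem` test and falls into the else branch, so the server's own certificate is copied as `server-chain.pem` and an official intermediate chain is silently dropped; the restore hunk at 194 then installs that bare certificate as the chain. Add a fallback before the else: `elif [ -e /etc/pki/tls/certs/server-chain.crt ]; then cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE/server-chain.pem # chain from a pre-rename install`. The removed line also globbed `server-chain.crt*`, so if other variants of the chain file were meant to travel with the update (the comment mentions autosigned and official), the new single `cp` no longer carries them — confirm against what the install script writes. The enclosing update block starts and ends outside the hunk.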
/scripts/alcasar-importcert.sh
25,24 → 25,15
nb_args=$#
arg1=$1
 
function defaultNdd()
{
$SED "s/^HOSTNAME=.*/HOSTNAME=alcasar/g" /usr/local/etc/alcasar.conf
$SED "s/^DOMAIN=.*/DOMAIN=localdomain/g" /usr/local/etc/alcasar.conf
/usr/local/bin/alcasar-conf.sh --apply
}
 
function defaultCert()
{
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
if [ -f $DIR_CERT/certs/server-chain.crt.old ]
if [ -f $DIR_CERT/certs/server-chain.pem.old ]
then
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
mv $DIR_CERT/certs/server-chain.pem.old $DIR_CERT/certs/server-chain.pem
fi
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
 
chown root:apache $DIR_CERT/private/alcasar.pem
chmod 750 $DIR_CERT/private/alcasar.pem
}
49,8 → 40,7
 
function domainName() # change the domain name in the conf files
{
fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
 
fqdn=$(openssl x509 -noout -subject -nameopt multiline -in $DIR_CERT/certs/alcasar.crt | grep commonName|cut -d"=" -f2|tr -d ' ')
#check if there is a wildcard in $fqdn
if [[ $fqdn == *"*"* ]];
then
61,12 → 51,11
fi
domain=$(echo $fqdn | cut -d'.' -f2-)
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
 
#check fqdn format
if [[ "$fqdn" != "" && "$domain" != "" ]]; then
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
/usr/local/bin/alcasar-conf.sh --apply
# /usr/local/bin/alcasar-conf.sh --apply
fi
}
 
82,31 → 71,26
echo "Backup of old private key (alcasar.key)"
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
fi
 
cp $cert $DIR_CERT/certs/alcasar.crt
cp $key $DIR_CERT/private/alcasar.key
 
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
 
chown root:apache $DIR_CERT/certs/alcasar.crt
chown root:apache $DIR_CERT/private/alcasar.key
chown root:apache $DIR_CERT/private/alcasar.pem
 
chmod 750 $DIR_CERT/certs/alcasar.crt
chmod 750 $DIR_CERT/private/alcasar.key
chmod 750 $DIR_CERT/private/alcasar.pem
 
if [ "$sc" != "" ]
then
echo "cert-chain exists"
if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
if [ ! -f "$DIR_CERT/certs/server-chain.pem.old" ]
then
echo "Backup of old cert-chain (server-chain.crt)"
mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
echo "Backup of old cert-chain (server-chain.pem)"
mv $DIR_CERT/certs/server-chain.pem $DIR_CERT/certs/server-chain.pem.old
fi
cp $sc $DIR_CERT/certs/server-chain.crt
chown root:apache $DIR_CERT/certs/server-chain.crt
chmod 750 $DIR_CERT/certs/server-chain.crt
cp $sc $DIR_CERT/certs/server-chain.pem
chown root:apache $DIR_CERT/certs/server-chain.pem
chmod 750 $DIR_CERT/certs/server-chain.pem
fi
}
 
164,7 → 148,7
echo "Server-chain certificate not found"
exit 1
fi
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ]
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ] && [ ${sc: -4} != ".pem" ]
then
echo "Invalid server-chain certificate file"
exit 1
171,12 → 155,8
fi
echo "Importing certificate $cert with private key $key and server-chain $sc"
fi
domainName $cert
certImport $cert $key $sc
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
certImport
domainName
;;
-d)
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
183,11 → 163,8
then
echo "Restoring default certificate"
defaultCert
defaultNdd
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
domainName
else echo "No default cert found"
fi
;;
*)
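Review bot: After this change nothing in the script activates the imported certificate: the service-restart loops are removed from both the import and `-d` branches and the `alcasar-conf.sh --apply` call in domainName() is commented out, so the new HOSTNAME/DOMAIN written to alcasar.conf and the new key in `$DIR_CERT` are not picked up by chilli, unbound or lighttpd until something else restarts them. If that is now the caller's job, say so where the call is commented out, e.g. `# conf apply and service restarts are left to the caller (alcasar-conf.sh --apply)`; otherwise the `--apply` call should come back after certImport. Separately, the CN extracted in domainName() is interpolated unescaped into the `sed` replacement on the HOSTNAME= and DOMAIN= lines, so a CN containing `/` or `&` corrupts alcasar.conf — the value comes from an admin-supplied certificate, so this is a robustness rather than an injection concern, but a guard such as `[[ "$fqdn" =~ ^[A-Za-z0-9.*-]+$ ]] || exit 1` before the sed would avoid it. The `case` statement these branches belong to starts and ends outside the hunks.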