| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
|
2 |
|
| 3 |
# alcasar-importcert.sh
|
3 |
# alcasar-importcert.sh
|
| 4 |
# by Raphaël, Hugo, Clément, Bettyna & rexy
|
4 |
# by Raphaël, Hugo, Clément, Bettyna & rexy
|
| 5 |
|
5 |
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
7 |
|
| 8 |
# Script permettant
|
8 |
# Script permettant
|
| 9 |
# - d'importer des certificats sur Alcasar
|
9 |
# - d'importer des certificats sur Alcasar
|
| 10 |
# - de revenir au certificat par default
|
10 |
# - de revenir au certificat par default
|
| 11 |
|
11 |
|
| 12 |
# This script allows
|
12 |
# This script allows
|
| 13 |
# - to import a certificate in Alcasar
|
13 |
# - to import a certificate in Alcasar
|
| 14 |
# - to go back to the default certificate
|
14 |
# - to go back to the default certificate
|
| 15 |
|
15 |
|
| 16 |
SED="/bin/sed -ri"
|
16 |
SED="/bin/sed -ri"
|
| 17 |
DIR_CERT="/etc/pki/tls"
|
17 |
DIR_CERT="/etc/pki/tls"
|
| 18 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
18 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| 19 |
PRIVATE_IP_MASK=`grep PRIVATE_IP $CONF_FILE|cut -d"=" -f2`
|
19 |
PRIVATE_IP_MASK=`grep PRIVATE_IP $CONF_FILE|cut -d"=" -f2`
|
| 20 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
|
20 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
|
| 21 |
DEFAULT_FQDN='alcasar.localdomain'
|
21 |
DEFAULT_FQDN='alcasar.localdomain'
|
| 22 |
|
22 |
|
| 23 |
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key (-c /path/to/serverchain.crt) || alcasar-importcert.sh -d (Cette utilisation permet de revenir au certificat par default)"
|
23 |
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key (-c /path/to/serverchain.crt) || alcasar-importcert.sh -d (Cette utilisation permet de revenir au certificat par default)"
|
| 24 |
nb_args=$#
|
24 |
nb_args=$#
|
| 25 |
arg1=$1
|
25 |
arg1=$1
|
| 26 |
|
26 |
|
| 27 |
|
27 |
|
| 28 |
function defaultNdd()
|
28 |
function defaultNdd()
|
| 29 |
{
|
29 |
{
|
| 30 |
$SED 's/^DOMAIN=.*/DOMAIN=localdomain/g' /usr/local/etc/alcasar.conf
|
30 |
$SED 's/^DOMAIN=.*/DOMAIN=localdomain/g' /usr/local/etc/alcasar.conf
|
| 31 |
$SED 's/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.localdomain/g' /etc/hosts
|
31 |
$SED 's/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.localdomain/g' /etc/hosts
|
| 32 |
$SED 's/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.localdomain/g' /etc/chilli.conf
|
32 |
$SED 's/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.localdomain/g' /etc/chilli.conf
|
| 33 |
$SED 's/^domain.*/domain\t\tlocaldomain/g' /etc/chilli.conf
|
33 |
$SED 's/^domain.*/domain\t\tlocaldomain/g' /etc/chilli.conf
|
| 34 |
$SED 's/^ServerName.*/ServerName alcasar.localdomain/g' /etc/httpd/conf/httpd.conf
|
34 |
$SED 's/^ServerName.*/ServerName alcasar.localdomain/g' /etc/httpd/conf/httpd.conf
|
| 35 |
$SED "s/^domain=.*/domain=localdomain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
|
35 |
$SED "s/^domain=.*/domain=localdomain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
|
| 36 |
hostnamectl set-hostname alcasar.localdomain
|
36 |
hostnamectl set-hostname alcasar.localdomain
|
| 37 |
$SED "s/^\tAuthName.*/\tAuthName alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
- |
|
| 38 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/alcasar.localdomain\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
37 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/alcasar.localdomain\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 39 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
38 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 40 |
$SED "s/^ ServerName.*/ ServerName alcasar.localdomain/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf
|
39 |
$SED "s/^ ServerName.*/ ServerName alcasar.localdomain/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf
|
| 41 |
$SED "s/:.*:/:alcasar.localdomain:/g" /usr/local/etc/digest/key_*
|
- |
|
| 42 |
}
|
40 |
}
|
| 43 |
|
41 |
|
| 44 |
function defaultCert()
|
42 |
function defaultCert()
|
| 45 |
{
|
43 |
{
|
| 46 |
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
|
44 |
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
|
| 47 |
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
|
45 |
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
|
| 48 |
if [ -f $DIR_CERT/certs/server-chain.crt.old ]
|
46 |
if [ -f $DIR_CERT/certs/server-chain.crt.old ]
|
| 49 |
then
|
47 |
then
|
| 50 |
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
|
48 |
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
|
| 51 |
#else
|
49 |
#else
|
| 52 |
# rm -f $DIR_CERT/certs/server-chain.crt
|
50 |
# rm -f $DIR_CERT/certs/server-chain.crt
|
| 53 |
fi
|
51 |
fi
|
| 54 |
}
|
52 |
}
|
| 55 |
|
53 |
|
| 56 |
function domainName() # change the domain name in the conf files
|
54 |
function domainName() # change the domain name in the conf files
|
| 57 |
{
|
55 |
{
|
| 58 |
|
56 |
|
| 59 |
fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
|
57 |
fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
|
| 60 |
hostname=`echo $fqdn | awk -F'.' '{ print $1 }'`
|
58 |
hostname=`echo $fqdn | awk -F'.' '{ print $1 }'`
|
| 61 |
domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' |sed 's/^.//'`
|
59 |
domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' |sed 's/^.//'`
|
| 62 |
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
|
60 |
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
|
| 63 |
if [ "$fqdn" != "" ]
|
61 |
if [ "$fqdn" != "" ]
|
| 64 |
then
|
62 |
then
|
| 65 |
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
|
63 |
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
|
| 66 |
cat <<EOF > /etc/hosts
|
64 |
cat <<EOF > /etc/hosts
|
| 67 |
127.0.0.1 localhost
|
65 |
127.0.0.1 localhost
|
| 68 |
$PRIVATE_IP $fqdn $hostname
|
66 |
$PRIVATE_IP $fqdn $hostname
|
| 69 |
EOF
|
67 |
EOF
|
| 70 |
$SED "s/^domain.*/domain\t\t$domain/g" /etc/chilli.conf
|
68 |
$SED "s/^domain.*/domain\t\t$domain/g" /etc/chilli.conf
|
| 71 |
$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf
|
69 |
$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf
|
| 72 |
$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf
|
70 |
$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf
|
| 73 |
$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf
|
71 |
$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf
|
| 74 |
$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf
|
72 |
$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf
|
| 75 |
$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf
|
73 |
$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf
|
| 76 |
$SED "s/^domain=.*/domain=$domain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
|
74 |
$SED "s/^domain=.*/domain=$domain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
|
| 77 |
hostnamectl set-hostname $fqdn
|
75 |
hostnamectl set-hostname $fqdn
|
| 78 |
$SED "s/^\tAuthName.*/\tAuthName $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
- |
|
| 79 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
76 |
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 80 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
77 |
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
|
| 81 |
$SED "s/^ ServerName.*/ ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
|
78 |
$SED "s/^ ServerName.*/ ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
|
| 82 |
$SED "s/:.*:/:$fqdn:/g" /usr/local/etc/digest/key_*
|
- |
|
| 83 |
fi
|
79 |
fi
|
| 84 |
}
|
80 |
}
|
| 85 |
|
81 |
|
| 86 |
function certImport()
|
82 |
function certImport()
|
| 87 |
{
|
83 |
{
|
| 88 |
if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
|
84 |
if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
|
| 89 |
then
|
85 |
then
|
| 90 |
echo "Backup of old cert (alcasar.crt)"
|
86 |
echo "Backup of old cert (alcasar.crt)"
|
| 91 |
mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
|
87 |
mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
|
| 92 |
fi
|
88 |
fi
|
| 93 |
if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
|
89 |
if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
|
| 94 |
then
|
90 |
then
|
| 95 |
echo "Backup of old private key (alcasar.key)"
|
91 |
echo "Backup of old private key (alcasar.key)"
|
| 96 |
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
|
92 |
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
|
| 97 |
fi
|
93 |
fi
|
| 98 |
cp $cert $DIR_CERT/certs/alcasar.crt
|
94 |
cp $cert $DIR_CERT/certs/alcasar.crt
|
| 99 |
cp $key $DIR_CERT/private/alcasar.key
|
95 |
cp $key $DIR_CERT/private/alcasar.key
|
| 100 |
|
96 |
|
| 101 |
rm $cert $key
|
97 |
rm $cert $key
|
| 102 |
|
98 |
|
| 103 |
chown root:apache $DIR_CERT/certs/alcasar.crt
|
99 |
chown root:apache $DIR_CERT/certs/alcasar.crt
|
| 104 |
chown root:apache $DIR_CERT/private/alcasar.key
|
100 |
chown root:apache $DIR_CERT/private/alcasar.key
|
| 105 |
|
101 |
|
| 106 |
chmod 750 $DIR_CERT/certs/alcasar.crt
|
102 |
chmod 750 $DIR_CERT/certs/alcasar.crt
|
| 107 |
chmod 750 $DIR_CERT/private/alcasar.key
|
103 |
chmod 750 $DIR_CERT/private/alcasar.key
|
| 108 |
if [ "$sc" != "" ]
|
104 |
if [ "$sc" != "" ]
|
| 109 |
then
|
105 |
then
|
| 110 |
echo "cert-chain exists"
|
106 |
echo "cert-chain exists"
|
| 111 |
if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
|
107 |
if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
|
| 112 |
then
|
108 |
then
|
| 113 |
echo "Backup of old cert-chain (server-chain.crt)"
|
109 |
echo "Backup of old cert-chain (server-chain.crt)"
|
| 114 |
mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
|
110 |
mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
|
| 115 |
fi
|
111 |
fi
|
| 116 |
cp $sc $DIR_CERT/certs/server-chain.crt
|
112 |
cp $sc $DIR_CERT/certs/server-chain.crt
|
| 117 |
rm $sc
|
113 |
rm $sc
|
| 118 |
chown root:apache $DIR_CERT/certs/server-chain.crt
|
114 |
chown root:apache $DIR_CERT/certs/server-chain.crt
|
| 119 |
chmod 750 $DIR_CERT/certs/server-chain.crt
|
115 |
chmod 750 $DIR_CERT/certs/server-chain.crt
|
| 120 |
fi
|
116 |
fi
|
| 121 |
}
|
117 |
}
|
| 122 |
|
118 |
|
| 123 |
|
119 |
|
| 124 |
if [ $nb_args -eq 0 ]
|
120 |
if [ $nb_args -eq 0 ]
|
| 125 |
then
|
121 |
then
|
| 126 |
echo "$usage"
|
122 |
echo "$usage"
|
| 127 |
exit 1
|
123 |
exit 1
|
| 128 |
fi
|
124 |
fi
|
| 129 |
|
125 |
|
| 130 |
case $arg1 in
|
126 |
case $arg1 in
|
| 131 |
-\? | -h* | --h*)
|
127 |
-\? | -h* | --h*)
|
| 132 |
echo "$usage"
|
128 |
echo "$usage"
|
| 133 |
exit 0
|
129 |
exit 0
|
| 134 |
;;
|
130 |
;;
|
| 135 |
-i)
|
131 |
-i)
|
| 136 |
arg3=$3
|
132 |
arg3=$3
|
| 137 |
arg5=$5
|
133 |
arg5=$5
|
| 138 |
cert=$2
|
134 |
cert=$2
|
| 139 |
key=$4
|
135 |
key=$4
|
| 140 |
sc=$6
|
136 |
sc=$6
|
| 141 |
|
137 |
|
| 142 |
if [ "$cert" == "" ] || [ "$key" == "" ]
|
138 |
if [ "$cert" == "" ] || [ "$key" == "" ]
|
| 143 |
then
|
139 |
then
|
| 144 |
echo "$usage"
|
140 |
echo "$usage"
|
| 145 |
exit 1
|
141 |
exit 1
|
| 146 |
fi
|
142 |
fi
|
| 147 |
|
143 |
|
| 148 |
if [ ! -f "$cert" -o ! -f "$key" ]
|
144 |
if [ ! -f "$cert" -o ! -f "$key" ]
|
| 149 |
then
|
145 |
then
|
| 150 |
echo "Certificate and/or private key not found"
|
146 |
echo "Certificate and/or private key not found"
|
| 151 |
exit 1
|
147 |
exit 1
|
| 152 |
fi
|
148 |
fi
|
| 153 |
|
149 |
|
| 154 |
if [ ${cert: -4} != ".crt" ]
|
150 |
if [ ${cert: -4} != ".crt" ]
|
| 155 |
then
|
151 |
then
|
| 156 |
echo "Invalid certificate file"
|
152 |
echo "Invalid certificate file"
|
| 157 |
exit 1
|
153 |
exit 1
|
| 158 |
fi
|
154 |
fi
|
| 159 |
|
155 |
|
| 160 |
if [ ${key: -4} != ".key" ]
|
156 |
if [ ${key: -4} != ".key" ]
|
| 161 |
then
|
157 |
then
|
| 162 |
echo "Invalid private key"
|
158 |
echo "Invalid private key"
|
| 163 |
exit 1
|
159 |
exit 1
|
| 164 |
fi
|
160 |
fi
|
| 165 |
|
161 |
|
| 166 |
if [ "$arg5" != "-c" ] || [ ! -f "$sc" ]
|
162 |
if [ "$arg5" != "-c" ] || [ ! -f "$sc" ]
|
| 167 |
then
|
163 |
then
|
| 168 |
echo "No server-chain given"
|
164 |
echo "No server-chain given"
|
| 169 |
echo "Importing certificate $cert with private key $key"
|
165 |
echo "Importing certificate $cert with private key $key"
|
| 170 |
sc=""
|
166 |
sc=""
|
| 171 |
else
|
167 |
else
|
| 172 |
echo "Importing certificate $cert with private key $key and server-chain $sc"
|
168 |
echo "Importing certificate $cert with private key $key and server-chain $sc"
|
| 173 |
fi
|
169 |
fi
|
| 174 |
domainName $cert
|
170 |
domainName $cert
|
| 175 |
certImport $cert $key $sc
|
171 |
certImport $cert $key $sc
|
| 176 |
for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
|
172 |
for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
|
| 177 |
do
|
173 |
do
|
| 178 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
174 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
| 179 |
done
|
175 |
done
|
| 180 |
;;
|
176 |
;;
|
| 181 |
-d)
|
177 |
-d)
|
| 182 |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
|
178 |
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
|
| 183 |
then
|
179 |
then
|
| 184 |
echo "Restoring default certificate"
|
180 |
echo "Restoring default certificate"
|
| 185 |
defaultCert
|
181 |
defaultCert
|
| 186 |
defaultNdd
|
182 |
defaultNdd
|
| 187 |
for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
|
183 |
for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
|
| 188 |
do
|
184 |
do
|
| 189 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
185 |
echo "restarting $services"; systemctl restart $services; sleep 1
|
| 190 |
done
|
186 |
done
|
| 191 |
fi
|
187 |
fi
|
| 192 |
;;
|
188 |
;;
|
| 193 |
*)
|
189 |
*)
|
| 194 |
echo "$usage"
|
190 |
echo "$usage"
|
| 195 |
;;
|
191 |
;;
|
| 196 |
esac
|
192 |
esac
|
| 197 |
|
193 |
|