Subversion Repositories ALCASAR

Rev

Rev 1747 | Rev 1758 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
1710 richard 1 
#!/bin/sh
2 
 
3 
# alcasar-importcert.sh
1736 richard 4 
# by Raphaël, Hugo, Clément, Bettyna & rexy
1710 richard 5 
 
6 
# This script is distributed under the Gnu General Public License (GPL)
7 
 
8 
# Script permettant
9 
# - d'importer des certificats sur Alcasar
1733 richard 10 
# - de revenir au certificat par default
1710 richard 11 
 
12 
# This script allows
1733 richard 13 
# - to import a certificate in Alcasar
14 
# - to go back to the default certificate
1710 richard 15 
 
16 
SED="/bin/sed -ri"
17 
DIR_CERT="/etc/pki/tls"
1736 richard 18 
CONF_FILE="/usr/local/etc/alcasar.conf"
19 
PRIVATE_IP_MASK=`grep PRIVATE_IP $CONF_FILE|cut -d"=" -f2`
20 
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
1747 richard 21 
DEFAULT_FQDN='alcasar.localdomain'
1710 richard 22 
 
1733 richard 23 
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key (-c /path/to/serverchain.crt) || alcasar-importcert.sh -d (Cette utilisation permet de revenir au certificat par default)"
1710 richard 24 
nb_args=$#
1733 richard 25 
arg1=$1
1710 richard 26 
 
1733 richard 27 
 
28 
function defaultNdd()
29 
{
30 
	$SED 's/^DOMAIN=.*/DOMAIN=localdomain/g' /usr/local/etc/alcasar.conf
31 
	$SED 's/\.([a-zA-Z][a-zA-Z0-9-]+(\.[a-z]{2,4})?)/.localdomain/g' /etc/hosts
32 
	$SED 's/alcasar\.([a-zA-Z0-9-]+(\.[a-z]{2,4})?)/alcasar.localdomain/g' /etc/chilli.conf
33 
	$SED 's/^domain.*/domain\t\tlocaldomain/g' /etc/chilli.conf
34 
	$SED 's/^ServerName.*/ServerName alcasar.localdomain/g' /etc/httpd/conf/httpd.conf
1736 richard 35 
	$SED "s/^domain=.*/domain=localdomain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
1740 richard 36 
	hostnamectl set-hostname alcasar.localdomain
37 
	$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/alcasar.localdomain\//g" /etc/httpd/conf/webapps.d/alcasar.conf
1747 richard 38 
	$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain alcasar.localdomain/g" /etc/httpd/conf/webapps.d/alcasar.conf
39 
	$SED "s/^    ServerName.*/    ServerName alcasar.localdomain/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf
1733 richard 40 
}
41 
 
42 
function defaultCert()
43 
{
1740 richard 44 
	mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
45 
	mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
46 
	if [ -f $DIR_CERT/certs/server-chain.crt.old ]
1733 richard 47 
	then
1740 richard 48 
		mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
1743 clement.si 49 
	#else
50 
	#	rm -f $DIR_CERT/certs/server-chain.crt
1733 richard 51 
	fi
52 
}
53 
 
1710 richard 54 
function domainName() # change the domain name in the conf files
55 
{
56 
 
1744 clement.si 57 
	fqdn=$(openssl x509 -noout -subject -in $cert | sed -n '/^subject/s/^.*CN=//p' | cut -d'/' -f 1)
1736 richard 58 
	hostname=`echo $fqdn | awk -F'.' '{ print $1 }'`
59 
	domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' |sed 's/^.//'`
60 
	echo "fqdn=$fqdn hostname=$hostname domain=$domain"
61 
	if [ "$fqdn" != "" ]
1733 richard 62 
	then
1736 richard 63 
		$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
64 
		cat <<EOF > /etc/hosts
65 
127.0.0.1	localhost
66 
$PRIVATE_IP	$fqdn $hostname
67 
EOF
68 
		$SED "s/^domain.*/domain\t\t$domain/g" /etc/chilli.conf
69 
		$SED "s/^locationname.*/locationname\t$fqdn/g" /etc/chilli.conf
70 
		$SED "s/^uamserver.*/uamserver\thttps:\/\/$fqdn\/intercept.php/g" /etc/chilli.conf
71 
		$SED "s/^radiusnasid.*/radiusnasid\t$fqdn/g" /etc/chilli.conf
72 
		$SED "s/^uamallowed.*/uamallowed\t$hostname,$fqdn/g" /etc/chilli.conf
73 
		$SED "s/^ServerName.*/ServerName $fqdn/g" /etc/httpd/conf/httpd.conf
74 
		$SED "s/^domain=.*/domain=$domain/g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf
1740 richard 75 
		hostnamectl set-hostname $fqdn
76 
		$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$fqdn\//g" /etc/httpd/conf/webapps.d/alcasar.conf
1747 richard 77 
		$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $fqdn/g" /etc/httpd/conf/webapps.d/alcasar.conf
78 
		$SED "s/^    ServerName.*/    ServerName $fqdn/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
1710 richard 79 
	fi
80 
}
81 
 
82 
function certImport()
83 
{
1740 richard 84 
	if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
1710 richard 85 
	then
86 
		echo "Backup of old cert (alcasar.crt)"
1740 richard 87 
		mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
1710 richard 88 
	fi
1740 richard 89 
	if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
1710 richard 90 
	then
91 
		echo "Backup of old private key (alcasar.key)"
1740 richard 92 
		mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
1710 richard 93 
	fi
1740 richard 94 
	cp $cert $DIR_CERT/certs/alcasar.crt
95 
	cp $key $DIR_CERT/private/alcasar.key
1733 richard 96 
 
1743 clement.si 97 
	rm $cert $key
98 
 
1740 richard 99 
	chown root:apache $DIR_CERT/certs/alcasar.crt
100 
	chown root:apache $DIR_CERT/private/alcasar.key
1710 richard 101 
 
1740 richard 102 
	chmod 750 $DIR_CERT/certs/alcasar.crt
103 
	chmod 750 $DIR_CERT/private/alcasar.key
1710 richard 104 
	if [ "$sc" != "" ]
105 
	then
106 
		echo "cert-chain exists"
1740 richard 107 
		if [ ! -f "$DIR_CERT/certs/server-chain.crt.old" ]
1710 richard 108 
		then
109 
			echo "Backup of old cert-chain (server-chain.crt)"
1740 richard 110 
			mv $DIR_CERT/certs/server-chain.crt $DIR_CERT/certs/server-chain.crt.old
1710 richard 111 
		fi
1740 richard 112 
		cp $sc $DIR_CERT/certs/server-chain.crt
1743 clement.si 113 
		rm $sc
1740 richard 114 
		chown root:apache $DIR_CERT/certs/server-chain.crt
115 
		chmod 750 $DIR_CERT/certs/server-chain.crt
1710 richard 116 
	fi
117 
}
118 
 
1733 richard 119 
 
120 
if [ $nb_args -eq 0 ]
1710 richard 121 
then
1733 richard 122 
	echo "$usage"
123 
	exit 1
1710 richard 124 
fi
125 
 
1733 richard 126 
case $arg1 in
1710 richard 127 
	-\? | -h* | --h*)
128 
		echo "$usage"
129 
		exit 0
130 
		;;
131 
	-i)
1733 richard 132 
		arg3=$3
133 
		arg5=$5
134 
		cert=$2
135 
		key=$4
136 
		sc=$6
137 
 
138 
		if [ "$cert" == "" ] || [ "$key" == "" ]
139 
		then
140 
			echo "$usage"
141 
			exit 1
142 
		fi
143 
 
144 
		if [ ! -f "$cert" -o ! -f "$key" ]
145 
		then
146 
			echo "Certificate and/or private key not found"
147 
			exit 1
148 
		fi
149 
 
150 
		if [ ${cert: -4} != ".crt" ]
151 
		then
152 
			echo "Invalid certificate file"
153 
			exit 1
154 
		fi
155 
 
156 
		if [ ${key: -4} != ".key" ]
157 
		then
158 
			echo "Invalid private key"
159 
			exit 1
160 
		fi
161 
 
162 
		if [ "$arg5" != "-c" ] || [ ! -f "$sc" ]
163 
		then
164 
			echo "No server-chain given"
165 
			echo "Importing certificate $cert with private key $key"
166 
			sc=""
167 
		else
168 
			echo "Importing certificate $cert with private key $key and server-chain $sc"
169 
		fi
170 
		domainName $cert
171 
		certImport $cert $key $sc
1736 richard 172 
		for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
1740 richard 173 
		do
174 
			echo "restarting $services"; systemctl restart $services; sleep 1
175 
		done
1710 richard 176 
		;;
1733 richard 177 
	-d)
178 
		if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
179 
		then
180 
			echo "Restoring default certificate"
181 
			defaultCert
182 
			defaultNdd
1740 richard 183 
			for services in chilli httpd dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist
184 
			do
185 
				echo "restarting $services"; systemctl restart $services; sleep 1
186 
			done
1733 richard 187 
		fi
188 
		;;
1710 richard 189 
	*)
190 
		echo "$usage"
191 
		;;
192 
esac