#!/bin/bash
#
# Import certs into nodes.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.

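# Usage: import-certs [node ...]
#   With no arguments every node reported by `hydra $HYDRA nodes` is processed.
#   Requires APP_BASE to point at the hydra installation; the sourced function
#   library provides hydra_config_load, hydra_get_fqdn_from_nodename, HYDRA,
#   HYDRA_FOLDER and HYDRA_CONNECT.

# Load
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load

# Parameters
NODES="$*"
readonly PRIVATE="/etc/ssl/private"
readonly SERVICES="apache2 postfix dovecot nginx lighttpd mumble"

# Decrypted material is staged in a private local directory before anything is
# sent to a node, so a failed decryption can never truncate a certificate or key
# that is already deployed there (piping straight into `tee` would do that).
# umask 077 keeps the staged copies readable by the invoking user only.
umask 077
STAGING="$(mktemp -d)" || { printf 'import-certs: cannot create staging directory\n' >&2; exit 1; }
readonly STAGING
cleanup() { rm -rf -- "${STAGING:?}"; }
trap cleanup EXIT

#######################################
# Accept only names that are safe to interpolate into the remote shell
# commands below: a leading alphanumeric followed by [A-Za-z0-9._-], so no
# "/", no leading "-" (option confusion), no whitespace and no shell
# metacharacters.  Keyring entry names are data, not code.
# Arguments: $1 - candidate name
# Returns:   0 if the name is safe, 1 otherwise
#######################################
is_safe_name() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]
}

#######################################
# Decrypt one keyringer entry into the staging area.
# Globals:   HYDRA (read)
# Arguments: $1 - keyringer path, e.g. ssl/example.org.crt
#            $2 - destination file inside $STAGING
# Returns:   0 when keyringer succeeded and produced a non-empty file,
#            1 otherwise (the partial file is removed)
#######################################
stage_secret() {
  local entry=$1 dest=$2
  if ! keyringer "$HYDRA" decrypt "$entry" > "$dest" || [[ ! -s "$dest" ]]; then
    printf 'Failed to decrypt %s from keyringer, skipping\n' "$entry" >&2
    rm -f -- "$dest"
    return 1
  fi
  return 0
}

#######################################
# Create /etc/ssl/{certs,private} on the node with the expected ownership.
# Globals:   HYDRA_CONNECT (read)
# Arguments: $1 - node FQDN
#######################################
prepare_node() {
  local host=$1
  echo "Creating folder structure at $host:/etc/ssl..."
  # shellcheck disable=SC2086 -- HYDRA_CONNECT is a command plus its options
  $HYDRA_CONNECT "$host" <<EOF
  sudo mkdir -p            /etc/ssl/private
  sudo mkdir -p            /etc/ssl/certs
  sudo chown root:ssl-cert /etc/ssl/private
  sudo chown root:ssl-cert /etc/ssl/certs
  sudo chmod 750           /etc/ssl/private
  sudo chmod 755           /etc/ssl/certs
EOF
}

#######################################
# Copy a staged file to the node.  The remote file is created, chowned and
# chmoded *before* any content is written, so key material never exists on
# the node with a more permissive mode than intended; tee then overwrites
# the content and leaves the mode untouched.
# Globals:   HYDRA_CONNECT (read)
# Arguments: $1 - node FQDN
#            $2 - local staged file
#            $3 - remote path (already validated via is_safe_name)
#            $4 - octal mode for the remote file
#######################################
push_file() {
  local host=$1 src=$2 dest=$3 mode=$4
  # shellcheck disable=SC2086
  $HYDRA_CONNECT "$host" <<EOF
    sudo touch               $dest
    sudo chown root:ssl-cert $dest
    sudo chmod $mode         $dest
EOF
  # shellcheck disable=SC2086
  $HYDRA_CONNECT "$host" "cat - | sudo tee $dest > /dev/null" < "$src"
}

#######################################
# Post-processing on the node: cert.crt/cert.pem symlinks for the main
# domain, the concatenated cert+key file, and a restart of running services.
# Globals:   HYDRA_CONNECT, PRIVATE, SERVICES (read)
# Arguments: $1 - node FQDN
#            $2 - certificate file name
#            $3 - private key file name
#            $4 - name prefix (certificate name without .crt)
#            $5 - domain to compare the prefix against
# Note: every $var in the heredoc is expanded locally; only \$service is
# evaluated on the node.
#######################################
post_process() {
  local host=$1 cert=$2 priv=$3 prefix=$4 domain=$5
  # shellcheck disable=SC2086
  $HYDRA_CONNECT "$host" <<EOF
    # Symlinks for the main cert and key
    if [ "$prefix" = "$domain" ] && [ ! -e "/etc/ssl/certs/cert.crt" ]; then
      cd /etc/ssl/certs   && sudo ln -sf $cert cert.crt
      cd /etc/ssl/private && sudo ln -sf $priv cert.pem
    fi

    # Concatenated cert + key: created with its final mode before it is filled
    sudo touch                      $PRIVATE/${prefix}-concat.pem
    sudo chown root:ssl-cert        $PRIVATE/${prefix}-concat.pem
    sudo chmod 640                  $PRIVATE/${prefix}-concat.pem
    sudo cp    /etc/ssl/certs/$cert $PRIVATE/${prefix}-concat.pem
    sudo cat   $PRIVATE/$priv | sudo tee -a  $PRIVATE/${prefix}-concat.pem > /dev/null

    # Restart only services that are actually running.  "systemctl list-units
    # | grep active" also matched "inactive", so is-active is used instead.
    for service in $SERVICES; do
      if systemctl is-active --quiet "\$service"; then
        sudo service "\$service" restart
      fi
    done
EOF
}

#######################################
# Entry point: resolve the node list, then import every ssl/*.crt entry and
# its matching .pem key from keyringer into each node.
# Globals:   NODES, HYDRA, HYDRA_FOLDER, STAGING (read)
# Returns:   exits 1 when no certificates exist yet
#######################################
main() {
  local node hostname entry cert prefix priv domain

  # Build node list
  if [[ -z "$NODES" ]]; then
    NODES="$(hydra "$HYDRA" nodes)"
  fi

  # Check if there are certs at all
  if [[ ! -d "$HYDRA_FOLDER/keyring/keys/ssl" ]]; then
    echo "Please create some certs first :)" >&2
    exit 1
  fi

  # facter runs on the machine executing this script, so the main-cert
  # symlink is chosen by the local domain, not the node's (unchanged
  # behaviour, hoisted out of the loops as it never varies).  A value that
  # is not a plain name can never equal a validated prefix, so blank it.
  domain="$(facter domain)"
  is_safe_name "$domain" || domain=""

  # shellcheck disable=SC2086 -- NODES is a whitespace-separated list by design
  for node in $NODES; do
    hostname="$(hydra_get_fqdn_from_nodename "$node")"

    echo "-----------------------------------------------------"
    echo "Importing certs and keys into $hostname:/etc/ssl...  "
    echo "-----------------------------------------------------"

    prepare_node "$hostname"

    # Only *.crt (optionally .asc-wrapped) entries; the old bare `grep crt`
    # also caught unrelated names that merely contained "crt".
    while IFS= read -r entry; do
      cert="${entry##*/}"
      cert="${cert%.asc}"
      prefix="${cert%.crt}"
      priv="${prefix}.pem"

      if ! is_safe_name "$cert"; then
        printf 'Skipping %s: name is not safe to use in remote commands\n' "$cert" >&2
        continue
      fi

      # Stage both halves first; if either fails the node is left untouched.
      echo "Importing $cert from keyringer to $hostname:/etc/ssl/certs..."
      stage_secret "ssl/$cert" "$STAGING/$cert" || continue
      echo "Importing $priv from keyringer to $hostname:/etc/ssl/private..."
      if ! stage_secret "ssl/$priv" "$STAGING/$priv"; then
        rm -f -- "$STAGING/$cert"
        continue
      fi

      push_file "$hostname" "$STAGING/$cert" "/etc/ssl/certs/$cert" 644
      push_file "$hostname" "$STAGING/$priv" "/etc/ssl/private/$priv" 640
      rm -f -- "$STAGING/$cert" "$STAGING/$priv"

      post_process "$hostname" "$cert" "$priv" "$prefix" "$domain"
    done < <(keyringer "$HYDRA" ls -1 ssl/ | grep -E '\.crt(\.asc)?$')
  done
}

main "$@"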