diff --git a/gui/apply b/gui/apply index c08d3e0..ef74d73 100755 --- a/gui/apply +++ b/gui/apply @@ -2,13 +2,15 @@ set -e -PKI_PWD=$(pwd) -export PKI_ROOT_CERT_BASE="$PKI_PWD/$PKI_ROOT_CERT_BASE" -export PKI_INT_CERT_BASE="$PKI_PWD/$PKI_INT_CERT_BASE" +baseDir=$(cd $(dirname $0) && pwd) +dataDir="$baseDir/data" + +export PKI_ROOT_CERT_BASE="$dataDir/root-ca" +export PKI_INT_CERT_BASE="$dataDir/issuer/ca-int" cd /wwwstatic -$PKI_PWD/apply-nginx +$baseDir/apply-nginx cp $PKI_ROOT_CERT_BASE.crl crl/ cp $PKI_ROOT_CERT_BASE.pem certs/ @@ -18,4 +20,4 @@ cp $PKI_INT_CERT_BASE.der certs/ cd /boulder/labca -$PKI_PWD/apply-boulder +$baseDir/apply-boulder diff --git a/gui/apply-boulder b/gui/apply-boulder index 7dbcbf9..3a94dfb 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder 
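Review bot: `baseDir=$(cd $(dirname $0) && pwd)` leaves both expansions unquoted, so a script path containing whitespace or a glob character is word-split before `cd` runs and `baseDir` silently ends up empty or as the caller's cwd; the exported `PKI_ROOT_CERT_BASE`/`PKI_INT_CERT_BASE` paths and the `$baseDir/apply-nginx` and `$baseDir/apply-boulder` calls then point at the wrong tree. Quote both levels: `baseDir=$(cd "$(dirname "$0")" && pwd)`. The same unquoted `$(dirname $0)` is added at the top of apply-boulder and apply-nginx, where it is additionally left relative, so those scripts only find `$baseDir/nameidtool` and `$baseDir/bin/labca-gui` because `apply` invokes them through an absolute path after its own `cd` — worth a comment there, since install also calls them directly via `$adminDir`.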
@@ -2,6 +2,57 @@ set -e +baseDir=$(dirname $0) +dataDir="$baseDir/data" + +PKI_DNS=$(grep dns $dataDir/config.json | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') +if [ "$PKI_DNS" == "" ]; then + PKI_DNS="10.55.55.10:53" +fi +PKI_FQDN=$(grep fqdn $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +PKI_DOMAIN=$(echo $PKI_FQDN | perl -p0e 's/.*?\.//') +PKI_DOMAIN_MODE=$(grep domain_mode $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +PKI_LOCKDOWN_DOMAINS=$(grep lockdown $dataDir/config.json | grep -v domain_mode | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +PKI_WHITELIST_DOMAINS=$(grep whitelist $dataDir/config.json | grep -v domain_mode | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +PKI_ROOT_CERT_BASE="$dataDir/root-ca" +PKI_INT_CERT_BASE="$dataDir/issuer/ca-int" +PKI_ISSUER_NAME_ID=$(grep issuer_name_id $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') +if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then + nmid=$($baseDir/nameidtool $PKI_INT_CERT_BASE.pem) + if [ $? 
== 0 ]; then + PKI_ISSUER_NAME_ID=$nmid + sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" $dataDir/config.json + fi +fi +extended_timeout=$(grep extended_timeout $dataDir/config.json | grep true || echo "") +if [ "$extended_timeout" != "" ]; then + PKI_EXTENDED_TIMEOUT=1 +else + PKI_EXTENDED_TIMEOUT=0 +fi +enabled=$(grep "email\": {" $dataDir/config.json -A1 | grep enable | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') +if [ "$enabled" == "true," ]; then + PKI_EMAIL_SERVER=$(grep server $dataDir/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') + PKI_EMAIL_PORT=$(grep port $dataDir/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') + PKI_EMAIL_USER=$(grep user $dataDir/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') + PKI_EMAIL_PASS=$(grep pass $dataDir/config.json | grep -v password | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') + pwd="" + if [ -e $baseDir/bin/labca-gui ]; then + pwd=$([ -e ] && $baseDir/bin/labca-gui -d $PKI_EMAIL_PASS || echo "") + elif [ -e $baseDir/bin/labca-gui_prev ]; then + pwd=$([ -e ] && $baseDir/bin/labca-gui_prev -d $PKI_EMAIL_PASS || echo "") + fi + PKI_EMAIL_PASS=$pwd + PKI_EMAIL_FROM=$(grep from $dataDir/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') +else + PKI_EMAIL_SERVER="localhost" + PKI_EMAIL_PORT="9380" + PKI_EMAIL_USER="cert-manager@example.com" + PKI_EMAIL_PASS="password" + PKI_EMAIL_FROM="Expiry bot " +fi + + perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va.json perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-a.json perl -i -p0e "s/(\"dnsResolvers\": \[\n).*?(\s+\],)/\1 \"$PKI_DNS\"\2/igs" config/va-remote-b.json 
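Review bot: The `if [ $? == 0 ]` after `nmid=$($baseDir/nameidtool $PKI_INT_CERT_BASE.pem)` can never observe a failure: the script runs under `set -e` (context line at the top of the hunk), so a non-zero exit from nameidtool aborts the whole apply before the test, and the branch that leaves `issuer_name_id` unset is dead. Put the assignment in the condition, which is exempt from `-e`: `if nmid=$("$baseDir/nameidtool" "$PKI_INT_CERT_BASE.pem"); then`. The same pattern is added in apply-nginx (hunk `@@ -2,40 +2,67 @@`). In the e-mail block, `pwd=$([ -e ] && $baseDir/bin/labca-gui -d $PKI_EMAIL_PASS || echo "")` uses `[ -e ]` with no operand, which is always true, so the guard is a no-op and a decrypt failure now yields an empty `PKI_EMAIL_PASS` with no diagnostic, where the removed Go `_applyConfig` code logged `WARNING: could not decrypt stored password`; the stored ciphertext is also handed to labca-gui on argv, where it is visible in process listings, so passing it on stdin would be the safer interface if `-d` can be extended.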
@@ -131,16 +182,20 @@ rm -f test-root.pem rm -f test-root.der rm -f test-root.p8 -cp -p $PKI_INT_CERT_BASE.key test-ca.key -cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der -cp -p $PKI_INT_CERT_BASE.pem test-ca.pem -openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem 2>/dev/null || openssl ec -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem -openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-ca.key -out test-ca.p8 -cp -p $PKI_ROOT_CERT_BASE.key test-root.key -cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der -cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem -openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem 2>/dev/null || openssl ec -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem -openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8 +if [ -e $PKI_INT_CERT_BASE.key ]; then + cp -p $PKI_INT_CERT_BASE.key test-ca.key + cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der + cp -p $PKI_INT_CERT_BASE.pem test-ca.pem + openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem 2>/dev/null || openssl ec -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem + openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-ca.key -out test-ca.p8 +fi +if [ -e $PKI_ROOT_CERT_BASE.key ]; then + cp -p $PKI_ROOT_CERT_BASE.key test-root.key + cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der + cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem + openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem 2>/dev/null || openssl ec -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem + openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8 +fi chown -R `ls -l PKI.md | cut -d" " -f 3,4 | sed 's/ /:/g'` . diff --git a/gui/apply-nginx b/gui/apply-nginx index 4f834b8..fdc4c56 100755 --- a/gui/apply-nginx +++ b/gui/apply-nginx 
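Review bot: The new guards test only `$PKI_INT_CERT_BASE.key` and `$PKI_ROOT_CERT_BASE.key`, but each body also `cp -p`s the matching `.key.der` and `.pem`; if either of those is missing, `cp` fails and `set -e` aborts the apply after the `rm -f test-*` lines above have already removed the old copies, which is the half-applied state the guard was meant to avoid. Either test all three inputs, e.g. `if [ -e "$PKI_INT_CERT_BASE.key" ] && [ -e "$PKI_INT_CERT_BASE.key.der" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then`, or add a comment stating that `.key` implies the others exist. The `[ -e ... ]` operands are unquoted. Since unencrypted PKCS#8 copies of both CA private keys are written here (`-nocrypt`) and `cp -p` only carries over whatever mode the source had, tightening them explicitly (`chmod 600 test-ca.key test-ca.key.der test-ca.p8`, likewise for test-root) before the `chown -R` that follows would make the resulting permissions independent of the data directory's.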
@@ -2,40 +2,67 @@ set -e +baseDir=$(dirname $0) +dataDir="$baseDir/data" + +PKI_WEB_TITLE=$(grep web_title $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +if [ "$PKI_WEB_TITLE" == "" ]; then + export PKI_WEB_TITLE="LabCA" +fi +PKI_ROOT_CERT_BASE="$dataDir/root-ca" +PKI_INT_CERT_BASE="$dataDir/issuer/ca-int" +PKI_ISSUER_NAME_ID=$(grep issuer_name_id $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') +if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then + nmid=$($baseDir/nameidtool $PKI_INT_CERT_BASE.pem) + if [ $? == 0 ]; then + PKI_ISSUER_NAME_ID=$nmid + sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" $dataDir/config.json + fi +fi +PKI_DEFAULT_O=$(grep organization $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') +PKI_FQDN=$(grep fqdn $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') + + sed -i -e "s|.*|$PKI_WEB_TITLE|g" 502.html sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" 502.html -PKI_ROOT_DN=$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -subject | sed -e "s/subject= //") -sed -i -e "s|<\!-- BEGIN PKI_ROOT_DN -->.*<\!-- END PKI_ROOT_DN -->|<\!-- BEGIN PKI_ROOT_DN -->$PKI_ROOT_DN<\!-- END PKI_ROOT_DN -->|g" certs/index.html -PKI_ROOT_VALIDITY="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")
$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")" -sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" certs/index.html -PKI_ROOT_CRL_VALIDITY="" -if [ -e "$PKI_ROOT_CERT_BASE.crl" ]; then - PKI_ROOT_CRL_VALIDITY="$(openssl crl -noout -in $PKI_ROOT_CERT_BASE.crl -lastupdate | sed -e "s/.*=/Last Update: /")
$(openssl crl -noout -in $PKI_ROOT_CERT_BASE.crl -nextupdate | sed -e "s/.*=/Next Update: /")" +if [ -e $PKI_ROOT_CERT_BASE.pem ]; then + PKI_ROOT_DN=$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -subject | sed -e "s/subject= //") + sed -i -e "s|<\!-- BEGIN PKI_ROOT_DN -->.*<\!-- END PKI_ROOT_DN -->|<\!-- BEGIN PKI_ROOT_DN -->$PKI_ROOT_DN<\!-- END PKI_ROOT_DN -->|g" certs/index.html + PKI_ROOT_VALIDITY="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")
$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")" + sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" certs/index.html + PKI_ROOT_CRL_VALIDITY="" + if [ -e "$PKI_ROOT_CERT_BASE.crl" ]; then + PKI_ROOT_CRL_VALIDITY="$(openssl crl -noout -in $PKI_ROOT_CERT_BASE.crl -lastupdate | sed -e "s/.*=/Last Update: /")
$(openssl crl -noout -in $PKI_ROOT_CERT_BASE.crl -nextupdate | sed -e "s/.*=/Next Update: /")" + fi + sed -i -e "s|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->.*<\!-- END PKI_ROOT_CRL_VALIDITY -->|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->$PKI_ROOT_CRL_VALIDITY<\!-- END PKI_ROOT_CRL_VALIDITY -->|g" certs/index.html fi -sed -i -e "s|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->.*<\!-- END PKI_ROOT_CRL_VALIDITY -->|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->$PKI_ROOT_CRL_VALIDITY<\!-- END PKI_ROOT_CRL_VALIDITY -->|g" certs/index.html -PKI_INT_DN=$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -subject | sed -e "s/subject= //") -sed -i -e "s|<\!-- BEGIN PKI_INT_DN -->.*<\!-- END PKI_INT_DN -->|<\!-- BEGIN PKI_INT_DN -->$PKI_INT_DN<\!-- END PKI_INT_DN -->|g" certs/index.html -PKI_INT_VALIDITY="$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")
$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")" -sed -i -e "s|<\!-- BEGIN PKI_INT_VALIDITY -->.*<\!-- END PKI_INT_VALIDITY -->|<\!-- BEGIN PKI_INT_VALIDITY -->$PKI_INT_VALIDITY<\!-- END PKI_INT_VALIDITY -->|g" certs/index.html -PKI_INT_CRL_LINK="" -PKI_INT_CRL_VALIDITY="" -if [ -e "crl/$PKI_ISSUER_NAME_ID.crl" ]; then - PKI_INT_CRL_LINK="$PKI_ISSUER_NAME_ID.crl" - PKI_INT_CRL_VALIDITY="$(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -lastupdate | sed -e "s/.*=/Last Update: /")
$(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -nextupdate | sed -e "s/.*=/Next Update: /")" +if [ -e $PKI_INT_CERT_BASE.pem ]; then + PKI_INT_DN=$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -subject | sed -e "s/subject= //") + sed -i -e "s|<\!-- BEGIN PKI_INT_DN -->.*<\!-- END PKI_INT_DN -->|<\!-- BEGIN PKI_INT_DN -->$PKI_INT_DN<\!-- END PKI_INT_DN -->|g" certs/index.html + PKI_INT_VALIDITY="$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")
$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")" + sed -i -e "s|<\!-- BEGIN PKI_INT_VALIDITY -->.*<\!-- END PKI_INT_VALIDITY -->|<\!-- BEGIN PKI_INT_VALIDITY -->$PKI_INT_VALIDITY<\!-- END PKI_INT_VALIDITY -->|g" certs/index.html + PKI_INT_CRL_LINK="" + PKI_INT_CRL_VALIDITY="" + if [ -e "crl/$PKI_ISSUER_NAME_ID.crl" ]; then + PKI_INT_CRL_LINK="$PKI_ISSUER_NAME_ID.crl" + PKI_INT_CRL_VALIDITY="$(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -lastupdate | sed -e "s/.*=/Last Update: /")
$(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -nextupdate | sed -e "s/.*=/Next Update: /")" + fi + sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_LINK -->.*<\!-- END PKI_INT_CRL_LINK -->|<\!-- BEGIN PKI_INT_CRL_LINK -->$PKI_INT_CRL_LINK<\!-- END PKI_INT_CRL_LINK -->|g" certs/index.html + sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->.*<\!-- END PKI_INT_CRL_VALIDITY -->|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->$PKI_INT_CRL_VALIDITY<\!-- END PKI_INT_CRL_VALIDITY -->|g" certs/index.html fi -sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_LINK -->.*<\!-- END PKI_INT_CRL_LINK -->|<\!-- BEGIN PKI_INT_CRL_LINK -->$PKI_INT_CRL_LINK<\!-- END PKI_INT_CRL_LINK -->|g" certs/index.html -sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->.*<\!-- END PKI_INT_CRL_VALIDITY -->|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->$PKI_INT_CRL_VALIDITY<\!-- END PKI_INT_CRL_VALIDITY -->|g" certs/index.html sed -i -e "s|.*|Certificates \| $PKI_WEB_TITLE|g" certs/index.html sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" certs/index.html sed -i -e "s|<\!-- BEGIN PKI_COMPANY_NAME -->.*<\!-- END PKI_COMPANY_NAME -->|<\!-- BEGIN PKI_COMPANY_NAME -->$PKI_DEFAULT_O<\!-- END PKI_COMPANY_NAME -->|g" cps/index.html sed -i -e "s|<\!-- BEGIN PKI_ROOT_DN -->.*<\!-- END PKI_ROOT_DN -->|<\!-- BEGIN PKI_ROOT_DN -->$PKI_ROOT_DN<\!-- END PKI_ROOT_DN -->|g" cps/index.html -PKI_ROOT_FINGERPRINT="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -fingerprint | sed -e "s/.*=//" | sed -e "s/.\{21\}/&\\\n/g")" -sed -i -e "s|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->.*<\!-- END PKI_ROOT_FINGERPRINT -->|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->$PKI_ROOT_FINGERPRINT<\!-- END PKI_ROOT_FINGERPRINT -->|g" cps/index.html -sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" cps/index.html +if [ -e $PKI_ROOT_CERT_BASE.pem ]; then + 
PKI_ROOT_FINGERPRINT="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -fingerprint | sed -e "s/.*=//" | sed -e "s/.\{21\}/&\\\n/g")" + sed -i -e "s|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->.*<\!-- END PKI_ROOT_FINGERPRINT -->|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->$PKI_ROOT_FINGERPRINT<\!-- END PKI_ROOT_FINGERPRINT -->|g" cps/index.html + sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" cps/index.html +fi sed -i -e "s|.*|CPS \| $PKI_WEB_TITLE|g" cps/index.html sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" cps/index.html diff --git a/gui/main.go b/gui/main.go index 541116b..4c1906a 100644 --- a/gui/main.go +++ b/gui/main.go 
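Review bot: `PKI_ROOT_DN` is now assigned only inside the first `if [ -e $PKI_ROOT_CERT_BASE.pem ]` block, but the unguarded context line `sed -i -e "s|<!-- BEGIN PKI_ROOT_DN -->...$PKI_ROOT_DN<!-- END PKI_ROOT_DN -->|g" cps/index.html` still runs when the PEM is absent and blanks the marker content; move that `sed` into the second `if [ -e $PKI_ROOT_CERT_BASE.pem ]` block beside the fingerprint and validity substitutions. The `[ -e ... ]` operands are unquoted, and `if [ $? == 0 ]` after `nmid=$(...)` is dead under `set -e`, as in apply-boulder. The values this hunk now extracts with `grep ... | sed` (`web_title`, `organization`, `fqdn`) are spliced unescaped into `s|…|…|g` expressions, so a `|`, `&` or `\` in a configured title or organization name corrupts the substitution — escaping those characters before use, or reading the fields with a JSON-aware tool, would close that; `grep web_title` also matches any config.json line containing that substring, which would leave a multi-line value in the variable.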
@@ -1735,50 +1735,6 @@ func randToken() string { } func _applyConfig() error { - os.Setenv("PKI_ROOT_CERT_BASE", "data/root-ca") - os.Setenv("PKI_INT_CERT_BASE", "data/issuer/ca-int") - os.Setenv("PKI_DEFAULT_O", viper.GetString("labca.organization")) - if viper.GetString("labca.web_title") == "" { - os.Setenv("PKI_WEB_TITLE", "LabCA") - } else { - os.Setenv("PKI_WEB_TITLE", viper.GetString("labca.web_title")) - } - os.Setenv("PKI_DNS", viper.GetString("labca.dns")) - domain := viper.GetString("labca.fqdn") - os.Setenv("PKI_FQDN", domain) - pos := strings.Index(domain, ".") - if pos > -1 { - pos = pos + 1 - domain = domain[pos:] - } - os.Setenv("PKI_DOMAIN", domain) - os.Setenv("PKI_DOMAIN_MODE", viper.GetString("labca.domain_mode")) - os.Setenv("PKI_LOCKDOWN_DOMAINS", viper.GetString("labca.lockdown")) - os.Setenv("PKI_WHITELIST_DOMAINS", viper.GetString("labca.whitelist")) - os.Setenv("PKI_ISSUER_NAME_ID", viper.GetString("issuer_name_id")) - if viper.GetBool("labca.extended_timeout") { - os.Setenv("PKI_EXTENDED_TIMEOUT", "1") - } else { - os.Setenv("PKI_EXTENDED_TIMEOUT", "0") - } - if viper.GetBool("labca.email.enable") { - os.Setenv("PKI_EMAIL_SERVER", viper.GetString("labca.email.server")) - os.Setenv("PKI_EMAIL_PORT", viper.GetString("labca.email.port")) - os.Setenv("PKI_EMAIL_USER", viper.GetString("labca.email.user")) - res, err := _decrypt(viper.GetString("labca.email.pass")) - if err != nil { - log.Println("WARNING: could not decrypt stored password: " + err.Error()) - } - os.Setenv("PKI_EMAIL_PASS", string(res)) - os.Setenv("PKI_EMAIL_FROM", viper.GetString("labca.email.from")) - } else { - os.Setenv("PKI_EMAIL_SERVER", "localhost") - os.Setenv("PKI_EMAIL_PORT", "9380") - os.Setenv("PKI_EMAIL_USER", "cert-master@example.com") - os.Setenv("PKI_EMAIL_PASS", "password") - os.Setenv("PKI_EMAIL_FROM", "Expiry bot ") - } - _, err := exeCmd("./apply") if err != nil { fmt.Println("") 
@@ -2803,6 +2759,7 @@ func init() { init := flag.Bool("init", false, "Initialize the application for running standalone, create/update the config file") port := flag.Int("port", 0, "Port to listen on (default 3000 when using init)") versionFlag := flag.Bool("version", false, "Show version number and exit") + decrypt := flag.String("d", "", "Decrypt a value") flag.Parse() if *versionFlag { @@ -2829,6 +2786,16 @@ func init() { panic(fmt.Errorf("fatal error config file: '%s'", err)) } + if *decrypt != "" { + plain, err := _decrypt(*decrypt) + if err == nil { + fmt.Println(string(plain)) + os.Exit(0) + } else { + os.Exit(1) + } + } + var err error if *init || viper.GetBool("standalone") { tmpls, err = templates.New().ParseEmbed(embeddedTemplates, "templates/") diff --git a/install b/install index 574154d..35639d9 100755 --- a/install +++ b/install @@ -314,7 +314,7 @@ has_domain() { # existing configuration or full hostname. get_fqdn() { local cfgFile="$adminDir/data/config.json" - local cfgFqdn=$(grep fqdn $cfgFile 2>/dev/null | grep -v LABCA_FQDN | cut -d ":" -f 2- | tr -d " \",") + local cfgFqdn=$(grep fqdn $cfgFile 2>/dev/null | grep -v LABCA_FQDN | cut -d ":" -f 2- | tr -d " \"," || echo "") LABCA_FQDN=${cfgFqdn:-$(hostname -f)} while [ "$cfgFqdn" == "" ]; do 
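Review bot: In the new `-d` handling the `_decrypt` error is discarded — the `else` branch only calls `os.Exit(1)` — so the shell caller in apply-boulder (`... -d $PKI_EMAIL_PASS || echo ""`) receives an empty password with no diagnostic, whereas the removed `_applyConfig` code logged `WARNING: could not decrypt stored password`. Report it to stderr before exiting, `fmt.Fprintln(os.Stderr, "could not decrypt value:", err)`, and drop the `else`, since `os.Exit(0)` does not return. Taking the ciphertext via `flag.String("d", ...)` exposes it in process listings for the lifetime of the call; accepting it on stdin when `-d` is given would avoid that. The enclosing `init` starts and ends outside the hunk.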
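Review bot: The added `|| echo ""` in `local cfgFqdn=$(... | tr -d " \"," || echo "")` never fires: without `pipefail` the substitution's status is that of `tr`, which succeeds even when `grep` matches nothing, and `local` returns 0 regardless of the substitution's status, so the assignment was already immune to `set -e` if install runs under it. If the goal is to survive a failing extraction, split the declaration, `local cfgFqdn` then `cfgFqdn=$(grep fqdn "$cfgFile" 2>/dev/null | grep -v LABCA_FQDN | cut -d ":" -f 2- | tr -d " \",") || cfgFqdn=""`; if the goal is only an empty default, the existing `${cfgFqdn:-$(hostname -f)}` already provides it. get_fqdn continues outside the hunk.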
@@ -492,8 +492,6 @@ static_web() { mkdir -p crl [ -e cert ] || ln -s certs cert cp -rp $cloneDir/gui/static/* . - sed -i -e "s|<\!-- BEGIN LABCA_CPS_LOCATION -->.*<\!-- END LABCA_CPS_LOCATION -->|<\!-- BEGIN LABCA_CPS_LOCATION -->http://$LABCA_FQDN/cps/<\!-- END LABCA_CPS_LOCATION -->|g" cps/index.html - sed -i -e "s|<\!-- BEGIN LABCA_CERTS_LOCATION -->.*<\!-- END LABCA_CERTS_LOCATION -->|<\!-- BEGIN LABCA_CERTS_LOCATION -->http://$LABCA_FQDN/certs/<\!-- END LABCA_CERTS_LOCATION -->|g" cps/index.html [ -e $adminDir/data/root-ca.crl ] && cp $adminDir/data/root-ca.crl crl/ || true [ -e $adminDir/data/root-ca.pem ] && cp $adminDir/data/root-ca.pem certs/ || true [ -e $adminDir/data/root-ca.der ] && cp $adminDir/data/root-ca.der certs/ || true 
@@ -502,27 +500,6 @@ static_web() { local have_config=$(grep restarted $adminDir/data/config.json | grep true) if [ "$have_config" != "" ]; then - export PKI_ROOT_CERT_BASE="$adminDir/data/root-ca" - export PKI_INT_CERT_BASE="$adminDir/data/issuer/ca-int" - export PKI_DEFAULT_O=$(grep organization $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_FQDN=$LABCA_FQDN - export PKI_WEB_TITLE=$(grep web_title $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - if [ "$PKI_WEB_TITLE" == "" ]; then - export PKI_WEB_TITLE="LabCA" - fi - - export PKI_ISSUER_NAME_ID=$(grep issuer_name_id $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') - if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$adminDir/data/issuer/ca-int.pem" ]; then - local img=$(grep "&boulder_image" $boulderDir/docker-compose.yml | sed -e "s/.*boulder_image \(.*\)/\1/") - eval img=$img - docker run --rm -v $cloneDir/utils:/utils -w /utils $img go build nameidtool.go &>>$installLog - nmid=$($cloneDir/utils/nameidtool $adminDir/data/issuer/ca-int.pem) - if [ $? == 0 ]; then - export PKI_ISSUER_NAME_ID=$nmid - sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" /home/labca/admin/data/config.json - fi - fi - $adminDir/apply-nginx fi 
@@ -698,44 +675,6 @@ config_boulder() { local have_config=$(grep restarted $adminDir/data/config.json | grep true) if [ "$have_config" != "" ]; then - export PKI_ROOT_CERT_BASE="$adminDir/data/root-ca" - export PKI_INT_CERT_BASE="$adminDir/data/issuer/ca-int" - export PKI_DNS=$(grep dns $adminDir/data/config.json | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_FQDN=$(grep fqdn $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_DOMAIN=$(echo $PKI_FQDN | perl -p0e 's/.*?\.//') - export PKI_DOMAIN_MODE=$(grep domain_mode $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_LOCKDOWN_DOMAINS=$(grep lockdown $adminDir/data/config.json | grep -v domain_mode | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_WHITELIST_DOMAINS=$(grep whitelist $adminDir/data/config.json | grep -v domain_mode | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_ISSUER_NAME_ID=$(grep issuer_name_id $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g') - if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$adminDir/data/issuer/ca-int.pem" ]; then - local img=$(grep "&boulder_image" $boulderDir/docker-compose.yml | sed -e "s/.*boulder_image \(.*\)/\1/") - eval img=$img - docker run --rm -v $cloneDir/utils:/utils -w /utils $img go build nameidtool.go &>>$installLog - nmid=$($cloneDir/utils/nameidtool $adminDir/data/issuer/ca-int.pem) - if [ $? 
== 0 ]; then - export PKI_ISSUER_NAME_ID=$nmid - sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" /home/labca/admin/data/config.json - fi - fi - - enabled=$(grep "email\": {" $adminDir/data/config.json -A1 | grep enable | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - if [ "$enabled" == "true," ]; then - export PKI_EMAIL_SERVER=$(grep server $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_EMAIL_PORT=$(grep port $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_EMAIL_USER=$(grep user $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - export PKI_EMAIL_FROM=$(grep from $adminDir/data/config.json | head -1 | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' | sed -e 's/\"//g') - else - export PKI_EMAIL_SERVER="localhost" - export PKI_EMAIL_PORT="9380" - export PKI_EMAIL_USER="cert-manager@example.com" - export PKI_EMAIL_FROM="Expiry bot " - fi - - local extended_timeout=$(grep extended_timeout $adminDir/data/config.json | grep true) - if [ "$extended_timeout" != "" ]; then - export PKI_EXTENDED_TIMEOUT=1 - fi - $adminDir/apply-boulder &>>$installLog else chown -R labca:labca "$boulderLabCADir" 
@@ -787,13 +726,13 @@ startup() { cd "$boulderDir" cnt=$(docker-compose ps | wc -l) - if [ "$cnt" == "2" ]; then + if [ "$cnt" -le "2" ]; then msg="Download docker images and build containers" fi msg_info "$msg (this will take a while!!)" docker-compose pull -q &>>$installLog - cnt=$(count $PS_CONTROL) + cnt=$(count $PS_CONTROL || echo "0") docker-compose stop boulder bmysql labca nginx bconsul &>>$installLog || true for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog
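Review bot: `cnt=$(count $PS_CONTROL || echo "0")` turns any failure of `count` (docker unreachable, malformed `$PS_CONTROL`) into "zero containers", which the code that follows cannot distinguish from a clean first start; if the failure is meant to be non-fatal, keep the fallback but surface it, e.g. `cnt=$(count "$PS_CONTROL") || { cnt=0; msg_info "could not count containers, assuming none"; }`. `$PS_CONTROL` is unquoted in the call. `count` is defined outside the hunk and `startup` continues past it.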