github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5fecf57d62cc768223d2642e2e047dc8c8290326
labca/control_do.sh
Arjan H 5fecf57d62 Include optional custom nginx config files (#72) 
If you want to control e.g. the ssl_protocols or ssl_ciphers settings,
create a file named 'custom-ssl.inc' in the /home/labca/nginx_data/conf.d/
directory (or when using the docker-only setup, either add a volume mount
or edit the labca_nginx_conf volume to include the file). Similarly,
'custom-base.inc' can be created to e.g. define a custom log format, and
'custom.inc' could be created for any settings on the plain HTTP server
context.
2023-07-15 16:46:49 +02:00

135 lines
5.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e
get_fqdn() {
local file_fqdn=""
if [ -e /opt/labca/data/config.json ]; then
file_fqdn=$(grep fqdn /opt/labca/data/config.json 2>/dev/null | cut -d ":" -f 2- | tr -d " \",")
fi
if [ "$file_fqdn" == "" ]; then
if [ "$LABCA_FQDN" == "notset" ]; then
echo "ERROR: environment variable LABCA_FQDN is not set!"
exit 1
else
echo -e "{\n \"config\": {\n \"complete\": false\n },\n \"labca\": {\n \"fqdn\": \"$LABCA_FQDN\"\n },\n \"version\": \"\"\n}" > /opt/labca/data/config.json
fi
elif [ "$LABCA_FQDN" != "notset" ] && [ "$LABCA_FQDN" != "$file_fqdn" ]; then
echo "WARNING: environment variable LABCA_FQDN ('$LABCA_FQDN') does not match config file. Using '$file_fqdn'..."
export LABCA_FQDN=$file_fqdn
fi
}
setup_boulder_data() {
cp -rp /opt/staging/boulder_labca/* /opt/boulder/labca/
cd /opt/boulder/labca
sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-a.json
sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-b.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-a.json
sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-b.json
sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-b.json
/opt/labca/apply-boulder
}
setup_nginx_data() {
rm -f /etc/nginx/conf.d/default.conf
cp -p /opt/staging/nginx.conf /etc/nginx/conf.d/labca.conf
cp -p /opt/staging/proxy.inc /etc/nginx/conf.d/proxy.inc
[ -e /opt/boulder/labca/setup_complete ] && perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf || true
cd /var/www/html
mkdir -p .well-known/acme-challenge
find .well-known/acme-challenge/ -type f -mtime +10 -exec rm {} \; # Clean up files older than 10 days
mkdir -p crl
[ -e cert ] || ln -s certs cert
cp -rp /opt/staging/static/* .
[ -e /opt/labca/data/root-ca.crl ] && cp /opt/labca/data/root-ca.crl crl/ || true
[ -e /opt/labca/data/root-ca.pem ] && cp /opt/labca/data/root-ca.pem certs/ || true
[ -e /opt/labca/data/root-ca.der ] && cp /opt/labca/data/root-ca.der certs/ || true
[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.pem certs/ || true
[ -e /opt/labca/data/issuer/ca-int.pem ] && cp /opt/labca/data/issuer/ca-int.der certs/ || true
if [ ! -e /etc/nginx/ssl/labca_cert.pem ]; then
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
fi
/opt/labca/apply-nginx
}
setup_labca_data() {
cd /opt/labca/data
cp -rp /opt/staging/data/* .
sed -i -e "s|LABCA_FQDN|$LABCA_FQDN|g" openssl.cnf
sed -i -e "s|LABCA_FQDN|$LABCA_FQDN|g" issuer/openssl.cnf
}
selfsigned_cert() {
pushd /etc/nginx/ssl >/dev/null
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \
-subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN"))
popd >/dev/null
}
renew_near_expiry() {
pushd /etc/nginx/ssl >/dev/null
if ! expires=$(openssl x509 -checkend 86400 -noout -in /etc/nginx/ssl/labca_cert.pem); then
hash=$(openssl x509 -hash -noout -in /etc/nginx/ssl/labca_cert.pem)
issuer_hash=$(openssl x509 -issuer_hash -noout -in /etc/nginx/ssl/labca_cert.pem)
if [ "$hash" == "$issuer_hash" ]; then
selfsigned_cert
else
echo "acme-request" | /opt/labca/commander
fi
fi
popd >/dev/null
}
start_cron() {
[ -e /opt/boulder/labca/setup_complete ] && [ ! -e /etc/cron.d/labca ] && ln -sf /opt/labca/cron_d /etc/cron.d/labca || true
chmod g-w /opt/labca/cron_d
[ -e /opt/logs/cron.log ] || touch /opt/logs/cron.log
tail -f -n0 /opt/logs/cron.log &
service cron start
}
serve_commander() {
echo "Start serving commander script..."
tcpserver 0.0.0.0 3030 /opt/labca/commander
}
main() {
get_fqdn
setup_boulder_data
setup_nginx_data
setup_labca_data
[ -e /etc/nginx/ssl/labca_cert.pem ] || selfsigned_cert
renew_near_expiry
start_cron
serve_commander
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink