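#!/usr/bin/env bash
#
# Apply the LabCA settings stored in data/config.json (next to this script) to
# the Boulder configuration in the current working directory: config/*.json,
# config/zlint.toml, ident-policy.yaml and the rate-limit policy files.
#
# Run it from the Boulder config directory; every path below that is not under
# $dataDir or /opt/boulder is relative to the cwd.
#
# config.json is read with grep/sed/perl rather than a JSON parser, and the
# extracted values are spliced unescaped into sed/perl programs and into YAML.
# A value containing a regex/replacement metacharacter (/ | & \ or a newline)
# would therefore corrupt the rewritten file instead of being written
# literally. The values presumably come from LabCA's own admin configuration
# rather than from untrusted users -- confirm before relying on that.
#
# Exit on the first failing command. '-o pipefail' is deliberately NOT set: the
# extraction pipelines below rely on a non-matching grep yielding an empty
# value (with a fallback applied afterwards), which pipefail would turn into a
# fatal error.
set -e

baseDir=$(cd "$(dirname "$0")" && pwd)
dataDir="$baseDir/data"
cfg="$dataDir/config.json"

# Boulder configs that all receive the same VA-related edits.
va_configs=(config/remoteva-a.json config/remoteva-b.json config/remoteva-c.json config/va.json)

#######################################
# Rewrite a file with one sed expression applied to the file as a single
# record: newlines are folded to CR so a single regex can span lines, and are
# folded back afterwards. The result replaces the file in place.
# Arguments: $1 - file to rewrite
#            $2 - sed expression (the caller expands any variables into it)
#######################################
sed_whole_file() {
    local file=$1
    local script=$2
    tr '\n' '\r' < "$file" | sed -e "$script" | tr '\r' '\n' > "$file.bak" \
        && mv "$file.bak" "$file"
}

#######################################
# Print the domains of a config.json domain-list value as whitespace-separated
# words. The stored value keeps the literal two-character "\r" / "\n" escape
# sequences (and possibly real CRs) between domains; all become spaces.
# Arguments: $1 - raw value as read from config.json
#######################################
split_domains() {
    printf '%s\n' "$1" | sed -e 's/\\r/ /g' -e 's/\\n/ /g' | tr '\r' ' '
}

#######################################
# Append one domain to the three rate-limit accumulators used further down.
# The \r / \n / \t escapes are left for sed/perl to interpret when the
# replacement is applied; the shell passes them through literally.
# Globals:   REPLACEMENT, REPLACEMENT2, LABCA_DOMAINS (appended to)
# Arguments: $1 - domain
#            $2 - label used in the override comment ("lockdown"/"whitelist")
#######################################
add_domain_overrides() {
    local d=$1
    local label=$2
    REPLACEMENT+=" $d: 10000\r"
    REPLACEMENT2+=" - id: $d\r comment: LabCA $label domain\r"
    if [[ -n "$LABCA_DOMAINS" ]]; then
        LABCA_DOMAINS+=",\n"
    fi
    LABCA_DOMAINS+="\t\t\t\"$d\""
}

# --- Values from config.json ------------------------------------------------

# Resolver used by the VAs. The value itself contains a colon (host:port), hence
# the non-greedy perl match on the first colon. Falls back to the LabCA default.
PKI_DNS=$(grep "\"dns\"" "$cfg" | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' -e 's/\"//g')
if [[ -z "$PKI_DNS" ]]; then
    PKI_DNS="10.55.55.10:53"
fi

PKI_FQDN=$(grep fqdn "$cfg" | sed -e 's/.*:[ ]*//' -e 's/\",//g' -e 's/\"//g')
# Domain part of the FQDN: everything after the first label.
PKI_DOMAIN=$(printf '%s\n' "$PKI_FQDN" | perl -p0e 's/.*?\.//')
PKI_DOMAIN_MODE=$(grep domain_mode "$cfg" | sed -e 's/.*:[ ]*//' -e 's/\",//g' -e 's/\"//g')
# The domain_mode line also matches "lockdown"/"whitelist" when that is its
# value, so it is excluded when picking up the domain lists.
PKI_LOCKDOWN_DOMAINS=$(grep lockdown "$cfg" | grep -v domain_mode | sed -e 's/.*:[ ]*//' -e 's/\",//g' -e 's/\"//g')
PKI_WHITELIST_DOMAINS=$(grep whitelist "$cfg" | grep -v domain_mode | sed -e 's/.*:[ ]*//' -e 's/\",//g' -e 's/\"//g')

PKI_ROOT_CERT_BASE="/opt/boulder/labca/certs/webpki/root-01-cert"
PKI_INT_CERT_BASE="/opt/boulder/labca/certs/webpki/issuer-01-cert"

# Numeric issuer name id. If config.json does not have it yet, derive it from
# the issuer certificate and persist it (inserted just before the "keys" object).
PKI_ISSUER_NAME_ID=$(grep issuer_name_id "$cfg" | sed -e 's/.*:[ ]*//' -e 's/,//g' -e 's/\"//g')
if [[ -z "$PKI_ISSUER_NAME_ID" && -e "$PKI_INT_CERT_BASE.pem" ]]; then
    # Test the assignment itself: under 'set -e' a failing command substitution
    # aborts the script before a later '[ $? == 0 ]' check could ever run.
    if nmid=$(/opt/boulder/bin/nameid -s "$PKI_INT_CERT_BASE.pem"); then
        PKI_ISSUER_NAME_ID=$nmid
        sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" "$cfg"
    else
        printf 'warning: nameid failed for %s; issuer_name_id left unset\n' "$PKI_INT_CERT_BASE.pem" >&2
    fi
fi

if grep extended_timeout "$cfg" | grep -q true; then
    PKI_EXTENDED_TIMEOUT=1
else
    PKI_EXTENDED_TIMEOUT=0
fi

# A restricted mode only takes effect when its domain list is non-empty.
lockdown_active=0
whitelist_active=0
if [[ "$PKI_DOMAIN_MODE" == "lockdown" && -n "$PKI_LOCKDOWN_DOMAINS" ]]; then
    lockdown_active=1
fi
if [[ "$PKI_DOMAIN_MODE" == "whitelist" && -n "$PKI_WHITELIST_DOMAINS" ]]; then
    whitelist_active=1
fi

# --- VA / DNS ---------------------------------------------------------------

for fl in "${va_configs[@]}" config/bad-key-revoker.json; do
    perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" "$fl"
done

# Disable DOH as long as it is a feature...
for fl in "${va_configs[@]}"; do
    sed -i -e "s/\(\"DOH\":\s*\).*/\1false/" "$fl"
done

# Drop every maxConnectionAge setting (key and the rest of its line).
while IFS= read -r fl; do
    perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" "$fl"
done < <(grep -Rl maxConnectionAge config/)

for fl in "${va_configs[@]}"; do
    sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" "$fl"
done
sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json

# --- Lockdown / whitelist: lint exceptions ----------------------------------
# When issuance is restricted to (or extended with) private domains, ignore the
# lints that flag non-public TLDs and internal names in cert-checker, the CA
# profiles and pkimetal/zlint.
if (( lockdown_active || whitelist_active )); then
    perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/cert-checker.json
    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"w_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\"w_sub_cert_aia_contains_internal_names\",\2\3/igs" config/ca.json
    perl -i -p0e "s/(\"modern\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json
    perl -i -p0e "s/(\"shortlived\".*?)(\"ignoredLints\": \[).*?(\s+)(\"w_ext_subject_key_identifier_missing_sub_cert\")/\1\2\3\"e_dnsname_not_valid_tld\",\3\"w_sub_cert_aia_contains_internal_names\",\3\4/igs" config/ca.json

    perl -i -p0e "s/(\"pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present\",).*?(\])/\1\n \"pkilint:cabf.internal_domain_name\",\n \"zlint:e_dnsname_not_valid_tld\",\n \"zlint:w_sub_cert_aia_contains_internal_names\",\n \"certlint:special_name_in_san\",\n \"certlint:unknown_tld_in_san\",\n \"certlint:br_certificates_must_include_an_http_url_of_the_ocsp_responder\",\n \"x509lint:no_ocsp_over_http\",\n\2/igs" config/zlint.toml
    perl -i -p0e "s/(\[e_pkimetal_lint_cabf_serverauth_crl\].*)(ignore_lints = \[).*(\])/\1\2\"zlint:e_crl_next_update_invalid\"\3/igs" config/zlint.toml
fi

# --- ident-policy.yaml ------------------------------------------------------
# Start from the upstream ident-policy.yaml (../test or ../boulder/test,
# whichever layout is present), strip any earlier Lockdown/Whitelist sections,
# then append the current ones.
if [[ -e ../test/ident-policy.yaml ]]; then
    cp ../test/ident-policy.yaml ./
fi
if [[ -e ../boulder/test/ident-policy.yaml ]]; then
    cp ../boulder/test/ident-policy.yaml ./
fi
rm -f hostname-policy.yaml config/expired-authz-purger2.json config/janitor.json

sed_whole_file ident-policy.yaml "s/\r# Lockdown.*//"
sed_whole_file ident-policy.yaml "s/\r# Whitelist.*//"

if (( lockdown_active )); then
    allow_public="false"
    if grep ld_public_contacts "$cfg" | grep -q true; then
        allow_public="true"
    fi
    {
        printf '\n'
        printf '%s\n' "# Lockdown are the domains that this LabCA instance can issue certificates for"
        printf '%s\n' "Lockdown:"
        # shellcheck disable=SC2046 -- word-splitting on the domain list is intended
        for d in $(split_domains "$PKI_LOCKDOWN_DOMAINS"); do
            printf ' - "%s"\n' "$d"
        done
        printf '\n'
        printf '%s\n' "LockdownAllowPublicContacts: $allow_public"
    } >> ident-policy.yaml
fi

if (( whitelist_active )); then
    {
        printf '\n'
        printf '%s\n' "# Whitelist are the domains that this LabCA instance can issue certificates for"
        printf '%s\n' "# in *addition* to all normal public domains"
        printf '%s\n' "Whitelist:"
        # shellcheck disable=SC2046 -- word-splitting on the domain list is intended
        for d in $(split_domains "$PKI_WHITELIST_DOMAINS"); do
            printf ' - "%s"\n' "$d"
        done
    } >> ident-policy.yaml
fi

# --- Lockdown / whitelist: rate limits and VA domain list ------------------
if [[ "$PKI_DOMAIN_MODE" == "lockdown" || "$PKI_DOMAIN_MODE" == "whitelist" ]]; then
    sed -i -e "s/\(\"w_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json

    # REPLACEMENT: rate-limit-policies.yml overrides; REPLACEMENT2:
    # wfe2-ratelimit-overrides.yml entries; LABCA_DOMAINS: body of the VA
    # "labcaDomains" JSON array.
    REPLACEMENT=""
    REPLACEMENT2=""
    LABCA_DOMAINS=""
    if (( lockdown_active )); then
        # shellcheck disable=SC2046 -- word-splitting on the domain list is intended
        for d in $(split_domains "$PKI_LOCKDOWN_DOMAINS"); do
            add_domain_overrides "$d" lockdown
        done
    fi
    if (( whitelist_active )); then
        # shellcheck disable=SC2046 -- word-splitting on the domain list is intended
        for d in $(split_domains "$PKI_WHITELIST_DOMAINS"); do
            add_domain_overrides "$d" whitelist
        done
    fi

    sed_whole_file rate-limit-policies.yml "s/\(must-staple.le.wtf: 10000\).*\( registrationOverrides:\)/\1\n$REPLACEMENT\2/"
    sed_whole_file rate-limit-policies.yml "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|"

    sed_whole_file config/wfe2-ratelimit-overrides.yml "s/\(- CertificatesPerDomain:.*ratelimit.me.*\)\(- CertificatesPerDomain:\)/\2/"
    sed_whole_file config/wfe2-ratelimit-overrides.yml "s/\(- CertificatesPerDomain:.*ids:\)\(.*\)\(- CertificatesPerFQDNSet:\)/\1\r$REPLACEMENT2\3/"
    sed_whole_file config/wfe2-ratelimit-overrides.yml "s/\(- CertificatesPerFQDNSet:.*ids:\)\(.*\)/\1\r$REPLACEMENT2/"

    for fl in "${va_configs[@]}"; do
        perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" "$fl"
    done
fi

# --- CRL timing -------------------------------------------------------------
# crl_interval is stored as "<update interval>|<CRL lifetime>"; defaults below.
CRLINT=24h
CRLLIFE=96h
CRLCONF=$(grep crl_interval "$cfg" | perl -p0e 's/.*?:\s+(.*)/\1/' | sed -e 's/\",//g' -e 's/\"//g')
if [[ -n "$CRLCONF" ]]; then
    CRLINT=$(cut -d '|' -f 1 <<<"$CRLCONF")
    CRLLIFE=$(cut -d '|' -f 2 <<<"$CRLCONF")
fi
sed -i -e "s/\"shardWidth\": \".*\"/\"shardWidth\": \"$CRLINT\"/" config/crl-updater.json
sed -i -e "s/\"updatePeriod\": \".*\"/\"updatePeriod\": \"$CRLINT\"/" config/crl-updater.json
sed -i -e "s/\"lookbackPeriod\": \".*\"/\"lookbackPeriod\": \"$CRLLIFE\"/" config/crl-updater.json
sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"$CRLLIFE\"/" config/ca.json

# Configs for components LabCA does not run.
rm -f config/contact-exporter.json config/nonce.json config/ocsp-updater.json \
    config/wfe.json config/orphan-finder.json config/ca-a.json config/ca-b.json

# --- Issuer / OCSP / CRL URLs served from this host -------------------------
INT_BASE_NAME=${PKI_INT_CERT_BASE##*/}.pem
INT_CRL_BASE_NAME=${INT_BASE_NAME/-cert/-crl}
sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/certs/$INT_BASE_NAME\"|" config/ca.json
sed -i -e "s|\"ocspURL\": \".*\"|\"ocspURL\": \"http://$PKI_FQDN/ocsp/\"|" config/ca.json
sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/$INT_CRL_BASE_NAME\"|" config/ca.json

# --- Timeouts ---------------------------------------------------------------
if [[ "$PKI_EXTENDED_TIMEOUT" == "1" ]]; then
    for fl in config/ca.json config/admin.json config/wfe2.json config/ra.json \
              config/crl-storer.json config/crl-updater.json; do
        sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" "$fl"
    done
    for fl in config/wfe2.json config/ra.json; do
        sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" "$fl"
    done
    sed -i -e "s/timeout = .*/timeout = 30000000000 # 30 seconds/" config/zlint.toml
else
    sed -i -e "s/timeout = .*/timeout = 10000000000 # 10 seconds/" config/zlint.toml
fi
sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json

sed -i -e "s/\"purgeInterval\": \".*\"/\"purgeInterval\": \"1s\"/" config/akamai-purger.json

# Add a connMaxIdleTime next to every maxOpenConns that does not have one yet.
while IFS= read -r fl; do
    if ! grep -q "connMaxIdleTime" "$fl"; then
        perl -i -p0e "s/([ \t]+)(\"maxOpenConns\": .*)/\1\2,\n\1\"connMaxIdleTime\": \"30s\"/g" "$fl"
    fi
done < <(grep -Rl maxOpenConns config/)

# Upstream test CA material must never be left in a LabCA deployment.
rm -f test-ca.key test-ca.key.der test-ca.pem test-ca.der test-ca.p8 \
    test-root.key test-root.key.der test-root.pem test-root.der test-root.p8

# Give everything the owner/group of helpers.py (GNU chown; replaces parsing
# 'ls -l' output, which is not a stable format).
chown -R --reference=helpers.py .

if [[ -e "$PKI_INT_CERT_BASE.pem" && -e "$PKI_ROOT_CERT_BASE.pem" ]]; then
    [[ -f setup_complete ]] || touch setup_complete
fi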