github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 10:19:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd44d68df36ad218ff040224afc2408d3b8d6dde
labca/gui/apply-nginx
Arjan H 6d72d32398 Use ceremony tool for generating keys and certs; store keys on SoftHSM 
Replace openssl certificate / CRL generation with the tool as used by
Let's Encrypt, storing the keys on SoftHSMv2, a simulated HSM (Hardware
Security Module).
Include migration of old setups where key files were also stored on
disk.
2025-01-31 20:44:48 +01:00

118 lines
9.4 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -e
baseDir=$(cd $(dirname $0) && pwd)
dataDir="$baseDir/data"
PKI_WEB_TITLE=$(grep web_title $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g')
if [ "$PKI_WEB_TITLE" == "" ]; then
export PKI_WEB_TITLE="LabCA"
fi
PKI_ROOT_CERT_BASE="/opt/boulder/labca/certs/webpki/root-01-cert"
[ ! -d "/home/labca/boulder_labca/certs/webpki" ] || PKI_ROOT_CERT_BASE="/home/labca/boulder_labca/certs/webpki/root-01-cert"
PKI_INT_CERT_BASE="/opt/boulder/labca/certs/webpki/issuer-01-cert"
[ ! -d "/home/labca/boulder_labca/certs/webpki" ] || PKI_INT_CERT_BASE="/home/labca/boulder_labca/certs/webpki/issuer-01-cert"
PKI_ISSUER_NAME_ID=$(grep issuer_name_id $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/,//g' | sed -e 's/\"//g')
if [ -z "$PKI_ISSUER_NAME_ID" ] && [ -e "$PKI_INT_CERT_BASE.pem" ]; then
nmid=$(/opt/boulder/bin/nameid -s $PKI_INT_CERT_BASE.pem)
if [ $? == 0 ]; then
PKI_ISSUER_NAME_ID=$nmid
sed -i -e "s/\(^\s*\)\(\"keys\": {\)/\1\"issuer_name_id\": $PKI_ISSUER_NAME_ID,\n\1\2/g" $dataDir/config.json
fi
fi
PKI_DEFAULT_O=$(grep organization $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g')
PKI_FQDN=$(grep fqdn $dataDir/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g')
sed -i -e "s|<title>.*</title>|<title>$PKI_WEB_TITLE</title>|g" 502.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" 502.html
if [ -e $PKI_ROOT_CERT_BASE.pem ]; then
PKI_ROOT_DN=$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -subject | sed -e "s/subject=//")
sed -i -e "s|<\!-- BEGIN PKI_ROOT_DN -->.*<\!-- END PKI_ROOT_DN -->|<\!-- BEGIN PKI_ROOT_DN -->$PKI_ROOT_DN<\!-- END PKI_ROOT_DN -->|g" certs/index.html
ROOT_BASE_NAME=$(basename $PKI_ROOT_CERT_BASE)
PKI_ROOT_LINK="<a class=\"public\" href=\"$ROOT_BASE_NAME.pem\">$ROOT_BASE_NAME.pem</a></td>"
sed -i -e "s|<\!-- BEGIN PKI_ROOT_LINK -->.*<\!-- END PKI_ROOT_LINK -->|<\!-- BEGIN PKI_ROOT_LINK -->$PKI_ROOT_LINK<\!-- END PKI_ROOT_LINK -->|g" certs/index.html
PKI_ROOT_VALIDITY="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")<br/> $(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")"
sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" certs/index.html
ROOT_CRL_FILE=${PKI_ROOT_CERT_BASE/-cert/-crl}.pem
PKI_ROOT_CRL_LINK=""
PKI_ROOT_CRL_VALIDITY=""
if [ -e $ROOT_CRL_FILE ]; then
ROOT_CRL_NAME=$(basename $ROOT_CRL_FILE)
[ -e "crl/$ROOT_CRL_NAME" ] || cp $ROOT_CRL_FILE crl/$ROOT_CRL_NAME
PKI_ROOT_CRL_LINK="<a class=\"public\" href=\"../crl/$ROOT_CRL_NAME\">$ROOT_CRL_NAME</a></td>"
PKI_ROOT_CRL_VALIDITY="$(openssl crl -noout -in $ROOT_CRL_FILE -lastupdate | sed -e "s/.*=/Last Update: /")<br/> $(openssl crl -noout -in $ROOT_CRL_FILE -nextupdate | sed -e "s/.*=/Next Update: /")"
fi
sed -i -e "s|<\!-- BEGIN PKI_ROOT_CRL_LINK -->.*<\!-- END PKI_ROOT_CRL_LINK -->|<\!-- BEGIN PKI_ROOT_CRL_LINK -->$PKI_ROOT_CRL_LINK<\!-- END PKI_ROOT_CRL_LINK -->|g" certs/index.html
sed -i -e "s|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->.*<\!-- END PKI_ROOT_CRL_VALIDITY -->|<\!-- BEGIN PKI_ROOT_CRL_VALIDITY -->$PKI_ROOT_CRL_VALIDITY<\!-- END PKI_ROOT_CRL_VALIDITY -->|g" certs/index.html
fi
if [ -e $PKI_INT_CERT_BASE.pem ]; then
PKI_INT_DN=$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -subject | sed -e "s/subject=//")
sed -i -e "s|<\!-- BEGIN PKI_INT_DN -->.*<\!-- END PKI_INT_DN -->|<\!-- BEGIN PKI_INT_DN -->$PKI_INT_DN<\!-- END PKI_INT_DN -->|g" certs/index.html
INT_BASE_NAME=$(basename $PKI_INT_CERT_BASE)
PKI_INT_LINK="<a class=\"public\" href=\"$INT_BASE_NAME.pem\">$INT_BASE_NAME.pem</a></td>"
sed -i -e "s|<\!-- BEGIN PKI_INT_LINK -->.*<\!-- END PKI_INT_LINK -->|<\!-- BEGIN PKI_INT_LINK -->$PKI_INT_LINK<\!-- END PKI_INT_LINK -->|g" certs/index.html
PKI_INT_VALIDITY="$(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -startdate | sed -e "s/.*=/Not Before: /")<br/> $(openssl x509 -noout -in $PKI_INT_CERT_BASE.pem -enddate | sed -e "s/.*=/Not After: /")"
sed -i -e "s|<\!-- BEGIN PKI_INT_VALIDITY -->.*<\!-- END PKI_INT_VALIDITY -->|<\!-- BEGIN PKI_INT_VALIDITY -->$PKI_INT_VALIDITY<\!-- END PKI_INT_VALIDITY -->|g" certs/index.html
INT_CRL_NAME=${INT_BASE_NAME/-cert/-crl}.pem
PKI_INT_CRL_LINK=""
PKI_INT_CRL_VALIDITY=""
if [ -e "crl/$PKI_ISSUER_NAME_ID.crl" ]; then
[ -L "crl/$INT_CRL_NAME" ] || ln -sf $PKI_ISSUER_NAME_ID.crl crl/$INT_CRL_NAME
PKI_INT_CRL_LINK="<a class=\"public\" href=\"../crl/$INT_CRL_NAME\">$INT_CRL_NAME</a></td>"
PKI_INT_CRL_VALIDITY="$(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -lastupdate | sed -e "s/.*=/Last Update: /")<br/> $(openssl crl -noout -inform der -in crl/$PKI_ISSUER_NAME_ID.crl -nextupdate | sed -e "s/.*=/Next Update: /")"
fi
sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_LINK -->.*<\!-- END PKI_INT_CRL_LINK -->|<\!-- BEGIN PKI_INT_CRL_LINK -->$PKI_INT_CRL_LINK<\!-- END PKI_INT_CRL_LINK -->|g" certs/index.html
sed -i -e "s|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->.*<\!-- END PKI_INT_CRL_VALIDITY -->|<\!-- BEGIN PKI_INT_CRL_VALIDITY -->$PKI_INT_CRL_VALIDITY<\!-- END PKI_INT_CRL_VALIDITY -->|g" certs/index.html
fi
sed -i -e "s|<title>.*</title>|<title>Certificates \| $PKI_WEB_TITLE</title>|g" certs/index.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" certs/index.html
sed -i -e "s|<\!-- BEGIN PKI_COMPANY_NAME -->.*<\!-- END PKI_COMPANY_NAME -->|<\!-- BEGIN PKI_COMPANY_NAME -->$PKI_DEFAULT_O<\!-- END PKI_COMPANY_NAME -->|g" cps/index.html
sed -i -e "s|<\!-- BEGIN PKI_ROOT_DN -->.*<\!-- END PKI_ROOT_DN -->|<\!-- BEGIN PKI_ROOT_DN -->$PKI_ROOT_DN<\!-- END PKI_ROOT_DN -->|g" cps/index.html
if [ -e $PKI_ROOT_CERT_BASE.pem ]; then
PKI_ROOT_FINGERPRINT="$(openssl x509 -noout -in $PKI_ROOT_CERT_BASE.pem -fingerprint | sed -e "s/.*=//" | sed -e "s/.\{21\}/&\\\n/g")"
sed -i -e "s|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->.*<\!-- END PKI_ROOT_FINGERPRINT -->|<\!-- BEGIN PKI_ROOT_FINGERPRINT -->$PKI_ROOT_FINGERPRINT<\!-- END PKI_ROOT_FINGERPRINT -->|g" cps/index.html
sed -i -e "s|<\!-- BEGIN PKI_ROOT_VALIDITY -->.*<\!-- END PKI_ROOT_VALIDITY -->|<\!-- BEGIN PKI_ROOT_VALIDITY -->$PKI_ROOT_VALIDITY<\!-- END PKI_ROOT_VALIDITY -->|g" cps/index.html
fi
sed -i -e "s|<title>.*</title>|<title>CPS \| $PKI_WEB_TITLE</title>|g" cps/index.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" cps/index.html
sed -i -e "s|<\!-- BEGIN LABCA_CPS_LOCATION -->.*<\!-- END LABCA_CPS_LOCATION -->|<\!-- BEGIN LABCA_CPS_LOCATION --><a class=\"public\" href=\"http://$PKI_FQDN/cps/\">http://$PKI_FQDN/cps/</a><\!-- END LABCA_CPS_LOCATION -->|g" cps/index.html
sed -i -e "s|<\!-- BEGIN LABCA_CERTS_LOCATION -->.*<\!-- END LABCA_CERTS_LOCATION -->|<\!-- BEGIN LABCA_CERTS_LOCATION --><a class=\"public\" href=\"http://$PKI_FQDN/certs/\">http://$PKI_FQDN/certs/</a><\!-- END LABCA_CERTS_LOCATION -->|g" cps/index.html
sed -i -e "s|<title>.*</title>|<title>$PKI_WEB_TITLE</title>|g" index.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" index.html
if [ "$PKI_WEB_TITLE" == "LabCA" ]; then
sed -i -e "s|<\!-- BEGIN WEBTITLE_X1 -->.*<\!-- END WEBTITLE_X1 -->|<\!-- BEGIN WEBTITLE_X1 -->$PKI_WEB_TITLE<\!-- END WEBTITLE_X1 -->|g" index.html
sed -i -e "s|<\!-- BEGIN WEBTITLE_X2 -->.*<\!-- END WEBTITLE_X2 -->|<\!-- BEGIN WEBTITLE_X2 -->this $PKI_WEB_TITLE instance<\!-- END WEBTITLE_X2 -->|g" index.html
else
sed -i -e "s|<\!-- BEGIN WEBTITLE_X1 -->.*<\!-- END WEBTITLE_X1 -->|<\!-- BEGIN WEBTITLE_X1 -->$PKI_WEB_TITLE is running LabCA, which<\!-- END WEBTITLE_X1 -->|g" index.html
sed -i -e "s|<\!-- BEGIN WEBTITLE_X2 -->.*<\!-- END WEBTITLE_X2 -->|<\!-- BEGIN WEBTITLE_X2 -->$PKI_WEB_TITLE<\!-- END WEBTITLE_X2 -->|g" index.html
fi
sed -i -e "s|<title>.*</title>|<title>Rate Limits \| $PKI_WEB_TITLE</title>|g" rate-limits.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" rate-limits.html
if [ "$PKI_WEB_TITLE" == "LabCA" ]; then
sed -i -e "s|<\!-- BEGIN WEBTITLE_X2 -->.*<\!-- END WEBTITLE_X2 -->|<\!-- BEGIN WEBTITLE_X2 -->this $PKI_WEB_TITLE instance<\!-- END WEBTITLE_X2 -->|g" rate-limits.html
else
sed -i -e "s|<\!-- BEGIN WEBTITLE_X2 -->.*<\!-- END WEBTITLE_X2 -->|<\!-- BEGIN WEBTITLE_X2 -->$PKI_WEB_TITLE<\!-- END WEBTITLE_X2 -->|g" rate-limits.html
fi
sed -i -e "s|<\!-- BEGIN PKI_COMPANY_NAME -->.*<\!-- END PKI_COMPANY_NAME -->|<\!-- BEGIN PKI_COMPANY_NAME -->$PKI_DEFAULT_O<\!-- END PKI_COMPANY_NAME -->|g" terms/v1.html
sed -i -e "s|<title>.*</title>|<title>Terms \| $PKI_WEB_TITLE</title>|g" terms/v1.html
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" terms/v1.html
if [ -e /opt/boulder/sfe/templates/layout.html ]; then
# TODO: move the SFE pages to nginx static files ?
sed -i -e "s|<\!-- BEGIN WEBTITLE -->.*<\!-- END WEBTITLE -->|<\!-- BEGIN WEBTITLE -->$PKI_WEB_TITLE<\!-- END WEBTITLE -->|g" /opt/boulder/sfe/templates/layout.html
fi
Reference in New Issue View Git Blame Copy Permalink