authorGeorg Pfuetzenreuter2022-05-31 21:51:28 +0200
committerGeorg Pfuetzenreuter2022-05-31 21:51:28 +0200
commitf655c72534d1700010c6448e6719ae9491680b5d (patch)
treeb2b6c72e2df0ed34cfa056f17a5a2559c6c92a60
parentf33ae8debd7edbea976eb0deccfb790f7dcdc82c (diff)
Update certificate hook script
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
-rwxr-xr-xscripts/certificate_hook.sh28
1 files changed, 16 insertions, 12 deletions
diff --git a/scripts/certificate_hook.sh b/scripts/certificate_hook.sh
index 36e4422..7d84ed9 100755
--- a/scripts/certificate_hook.sh
+++ b/scripts/certificate_hook.sh
@@ -2,18 +2,21 @@
#to-do: make this universal / not specific to a certain service
set -C
-set -e
+#set -e
set -u
certname="irc.casa"
mailto="system@lysergic.dev"
-hosts="dericom01 deriweb01"
+#hosts="dericom01 deriweb01"
+hosts="dericom01"
OUTPUT="/var/log/lysergic/certificate-scripts/$certname.log"
crt="/etc/ssl/lego/certificates/$certname.crt"
key="/etc/ssl/lego/certificates/$certname.key"
-crtdest="/etc/ssl/irc/crt"
-keydest="/etc/ssl/irc/key"
-sshkey="/home/brain/.ssh/id_ed25519_brain"
+destdir="/etc/ssl/irc/"
+#crtdest="/etc/ssl/irc/crt"
+#keydest="/etc/ssl/irc/key"
+sshuser="brain"
+sshkey="/home/brain/.ssh/id_lysergic"
sshopts=" -qi $sshkey"
cn=`openssl x509 -in $crt -noout -text | grep "CN ="`
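Review bot: Commenting out `set -e` (the `#set -e` line) removes the only error handling this script had: a failed `scp` in install() or a failed `ssh` in reload() now merely writes to the log, and the run continues into the reload and self-check steps on a host that may still hold the old or no key material. If -e was dropped because one command legitimately returns non-zero, scope that instead (`cmd || true` with a comment saying why) and keep `set -e`, or add an explicit `|| exit 1` to the scp and ssh calls in the install()/reload() hunk below. The new `destdir="/etc/ssl/irc/"` replaces two explicit file targets with a directory, so scp will keep the source basenames (`irc.casa.crt`, `irc.casa.key`) rather than the former `crt`/`key` names; whether the service configuration on the host expects those names is not visible here and should be confirmed.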
@@ -25,22 +28,22 @@ fp_crt=`openssl x509 -fingerprint -sha256 -noout -in $crt`
install () {
local host="$1"
local source="$2"
- local target="$host:$3"
+ local target="$sshuser@$host:$3"
echo "$host: Installing $target ..." >> $OUTPUT
- scp $sshopts $source $target >> $OUTPUT 2>&1
+ scp $sshopts "$source" "$target" >> $OUTPUT 2>&1
}
reload () {
local host="$1"
local service="$2"
echo "$host: Reloading $service ..." >> $OUTPUT
- ssh $sshopts "/usr/bin/sudo /usr/bin/systemctl reload $service.service" >> $OUTPUT 2>&1
+ ssh $sshopts "$sshuser:$host" "/usr/bin/sudo /usr/bin/systemctl reload $service.service" >> $OUTPUT 2>&1
}
check () {
local host="$1"
local port="$2"
- echo "Performing self-check [$host:$port]..." > $OUTPUT
+ echo "Performing self-check [$host:$port]..." >> $OUTPUT
local fp_remote=`openssl s_client -connect "$host":"$port" < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin`
echo "Remote fingerprint: $fp_crt" >> $OUTPUT
if [ "$fp_crt" = "$fp_crt" ]; then
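Review bot: The ssh destination added in reload() is written `"$sshuser:$host"`, which ssh treats as one hostname, so the reload will fail to resolve the host; install() in the same hunk uses the correct form, so the line should read `ssh $sshopts "$sshuser@$host" "/usr/bin/sudo /usr/bin/systemctl reload $service.service" >> $OUTPUT 2>&1`. Separately, check() computes `fp_remote` but then logs and compares `$fp_crt` with itself, so the self-check reports success no matter what certificate the server actually presents; `echo "Remote fingerprint: $fp_remote" >> $OUTPUT` and `if [ "$fp_crt" = "$fp_remote" ]; then` would make it a real verification, and with `set -e` gone in this commit this check is the only signal left that the install worked. check()'s body continues outside the hunk.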
@@ -51,6 +54,7 @@ check () {
}
echo "Last renewal happened on `date`" >| $OUTPUT
+
echo "$cn" >> $OUTPUT
echo "$alt" >> $OUTPUT
echo "$notbefore" >> $OUTPUT
@@ -58,10 +62,10 @@ echo "$notafter" | grep "Not After" >> $OUTPUT
echo "Installing files ..." >> $OUTPUT
-for host in "$hosts"
+for host in $hosts
do
- install "$host" "$crt" "$crtdest"
- install "$host" "$key" "$keydest"
+ install "$host" "$crt" "$destdir"
+ install "$host" "$key" "$destdir"
done
# do we really need this certificate on the webserver?