LetsEncrypt
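#!/usr/bin/env bash
# This file is stored in the home directory on my system, update as you would see fit.
# certbot certonly --webroot -w /var/lib/haproxy $(/home/cert-domains.sh)
#
# Prints every entry of domainlist as a "-d <domain>" pair on one line, so the
# (deliberately unquoted) command substitution above expands into separate
# certbot arguments. -u is left out of the strict-mode set on purpose: bash
# versions before 4.4 treat an empty array expansion as an unset variable.
set -eo pipefail

domainlist=(
  'host.tld'
  'sub001.host.tld'
  'sub002.host.tld'
  'sub003.host.tld'
  'sub004.host.tld'
)

#######################################
# Build the certbot "-d" argument string.
# Globals:   domainlist (read)
# Arguments: none
# Outputs:   "-d a -d b ..." on stdout, single line, no leading space; a bare
#            newline when domainlist is empty. Unlike a loop that stops at the
#            first empty slot, every element is visited, so an accidental ''
#            entry no longer truncates the list.
# Returns:   0
#######################################
build_domain_args() {
  local parts=()
  local domain
  for domain in "${domainlist[@]}"; do
    parts+=("-d" "$domain")
  done
  # "${parts[*]}" joins the elements with the first character of IFS.
  local IFS=' '
  printf '%s\n' "${parts[*]}"
}

build_domain_args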
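#!/usr/bin/env bash
# Scripts should be placed in "/etc/letsencrypt/renew-hook-actions/{DOMAIN}" and be made executable
# Parameters that will be passed to this script
# $1 = certificate
# $2 = private key
# $3 = chain certificate
# $4 = fullchain certificate
# $5 = bundle certificate
# $6 = pfx certificate
#
# Pushes the pfx certificate ($6) to the Emby VM with scp and restarts
# emby-server there. sshpass reads the remote root password from the file
# "emby-vm-pass" next to this script; keep that file mode 0600, anyone who
# can read it gets root on the VM.
set -euo pipefail

RMTIP="192.168.1.100"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
PASSFILE="$DIR/emby-vm-pass"
REMOTE="root@$RMTIP"
readonly RMTIP DIR PASSFILE REMOTE

# Fail early, before touching known_hosts, when the inputs are missing.
: "${6:?pfx certificate path (argument 6) is required}"
[[ -r "$6" ]] || { printf 'pfx certificate not readable: %s\n' "$6" >&2; exit 1; }
[[ -r "$PASSFILE" ]] || { printf 'password file not readable: %s\n' "$PASSFILE" >&2; exit 1; }

# Learn the VM's host key only when it is not already in known_hosts. Deleting
# and re-scanning it on every run would accept whatever key the network answers
# with, which makes host-key checking useless. When the VM's key legitimately
# changes, remove the stale entry by hand: ssh-keygen -R "<vm ip>"
mkdir -p -m 700 ~/.ssh
if ! ssh-keygen -F "$RMTIP" > /dev/null; then
  # -t rsa keeps only the ssh-rsa key, the same selection the previous
  # "grep ssh-rsa" filter made on the scan output.
  ssh-keyscan -t rsa "$RMTIP" 2> /dev/null >> ~/.ssh/known_hosts
fi

echo "Transfering cert to Emby VM"
sshpass -f "$PASSFILE" scp "$6" "$REMOTE:/var/lib/emby-server/ssl/letsencrypt.pfx"

echo "Restarting Emby"
sshpass -f "$PASSFILE" ssh "$REMOTE" "service emby-server restart > /dev/null"

echo "Logging action on remote system"
sshpass -f "$PASSFILE" ssh "$REMOTE" 'echo "[$(date)] emby-server restarted to apply new certificate from letsencrypt." >> "/home/emby-cronjobs.log"'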
#==================================================================================
#= HAProxy front door for this LetsEncrypt setup: answers the ACME http-01
#= challenge on :80 through the lua service, redirects everything else to
#= https, and terminates TLS on :443 with the bundle.pem that renew.sh writes.
#==================================================================================
global
# haproxy runs chrooted here; the same directory is the webroot (-w) handed to
# certbot in cert-domains.sh, so challenge files land inside the chroot.
chroot /var/lib/haproxy
daemon
# Letsencrypt Update Script Reference
# Provides the lua.acme-http01 service used by the upgrade_to_https frontend.
lua-load /etc/haproxy/acme-http01-webroot.lua
# Default SSL material locations
ca-base /etc/letsencrypt/live
crt-base /etc/letsencrypt/live
# Default ciphers to use on SSL-enabled listening sockets.
tune.ssl.default-dh-param 2048
# Only SSLv3 is refused; TLS 1.0 and 1.1 remain negotiable.
# NOTE(review): "no-sslv3 no-tlsv10 no-tlsv11" would be the tighter setting -
# confirm no legacy client depends on the old versions first.
ssl-default-bind-options no-sslv3
# NOTE(review): the *+3DES entries keep 3DES suites enabled; drop them unless a
# known client still needs them.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Same policy for connections haproxy opens towards TLS backends.
ssl-default-server-options no-sslv3
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
defaults
log global
# Set Layer 7
mode http
# Options
# forwardfor adds the client address as X-Forwarded-For for the backends.
option forwardfor
option httplog
option dontlognull
option redispatch
option http-server-close
option contstats
# Timeouts (values are in milliseconds, haproxy's default unit)
timeout connect 5000
timeout client 50000
timeout server 50000
# Long tunnel timeout keeps upgraded/websocket-style connections alive.
timeout tunnel 3600000
timeout http-keep-alive 1000
timeout http-request 15000
timeout queue 30000
timeout tarpit 60000
# Error Files
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#==================================================================================
#= Layer 7 Frontends
#==================================================================================
# Plain-http listener: only the ACME challenge path is served here, every other
# request is bounced to https.
frontend upgrade_to_https
bind *:80
# Letsencrypt request
acl url_acme_http01 path_beg /.well-known/acme-challenge/
# Only GET requests under the challenge path reach the lua responder.
http-request use-service lua.acme-http01 if METH_GET url_acme_http01
# Upgrade to https
redirect scheme https if !{ ssl_fc }
frontend https_in
# {{YOUR DOMAIN HERE}} is the lineage name. bundle.pem is written by renew.sh
# as fullchain + private key, so it carries the key material; keep its
# permissions owner-only.
bind *:443 ssl crt /etc/letsencrypt/live/{{YOUR DOMAIN HERE}}/bundle.pem
#------------------------------------------
#- SSL HSTS
#------------------------------------------
# max-age 16000000 s is about 185 days; includeSubDomains + preload apply it to
# every subdomain served through this listener.
# NOTE(review): the trailing ';' after preload is unnecessary, and the public
# preload list expects a larger max-age - confirm before submitting the domain.
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
#------------------------------------------
#- Application Proxy subdomain
#------------------------------------------
# matrix.HOSTNAME.ca is a placeholder for the real matrix host name.
use_backend be_matrix if { hdr(Host) -i matrix.HOSTNAME.ca }
#------------------------------------------
#- Application Proxy URI
#------------------------------------------
use_backend be_matrix if { url_beg /riot }
use_backend be_matrix if { url_beg /_matrix }
#------------------------------------------
#- Default proxy
#------------------------------------------
default_backend be_organizr
#==================================================================================
#= Layer 7 Backends
#==================================================================================
backend be_matrix
# A request routed here by the Host rule with some other path is sent to the
# riot client; the two path rules above already start with /riot or /_matrix.
redirect location /riot unless { url_beg /_matrix || url_beg /riot }
# Homeserver API and web client live on different ports of the same host.
use-server ct_matrix_protocol if { url_beg /_matrix }
use-server ct_matrix_riot if { url_beg /riot }
server ct_matrix_protocol 192.168.1.101:8008 check
server ct_matrix_riot 192.168.1.101:80 check
backend be_organizr
server ct_organizr_1 192.168.1.99:80 check
#!/usr/bin/env bash
# Scripts should be placed in "/etc/letsencrypt/renew-hook-actions/{DOMAIN}" and be made executable
# Parameters that will be passed to this script
# $1 = certificate
# $2 = private key
# $3 = chain certificate
# $4 = fullchain certificate
# $5 = bundle certificate
# $6 = pfx certificate
#
# Asks the running haproxy to re-read its configuration so the renewed
# bundle.pem it binds to is picked up. All six arguments are accepted for
# interface compatibility with the other hook scripts; none is used here.

#######################################
# Reload haproxy in place.
# Arguments: ignored (see header)
# Returns:   the exit status of "service haproxy reload"
#######################################
main() {
  service haproxy reload
}

main "$@"
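#!/usr/bin/env bash
# Scripts should be placed in "/etc/letsencrypt/renew-hook-actions/{DOMAIN}" and be made executable
# Parameters that will be passed to this script
# $1 = certificate
# $2 = private key
# $3 = chain certificate
# $4 = fullchain certificate
# $5 = bundle certificate
# $6 = pfx certificate
#
# Copies the fullchain ($4) and private key ($2) to the Proxmox node as
# pveproxy's certificate pair and restarts pveproxy. sshpass reads the remote
# root password from the file "pve-pass" next to this script; keep that file
# mode 0600, anyone who can read it gets root on the node.
set -euo pipefail

RMTIP="192.168.10.5"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
PASSFILE="$DIR/pve-pass"
REMOTE="root@$RMTIP"
readonly RMTIP DIR PASSFILE REMOTE

# Fail early, before touching known_hosts, when the inputs are missing.
: "${2:?private key path (argument 2) is required}"
: "${4:?fullchain certificate path (argument 4) is required}"
[[ -r "$2" ]] || { printf 'private key not readable: %s\n' "$2" >&2; exit 1; }
[[ -r "$4" ]] || { printf 'fullchain certificate not readable: %s\n' "$4" >&2; exit 1; }
[[ -r "$PASSFILE" ]] || { printf 'password file not readable: %s\n' "$PASSFILE" >&2; exit 1; }

# Learn the node's host key only when it is not already in known_hosts.
# Deleting and re-scanning it on every run would accept whatever key the
# network answers with, which makes host-key checking useless. When the
# node's key legitimately changes, remove the stale entry by hand:
# ssh-keygen -R "<node ip>"
mkdir -p -m 700 ~/.ssh
if ! ssh-keygen -F "$RMTIP" > /dev/null; then
  # -t rsa keeps only the ssh-rsa key, the same selection the previous
  # "grep ssh-rsa" filter made on the scan output.
  ssh-keyscan -t rsa "$RMTIP" 2> /dev/null >> ~/.ssh/known_hosts
fi

echo "Transfering cert files to Proxmox"
sshpass -f "$PASSFILE" scp "$4" "$REMOTE:/etc/pve/nodes/pve01/pveproxy-ssl.pem"
sshpass -f "$PASSFILE" scp "$2" "$REMOTE:/etc/pve/nodes/pve01/pveproxy-ssl.key"

echo "Restarting Proxmox Proxy"
sshpass -f "$PASSFILE" ssh "$REMOTE" systemctl restart pveproxy

echo "Logging action on remote system"
sshpass -f "$PASSFILE" ssh "$REMOTE" 'echo "[$(date)] pveproxy restarted to apply new certificate from letsencrypt." >> "/etc/pve/nodes/pve01/letsencrypt.log"'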
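#!/usr/bin/env bash
# This script should be executed with the letsencrypt live path as the parameter (should happen with the renew hook from certbot)
# This will create a bundle and pfx certificate for use in other applications and run scripts in the "/etc/letsencrypt/renew-hook-actions/{DOMAIN}"
# folder which will perform the specific actions as needed.
# /home/renew.sh "/etc/letsencrypt/live/{DOMAIN}"
#
# Inputs:
#   RENEWED_LINEAGE  live directory of the renewed lineage (certbot exports it
#                    for hooks); when empty, $1 is used instead
#   LOGDIR           path of the log file (name kept for compatibility with
#                    existing callers even though it names a file, not a dir)
# Outputs:
#   $RENEWED_LINEAGE/bundle.pem    fullchain + private key (for haproxy)
#   $RENEWED_LINEAGE/hostcert.pfx  PKCS#12 container with an empty password
# Exit status: 0 after processing, 1 on a missing or invalid lineage path;
# a failing cat/openssl step aborts with its own status (set -e). -u is not
# enabled because $1 and the two env vars are legitimately allowed to be unset.
set -eo pipefail

#######################################
# Append a timestamped line to the log file without aborting the run.
# Globals:   LOGDIR (append)
# Arguments: $* - message
#######################################
log() {
  printf '[%s] %s\n' "$(date)" "$*" >> "$LOGDIR" \
    || printf 'warning: cannot write to %s\n' "$LOGDIR" >&2
}

#######################################
# Print the value of a "key = value" line from a certbot renewal conf.
# Arguments: $1 - conf file contents
#            $2 - key name; a literal from this script, never external input,
#                 because it is spliced into the sed pattern
# Outputs:   the value on stdout (empty when the key is absent)
#######################################
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

#######################################
# Run every executable in the lineage's action folder with the cert paths.
# Globals:   base (read)
# Arguments: $1 - action folder; $2..$7 - cert, privkey, chain, fullchain,
#            bundle, pfx paths handed to each script in that order
# Returns:   0; a failing action script is reported and the remaining ones
#            still run
#######################################
run_action_scripts() {
  local actiondir=$1
  shift
  local script name rc
  [ -d "$actiondir" ] || return 0
  # A glob instead of $(ls ...) keeps names with spaces intact; an unmatched
  # glob expands to itself, hence the -e guard. Dotfiles are skipped, as
  # they were with ls.
  for script in "$actiondir"/*; do
    [ -e "$script" ] || continue
    name=${script##*/}
    if [[ -x "$script" ]]; then
      echo "============ Processing $name ============"
      rc=0
      "$script" "$@" || rc=$?
      if (( rc == 0 )); then
        log "$base - $name distribution script was executed"
      else
        echo "============ $name failed with status $rc ============" >&2
        log "$base - $name distribution script failed with status $rc"
      fi
    else
      echo "============ $name is not executable! ============"
    fi
  done
}

if [ "${LOGDIR:-}" = "" ]; then
  export LOGDIR="/var/log/letsencrypt/renew.log"
fi

if [ "${RENEWED_LINEAGE:-}" = "" ]; then
  if [ -e "${1:-}" ]; then
    export RENEWED_LINEAGE="$1"
  else
    echo "No path specified in RENEWED_LINEAGE global variable or no parameter specified"
    exit 1
  fi
fi

# RENEWED_LINEAGE is set from here on; a guard clause replaces the old nested
# if/else (whose second empty-string check could never fire).
if [ ! -e "$RENEWED_LINEAGE/fullchain.pem" ]; then
  echo "$RENEWED_LINEAGE appears to not be a cert directory"
  exit 1
fi

echo "============ Generating Additional Certificates ============"
# Resolve basename (the lineage name certbot uses for the renewal conf)
base=$(basename "$RENEWED_LINEAGE")
log "$base certificate was renewed, processing."

# Get configuration; a missing conf aborts here (set -e) instead of running
# on with empty file paths.
leconf=$(cat "/etc/letsencrypt/renewal/$base.conf")
# Pull certificate file paths
cert=$(conf_value "$leconf" cert)
privkey=$(conf_value "$leconf" privkey)
chain=$(conf_value "$leconf" chain)
fullchain=$(conf_value "$leconf" fullchain)

# Generated Cert Paths
bundle="$RENEWED_LINEAGE/bundle.pem"
pfx="$RENEWED_LINEAGE/hostcert.pfx"

# Both generated files embed the private key, so create them owner-only
# instead of with the caller's umask. The umask change is confined to the
# subshell so the action scripts keep the normal one. Files that already
# exist keep their current mode (the redirection only truncates them).
(
  umask 077
  # Create bundle
  cat "$fullchain" "$privkey" > "$bundle"
  # Create .PFX certificate with no password (-passout pass:); the consumers
  # in the hook scripts rely on that, so the file permissions are the only
  # protection for the key inside it.
  openssl pkcs12 -export -out "$pfx" -inkey "$privkey" -in "$cert" -certfile "$chain" -passout pass:
)

# Process action scripts in folder
run_action_scripts "/etc/letsencrypt/renew-hook-actions/$base" "$cert" "$privkey" "$chain" "$fullchain" "$bundle" "$pfx"
exit 0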