Taskit task to deploy a certificate during CI
# This was used to deploy certificates during CI deployments from GitLab CI.
# You need files at HTTPS_KEY and HTTPS_CERT (easily done with GitLab CI/CD variables of type "file").
# HTTPS_CERT is expected to contain the certificate chain.
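#######################################
# Deploy the TLS certificate chain and private key handed in by GitLab CI
# (file-type variables HTTPS_CERT and HTTPS_KEY) into a dated directory below
# the target directory and repoint the "certs-latest" and "./https-cert"
# symlinks at it. Every check that fails exits the task with status 1 so a
# broken certificate never reaches the proxy.
# Globals:
#   HTTPS_CERT, HTTPS_KEY         (read) paths of the chain and the key; both
#                                 files are removed after a successful copy
#   NGINX_SERVER_NAME             (read) host name the certificate must cover
#   HTTPS_ALLOW_INVALID           (read) when set, host-name and expiry
#                                 failures are not fatal
#   _target_dir, _cert_dir_name   (read) filled in by taskit from @param
#   _CERT, _NUMBER_OF_CERTS, PUBKEY_FROM_CERT, PUBKEY_FROM_KEY, CERT_DIR
#                                 (written) kept global as before
# Outputs:  progress, warnings and errors on stdout
# Returns:  0 when no certificate was supplied or deployment succeeded;
#           exits 1 on any failed check
#######################################
Task::deploy_cert () {
  : @desc "Deploy certificate from GitLab runner to its designated position"
  : @param target_dir="$HOME/ilias"
  : @param cert_dir_name="certs-$(date +'%Y-%m-%d_%H-%M-%S%z')"
  echo "[HTTPS CERT] Deploying certificate and private key."
  # A run without the CI/CD file variables is not an error: there is simply
  # nothing to deploy.
  if [ -z "${HTTPS_CERT+x}" ]
  then
    echo "HTTPS/TLS Certificate not specified for this run."
    echo " Set a CI/CD Variable of type 'file' and named HTTPS_CERT"
    echo " containing the certificate and the chain without the root"
    echo " certificate and redeploy if this is unexpected."
    echo " Note that only the SSL-termination proxy (nginx) speaks HTTPS."
    return 0
  fi
  if [ -z "${HTTPS_KEY+x}" ]
  then
    # Fixed: this branch is about the key, not the certificate.
    echo "HTTPS/TLS private key not specified for this run."
    echo " Set a CI/CD Variable of type 'file' and named HTTPS_KEY"
    echo " containing the private key and redeploy if this is unexpected."
    echo " Note that only the SSL-termination proxy (nginx) speaks HTTPS."
    return 0
  fi
  if [ ! -d "$_target_dir" ]
  then
    echo "[ERROR]"
    echo "target directory ($_target_dir) does not exist."
    exit 1
  fi
  if [ -z "$_cert_dir_name" ]
  then
    echo "[ERROR]"
    echo "Cert dir name must not be empty."
    exit 1
  fi
  if [ ! -f "$HTTPS_CERT" ]
  then
    echo "[ERROR]"
    echo "certificate ($HTTPS_CERT) does not exist."
    exit 1
  fi
  if [ ! -f "$HTTPS_KEY" ]
  then
    echo "[ERROR]"
    echo "private key ($HTTPS_KEY) does not exist."
    exit 1
  fi
  # A file that openssl cannot parse must never be deployed, regardless of
  # HTTPS_ALLOW_INVALID (that flag only relaxes host-name and expiry checks).
  if ! _CERT="$(openssl x509 -in "$HTTPS_CERT" -text -noout)"
  then
    echo "[ERROR]"
    echo "certificate ($HTTPS_CERT) could not be parsed as an X.509 certificate."
    exit 1
  fi
  echo "$_CERT"
  # Host name covered by certificate?
  # With an empty NGINX_SERVER_NAME the substring test below would match any
  # certificate, silently disabling the check, so require it to be set.
  if [ -z "${HTTPS_ALLOW_INVALID+x}" ] && [ -z "${NGINX_SERVER_NAME:-}" ]
  then
    echo "[ERROR]"
    echo "NGINX_SERVER_NAME is not set; cannot verify the certificate's host name."
    echo " Set NGINX_SERVER_NAME, or set HTTPS_ALLOW_INVALID to skip this check."
    exit 1
  fi
  # NOTE: this is a plain substring match on the -text dump (Subject and SAN
  # included); wildcard certificates do not match a concrete host name here.
  if [ -z "${HTTPS_ALLOW_INVALID+x}" ] && [[ $_CERT != *"$NGINX_SERVER_NAME"* ]]
  then
    echo "[ERROR]"
    echo "Certificate is not valid for $NGINX_SERVER_NAME."
    echo " Either supply a valid certificate through HTTPS_CERT, correct"
    echo " NGINX_SERVER_NAME, or set HTTPS_ALLOW_INVALID in"
    echo " https://git.itz.uni-halle.de/elearning/ilias/ilias-docker/-/settings/ci_cd"
    echo " section 'Variables'"
    exit 1
  fi
  # Chain included? Count PEM blocks; one means the leaf only.
  _NUMBER_OF_CERTS="$(grep -c "END CERTIFICATE" "$HTTPS_CERT")"
  if [ "$_NUMBER_OF_CERTS" -lt "2" ]; then
    echo "[ERROR]"
    echo "The certificate HTTPS_CERT at $HTTPS_CERT must contain the certificate"
    echo "chain, the host-specific cert on top, the root certificate can and should"
    echo "be omitted."
    echo "Expected multiple 'END CERTIFICATE' but got only $_NUMBER_OF_CERTS"
    exit 1
  fi
  # Key and certificate must belong together. 'openssl pkey' handles any key
  # type (RSA, EC, ...) whereas 'openssl rsa' rejected non-RSA keys; both emit
  # the same SubjectPublicKeyInfo PEM that 'x509 -pubkey' prints.
  PUBKEY_FROM_CERT="$(openssl x509 -in "$HTTPS_CERT" -pubkey -noout)"
  PUBKEY_FROM_KEY="$(openssl pkey -in "$HTTPS_KEY" -pubout)"
  if [ "$PUBKEY_FROM_CERT" != "$PUBKEY_FROM_KEY" ]
  then
    # Fixed: a mismatch used to be reported but deployment continued anyway.
    echo "[ERROR]"
    echo "private key ($HTTPS_KEY) and certificate ($HTTPS_CERT) do not match."
    exit 1
  fi
  # Still valid for 1h?
  if [ -z "${HTTPS_ALLOW_INVALID+x}" ] && ! openssl x509 -checkend 3600 -noout -in "$HTTPS_CERT"
  then
    echo "[ERROR]"
    echo "Certificate $HTTPS_CERT (HTTPS_CERT) has expired or will do so within 1 hour!"
    echo "(or is invalid/not found)"
    exit 1
  fi
  # Still valid for 30 days (2592000 s)? Only a warning.
  if ! openssl x509 -checkend 2592000 -noout -in "$HTTPS_CERT"
  then
    echo "[WARN]"
    echo "Certificate $HTTPS_CERT (HTTPS_CERT) will expire within 1 month!"
  fi
  echo "[HTTPS CERT] Checks passed."
  CERT_DIR="$_target_dir/$_cert_dir_name"
  # shellcheck disable=SC2174
  mkdir -pm 750 "$CERT_DIR"
  cp -a "$HTTPS_CERT" "$CERT_DIR/ilias.chain.pem"
  cp -a "$HTTPS_KEY" "$CERT_DIR/ilias.key"
  chmod 640 "$CERT_DIR/ilias.chain.pem"
  # The key is made unreadable for everyone; whoever consumes it is expected to
  # run with enough privilege to bypass the mode bits.
  chmod 000 "$CERT_DIR/ilias.key"
  # Do not leave the runner-provided copies lying around.
  rm -f "$HTTPS_CERT" "$HTTPS_KEY"
  ln -sfn "$CERT_DIR" "$_target_dir/certs-latest"
  ln -sfn "$CERT_DIR" "./https-cert"
  echo "Done updating $CERT_DIR."
}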