Created
June 7, 2019 22:53
-
-
Save mommel/eb910686b11739b0315eb8b1aa0bc4a6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| _ACMEWORK="/home/docker/acme/out" | |
| cd $_ACMEWORK | |
| DOMAIN="top.tld" | |
| BACKUPFOLDER="${_ACMEWORK}/backup/" | |
| ISSUEINGFOLDER="${_ACMEWORK}/${DOMAIN}" | |
| _ckey="${ISSUEINGFOLDER}/${DOMAIN}.key" | |
| _ccert="${ISSUEINGFOLDER}/${DOMAIN}.cer" | |
| _cca="${ISSUEINGFOLDER}/ca.cer" | |
| _fullchain="${ISSUEINGFOLDER}/fullchain.cer" | |
| ARCHIVEFOLDER="/usr/local/etc/certificate/archive/S2344SD/" | |
| _today=`date +%Y-%m-%d` | |
| ERROR=0 | |
| checkResult () { | |
| if [ $1 -ne 0 ] | |
| then | |
| echo "ERROR HAPPENED - Will halt now" | |
| $ERROR=1 | |
| return 1 | |
| fi | |
| } | |
| deploy2Archive () { | |
| echo "STARTING Deployment - to ARCHIVE" | |
| local retval=0 | |
| # Copying Certifiates | |
| # FROM ISSUNING FOLDER TO ARCHIVE FOLDER | |
| rm ${ARCHIVEFOLDER}*.pem | |
| retval=$((retval + $?)) | |
| cp ${_ckey} ${ARCHIVEFOLDER}privkey.pem | |
| retval=$((retval + $?)) | |
| cp ${_ccert} ${ARCHIVEFOLDER}cert.pem | |
| retval=$((retval + $?)) | |
| cp ${_cca} ${ARCHIVEFOLDER}chain.pem | |
| retval=$((retval + $?)) | |
| cp ${_fullchain} ${ARCHIVEFOLDER}fullchain.pem | |
| retval=$((retval + $?)) | |
| chmod 400 /usr/local/etc/certificate/system/FQDN/*.pem | |
| retval=$((retval + $?)) | |
| return $retval | |
| } | |
| deploy2default () { | |
| echo "STARTING Deployment - to default" | |
| local retval=0 | |
| # Copying Certifiates | |
| # FROM ARCHIVE FOLDER TO default FOLDER | |
| rm /usr/local/etc/certificate/system/default/*.pem | |
| retval=$((retval + $?)) | |
| cp ${ARCHIVEFOLDER}*.pem /usr/local/etc/certificate/system/default/ | |
| retval=$((retval + $?)) | |
| chmod 755 /usr/syno/etc/certificate/system/default/*.pem | |
| retval=$((retval + $?)) | |
| return $retval | |
| } | |
| deploy2FQDN () { | |
| echo "STARTING Deployment - to FQDN" | |
| # Copying Certifiates | |
| # FROM ARCHIVE FOLDER TO FQDN FOLDER | |
| local retval=0 | |
| chmod 755 /usr/syno/etc/certificate/system/FQDN/*.pem | |
| retval=$((retval + $?)) | |
| rm /usr/syno/etc/certificate/system/FQDN/*.pem | |
| retval=$((retval + $?)) | |
| cp ${ARCHIVEFOLDER}*.pem /usr/syno/etc/certificate/system/FQDN/ | |
| retval=$((retval + $?)) | |
| chmod 400 /usr/syno/etc/certificate/system/FQDN/*.pem | |
| retval=$((retval + $?)) | |
| return $retval | |
| } | |
| make_cert_package() | |
| { | |
| local retval="" | |
| local package=$1 | |
| echo >&2 "Creating package for ${package}" | |
| local TARFILE=${package}.tar | |
| tar cfv ${TARFILE} ${package}/ | |
| cd ${_ACMEWORK}/${package} | |
| if [ -f $TARFILE ]; then | |
| rm $TARFILE | |
| fi | |
| if [ -f $TARFILE ]; then | |
| rm ${package}.tar.enc | |
| fi | |
| mv ../${package}.tar . | |
| local PRIVATEKEY="${package}.key" | |
| local PUBLICKEY="${package}.last.cer" | |
| if [ -f $PUBLICKEY ]; then | |
| openssl smime -encrypt \ | |
| -binary -aes-256-cbc \ | |
| -in ${TARFILE} \ | |
| -out ${TARFILE}.enc \ | |
| -outform DER ${PUBLICKEY} | |
| fi | |
| echo >&2 "To Decrypt ${TARFILE}.enc" | |
| echo >&2 "please use the last ${PRIVATEKEY}" | |
| echo >&2 "and as Password an emptystring" | |
| echo >&2 "******************************" | |
| echo >&2 " | |
| openssl smime -decrypt \ | |
| -binary \ | |
| -in ${TARFILE}.enc \ | |
| -inform DER \ | |
| -out ${TARFILE}.dec.tar \ | |
| -inkey ${PRIVATEKEY} \ | |
| -passin pass:'' | |
| " | |
| local TIMESTAMP=`date +"%T"` | |
| mv ${package}.tar.enc ../KEYEXCHANGE/${package}.tar.enc | |
| mv ${package}.cer ${package}.last.cer | |
| checkanddeletefile ${package}.tar | |
| cd $_ACMEWORK | |
| return $retval | |
| } | |
| checkanddeletefile() | |
| { | |
| FILE=$1 | |
| if [ -f $FILE ]; then | |
| rm $FILE | |
| fi | |
| } | |
| deploy_cert() | |
| { | |
| echo >&2 "Deploy wildcard certificate for ${DOMAIN}" | |
| local retval=0 | |
| # Stopping Web Systems | |
| /sbin/initctl stop nginx | |
| retval=$((retval + $?)) | |
| synoservice --stop pkgctl-WebStation | |
| retval=$((retval + $?)) | |
| if [[ $retval -ne 0 ]]; then | |
| echo >&2 "Could not stop Webservices" | |
| exit 1 | |
| fi | |
| deploy2Archive | |
| if [[ $? -ne 0 ]]; then | |
| echo >&2 "Something went wrong while deploying ARCHIVE" | |
| exit 1 | |
| fi | |
| deploy2default | |
| if [[ $? -ne 0 ]]; then | |
| echo >&2 "Something went wrong while deploying to default" | |
| exit 1 | |
| fi | |
| deploy2FQDN | |
| if [[ $? -ne 0 ]]; then | |
| echo >&2 "Something went wrong while deploying to FQDN" | |
| exit 1 | |
| fi | |
| echo >&2 "Deployment DONE" | |
| echo >&2 "Staring Web Systems" | |
| # STARTING EVERYTHING | |
| /sbin/initctl start nginx | |
| retval=$((retval + $?)) | |
| /usr/syno/etc/rc.sysv/nginx.sh reload | |
| retval=$((retval + $?)) | |
| synoservice --start pkgctl-WebStation | |
| retval=$((retval + $?)) | |
| if [[ $retval -ne 0 ]]; then | |
| echo >&2 "Something went wrong while restart" | |
| $ERROR=1 | |
| exit 1 | |
| fi | |
| } | |
| function backupAll () { | |
| local retval=0 | |
| # Creating Backup | |
| echo >&2 "Staring Backup" | |
| mkdir -p ${BACKUPFOLDER} | |
| retval=$((retval + $?)) | |
| # Cleaning up the backup folder for backups older than half a year | |
| find ${BACKUPFOLDER}* -type d -mtime +180 -exec echo {} \; # CHANGE ECHO TO THE FOLLOWING TO NOT ONLY GET LOGGIN rm -rf {} \; | |
| retval=$((retval + $?)) | |
| _backup_today="${BACKUPFOLDER}${_today}/" | |
| mkdir -p ${_backup_today} | |
| retval=$((retval + $?)) | |
| mkdir -p ${_backup_today}_archive/ | |
| retval=$((retval + $?)) | |
| mkdir -p ${_backup_today}ISSUEINGFOLDER/ | |
| retval=$((retval + $?)) | |
| mkdir -p ${_backup_today}default/ | |
| retval=$((retval + $?)) | |
| mkdir -p ${_backup_today}FQDN/ | |
| retval=$((retval + $?)) | |
| cp ${ARCHIVEFOLDER}/*.* ${_backup_today}_archive/ | |
| retval=$((retval + $?)) | |
| cp /usr/syno/etc/certificate/system/default/*.* ${_backup_today}default/ | |
| retval=$((retval + $?)) | |
| cp /usr/syno/etc/certificate/system/FQDN/*.* ${_backup_today}FQDN/ | |
| retval=$((retval + $?)) | |
| checkResult $retval | |
| return $retval; | |
| } | |
| stop_container() | |
| { | |
| local retval=0 | |
| subdomain=$1 | |
| docker stop acme.sh_${subdomain} | |
| if [ "$?" = "0" ]; then | |
| sleep 15 | |
| else | |
| retval=1 | |
| fi | |
| docker rm acme.sh_${subdomain} | |
| if [ "$?" = "0" ]; then | |
| sleep 15 | |
| else | |
| retval=1 | |
| fi | |
| return $retval; | |
| } | |
| start_container() | |
| { | |
| retval=0 | |
| subdomain=$1 | |
| #docker run \ | |
| # Automatically remove the container when it exits | |
| #--rm \ | |
| # Mount volume into container | |
| #-itd -v $_ACMEWORK:/acme.sh \ | |
| # Connect a container to a network | |
| #--net=host \ | |
| # Assign a name to the container | |
| #--name=`acme.sh_${subdomain}` \ | |
| # start with daemon user | |
| #neilpang/acme.sh daemon | |
| docker run --rm -itd -v "${_ACMEWORK}":/acme.sh --net=host --name=acme.sh_${subdomain} neilpang/acme.sh daemon >&2 | |
| retval=$((retval + $?)) | |
| return $retval | |
| } | |
| check_if_old_instances_running() | |
| { | |
| retval=0 | |
| local subdomain=$1 | |
| local counter=$2 | |
| let counter++ | |
| echo >&2 " Checking if acme.sh_${subdomain} exists and is still running" | |
| local OLDIMAGESRUNNING=`docker ps | grep "acme.sh_${subdomain}"` >&2 | |
| if [ "${OLDIMAGESRUNNING}" != "" ]; then | |
| local resContainerstop=`stop_container "${subdomain}"` >&2 | |
| retval=$((retval + $?)) | |
| sleep 15 | |
| if [ "$retval" -lt "1" ]; then | |
| local OLDIMAGESRUNNING2=`docker ps | grep "acme.sh_${subdomain}"` >&2 | |
| if [ "${OLDIMAGESRUNNING2}" != "" ]; then | |
| docker kill "acme.sh_${subdomain}" >&2 | |
| retval=$((retval + $?)) | |
| sleep 15 | |
| if [ $counter -lt 4]; then | |
| check_if_old_instances_running ${subdomain} $counter | |
| else | |
| echo >&2 "Cannot kill the running instances will halt now" | |
| retval=$((retval + 1)) | |
| exit $retval | |
| fi | |
| fi | |
| fi | |
| fi | |
| } | |
| start_n_check_container() | |
| { | |
| local retval=0 | |
| local subdomain=$1 | |
| local counter=$2 | |
| let counter++ | |
| check_if_old_instances_running ${subdomain} 0 | |
| local resFromStart=`start_container ${subdomain}` | |
| local retval=$((retval + $?)) | |
| if [ "$retval" -lt "1" ]; then | |
| echo >&2 "Container start initiated" | |
| fi | |
| local IMAGENAME=`docker ps | grep "acme.sh_${subdomain}"` | |
| if [ "${IMAGENAME}" != "" ]; then | |
| echo >&2 "DOCKER Started for ${subdomain}" | |
| else | |
| echo >&2 "trying again ..." | |
| if [ $counter -lt 5]; then | |
| local resFromStartNCheck=`start_n_check_container $subdomain $counter` | |
| else | |
| echo >&2 "Cant get the container up and running" | |
| local retval=$((retval + 1)) | |
| fi | |
| fi | |
| echo >&2 "Container start and check done - #$retval" | |
| return $retval | |
| } | |
| ## ISSUE CERTIFICATES | |
| issue_certificates() | |
| { | |
| retval=0 | |
| if [ "wildcard" == "$1" ]; then | |
| local subdomain="wildcard" | |
| else | |
| local subdomain=$1 | |
| fi | |
| local resFromStartNCheck=`start_n_check_container ${subdomain} 0` | |
| retval=$((retval + $?)) | |
| if [ "$resFromStartNCheck" == "" ]; then | |
| if [ "wildcard" == "${subdomain}" ]; then | |
| echo >&2 "Start ISSUEING CERTIFICATES for *.home.${DOMAIN}" | |
| local resFromBackup=`backupAll` | |
| retval=$((retval + $?)) | |
| if [$retval -gt 0 ]; then | |
| echo >&2 "Backup failed" | |
| resContainerstop=`stop_container "wildcard"` | |
| retval=$((retval + $?)) | |
| echo >&2 "$resContainerstop" | |
| exit $retval; | |
| fi | |
| local issuingresult=`docker exec acme.sh_wildcard --issue --force --dns dns_inwx -d home.${DOMAIN} -d "*.home.${DOMAIN}"` >&2 | |
| retval=$((retval + $?)) | |
| deploy_cert | |
| retval=$((retval + $?)) | |
| if [$retval -gt 0 ]; then | |
| echo >&2 "Deployment for wildcard failed" | |
| echo >&2 $issuingresult | |
| local resContainerstop=`stop_container "wildcard"` | |
| retval=$((retval + $?)) | |
| echo >&2 "$resContainerstop" | |
| exit $retval; | |
| fi | |
| local resContainerstop=`stop_container "wildcard"` >&2 | |
| retval=$((retval + $?)) | |
| echo >&2 "$resContainerstop" | |
| else | |
| echo "Start ISSUEING CERTIFICATES for home.${DOMAIN} and ${subdomain}" | |
| local issuingresult=`docker exec acme.sh_${subdomain} --issue --force --dns dns_inwx -d "${subdomain}" -d home.${DOMAIN}` >&2 | |
| retval=$((retval + $?)) | |
| if [ "$retval" -gt "0" ]; then | |
| echo >&2 "Issuing for ${subdomain} failed" | |
| echo >&2 "$issuingresult" | |
| local resContainerstop=`stop_container "${subdomain}"` | |
| retval=$((retval + $?)) | |
| echo >&2 "$resContainerstop" | |
| exit §retval; | |
| fi | |
| local resMakePackage=`make_cert_package "${subdomain}"` | |
| local resContainerstop=`stop_container "${subdomain}"` | |
| retval=$((retval + $?)) | |
| echo >&2 "$resContainerstop" | |
| fi | |
| echo >&2 "---DONE---" | |
| else | |
| echo >&2 "Exiting now for ${subdomain}" | |
| local resContainerstop=`stop_container "${subdomain}"` | |
| echo >&2 "$resContainerstop" | |
| retval=$((retval + $?)) | |
| exit $retval; | |
| fi | |
| return $retval | |
| } | |
| issue_certificates "wildcard" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment