@xueshanf
Last active May 11, 2017 21:03
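#!/bin/bash
# Verify that an RSA private key and a server certificate belong together,
# build a combined PEM bundle for haproxy, and upload the bundle to S3.
#
# Usage:  ./<script> <fqdn>
# Reads:  <fqdn>.key and <fqdn>.crt
# Writes: <shortname>.pem (certificate followed by private key), then copies
#         it to ${CERT_BUCKET}/<shortname>.pem
# Env:    AWS_PROFILE - aws cli profile to use
#         CERT_BUCKET - destination in the form s3://bucket[/prefix]
#
# The bundle contains the private key. It is created owner-only locally, but
# nothing in this script enforces access control or encryption at rest on the
# destination bucket.
# NOTE(review): confirm the bucket is private and has default encryption.

# A failing stage in a pipeline (openssl, cat) must not be masked by the
# stage that follows it.
set -o pipefail

AWS_PROFILE=${AWS_PROFILE:-NODEFAULT}
CERT_BUCKET=${CERT_BUCKET:-DODEFAULT}
fqdn=$1
shortname=${fqdn/.example.com/}

# Print each argument on its own line to stderr and abort.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Error checking
[ -n "$fqdn" ] || die "Usage: ./$(basename -- "$0") <fqdn>"

if ! aws --profile "${AWS_PROFILE}" sts get-caller-identity > /dev/null; then
  die "Cannot verify ${AWS_PROFILE}. Use export AWS_PROFILE=<myprofile> to set default."
fi

# Remove a trailing slash in the bucket name, if any.
my_bucket=${CERT_BUCKET%/}

# The upload below needs an s3:// URI as its destination; reject anything
# else up front instead of failing after the bundle has been written.
case "$my_bucket" in
  s3://?*) ;;
  *) die "Cannot verify ${my_bucket}." "use export CERT_BUCKET=s3://... to set default." ;;
esac
if ! aws --profile "${AWS_PROFILE}" s3 ls "${my_bucket}/" > /dev/null; then
  die "Cannot verify ${my_bucket}." "use export CERT_BUCKET=s3://... to set default."
fi

echo "Checking key file $fqdn.key"
[ -f "$fqdn.key" ] || die "$fqdn.key doesn't exist."
# Check openssl's exit status: if it fails on both files, two empty outputs
# hash to the same md5 and a broken pair would pass the comparison below.
if ! keymod=$(openssl rsa -noout -modulus -in "$fqdn.key") || [ -z "$keymod" ]; then
  die "Cannot read an RSA modulus from $fqdn.key."
fi
keymd5=$(printf '%s\n' "$keymod" | openssl md5)
echo "md5 = $keymd5"

echo "Checking server cert $fqdn.crt"
[ -f "$fqdn.crt" ] || die "$fqdn.crt doesn't exist."
if ! certmod=$(openssl x509 -noout -modulus -in "$fqdn.crt") || [ -z "$certmod" ]; then
  die "Cannot read a modulus from $fqdn.crt."
fi
certmd5=$(printf '%s\n' "$certmod" | openssl md5)
echo "md5 = $certmd5"

# Compare the moduli themselves; the md5 values above are only a short
# fingerprint for the operator to read.
if [ "$keymod" != "$certmod" ]; then
  die "Certificate and private key doesn't match."
fi

# The bundle holds the private key: create it readable by the owner only,
# and tighten the mode in case a file of that name already existed.
umask 077
if ! {
  cat -- "$fqdn.crt" && echo "" &&
    cat -- "$fqdn.key" && echo ""
} | tr '\r' '\n' > "$shortname.pem"; then
  die "Failed to write $shortname.pem."
fi
chmod 600 "$shortname.pem" || die "Cannot restrict permissions on $shortname.pem."
echo "$shortname.pem is saved. "

echo "uploading to s3."
# Stop on a failed upload so the listing below cannot hide it behind a
# zero exit status.
aws --profile "${AWS_PROFILE}" s3 cp "$shortname.pem" "${my_bucket}/$shortname.pem" \
  || die "Upload of $shortname.pem to ${my_bucket} failed."
aws --profile "${AWS_PROFILE}" s3 ls "${my_bucket}/"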