add admin option and domain IP check

This commit is contained in:
VirtuBox 2018-09-27 16:15:56 +02:00
parent 7cc5c1cd3a
commit 4ab3361276
1 changed files with 138 additions and 81 deletions

View File

@ -1,4 +1,14 @@
#!/bin/bash
#
# ee-acme-sh Bash script
# Bash script to install Let's Encrypt SSL certificates automatically using acme.sh with EasyEngine
#
# Version 2.1 - 2018-09-27
# Published & maintained by VirtuBox - https://virtubox.net
#
# Sources :
# https://github.com/VirtuBox/ee-acme-sh
#
# install acme.sh if needed
echo ""
@ -8,7 +18,20 @@ if [ ! -f ~/.acme.sh/acme.sh ]; then
echo ""
echo "installing acme.sh"
echo ""
wget -O - https://get.acme.sh | sh
wget -O - https://get.acme.sh | sh
fi
echo ""
echo "checking if dig is available"
echo ""
if [ ! -x /usr/bin/dig ]; then
apt-get install bind9-host -y >>/dev/null
fi
echo ""
echo "checking if curl is available"
echo ""
if [ ! -x /usr/bin/curl ]; then
apt-get install curl -y >>/dev/null
fi
_help() {
@ -23,6 +46,7 @@ _help() {
echo " --cf ..... acme challenge in dns mode with Cloudflare"
echo " Options:"
echo " --cert-only ... do not change nginx configuration, only display it"
echo " --admin ... secure easyengine backend with the certificate"
echo " -h, --help, help ... displays this help information"
echo "Examples:"
echo ""
@ -38,6 +62,9 @@ _help() {
echo "domain.tld + www.domain.tld in standalone mode without editing Nginx configuration :"
echo " ee-acme -d domain.tld --standalone --cert-only"
echo ""
echo "sub.domain.tld in standalone mode to secure easyengine backend on port 22222 :"
echo " ee-acme -s sub.domain.tld --standalone --admin"
echo ""
return 0
}
@ -51,44 +78,48 @@ fi
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
-d | --domain)
domain_name=$2
domain_type=domain
shift
-d | --domain)
domain_name=$2
domain_type=domain
shift
;;
-s | --subdomain)
domain_name=$2
domain_type=subdomain
shift
-s | --subdomain)
domain_name=$2
domain_type=subdomain
shift
;;
-w | --wildcard)
domain_name=$2
domain_type=wildcard
shift
-w | --wildcard)
domain_name=$2
domain_type=wildcard
shift
;;
--cf)
acme_validation=cloudflare
shift
--cf)
acme_validation=cloudflare
shift
;;
--standalone)
acme_validation=standalone
shift
--standalone)
acme_validation=standalone
shift
;;
--cert-only)
cert_only=1
shift
--cert-only)
cert_only=1
shift
;;
-h | --help | help)
_help
exit 1
--admin)
easyengine_backend=1
shift
;;
*) # positional args
-h | --help | help)
_help
exit 1
;;
*) # positional args
;;
esac
shift
done
if [ -z "$domain_name" ]; then
if [ -z "${domain_name}" ]; then
echo ""
echo "What is your domain ?: "
read -r domain_name
@ -108,18 +139,18 @@ if [ -z "$acme_validation" ]; then
fi
if [ "$acme_choice" = "1" ]; then
acme_validation=standalone
elif [ "$acme_choice" = "2" ]; then
elif [ "$acme_choice" = "2" ]; then
acme_validation=cloudflare
fi
if [ ! -f /etc/nginx/sites-available/$domain_name ]; then
if [ ! -f /etc/nginx/sites-available/${domain_name} ] && [ "$cert_only" = "0" ] && [ -z "$easyengine_backend" ]; then
echo "Error: non existant domain"
exit 1
fi
CF_ACME_ACCOUNT_CHECK=$(grep "CF" .acme.sh/account.conf)
if [[ $acme_validation = "cloudflare" && -z "$CF_ACME_ACCOUNT_CHECK" ]]; then
if [ $acme_validation = "cloudflare" ] && [ -z "$CF_ACME_ACCOUNT_CHECK" ]; then
echo ""
echo "What is your Cloudflare email address ? :"
echo ""
@ -127,106 +158,119 @@ if [[ $acme_validation = "cloudflare" && -z "$CF_ACME_ACCOUNT_CHECK" ]]; then
echo "What is your Cloudflare API Key ? You API Key is available on https://www.cloudflare.com/a/profile"
read -r cf_api_key
echo "SAVED_CF_Key='$cf_api_key'" >> .acme.sh/account.conf
echo "SAVED_CF_Email='$cf_email'" >> .acme.sh/account.conf
echo "SAVED_CF_Key='$cf_api_key'" >>.acme.sh/account.conf
echo "SAVED_CF_Email='$cf_email'" >>.acme.sh/account.conf
fi
if [ ! -d $HOME/.acme.sh/${domain_name}_ecc ]; then
SERVER_PUBLIC_IP=$(curl -s http://v4.vtbox.net)
DOMAIN_IP=$(dig +short @8.8.8.8 $domain_name)
if [ ! -d $HOME/.acme.sh/${domain_name}_ecc ] && [ ! -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ]; then
if [ $acme_validation = "cloudflare" ]; then
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "wildcard" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d "*.$domain_name" --keylength ec-384 --dns dns_cf --dnssleep 60
$HOME/.acme.sh/acme.sh --issue -d ${domain_name} -d www.${domain_name} --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d ${domain_name} --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "wildcard" ]; then
$HOME/.acme.sh/acme.sh --issue -d ${domain_name} -d "*.${domain_name}" --keylength ec-384 --dns dns_cf --dnssleep 60
fi
elif [ $acme_validation = "standalone" ]; then
elif [ $acme_validation = "standalone" ]; then
sudo apt-get install socat -y
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
if [ "$SERVER_PUBLIC_IP" = "$DOMAIN_IP" ]; then
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d ${domain_name} -d www.${domain_name} --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
$HOME/.acme.sh/acme.sh --issue -d ${domain_name} --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "wildcard" ]; then
echo "standalone mode do not support wildcard certificates"
echo "standalone mode do not support wildcard certificates"
exit 1
fi
else
echo "domain do not resolve server public IP"
exit 1
fi
fi
else
echo "certificate already exist !"
echo "certificate already exit"
exit 1
fi
# check if folder already exist
if [ -d /etc/letsencrypt/live/$domain_name ]; then
sudo rm -rf /etc/letsencrypt/live/$domain_name/*
if [ -d /etc/letsencrypt/live/${domain_name} ]; then
sudo rm -rf /etc/letsencrypt/live/${domain_name}/*
else
# create folder to store certificate
sudo mkdir -p /etc/letsencrypt/live/$domain_name
sudo mkdir -p /etc/letsencrypt/live/${domain_name}
fi
# install the cert and reload nginx
if [ -f $HOME/.acme.sh/${domain_name}_ecc/fullchain.cer ]; then
$HOME/.acme.sh/acme.sh --install-cert -d ${domain_name} --ecc \
--cert-file /etc/letsencrypt/live/${domain_name}/cert.pem \
--key-file /etc/letsencrypt/live/${domain_name}/key.pem \
--fullchain-file /etc/letsencrypt/live/${domain_name}/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
--cert-file /etc/letsencrypt/live/${domain_name}/cert.pem \
--key-file /etc/letsencrypt/live/${domain_name}/key.pem \
--fullchain-file /etc/letsencrypt/live/${domain_name}/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
else
echo "acme.sh failed to issue certificate"
exit 1
fi
if [ ! -d /var/www/${domain_name}/conf/nginx ]; then
if [ ! -d /var/www/${domain_name}/conf/nginx ] && [ -z "$easyengine_backend" ]; then
cert_only=1
fi
if [ "$cert_only" = "0" ]; then
if [ "$cert_only" = "0" ] && [ -z "$easyengine_backend" ]; then
if [ -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${domain_name}/key.pem ]; then
# add certificate to the nginx vhost configuration
CURRENT=$(nginx -v 2>&1 | awk -F "/" '{print $2}' | grep 1.15)
if [ -z "$CURRENT" ]; then
cat <<EOF >/var/www/$domain_name/conf/nginx/ssl.conf
cat <<EOF >/var/www/${domain_name}/conf/nginx/ssl.conf
# SSL configuration added by ee-acme-sh
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;
ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain_name}/key.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${domain_name}/cert.pem;
EOF
else
cat <<EOF >/var/www/$domain_name/conf/nginx/ssl.conf
cat <<EOF >/var/www/${domain_name}/conf/nginx/ssl.conf
# SSL configuration added by ee-acme-sh
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;
ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain_name}/key.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${domain_name}/cert.pem;
EOF
fi
# add redirection from http to https
if [ $domain_type = "domain" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-$domain_name.conf
cat <<EOF >/etc/nginx/conf.d/force-ssl-${domain_name}.conf
server {
# SSL redirection added by ee-acme-sh
listen 80;
listen [::]:80;
server_name $domain_name www.$domain_name;
return 301 https://$domain_name\$request_uri;
server_name ${domain_name} www.${domain_name};
return 301 https://${domain_name}\$request_uri;
}
EOF
elif [ $domain_type = "subdomain" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-$domain_name.conf
elif [ $domain_type = "subdomain" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-${domain_name}.conf
server {
# SSL redirection added by ee-acme-sh
listen 80;
listen [::]:80;
server_name $domain_name;
return 301 https://$domain_name\$request_uri;
server_name ${domain_name};
return 301 https://${domain_name}\$request_uri;
}
EOF
elif [ $domain_type = "wildcard" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-$domain_name.conf
elif [ $domain_type = "wildcard" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-${domain_name}.conf
server {
# SSL redirection added by ee-acme-sh
listen 80;
listen [::]:80;
server_name $domain_name *.$domain_name;
server_name ${domain_name} *.${domain_name};
return 301 https://\$host\$request_uri;
}
@ -247,6 +291,23 @@ EOF
echo "Nginx configuration is not correct"
echo "####################################"
fi
elif [ "$easyengine_backend" = "1" ]; then
if [ -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${domain_name}/key.pem ]; then
sed -i "s/ssl_certificate \/var\/www\/22222\/cert\/22222.crt;/ssl_certificate \/etc\/letsencrypt\/live\/${domain_name}\/fullchain.pem;/" /etc/nginx/sites-available/22222
sed -i "s/ssl_certificate_key \/var\/www\/22222\/cert\/22222.key;/ssl_certificate_key \/etc\/letsencrypt\/live\/${domain_name}\/key.pem;/" /etc/nginx/sites-available/22222
fi
VERIFY_NGINX_CONFIG=$(nginx -t 2>&1 | grep failed)
if [ -z "$VERIFY_NGINX_CONFIG" ]; then
echo "####################################"
echo "Reloading Nginx"
echo "####################################"
sudo service nginx reload
else
echo "####################################"
echo "Nginx configuration is not correct"
echo "####################################"
fi
else
if [ -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${domain_name}/key.pem ]; then
# add certificate to the nginx vhost configuration
@ -257,18 +318,18 @@ else
echo " listen 443 ssl http2;"
echo " listen [::]:443 ssl http2;"
echo " ssl on;"
echo " ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;"
echo " ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/${domain_name}/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/${domain_name}/cert.pem;"
echo ""
else
echo "###### Nginx configuration"
echo ""
echo " listen 443 ssl http2;"
echo " listen [::]:443 ssl http2;"
echo " ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;"
echo " ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/${domain_name}/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/${domain_name}/cert.pem;"
echo ""
fi
@ -277,7 +338,3 @@ else
exit 1
fi
fi