#!/bin/bash
####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/bash/ss-encrypt-openssl.txt #############################
#### path: /var/www/ss-encrypt-openssl #############################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Regenerates free self-signed OpenSSL certificate for use by Nginx (idempotent) #######
#### module version: OpenSSL 1.1.1x ################################################################
#### sourced by: ss-install-nginx-config ###########################################################
#### bash aliases: ss encrypt openssl, ss generate openssl #########################################
####################################################################################################
## SS-ENCRYPT PERFORMS BASIC NGINX CONFIG MODIFICATION REGARDLESS OF SS-INSTALL-NGINX ##
## IT WILL ALSO ATTEMPT TO REVERT TO OPENSSL IF LETS ENCRYPT CERTS ARE MISSING ##
## source ss-config ##
source /var/www/ss-config
## source ss-functions ##
source /var/www/ss-functions
## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS
####################################################################################################
#### TABLE OF CONTENTS (SS-Encrypt-OpenSSL) ########################################################
####################################################################################################
## A. Touch Timestamp File
## B. Message (Begin Script)
## C. Hide Bug In OpenSSL 1.1.1x
## D. Regenerate OpenSSL Certificate
## E. Validate OpenSSL Certificate
## F. Reset Permissions (Nginx SSL)
## G. Restart Modules (Nginx)
####################################################################################################
#### A. SS-Encrypt-OpenSSL: Touch Timestamp File ###################################################
####################################################################################################
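## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##

## script timestamp ##
## guard the expansion: an unset/empty TIMESTAMP_SS_ENCRYPT_OPENSSL would make touch fail on "" ##
## with an opaque "No such file or directory", so name the real cause (ss-config) instead ##
if [[ -n "${TIMESTAMP_SS_ENCRYPT_OPENSSL}" ]]; then
    touch "${TIMESTAMP_SS_ENCRYPT_OPENSSL}"
else
    echo "ss-encrypt-openssl: TIMESTAMP_SS_ENCRYPT_OPENSSL is not set (check ss-config), skipping timestamp" >&2
fi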
####################################################################################################
#### B. SS-Encrypt-OpenSSL: Message (Begin Script) #################################################
####################################################################################################
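## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be noticed by sudo users who manually call ss core bash scripts ##

## echo message ##
## PURPLE/NOCOLOR are expected to come from ss-config/ss-functions sourced above ##
echo -e "${PURPLE}Running ss-encrypt-openssl: Regenerates free self-signed OpenSSL certificate for use by Nginx (idempotent)... ${NOCOLOR}"

## pause so the message is readable; default to no pause when SLEEP_MESSAGE_BEGIN is unset/empty ##
## (a bare `sleep ""` fails with "invalid time interval" and prints a confusing error) ##
sleep "${SLEEP_MESSAGE_BEGIN:-0}"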
####################################################################################################
#### C. SS-Encrypt-OpenSSL: Hide Bug In OpenSSL 1.1.1x #############################################
####################################################################################################
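## hide error message (workaround) ##
## pre-creates ~/.rnd for the users who may run openssl, which silences the OpenSSL 1.1.1x ##
## message this section's header refers to ##
## guard against empty variables: an unset SUDO_USER (e.g. when not invoked via sudo) would ##
## expand to /home//.rnd and create a stray /home/.rnd owned by root; SFTP_USER presumably ##
## comes from ss-config, so it is checked the same way ##
for ss_rnd_user in "${SUDO_USER}" "${SFTP_USER}"; do
    if [[ -n "${ss_rnd_user}" && -d "/home/${ss_rnd_user}" ]]; then
        touch "/home/${ss_rnd_user}/.rnd"
    fi
done
unset ss_rnd_user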
####################################################################################################
#### D. SS-Encrypt-OpenSSL: Regenerate OpenSSL Certificate #########################################
####################################################################################################
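## this will generate a new self-signed OpenSSL certificate every single time it runs ##
## there are no rate-limits and it pairs perfectly with CloudFlare SSL proxy ##

## make dirs ##
## -p keeps this section idempotent: a plain mkdir errors on every run after the first ##
mkdir -p /var/www/certs/keys

## delete previous files ##
## -f so a missing file on the first run is not reported as an error ##
## NOTE(review): the openssl call below writes to fixed paths under /var/www/certs; ss-config's ##
## PATH_OPENSSL_CERTIFICATE / PATH_OPENSSL_KEY are assumed to point at those same files — confirm ##
rm -f "${PATH_OPENSSL_CERTIFICATE}" "${PATH_OPENSSL_KEY}"

## choose the subjectAltName list from the WordPress site layout ##
## single-site and subdirectory-multisite get the same names (bare, www, staging, dev, IPv4); ##
## subdomain-multisite gets the bare domain plus a wildcard ##
ss_openssl_san_single="DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}"
ss_openssl_san_wildcard="DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:*.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}"

case "${WP_MULTISITE}" in
    false)
        ss_openssl_san="${ss_openssl_san_single}"
        ;;
    true)
        ## any value other than the literal "false" is treated as subdomain multisite ##
        if [[ "${WP_MULTISITE_SUBDOMAINS}" != "false" ]]; then
            ss_openssl_san="${ss_openssl_san_wildcard}"
        else
            ss_openssl_san="${ss_openssl_san_single}"
        fi
        ;;
    *)
        ## previously an unset/garbled WP_MULTISITE generated no certificate at all, leaving Nginx ##
        ## to restart against a missing key; fall back to the single-site names and say so ##
        echo "ss-encrypt-openssl: WP_MULTISITE is '${WP_MULTISITE}' (expected true/false), generating a single-site certificate" >&2
        ss_openssl_san="${ss_openssl_san_single}"
        ;;
esac

## generate self-signed certificate (valid 10 years) ##
## -addext needs OpenSSL 1.1.1 or newer (the module version named in the header) ##
## NOTE(review): key/cert permissions are reset by ss-perms-nginx-ssl, which this script sources ##
## right after validation; if that step is ever removed, run this under a restrictive umask ##
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt \
    -subj "/CN=${SITE_DOMAIN}" \
    -addext "subjectAltName=${ss_openssl_san}"

## this file is sourced by other ss scripts, so do not leave helper variables behind ##
unset ss_openssl_san ss_openssl_san_single ss_openssl_san_wildcard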
####################################################################################################
#### E. SS-Encrypt-OpenSSL: Validate OpenSSL Certificate ###########################################
####################################################################################################
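## validate openssl cert ##
## dumps the certificate text so an operator can eyeball CN, SAN and validity, and warns ##
## loudly when the file cannot be parsed (the generate step above may have failed) ##
## no `exit` here on purpose: this script is sourced by ss-install-nginx-config, so an exit ##
## would terminate the caller instead of just this step ##
if ! openssl x509 -noout -text -in "${PATH_OPENSSL_CERTIFICATE}"; then
    echo "ss-encrypt-openssl: no valid certificate at '${PATH_OPENSSL_CERTIFICATE}', Nginx may fail to start" >&2
fi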
####################################################################################################
#### F. SS-Encrypt-OpenSSL: Reset Permissions (Nginx SSL) ##########################################
####################################################################################################
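## run ss-perms-nginx-ssl ##
## this is what tightens the permissions on the freshly written key and certificate, so a ##
## missing script is worth a clear warning rather than bash's bare "No such file" ##
if [[ -f "${PATH_SS_PERMS_NGINX_SSL}" ]]; then
    source "${PATH_SS_PERMS_NGINX_SSL}"
else
    echo "ss-encrypt-openssl: PATH_SS_PERMS_NGINX_SSL is unset or missing ('${PATH_SS_PERMS_NGINX_SSL}'), key/cert permissions were NOT reset" >&2
fi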
####################################################################################################
#### G. SS-Encrypt-OpenSSL: Restart Modules (Nginx) ################################################
####################################################################################################
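## run ss-restart-nginx ##
## reload Nginx so it picks up the regenerated certificate; warn clearly if the helper is missing ##
if [[ -f "${PATH_SS_RESTART_NGINX}" ]]; then
    source "${PATH_SS_RESTART_NGINX}"
else
    echo "ss-encrypt-openssl: PATH_SS_RESTART_NGINX is unset or missing ('${PATH_SS_RESTART_NGINX}'), Nginx was not restarted" >&2
fi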
####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################
## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299
## Ref: https://matthewlehner.net/lets-encrypt-with-nginx
## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851
## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2
## Ref: https://community.letsencrypt.org/t/certificate-path/24227
## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html
## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693
## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash
## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable
## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script
## Ref: https://github.com/certbot/certbot/issues/3039
## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string
## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard
## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/
## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168
## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https
## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd
## Ref: https://letsencrypt.org/docs/challenge-types/
## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346
## Ref: https://weakdh.org/sysadmin.html
## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters
## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS
## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue
## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed
## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue
## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line
## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2
## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568
## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/
## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo
## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041
## Ref: https://letsencrypt.org/docs/rate-limits/
## Ref: https://github.com/certbot/certbot/issues/2071
## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14
## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917
## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash
## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago
## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old
## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
## Ref: https://www.getpagespeed.com/server-setup/ssl-directory
## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key
## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu
## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542
## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409
## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt
## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables
## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem
## Ref: https://security.stackexchange.com/questions/175786/is-it-required-to-have-the-same-domain-name-and-common-name-for-ssl-certificate
## Ref: https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/
## Ref: https://serverfault.com/questions/886943/ssl-for-multiple-servers-and-sub-domains
## Ref: https://support.citrix.com/article/CTX135602_
## Ref: https://support.citrix.com/article/CTX227983
## Ref: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
## Ref: https://stackoverflow.com/questions/37035300/how-to-determine-the-default-location-for-openssl-cnf
## Ref: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/41366949#41366949
## Ref: https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/
## Ref: https://www.redhat.com/sysadmin/6-openssl-commands
## Ref: https://geekflare.com/openssl-commands-certificates/
## Ref: https://stackoverflow.com/questions/1822268/how-do-i-create-my-own-wildcard-certificate-on-linux/1822279
## SS_EOF