#!/usr/bin/env bash
#
# LEDIR contains the following dirs and files:
# certs/ dir for successfully created csr, key and crt files
# certs-test/ dir used when testing
# user.pub user account public key
# user.key optional user account private key for automatic signing
# Base directory for everything this script reads and writes (layout above).
: ${LEDIR:=~/letsencrypt}
# Contact e-mail handed to sign_csr.py; "default" means
# webmaster@<shortest of the given domain names>.
: "${EMAIL:=default}"
# Account key pair. The public half is required; the private half is optional —
# when it is missing or unreadable you are prompted to run the openssl
# commands by hand instead of signing automatically.
: "${ACCOUNT_PUB:=$LEDIR/user.pub}"
: "${ACCOUNT_KEY:=$LEDIR/user.key}"
# Output directory. TESTING=1 switches to the "-test" variant so test
# artefacts never mix with real keys and certificates.
: "${CERTSDIR:=$LEDIR/certs${TESTING:+-test}}"
# Optional directory of per-domain symlinks to the vhosts' DocRoots. The idea
# is that sign_csr writes challenge data to $WEBROOTS/$DOMAIN/challenge-uri so
# the CA can verify the request unattended (symlinks and permissions are yours
# to set up).
: "${WEBROOTS:=$LEDIR/webroots}"
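usage() {
  # Print usage on stdout and exit 0 (this is the help text, not an error).
  # The script name is taken from $0 so the text stays correct after a rename
  # (the previous hard-coded name did not match this file).
  local me="${0##*/}"
  cat << EOF
Usage:
$me main.domain [some extra domains...]
TESTING=1 $me some.testing
$me domain.name
$me domain.name another.domain.name and.another.one
EOF
  exit 0
}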
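custom_ssl_config() { # list of domains
  # Emit an openssl config on stdout: the system default config followed by a
  # [letsencryptSAN] section that lists every argument as a DNS SAN.
  # Arguments end up verbatim in that config, so anything that is not a
  # hostname character (a newline or '[' could inject config directives) is
  # rejected. Expansions are quoted so a wildcard such as '*.example.com' is
  # never globbed against the current directory and names are never word-split.
  local dom
  for dom in "$@"; do
    case "$dom" in
      ''|*[!A-Za-z0-9.*-]*)
        printf 'custom_ssl_config: invalid domain name: %s\n' "$dom" >&2
        return 1 ;;
    esac
  done
  local first="$1"
  shift
  cat /etc/ssl/openssl.cnf
  printf '[letsencryptSAN]\n'
  printf 'subjectAltName=DNS:%s' "$first"
  for dom in "$@"; do
    printf ',DNS:%s' "$dom"
  done
  # terminate the last config line
  printf '\n'
}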
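gencsr() { # list of domains
  # Create $TMP/<first domain>.key (4096-bit RSA) and a CSR at
  # $TMP/<first domain>.csr whose SAN list holds every argument
  # (the [letsencryptSAN] section comes from custom_ssl_config).
  local base="$TMP/$1"
  # Generate the key under a private umask so the file is 0600 from the moment
  # it is created, rather than inheriting the caller's (often 022) umask.
  # genrsa's progress noise on stderr is discarded; a failure still aborts the
  # script because main runs under set -e.
  (umask 077 && openssl genrsa 4096 > "$base.key" 2>/dev/null)
  openssl req -new -sha256 -key "$base.key" -subj "/" \
    -reqexts letsencryptSAN \
    -config <(custom_ssl_config "$@") > "$base.csr"
}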
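sign() { # csr name
  # Run sign_csr.py on the CSR $1 and write the certificate next to it with a
  # .crt extension. ACCOUNT_KEY, WEBROOTS and TESTING are only forwarded when
  # non-empty (main unsets the first two when the path does not exist).
  local csr="$1"
  # Look for sign_csr.py beside this script so the command works from any
  # working directory; fall back to the old behaviour (cwd) if it is not there.
  local signer
  signer="$(dirname "${BASH_SOURCE[0]}")/sign_csr.py"
  [ -f "$signer" ] || signer=sign_csr.py
  # Build the argument list as an array instead of unquoted ${var:+...}
  # expansions, so values containing spaces cannot be split.
  local -a args=(--email "$EMAIL" --public-key "$ACCOUNT_PUB")
  if [ -n "$ACCOUNT_KEY" ]; then
    args+=(--private-key "$ACCOUNT_KEY")
  fi
  if [ -n "$WEBROOTS" ]; then
    args+=(--webroots "$WEBROOTS")
  fi
  if [ -n "$TESTING" ]; then
    args+=(--testing)
  fi
  python "$signer" "${args[@]}" "$csr" > "${csr%.csr}.crt"
}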
info() { # cert file
  # Print the human-readable parts of certificate $1 (subject, issuer,
  # validity, extensions such as the SAN list), omitting the public-key dump,
  # the signature dump, the version line and any auxiliary trust data.
  local crt="$1"
  openssl x509 -noout -text \
    -certopt no_pubkey,no_sigdump,no_aux,no_version \
    -in "$crt"
}
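main() {
  set -e # exit if anything below fails
  [ -z "$1" ] && usage
  # Every argument is used both as a DNS SAN inside a generated openssl config
  # and as a path component under $TMP and $CERTSDIR, so accept only plain
  # hostnames: dot-separated labels of letters, digits and inner hyphens.
  # This rules out '/', '..', whitespace and config metacharacters.
  local label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
  local dom
  for dom in "$@"; do
    if ! [[ "$dom" =~ ^$label(\.$label)+$ ]]; then
      printf '%s: invalid domain name: %s\n' "${0##*/}" "$dom" >&2
      exit 1
    fi
  done
  # Optional inputs: drop them when the path does not exist so sign() does
  # not pass a dangling path to sign_csr.py.
  [ -f "$ACCOUNT_KEY" ] || unset ACCOUNT_KEY
  [ -d "$WEBROOTS" ] || unset WEBROOTS
  TMP=$(mktemp -d)
  # Expand $TMP at exit time; ":?" refuses to run rm -rf on an empty path.
  trap 'rm -rf -- "${TMP:?}"' EXIT
  mkdir -p -- "$CERTSDIR/"
  gencsr "$@"
  sign "$TMP/$1.csr"
  # key, csr and crt all share the first domain as their basename
  mv -f -- "$TMP/$1".* "$CERTSDIR/"
  info "$CERTSDIR/$1.crt"
}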
# Entry point: all work happens inside main(), which enables set -e for itself.
main "${@}"