# Forced-command dispatcher: sshd puts the command the client asked for into
# SSH_ORIGINAL_COMMAND, and everything below compares it against a fixed set
# of whole strings, so a key bound to this script cannot run anything else.
# NOTE(review): this listing has gaps (original lines 5-6, 8, 10-12, 15,
# 17-19, 21-22, 25, 31-32, 36, 40-43, 45-47, 53, 57, 65-68, 73-75, 81-83 and
# 89-90 are not shown), so the closing fi/done/} and the assignments of
# force, name, folder, len and response are assumed here, not seen.
2 com="$SSH_ORIGINAL_COMMAND"
# Refuse to run as root; the exit after this message is on a line not shown.
3 if [[ $UID == 0 ]]; then
4 echo "Run script as non-root-user"
# Exact whole-string matches only. "update certs" leaves certs alone while
# they are still good for a year; "force update certs" renews regardless.
7 if [[ $com == "update certs" || $com == "force update certs" ]]; then
# presumably sets force=true here (with force=false on the missing line 8)
9 if [[ $com == "force update certs" ]]; then
13 # In argument 1 is the path of the certificates to update: $1.crt and $1.key
# Generates a fresh 4096-bit RSA key and CSR in $folder, hands the CSR to the
# caller, reads a certificate chain back on stdin and installs it only if the
# leaf certificate matches the new key. $folder is set on a line not shown.
14 function update_cert {
# Skip when a cert exists and stays valid for 365 days, unless forced.
# `! $force` executes the value of $force as a command, so it has to be the
# literal word true or false.
16 if [[ -f $name.crt ]] && openssl x509 -checkend $((365*24*60*60)) -in $name.crt > /dev/null && ! $force; then
# -nodes writes the private key unencrypted to $folder/web.key under the
# current umask. stderr is discarded and the exit status is not checked, so
# a failed keygen is only noticed later, by the modulus comparison.
20 openssl req -newkey rsa:4096 -subj "/CN=will-be-ignored" -nodes -out $folder/web.req -keyout $folder/web.key 2>/dev/null
# $response comes from the caller (lines 21-22 not shown); anything other
# than the literal SUCCESS is printed back to the caller on line 44 below.
23 if [[ $response == "SUCCESS" ]]; then
24 # read certificate count
# NOTE(review): len is caller-supplied (the read on line 25 is not shown)
# and goes unvalidated into the arithmetic loop below. bash arithmetic on an
# untrusted string expands it (an array subscript can run a command
# substitution), so len should be checked against ^[0-9]+$ and capped first.
26 printf '' > $folder/web.crt
27 for ((i=0;i<len;i++)); do
28 # read one certificate
# No -in: openssl x509 reads one PEM block from stdin. Its exit status is not
# checked, so on short or malformed input the cat below appends whatever
# web1.crt still holds from the previous iteration.
29 openssl x509 -out $folder/web1.crt
30 cat $folder/web1.crt >> $folder/web.crt
# Pairing check only: the first certificate in the bundle must match the key
# generated above. Nothing here validates the chain or checks that the issuer
# is the expected CA; that trust rests on who holds the authorised SSH key.
# NOTE(review): if both openssl calls fail (empty web.crt, missing web.key)
# both variables are empty, "" == "" succeeds and the empty web.crt is copied
# over $name.crt; guard with [[ -n $crt ]] before comparing.
33 crt=$(openssl x509 -in $folder/web.crt -noout -modulus)
34 key=$(openssl rsa -in $folder/web.key -noout -modulus)
35 if [[ $crt == $key ]]; then
37 cp $folder/web.crt $name.crt
# NOTE(review): chmod +r with no who-letter adds read for every class the
# umask does not mask, so under a 022 umask the private key becomes
# world-readable here and the copied $name.key inherits that. u+r, or an
# explicit 0640 plus the right group, would be tighter.
38 chmod +r $folder/web.key
39 cp $folder/web.key $name.key
# Non-SUCCESS responses fall through to here and are echoed for the caller.
44 printf "%s\n" "$response"
# Fixed list of key/cert pairs, relative to the current directory (the cwd
# is established on a line not shown).
48 update_cert "modules/quiz/files/web"
49 update_cert "modules/quiz/files/client"
50 update_cert "modules/gigi/files/gigi"
51 update_cert "modules/gigi/files/client"
52 update_cert "modules/gitweb/files/web"
# Scratch files are removed only on this path; an early exit leaves the
# unencrypted web.key behind in $folder (a trap ... EXIT would cover every
# path).
54 [[ -f $folder/web.crt ]] && rm $folder/web.crt
55 [[ -f $folder/web.req ]] && rm $folder/web.req
56 [[ -f $folder/web.key ]] && rm $folder/web.key
# Fixed argv throughout; the sudoers entries that allow these are not part
# of this file.
58 elif [[ $com == "reload certs" ]]; then
59 sudo puppet apply /etc/puppet/code/environments/production/manifests --verbose
60 sudo lxc-attach -n front-nginx -- puppet agent --verbose --onetime --no-daemonize
61 sudo lxc-attach -n quiz -- puppet agent --verbose --onetime --no-daemonize
62 sudo lxc-attach -n gigi -- puppet agent --verbose --onetime --no-daemonize
63 elif [[ $com == "update crls" ]]; then
# NOTE(review): the archive comes from the caller (no -f, so tar reads its
# default archive, normally stdin) and is unpacked straight into /data/crl
# with no member-name filtering. Whatever protection there is against
# absolute paths, .. components and symlink tricks comes from the tar
# implementation's defaults; extracting into a fresh scratch directory and
# copying only *.crl into /data/crl would not depend on them.
64 if ! tar xv -C /data/crl; then
# Link every .crl into the web root. The link target is /data-crl/, not
# /data/crl/ -- presumably the path as seen by the web server; verify the
# mount. File names come from the uploaded archive and are expanded unquoted.
69 mkdir -p /data/crl/htdocs/g2
70 for i in /data/crl/*.crl; do
71 if ! [[ -h /data/crl/htdocs/g2/${i#/data/crl/} ]]; then
72 ln -vs /data-crl/${i#/data/crl/} /data/crl/htdocs/g2/${i#/data/crl/}
# Map /data/gigi-crl/NAME_NUM_D/ca.crl to NUM/NAME-D.crl. If a directory name
# does not fit that pattern sed leaves the full path unchanged and the mkdir
# below creates a data/gigi-crl/... tree under htdocs/g2.
76 for i in /data/gigi-crl/*/ca.crl; do
77 j=$(echo $i | sed "s#^/data/gigi-crl/\([a-zA-Z]*\)_\([0-9]*\)_\([0-9]\)/ca.crl#\2/\1-\3.crl#")
78 mkdir -p /data/crl/htdocs/g2/$(dirname $j)
79 if ! [[ -h /data/crl/htdocs/g2/$j ]]; then
80 ln -vs /data-crl-gigi/${i#/data/gigi-crl/} /data/crl/htdocs/g2/$j
# Publish the CA certificates: names containing an underscore are skipped,
# and an existing file is never replaced, so a renewed CA cert with the same
# name is not picked up until the old copy is removed by hand.
84 mkdir -p /data/crl/crt-htdocs/g2
85 for i in modules/nre/files/config/ca/*; do
86 [[ $i == *_* ]] && continue
87 if ! [[ -f /data/crl/crt-htdocs/g2/$(basename $i) ]]; then
88 cp -v $i /data/crl/crt-htdocs/g2/$(basename $i)
# Same NAME_NUM_D -> NUM/NAME-D mapping as for the CRLs, applied to ca.crt.
91 for i in /data/gigi-crl/*/ca.crt; do
92 j=$(echo $i | sed "s#^/data/gigi-crl/\([a-zA-Z]*\)_\([0-9]*\)_\([0-9]\)/ca.crt#\2/\1-\3.crt#")
93 mkdir -p /data/crl/crt-htdocs/g2/$(dirname $j)
94 if ! [[ -h /data/crl/crt-htdocs/g2/$j ]]; then
95 ln -vs /data-crl-gigi/${i#/data/gigi-crl/} /data/crl/crt-htdocs/g2/$j