2 com="$SSH_ORIGINAL_COMMAND"
3 if [[ $UID == 0 ]]; then
4 echo "Run script as non-root-user"
7 if [[ $com == "update certs" || $com == "force update certs" ]]; then
9 if [[ $com == "force update certs" ]]; then
13 # In argument 1 is the path of the certificates to update: $1.crt and $1.key
14 function update_cert {
16 if [[ -f $name.crt ]] && openssl x509 -checkend $((365*24*60*60)) -in $name.crt > /dev/null && ! $force; then
20 openssl req -newkey rsa:4096 -subj "/CN=will-be-ignored" -nodes -out $folder/web.req -keyout $folder/web.key 2>/dev/null
23 if [[ $response == "SUCCESS" ]]; then
24 # read certificate count
26 printf '' > $folder/web.crt
27 for ((i=0;i<len;i++)); do
28 # read one certificate
29 openssl x509 -out $folder/web1.crt
30 cat $folder/web1.crt >> $folder/web.crt
33 crt=$(openssl x509 -in $folder/web.crt -noout -modulus)
34 key=$(openssl rsa -in $folder/web.key -noout -modulus)
35 if [[ $crt == $key ]]; then
37 cp $folder/web.crt $name.crt
38 chmod +r $folder/web.key
39 cp $folder/web.key $name.key
44 printf "%s\n" "$response"
48 update_cert "modules/quiz/files/web"
49 update_cert "modules/quiz/files/client"
50 update_cert "modules/gigi/files/gigi"
51 update_cert "modules/gigi/files/client"
52 update_cert "modules/gitweb/files/web"
53 update_cert "modules/motion/files/motion"
55 [[ -f $folder/web.crt ]] && rm $folder/web.crt
56 [[ -f $folder/web.req ]] && rm $folder/web.req
57 [[ -f $folder/web.key ]] && rm $folder/web.key
59 elif [[ $com == "reload certs" ]]; then
60 sudo puppet apply /etc/puppet/code/environments/production/manifests --verbose
61 sudo lxc-attach -n front-nginx -- puppet agent --verbose --onetime --no-daemonize
62 sudo lxc-attach -n quiz -- puppet agent --verbose --onetime --no-daemonize
63 sudo lxc-attach -n gigi -- puppet agent --verbose --onetime --no-daemonize
64 elif [[ $com == "update crls" ]]; then
65 if ! tar xv -C /data/crl; then
70 mkdir -p /data/crl/htdocs/g2
71 for i in /data/crl/*.crl; do
72 if ! [[ -h /data/crl/htdocs/g2/${i#/data/crl/} ]]; then
73 ln -vs /data-crl/${i#/data/crl/} /data/crl/htdocs/g2/${i#/data/crl/}
77 for i in /data/gigi-crl/*/ca.crl; do
78 j=$(echo $i | sed "s#^/data/gigi-crl/\([a-zA-Z]*\)_\([0-9]*\)_\([0-9]\)/ca.crl#\2/\1-\3.crl#")
79 mkdir -p /data/crl/htdocs/g2/$(dirname $j)
80 if ! [[ -h /data/crl/htdocs/g2/$j ]]; then
81 ln -vs /data-crl-gigi/${i#/data/gigi-crl/} /data/crl/htdocs/g2/$j
85 mkdir -p /data/crl/crt-htdocs/g2
86 for i in modules/nre/files/config/ca/*; do
87 [[ $i == *_* ]] && continue
88 if ! [[ -f /data/crl/crt-htdocs/g2/$(basename $i) ]]; then
89 cp -v $i /data/crl/crt-htdocs/g2/$(basename $i)
92 for i in /data/gigi-crl/*/ca.crt; do
93 j=$(echo $i | sed "s#^/data/gigi-crl/\([a-zA-Z]*\)_\([0-9]*\)_\([0-9]\)/ca.crt#\2/\1-\3.crt#")
94 mkdir -p /data/crl/crt-htdocs/g2/$(dirname $j)
95 if ! [[ -h /data/crl/crt-htdocs/g2/$j ]]; then
96 ln -vs /data-crl-gigi/${i#/data/gigi-crl/} /data/crl/crt-htdocs/g2/$j