# Normalise the target directory (drop one trailing "/") so paths built from it
# below do not end up with "//".
targetHost=${targetHost%/}
# The target's config is *executed* as shell, not parsed: whoever controls that
# directory controls this script. Treat it as operator-trusted input only.
source "$targetHost/config"
# One-time bootstrap of the operator key the hop host will accept.
if [[ ! -f admin-key ]]; then
  # Unencrypted on purpose: the key has to be usable without a prompt (the
  # issuing loop later talks to the hop through a coprocess, presumably over
  # this key). The compensating control is on the remote side, where the key
  # is only accepted with a forced command (see the authorized_keys line).
  ssh-keygen -t ed25519 -N "" -f admin-key
  printf >&2 'Warning: generated admin-key without passphrase\n'
# "install" mode: wire the generated key into the hop container, then trigger a
# puppet run (the authorized_keys file lives in a puppet module tree, so that is
# presumably how it reaches the container).
if [[ "$2" == "install" ]]; then
  # Append (not replace) a forced-command entry: the key may only run
  # /home/admin/commands and gets no forwarding ("restrict"); "pty" is added
  # back because "restrict" would otherwise disable it. Re-running install adds
  # a duplicate line rather than updating the existing one.
  ssh_target "cat >> modules/hop/files/authorized_keys <<< 'command=\"/home/admin/commands\",restrict,pty $(cat admin-key.pub)'"
  # Trust-on-first-use: whatever host key 10.0.3.1 presents right now is pinned
  # as the admin user's known_hosts inside the container, so this is only as
  # trustworthy as the container's network at install time. The redirect runs
  # as root (sudo lxc-attach), so the file is root-owned — confirm the admin
  # user can still read it.
  ssh_target -t 'sudo lxc-attach -n hop -- bash -c "ssh-keyscan -H 10.0.3.1 > /home/admin/.ssh/known_hosts"'
  # -t: give sudo a terminal in case it needs to prompt.
  ssh_target -t 'sudo lxc-attach -n hop -- puppet agent --test --verbose'
23 echo -n "cat >> modules/hop/files/authorized_keys <<< 'command=\"/home/admin/commands\",restrict,pty $(cat admin-key.pub)' && "
24 echo -n 'sudo lxc-attach -n hop -- bash -c "ssh-keyscan -H 10.0.3.1 > /home/admin/.ssh/known_hosts" && '
25 echo 'sudo lxc-attach -n hop -- puppet agent --test --verbose'
26 read -p "Keys installed? " _
30 grep csrf | ${1:-cat} | ${2:-cat} | sed "s/.*value='\([^']*\)'.*/\\1/"
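# Bootstrap the trust anchor for every later --cacert use. It can only be
# fetched over plain HTTP (the HTTPS endpoint is signed by this very root), so
# this is an unauthenticated trust-on-first-use step: a MITM here could
# intercept the client-cert login and every certificate issued below. Fail
# closed on transport/HTTP errors and write atomically, so a broken fetch never
# leaves an empty or HTML-filled root.crt for --cacert to choke on, and print
# the fingerprint so the operator can compare it against an out-of-band copy.
if [[ ! -f root.crt ]]; then
  if curl -fsS "http://www.$domain/roots?pem" -o root.crt.tmp \
     && openssl x509 -noout -in root.crt.tmp >/dev/null 2>&1; then
    mv root.crt.tmp root.crt
    printf >&2 'Fetched root.crt over plain HTTP; verify this fingerprint (first certificate) out of band:\n'
    openssl x509 -noout -fingerprint -sha256 -in root.crt >&2
  else
    rm -f root.crt.tmp
    printf >&2 'Failed to fetch a valid root certificate from http://www.%s/roots?pem\n' "$domain"
  fi
fi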
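echo "Opening Gigi connection"
# Start from a clean session; the login below recreates the jar.
rm -f "$folder/cookie-jar"
# Client-certificate login, trust pinned to the root fetched above. No key
# passphrase is passed with -E, so gigi-key.pem is presumably unencrypted and
# its file permissions are what protect the CA account. -v echoes the response
# headers — including the Set-Cookie session token — to the terminal.
curl -v --cacert root.crt -c "$folder/cookie-jar" -E gigi-key.pem "https://secure.$domain/login"
# Treat a missing jar as "no session". This relies on curl not creating the
# file when no cookie was received, which varies between curl versions —
# confirm against the version in use.
if ! [[ -f $folder/cookie-jar ]]; then
  echo "Need cookies." >&2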
# Switch the session into organisation context: read the CSRF token from the
# account page (the last token on it), then post the organisation selector.
# The organisation id (org:3, encoded as org%3A3) is hard-coded.
csrf=$(mscurl account/details | csrf "tail -n 1")
mscurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
# Fresh token for the "new certificate" form (the first csrf field on the page).
csrf=$(mscurl "account/certs/new" | csrf "head -n 1")
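# Percent-encode a whole file for an application/x-www-form-urlencoded body.
# Every byte outside the unreserved set (A-Z a-z 0-9 . _ ~ -) is escaped, so
# spaces, '/', '&', '%' and newlines can never split or corrupt the form field.
# Arguments: $1 - path of the file to encode
# Outputs:   the encoded text on stdout, without a trailing newline
urlencode_file() {
  local LC_ALL=C data out='' i ch
  # $(<file) would strip trailing newlines; the sentinel keeps them (-> %0A).
  data=$(cat -- "$1"; printf x)
  data=${data%x}
  for ((i = 0; i < ${#data}; i++)); do
    ch=${data:i:1}
    case $ch in
      [A-Za-z0-9._~-]) out+=$ch ;;
      # "'c" makes printf use the byte value of c.
      *) printf -v ch '%%%02X' "'$ch"; out+=$ch ;;
    esac
  done
  printf '%s' "$out"
}
# The CSR PEM as a single form-safe value (its newlines become %0A).
encoded=$(urlencode_file "$csr")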
# Stage the CSR on the server (first step of the form); the HTML reply is noise.
mscurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
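# Issue the certificate from the staged CSR. The server answers with a redirect
# to the new certificate; its hex serial is the last path component of the
# Location header ("[^0-9]*" swallows trailing non-digits such as the CR).
# The verbose curl trace is kept in certlog for debugging, but the session
# cookie ("> Cookie:" outgoing, "< Set-Cookie:" if refreshed) is stripped before
# it reaches disk — that token is a live login to the CA account. The POST body
# (with the csrf token) is not part of -v output.
serial=$(mscurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 \
  | grep -v -e '^> Cookie: ' -e '^< Set-Cookie: ' \
  | tee "$folder/certlog" \
  | grep "< Location: " \
  | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
echo "Certificate: $serial"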
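# An empty serial means the server did not redirect to a new certificate, i.e.
# issuance most likely failed and the form was re-rendered instead.
if [[ $serial != "" ]]; then
  # Fetch the certificate as a chain without the root (the "chain&noAnchor"
  # query); what exactly the server includes is decided server-side.
  mscurl "account/certs/$serial.crt?chain&noAnchor" > "$folder/cert.crt"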
63 if [[ "$2" == "force" ]]; then
# Ask the hop to start the certificate-update protocol. Because the key used
# for this connection (presumably admin-key) is bound to a forced command on
# the remote side, this string is an argument to /home/admin/commands, not a
# shell command line; "force" is prepended when $2 == force.
admin_ssh "${force}update certs"
# One message from the hop per iteration; EOF on the coprocess ends the loop.
read -r line <&${COPROC[0]} || break;
# Protocol from the hop: "SKIP <path>", "ISSUE <path>" followed by a PEM CSR on
# the same channel, or "DONE".
if [[ "$line" = "SKIP "* ]]; then
  echo "Skipping: $line"
elif [[ "$line" = "ISSUE "* ]]; then
  # openssl req reads the PEM CSR from the coprocess (no -in means stdin) and
  # stores it for issue0. The CSR comes from the remote host; this script uses
  # it only as the request body and picks the SAN set locally from the reported
  # path, never from the CSR. Whether the server also honours names embedded
  # in the CSR is not visible here — confirm on the Gigi side.
  openssl req -out $folder/web.req <&${COPROC[0]}
  echo "CSR received, contacting Gigi"
  # Fallback SAN set; every recognised path overrides it in the case below.
  options="profile=server-orga&CN=&SANs=quiz.$domain"
# Map the path the hop reported to a profile and SAN list. This allow-list is
# the authorisation boundary: the remote side can only obtain certificates for
# the names configured here, whatever its CSR says.
case ${line#ISSUE } in
  "modules/gigi/files/gigi")
    # Main web front; the trailing %0A leaves an empty last SAN line.
    options="profile=server-orga&CN=&SANs=www.$domain%0Asecure.$domain%0Astatic.$domain%0Aapi.$domain%0Alink.$domain%0A"
  "modules/pootle/files/web")
    options="profile=server-orga&CN=&SANs=pootle.$domain"
  "modules/gigi/files/client")
    # Client certificate for the gigi service account (mail profile).
    options="profile=mail-orga&CN=&SANs=gigi@$domain"
  "modules/quiz/files/web")
    options="profile=server-orga&CN=&SANs=quiz.$domain"
  "modules/gitweb/files/web")
    options="profile=server-orga&CN=&SANs=code.$domain"
  "modules/quiz/files/client")
    options="profile=client-orga&CN=Quiz+Api+User&SANs=quiz@$domain"
  "modules/motion/files/motion")
    options="profile=server-orga&CN=&SANs=motion.$domain"
  # Unrecognised path: refuse and tell the hop.
  echo "Unknown certificate in $line, rejecting"
  echo "FAIL" >&${COPROC[1]}
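# Hand the CSR and the locally chosen options to Gigi. On success the reply to
# the hop is: "SUCCESS", the number of PEM blocks in the chain, the chain
# itself, and then one acknowledgement line is read back.
if issue0 "$options" "$folder/web.req"; then
  echo "gigi issued successfully"
  echo "SUCCESS" >&${COPROC[1]}
  # grep -c counts matching lines directly (no wc, no platform-dependent
  # padding). It exits non-zero when nothing matches or the file is missing;
  # keep "0" in both cases so the hop still gets a number.
  cnt=$(grep -c "BEGIN CERTIFICATE" "$folder/cert.crt") || cnt=${cnt:-0}
  echo "chain of length $cnt"
  echo "$cnt" >&${COPROC[1]}
  cat "$folder/cert.crt" >&${COPROC[1]}
  read -r reply <&${COPROC[0]};
  # Issuance failed: the hop gets a bare FAIL instead of a chain.
  echo "FAIL" >&${COPROC[1]}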
121 elif [[ "$line" = "DONE" ]]; then
126 echo "end process" >&${COPROC[1]}
# End the Gigi session explicitly so the cookie saved in the jar is presumably
# no longer usable server-side.
mscurl logout > /dev/null
# Only reload services on the hop if the issuing loop set updated=true.
if [[ "$updated" == "true" ]]; then
  # -t requests a terminal; the forced-command entry allows it via ",pty".
  admin_ssh -t "reload certs"