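#!/bin/bash
# Issue or renew the organisation certificates of one deployment via Gigi.
#
# Usage: admin-manage-certificates <targetHost> [install|force]
#   install  register admin-key on the target's hop container, then exit
#   force    prefix the remote "update certs" command with "force "
#            (presumably re-issues every certificate, not only the due ones)
#
# The helpers used below (ssh_target, admin_ssh, mcurl, read_admin_email,
# read_admin_password, $domain) are not defined here; they presumably come
# from ./config and <targetHost>/config.
targetHost=$1
targetHost=${targetHost%/}
# Without a target we would source "/config" and then drive nothing useful.
if [[ -z "$targetHost" ]]; then
    printf >&2 'Usage: %s <targetHost> [install|force]\n' "$0"
    exit 2
fi
source config
source "$targetHost/config"

# The admin key is created once and deliberately has no passphrase because the
# non-interactive coproc further down must use it unattended. Treat the file
# as a credential (it grants the forced command on the hop container).
if [[ ! -f admin-key ]]; then
    ssh-keygen -t ed25519 -N "" -f admin-key
    printf >&2 'Warning: generated admin-key without passphrase\n'
fi
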
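# One-off bootstrap ("install" mode): register admin-key as a forced-command
# key on the hop container and let puppet apply it. Made idempotent: the line
# is only appended when the public key is not in authorized_keys yet, so a
# second run no longer duplicates it.
if [[ "$2" == "install" ]]; then
    pubkey=$(cat admin-key.pub)
    authline="command=\"/home/admin/commands\",restrict,pty $pubkey"
    ssh_target "grep -qF -- '$pubkey' modules/hop/files/authorized_keys || cat >> modules/hop/files/authorized_keys <<< '$authline'"
    # Trust-on-first-use: the container's known_hosts is seeded from whatever
    # answers on 10.0.3.1 right now; there is no out-of-band fingerprint check.
    ssh_target -t 'sudo lxc-attach -n hop -- bash -c "ssh-keyscan -H 10.0.3.1 > /home/admin/.ssh/known_hosts"'
    ssh_target -t 'sudo lxc-attach -n hop -- puppet agent --test --verbose'
    exit 0;
fi
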
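read_admin_email
read_admin_password

# Manual variant of the "install" mode: print the commands the operator has
# to run on the target host (identical to the install branch) and wait for
# confirmation before touching Gigi.
printf '%s && %s && %s\n' \
    "cat >> modules/hop/files/authorized_keys <<< 'command=\"/home/admin/commands\",restrict,pty $(cat admin-key.pub)'" \
    'sudo lxc-attach -n hop -- bash -c "ssh-keyscan -H 10.0.3.1 > /home/admin/.ssh/known_hosts"' \
    'sudo lxc-attach -n hop -- puppet agent --test --verbose'
read -p "Keys installed? " _
# Working directory for the Gigi session. The cookie jar (admin session),
# the verbose curl log and the issued chains all land here, so restrict it
# to the current user instead of relying on the default umask.
folder=.tmpdata
mkdir -p "$folder"
chmod 700 "$folder"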
# csrf [FILTER1] [FILTER2]
#   Read an HTML page on stdin and print the value of the csrf input(s).
#   FILTER1/FILTER2 are optional commands (e.g. "head -n 1", "tail -n 1")
#   run over the matching lines before the value is extracted; they are
#   deliberately word-split so a command with arguments can be passed as one
#   string. Lines mentioning csrf but lacking value='...' pass through as-is.
function csrf {
    local first_filter="${1:-cat}"
    local second_filter="${2:-cat}"
    grep csrf \
        | $first_filter \
        | $second_filter \
        | sed "s/.*value='\([^']*\)'.*/\\1/"
}

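# Trust anchor of the Gigi deployment. It is fetched once over plain HTTP and
# cached forever after, so a failed download must not leave an error page (or
# an empty file) behind as root.crt. root.crt is not read by this script
# itself; presumably the mcurl helper pins it — verify the cached root out of
# band before relying on it, since the transport does not authenticate it.
if [[ ! -f root.crt ]]; then
    if ! curl -fsS "http://www.$domain/roots?pem" -o root.crt.tmp; then
        rm -f root.crt.tmp
        echo "Failed to fetch root certificate from www.$domain" >&2
        exit 1
    fi
    mv root.crt.tmp root.crt
fi
echo "Opening Gigi connection"
# Fresh session: load the login form to obtain a session cookie and the
# CSRF token the login POST must echo back.
rm -f "$folder/cookie-jar"
csrf=$(mcurl login -c "$folder/cookie-jar" | csrf)
if ! [[ -f "$folder/cookie-jar" ]]; then
    echo "Need cookies." >&2
    exit 1;
fi
# Without a token the login silently fails and every later request errors
# out in a confusing way; stop here instead.
if [[ -z "$csrf" ]]; then
    echo "Need csrf token." >&2
    exit 1;
fi
# NOTE(review): the admin password is passed on the curl command line and is
# visible in the process list for the duration of the request.
mcurl login --data-urlencode "username=$admin_email" --data-urlencode "password=$admin_password" --data-urlencode "csrf=$csrf" -c "$folder/cookie-jar" > /dev/null

# Switch the session into the organisation context; organisation id 3 is
# hard-coded.
csrf=$(mcurl account/details | csrf "tail -n 1")
mcurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
echo "Gigi is ready"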
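# issue0 OPTIONS CSR_FILE
#   Upload the PEM CSR in CSR_FILE to Gigi and issue a certificate with the
#   form fields given in OPTIONS (profile, CN, SANs; already form-encoded).
#   On success the chain without the anchor is written to $folder/cert.crt
#   and 0 is returned; 1 if no serial came back or the download was not a
#   PEM chain. Requires the logged-in mcurl session set up above.
function issue0 {
    local options=$1
    local csr=$2
    local csrf encoded serial
    csrf=$(mcurl "account/certs/new" | csrf "head -n 1")

    # Hand-rolled form encoding of the PEM: escape '=' and '+' (which a form
    # decoder would otherwise mangle) and turn newlines into %0A through a
    # '?' placeholder, a character that never occurs in PEM.
    encoded=$(tr '\n' '?' < "$csr" | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")

    mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null

    # The serial is taken from the redirect target of the issue request.
    # NOTE(review): curl -v echoes the request headers, including the session
    # Cookie, so $folder/certlog holds the admin session for its lifetime.
    serial=$(mcurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee "$folder/certlog" | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
    echo "Certificate: $serial"
    if [[ -z "$serial" ]]; then
        return 1
    fi
    mcurl "account/certs/$serial.crt?chain&noAnchor" > "$folder/cert.crt"
    # Never report success for an empty or HTML error response: the caller
    # ships whatever is in cert.crt to the target host as the new chain.
    if ! grep -q "BEGIN CERTIFICATE" "$folder/cert.crt"; then
        echo "Download of certificate $serial did not return a PEM chain" >&2
        return 1
    fi
    return 0
}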
# Optional "force" prefix for the remote "update certs" command; empty unless
# the second argument says so.
case "$2" in
    force) force="force " ;;
    *)     force="" ;;
esac
# Drive the remote "update certs" command over the admin key. The coproc is
# the admin_ssh session; the loop below speaks a line-based protocol with it:
#   remote -> here:  "SKIP <path>", "ISSUE <path>" (followed by a PEM CSR),
#                    or "DONE"
#   here -> remote:  "FAIL", or "SUCCESS" + number of certs + the PEM chain,
#                    then one acknowledgement line is read back
# The trailing `read -r end` keeps the coproc alive after admin_ssh returns;
# presumably so the "end process" write at the bottom never hits a closed
# pipe.
coproc {
    admin_ssh "${force}update certs"
    read -r end
}
updated="false"
while true; do
    read -r line <&${COPROC[0]} || break;
    echo "Command: $line"
    if [[ "$line" = "SKIP "* ]]; then
        echo "Skipping: $line"
    elif [[ "$line" = "ISSUE "* ]]; then
        # openssl reads the PEM request directly from the coproc stream.
        # NOTE(review): this relies on openssl stopping at the END line; if it
        # read ahead it would swallow the next protocol line — confirm.
        openssl req -out $folder/web.req <&${COPROC[0]}
        echo "CSR received, contacting Gigi"
        # Allow-list: the path reported by the remote host only selects one of
        # the fixed profile/SAN sets below; anything else is answered with FAIL,
        # so the host cannot name arbitrary SANs here. (Whether Gigi also
        # honours names embedded in the CSR itself is not visible in this
        # script.) This default is overwritten by every arm of the case.
        options="profile=server-orga&CN=&SANs=quiz.$domain"
        case ${line#ISSUE } in
            "modules/gigi/files/gigi")
                options="profile=server-orga&CN=&SANs=www.$domain%0Asecure.$domain%0Astatic.$domain%0Aapi.$domain%0A"
                ;;
            "modules/pootle/files/web")
                options="profile=server-orga&CN=&SANs=pootle.$domain"
                ;;
            "modules/gigi/files/client")
                options="profile=mail-orga&CN=&SANs=gigi@$domain"
                ;;
            "modules/quiz/files/web")
                options="profile=server-orga&CN=&SANs=quiz.$domain"
                ;;
            "modules/gitweb/files/web")
                options="profile=server-orga&CN=&SANs=code.$domain"
                ;;
            "modules/quiz/files/client")
                options="profile=client-orga&CN=Quiz+Api+User&SANs=quiz@$domain"
                ;;
            "modules/motion/files/motion")
                options="profile=server-orga&CN=&SANs=motion.$domain"
                ;;
            *)
                echo "Unknown certificate in $line, rejecting"
                echo "FAIL" >&${COPROC[1]}
                continue;
                ;;
        esac
        if issue0 "$options" $folder/web.req; then
            echo "gigi issued successfully"
            echo "SUCCESS" >&${COPROC[1]}
            updated="true"
            # Tell the remote side how many certificates follow, then stream
            # the chain itself. Note that nothing here checks that cert.crt is
            # actually PEM; a count of 0 would still be sent as a success.
            cnt=$(grep "BEGIN CERTIFICATE" $folder/cert.crt | wc -l)
            echo "chain of length $cnt"
            echo "$cnt" >&${COPROC[1]}
            cat $folder/cert.crt >&${COPROC[1]}
            # One acknowledgement line from the remote side, echoed for the log.
            read -r reply <&${COPROC[0]};
            echo $reply
        else
            echo "FAIL" >&${COPROC[1]}
        fi
    elif [[ "$line" = "DONE" ]]; then
        # Purpose of the pause is not documented; presumably lets the remote
        # side finish writing before we tear down the session.
        sleep 1
        break;
    fi
done
# Unblock the coproc's final `read`, then drain whatever the remote still
# prints so its output is not lost.
echo "end process" >&${COPROC[1]}
cat <&${COPROC[0]}
mcurl logout > /dev/null

# Only ask the services to pick up new certificates if at least one was issued.
if [[ "$updated" == "true" ]]; then
    admin_ssh -t "reload certs"
fi