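#!/bin/bash
#
# Bootstrap an admin SSH key on a target host and (re)issue the X.509
# certificates of its services through the Gigi web UI.
#
# Usage:  ./<this script> <targetHost> [install|force]
#   targetHost  directory holding a per-host "config" (a trailing "/" is stripped)
#   install     only install admin-key on the "hop" container and run puppet, then exit
#   force       pass "force" to "update certs" so every certificate is reissued
#
# Expects from ./config and "$targetHost/config": $domain and the helpers
# ssh_target, admin_ssh, mcurl, read_admin_email, read_admin_password
# (the last two are assumed to set $admin_email / $admin_password — confirm).
#
# Files written to the working directory: admin-key(.pub), root.crt and
# .tmpdata/ (cookie-jar, certlog, web.req, cert.crt).

targetHost=${1:-}
targetHost=${targetHost%/}
mode=${2:-}

if [[ -z "$targetHost" ]]; then
  printf 'Usage: %s <targetHost> [install|force]\n' "${0##*/}" >&2
  exit 2
fi
# Sourcing a missing host config used to just print an error and carry on
# with no $domain; fail early instead.
if [[ ! -f "$targetHost/config" ]]; then
  printf 'Error: no config found at %s/config\n' "$targetHost" >&2
  exit 2
fi

source config
source "$targetHost/config"

# One-off admin key.  It has no passphrase so the coprocess session below
# can run unattended; what limits the blast radius of a leaked key is the
# forced-command authorized_keys entry installed for it.
if [[ ! -f admin-key ]]; then
  ssh-keygen -t ed25519 -N "" -f admin-key
  printf >&2 'Warning: generated admin-key without passphrase\n'
fi

# authorized_keys entry for the hop container: forced command + "restrict"
# (no port/agent/X11 forwarding); "pty" re-enables the tty that restrict
# disables, which the "-t" calls below need.
authorized_line="command=\"/home/admin/commands\",restrict,pty $(cat admin-key.pub)"
install_cmd="cat >> modules/hop/files/authorized_keys <<< '$authorized_line'"
# ssh-keyscan accepts whatever host key 10.0.3.1 presents at that moment
# (trust-on-first-use from inside the container); acceptable only because
# that address is presumably the LXC host's own bridge address — confirm.
keyscan_cmd='sudo lxc-attach -n hop -- bash -c "ssh-keyscan -H 10.0.3.1 > /home/admin/.ssh/known_hosts"'
puppet_cmd='sudo lxc-attach -n hop -- puppet agent --test --verbose'

if [[ "$mode" == "install" ]]; then
  ssh_target "$install_cmd"
  ssh_target -t "$keyscan_cmd"
  ssh_target -t "$puppet_cmd"
  exit 0
fi

read_admin_email
read_admin_password

# Manual path: print the same three commands for the operator to run on the
# target, then wait for confirmation before talking to Gigi.
printf '%s && ' "$install_cmd"
printf '%s && ' "$keyscan_cmd"
printf '%s\n' "$puppet_cmd"
read -r -p "Keys installed? " _

folder=.tmpdata
# Holds the Gigi session cookie and a verbose transcript of the issue
# request (if mcurl wraps curl -v, the request headers including the
# Cookie header land in certlog): keep the directory private to this user.
mkdir -p -m 0700 "$folder"
chmod 0700 "$folder"
# Do not leave a live session cookie behind on any exit path.
trap 'rm -f -- "$folder/cookie-jar"' EXIT

# Extract the CSRF token from a Gigi form read on stdin.
# Arguments: $1, $2 - optional filter commands (e.g. "head -n 1") that pick
#            which of several csrf inputs to use; deliberately left unquoted
#            so that "head -n 1" word-splits into a command and its args.
# Outputs:   the token value on stdout
csrf() {
  grep csrf | ${1:-cat} | ${2:-cat} | sed "s/.*value='\([^']*\)'.*/\\1/"
}

# Form-encode a PEM CSR file for Gigi's CSR= field.
# Arguments: $1 - path of the PEM file
# Outputs:   the file with "=", "+" and newlines percent-encoded ("/" is
#            left alone); newlines are first folded to "?", which never
#            occurs in PEM, and then rewritten to %0A.
encode_csr() {
  tr '\n' '?' < "$1" | sed 's/=/%3D/g;s/+/%2B/g;s/?/%0A/g'
}

# Trust anchor.  It is fetched over plain HTTP, so nothing authenticates it
# on first download: compare the printed fingerprint with one obtained
# out-of-band before relying on it (presumably mcurl points curl at this
# file — confirm).  -f keeps an HTTP error page out of root.crt.
if [[ ! -f root.crt ]]; then
  if ! curl -sf "http://www.$domain/roots?pem" > root.crt; then
    rm -f root.crt
    printf 'Error: could not download root certificate from http://www.%s/roots?pem\n' "$domain" >&2
    exit 1
  fi
  printf 'Warning: root.crt was fetched over plain HTTP; verify its fingerprint out-of-band:\n' >&2
  # Fingerprint of the first certificate in the file.
  openssl x509 -in root.crt -noout -fingerprint -sha256 >&2
fi

echo "Opening Gigi connection"
rm -f -- "$folder/cookie-jar"
csrf=$(mcurl login -c "$folder/cookie-jar" | csrf)
if [[ ! -f "$folder/cookie-jar" ]]; then
  echo "Need cookies." >&2
  exit 1
fi
# NOTE(review): the password travels on mcurl's argv and is visible in "ps"
# on this machine for the duration of the call; if mcurl wraps curl, passing
# it via --data-urlencode "password@file" or a -K config file would avoid that.
mcurl login \
  --data-urlencode "username=$admin_email" \
  --data-urlencode "password=$admin_password" \
  --data-urlencode "csrf=$csrf" \
  -c "$folder/cookie-jar" > /dev/null
# Switch the session to the organisation context (org%3A3 = "org:3",
# presumably an organisation id — confirm).
csrf=$(mcurl account/details | csrf "tail -n 1")
mcurl account/details --data "orgaForm=orga&org%3A3=yes&csrf=$csrf"
echo "Gigi is ready"

# Upload a CSR to Gigi and issue a certificate for it.
# Arguments: $1 - form options (profile, CN, SANs) for the issue step
#            $2 - path of the PEM CSR file
# Outputs:   writes the issued chain (without the anchor) to $folder/cert.crt;
#            the verbose transcript of the issue request is kept in $folder/certlog
# Returns:   0 on success, 1 when no serial could be read from the Location header
issue0() {
  local options=$1 csr=$2
  local csrf encoded serial
  csrf=$(mcurl "account/certs/new" | csrf "head -n 1")
  encoded=$(encode_csr "$csr")
  mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
  # The serial is the last hex path component of the redirect target.
  serial=$(mcurl account/certs/new \
      -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" \
      -v 2>&1 | tee "$folder/certlog" | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
  echo "Certificate: $serial"
  if [[ -n "$serial" ]]; then
    mcurl "account/certs/$serial.crt?chain&noAnchor" > "$folder/cert.crt"
    return 0
  fi
  return 1
}

force=""
if [[ "$mode" == "force" ]]; then
  force="force "
fi

# Drive "update certs" over the admin channel.  As handled below, it sends
# one line per certificate (SKIP ..., ISSUE <slot> followed by a PEM CSR, or
# DONE); an ISSUE is answered with SUCCESS, the chain length and the chain,
# or with FAIL.  The trailing read keeps the coprocess (and its pipe) open
# until "end process" is sent.
coproc {
  admin_ssh "${force}update certs"
  read -r end
}

updated="false"
while true; do
  read -r line <&"${COPROC[0]}" || break
  echo "Command: $line"
  if [[ "$line" = "SKIP "* ]]; then
    echo "Skipping: $line"
  elif [[ "$line" = "ISSUE "* ]]; then
    # openssl req consumes the PEM CSR that follows on the channel.
    openssl req -out "$folder/web.req" <&"${COPROC[0]}"
    echo "CSR received, contacting Gigi"
    # Only these known slots get a certificate, each with fixed names; any
    # other request from the host is refused rather than issued as asked.
    case ${line#ISSUE } in
      "modules/gigi/files/gigi")
        options="profile=server-orga&CN=&SANs=www.$domain%0Asecure.$domain%0Astatic.$domain%0Aapi.$domain%0A"
        ;;
      "modules/pootle/files/web")
        options="profile=server-orga&CN=&SANs=pootle.$domain"
        ;;
      "modules/gigi/files/client")
        options="profile=mail-orga&CN=&SANs=gigi@$domain"
        ;;
      "modules/quiz/files/web")
        options="profile=server-orga&CN=&SANs=quiz.$domain"
        ;;
      "modules/gitweb/files/web")
        options="profile=server-orga&CN=&SANs=code.$domain"
        ;;
      "modules/quiz/files/client")
        options="profile=client-orga&CN=Quiz+Api+User&SANs=quiz@$domain"
        ;;
      *)
        echo "Unknown certificate in $line, rejecting"
        echo "FAIL" >&"${COPROC[1]}"
        continue
        ;;
    esac
    if issue0 "$options" "$folder/web.req"; then
      echo "gigi issued successfully"
      echo "SUCCESS" >&"${COPROC[1]}"
      updated="true"
      cnt=$(grep -c "BEGIN CERTIFICATE" "$folder/cert.crt")
      echo "chain of length $cnt"
      echo "$cnt" >&"${COPROC[1]}"
      cat "$folder/cert.crt" >&"${COPROC[1]}"
      read -r reply <&"${COPROC[0]}"
      echo "$reply"
    else
      echo "FAIL" >&"${COPROC[1]}"
    fi
  elif [[ "$line" = "DONE" ]]; then
    # Brief pause before closing the channel; presumably lets the remote
    # side finish — kept from the original.
    sleep 1
    break
  fi
done
echo "end process" >&"${COPROC[1]}"
cat <&"${COPROC[0]}"
mcurl logout > /dev/null
if [[ "$updated" == "true" ]]; then
  admin_ssh -t "reload certs"
fi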