From f781c70852bb48dee20f60560be4decf5dde06f0 Mon Sep 17 00:00:00 2001
From: 6543
Date: Mon, 7 May 2018 22:43:55 +0200
Subject: [PATCH] log
---
 from_tyler/contact | 1 +
 from_tyler/log | 21 ++++++++++++++
 from_tyler/mksite.sh | 67 ++++++++++++++++++++++++++++++++++++++++++++
 from_tyler/sign.sh | 48 +++++++++++++++++++++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 from_tyler/contact
 create mode 100644 from_tyler/log
 create mode 100644 from_tyler/mksite.sh
 create mode 100644 from_tyler/sign.sh
diff --git a/from_tyler/contact b/from_tyler/contact
new file mode 100644
index 0000000..33a68b0
--- /dev/null
+++ b/from_tyler/contact
@@ -0,0 +1 @@
+mailto:tyler@tyzoid.com
diff --git a/from_tyler/log b/from_tyler/log
new file mode 100644
index 0000000..2612a7b
--- /dev/null
+++ b/from_tyler/log
@@ -0,0 +1,21 @@
+ I've got a wrapper script around that, and I configured my apache management scripts to reverse proxy the acme-verification uris to letsencrypt-nosudo
+ do you have a repo of that?
+ should be https://github.com/diafygi/acme-nosudo
+ I don't have a repo of my scripts, no
+ I can throw them up on my site, though
+ this setup is old ... it is from the begining of letsencrypt and i sould already structure it new
+ lol, letsencrypt-nosudo (apparently now acme-nosudo) is a bit old too
+ maddl: Here's the wrapper script I use. https://dl.tyzoid.com/security/sign.sh
+ It's quickly hacked together, so a lot of the paths are hardcoded
+ thanks
+ maddl: Here's my apache mksite script: https://dl.tyzoid.com/security/mksite.sh
+ Might need some adaptation, since you use nginx
+ but the workflow for me is `$ mksite `, `$ sign ` `$ vim `
+ your scripts are more for inspiration than to copy-paste it
+ :)
+ That last step is me just uncommenting all the commented out lines in the domain config
+ perhaps ill make a more general setup and publish it on github ...
+ Go for it!
+ we will se
+ If you do, just be sure to credit my stuff if you use it. I release pretty much all my stuff as MIT
+
diff --git a/from_tyler/mksite.sh b/from_tyler/mksite.sh
new file mode 100644
index 0000000..918b41a
--- /dev/null
+++ b/from_tyler/mksite.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+set -e;
+domain=$1;
+echo "Creating local site $domain";
+
+mkdir -p "/var/log/apache2/$domain";
+sudo mkdir -p "/var/www/$domain/web";
+
+cat > /etc/apache2/sites-enabled/$domain.conf <<_EOF_
+
+ ServerAdmin webmaster@localhost
+ ServerName $domain
+
+ ProxyPass /.well-known/acme-challenge/ http://127.0.0.1:8082/.well-known/acme-challenge/
+
+# RewriteEngine On
+#
+# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge.*
+# RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
+
+
+ DocumentRoot /var/www/$domain/web
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+
+
+ ErrorLog /var/log/apache2/$domain/error.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog /var/log/apache2/$domain/access.log combined
+
+#
+# ServerAdmin webmaster@localhost
+# ServerName $domain
+#
+# DocumentRoot /var/www/$domain/web
+#
+# Options Indexes FollowSymLinks MultiViews
+# AllowOverride All
+# Order allow,deny
+# allow from all
+#
+#
+# ErrorLog /var/log/apache2/$domain/error.log
+#
+# # Possible values include: debug, info, notice, warn, error, crit,
+# # alert, emerg.
+# LogLevel warn
+#
+# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+#
+# CustomLog /var/log/apache2/$domain/access.log combined
+#
+# SSLEngine on
+# SSLCertificateFile /etc/apache2/ssl/$domain/$domain.crt
+# SSLCertificateKeyFile /etc/apache2/ssl/$domain/$domain.key
+# SSLCertificateChainFile /etc/apache2/ssl/$domain/lets-encrypt-x3-cross-signed.pem
+#
+_EOF_
+
+echo "Site set up, just restart apache when you are ready to initialize";
diff --git a/from_tyler/sign.sh b/from_tyler/sign.sh
new file mode 100644
index 0000000..ae53f15
--- /dev/null
+++ b/from_tyler/sign.sh
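Review bot: `domain=$1` is never validated and is spliced unquoted into `cat > /etc/apache2/sites-enabled/$domain.conf` and into the unquoted heredoc that becomes the vhost config, so an argument containing `/`, `..`, whitespace or Apache directive text writes outside the intended file or alters the generated config, and an empty argument silently yields `/var/www//web` and a `.conf` with a blank ServerName, which `set -e` does not catch. Add a guard right after the assignment, e.g. `[[ -n "$domain" && "$domain" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "usage: mksite.sh DOMAIN" >&2; exit 1; }`, and quote the redirection target as `"/etc/apache2/sites-enabled/$domain.conf"`. Privilege handling is also inconsistent: the `/var/www` mkdir goes through sudo while the `/var/log/apache2` mkdir and the write into `/etc/apache2/sites-enabled` do not, so the script only succeeds when run as root anyway. Separately, the generated directory block enables `Options Indexes`, i.e. directory listings for every new site; consider dropping `Indexes` from the template unless listings are intended.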
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+if [ ! -d "$1" ]; then
+ mkdir "$1";
+ openssl genrsa -out "$1/$1".key 4096
+ openssl req -new -sha256 -key "$1/$1".key -out "$1/$1".csr
+fi
+
+rm -vf testfifo;
+mkfifo testfifo;
+nl=0;
+nsign=0;
+while read line; do
+ echo "$((nl+=1)): $line" >&2;
+
+ if grep -o 'openssl dgst -sha256 -sign user.key -out' &>/dev/null <<< "$line"; then
+ $line;
+ nsign=$((nsign+1));
+ if [ $nsign -gt 2 ]; then
+ echo
+ fi
+ fi
+
+ if grep -o 'sudo python -c "import BaseHTTPServer;' &>/dev/null <<< "$line"; then
+ #service apache2 stop >&2
+ python -c "$(cut -f2 -d'"' <<< "$line" | sed "s/'0.0.0.0', 80/'127.0.0.1', 8082/")" &
+ echo
+ sleep 5;
+ kill -9 $! &>/dev/null
+ sleep 2
+ #service apache2 start >&2
+ fi
+done < testfifo| python letsencrypt-nosudo/sign_csr.py -e '<>' -p user.pub "$1/$1.csr" 2>testfifo >"$1/$1.crt"
+
+rm -vf testfifo
+
+sudo mkdir -p "/etc/apache2/ssl/$1/"
+
+if [ -f "$1/$1.key" ]; then
+ sudo mv "$1/$1.key" "/etc/apache2/ssl/$1/$1.key" -v
+ sudo cp lets-encrypt-x3-cross-signed.pem "/etc/apache2/ssl/$1/" -v
+fi
+
+if [ -s "$1/$1.crt" ]; then
+ sudo mv "$1/$1.crt" "/etc/apache2/ssl/$1/$1.crt" -v
+else
+ rm -v "$1/$1.crt";
+fi
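Review bot: The `while read line` loop executes text taken from the helper's stderr: `$line;` runs any line that merely contains the substring `openssl dgst -sha256 -sign user.key -out`, unquoted (word-split, glob-expanded, with backslashes already altered because `read` lacks `-r`), and the second branch feeds part of a line into `python -c`, so whatever `letsencrypt-nosudo/sign_csr.py` prints is trusted as code; at minimum use `read -r line`, anchor the match to the start of the line with `[[ "$line" == 'openssl dgst -sha256 -sign user.key -out '* ]]` (assuming the helper prints the command on its own line — verify), and pin the checked-out sign_csr.py to a reviewed revision. The private key from `openssl genrsa -out "$1/$1".key 4096` is written into the working directory under the caller's default umask and only moved to `/etc/apache2/ssl/$1/` at the end, so it is presumably readable by other local users in the interim unless the umask is restrictive; add `umask 077` before the genrsa call. There is no `set -e`, so a failing `mkdir "$1"` or `openssl` step does not stop the later `sudo mv` lines from operating on missing or empty files. The fifo uses the fixed name `testfifo` in the current directory, so two runs in the same directory would share it; a `mktemp -u`-derived name would avoid that.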