6543/certbot-scrypts
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

log

Browse Source
This commit is contained in:
6543 2018-05-07 22:43:55 +02:00
parent d9d135f1a6
commit f781c70852
4 changed files with 137 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
from_tyler/contact Normal file
View File

@ -0,0 +1 @@
mailto:tyler@tyzoid.com

21
from_tyler/log Normal file
View File

@ -0,0 +1,21 @@
<tyzoid> I've got a wrapper script around that, and I configured my apache management scripts to reverse proxy the acme-verification uris to letsencrypt-nosudo
<maddl> do you have a repo of that?
<tyzoid> should be https://github.com/diafygi/acme-nosudo
<tyzoid> I don't have a repo of my scripts, no
<tyzoid> I can throw them up on my site, though
<maddl> this setup is old ... it is from the begining of letsencrypt and i sould already structure it new
<tyzoid> lol, letsencrypt-nosudo (apparently now acme-nosudo) is a bit old too
<tyzoid> maddl: Here's the wrapper script I use. https://dl.tyzoid.com/security/sign.sh
<tyzoid> It's quickly hacked together, so a lot of the paths are hardcoded
<maddl> thanks
<tyzoid> maddl: Here's my apache mksite script: https://dl.tyzoid.com/security/mksite.sh
<tyzoid> Might need some adaptation, since you use nginx
<tyzoid> but the workflow for me is `$ mksite <domain>`, `$ sign <domain>` `$ vim <domainconfig>`
<maddl> your scripts are more for inspiration than to copy-paste it
<tyzoid> :)
<tyzoid> That last step is me just uncommenting all the commented out lines in the domain config
<maddl> perhaps ill make a more general setup and publish it on github ...
<tyzoid> Go for it!
<maddl> we will se
<tyzoid> If you do, just be sure to credit my stuff if you use it. I release pretty much all my stuff as MIT

67
from_tyler/mksite.sh Normal file
View File

@ -0,0 +1,67 @@
#!/bin/bash
set -e;
domain=$1;
echo "Creating local site $domain";

mkdir -p "/var/log/apache2/$domain";
sudo mkdir -p "/var/www/$domain/web";

cat > /etc/apache2/sites-enabled/$domain.conf <<_EOF_
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName $domain

ProxyPass /.well-known/acme-challenge/ http://127.0.0.1:8082/.well-known/acme-challenge/

# RewriteEngine On
#
# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge.*
# RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]


DocumentRoot /var/www/$domain/web
<Directory /var/www/$domain/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/$domain/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/$domain/access.log combined
</VirtualHost>
#<VirtualHost *:443>
# ServerAdmin webmaster@localhost
# ServerName $domain
#
# DocumentRoot /var/www/$domain/web
# <Directory /var/www/$domain/web>
# Options Indexes FollowSymLinks MultiViews
# AllowOverride All
# Order allow,deny
# allow from all
# </Directory>
#
# ErrorLog /var/log/apache2/$domain/error.log
#
# # Possible values include: debug, info, notice, warn, error, crit,
# # alert, emerg.
# LogLevel warn
#
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
#
# CustomLog /var/log/apache2/$domain/access.log combined
#
# SSLEngine on
# SSLCertificateFile /etc/apache2/ssl/$domain/$domain.crt
# SSLCertificateKeyFile /etc/apache2/ssl/$domain/$domain.key
# SSLCertificateChainFile /etc/apache2/ssl/$domain/lets-encrypt-x3-cross-signed.pem
#</VirtualHost>
_EOF_

echo "Site set up, just restart apache when you are ready to initialize";

48
from_tyler/sign.sh Normal file
View File

@ -0,0 +1,48 @@
#!/bin/bash

if [ ! -d "$1" ]; then
mkdir "$1";
openssl genrsa -out "$1/$1".key 4096
openssl req -new -sha256 -key "$1/$1".key -out "$1/$1".csr
fi

rm -vf testfifo;
mkfifo testfifo;
nl=0;
nsign=0;
while read line; do
echo "$((nl+=1)): $line" >&2;

if grep -o 'openssl dgst -sha256 -sign user.key -out' &>/dev/null <<< "$line"; then
$line;
nsign=$((nsign+1));
if [ $nsign -gt 2 ]; then
echo
fi
fi

if grep -o 'sudo python -c "import BaseHTTPServer;' &>/dev/null <<< "$line"; then
#service apache2 stop >&2
python -c "$(cut -f2 -d'"' <<< "$line" | sed "s/'0.0.0.0', 80/'127.0.0.1', 8082/")" &
echo
sleep 5;
kill -9 $! &>/dev/null
sleep 2
#service apache2 start >&2
fi
done < testfifo| python letsencrypt-nosudo/sign_csr.py -e '<<YOUR EMAIL/LETSENCRYPT USER HERE>>' -p user.pub "$1/$1.csr" 2>testfifo >"$1/$1.crt"

rm -vf testfifo

sudo mkdir -p "/etc/apache2/ssl/$1/"

if [ -f "$1/$1.key" ]; then
sudo mv "$1/$1.key" "/etc/apache2/ssl/$1/$1.key" -v
sudo cp lets-encrypt-x3-cross-signed.pem "/etc/apache2/ssl/$1/" -v
fi

if [ -s "$1/$1.crt" ]; then
sudo mv "$1/$1.crt" "/etc/apache2/ssl/$1/$1.crt" -v
else
rm -v "$1/$1.crt";
fi