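#!/bin/bash
# unifi-utils
# update_ssl_radius.sh
# UniFi Controller SSL Certificate update script for Unix/Linux Systems
# by Dubz <https://github.com/Dubz>
# from unifi-utils <https://github.com/Dubz/unifi-utils>
# Incorporates ideas from https://github.com/stevejenkins/ubnt-linux-utils/unifi_ssl_import.sh
# Incorporates ideas from https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version 0.3
# Last Updated July 27, 2019
#
# This file uses bash features (source, == in [ ], return at top level), so the
# interpreter is bash rather than /bin/sh: under dash `source` is not found, the
# config never loads and the script silently reports "not to be updated".
# It is written to be either run directly or sourced from a parent script
# (CONFIG_LOADED / BRIDGE_SYNCED are the signals for that); aborts use
# `return ... || exit ...` so a sourcing parent gets control back instead of dying.
#
# REQUIREMENTS
# 1) Assumes you already have a valid SSL certificate
# 2) ./config-default file copied to ./config and edited as necessary.
#    ./config is *sourced*, i.e. executed as shell code with this script's
#    privileges, and it supplies the SSH user/host and remote paths used below.
#    Keep it owned by, and writable only by, the account that runs this script.
# 3) Identities to be set up in ~/.ssh/config as needed
# KEY BACKUP
# Even though this script attempts to be clever and careful in how it backs up your existing key/cert,
# it's never a bad idea to manually back up your key/cert (located at /etc/ssl/private/ssl-cert-snakeoil.key
# and /etc/ssl/certs/ssl-cert-snakeoil.pem on the USG) to a separate directory before running this script.
# If anything goes wrong, you can restore from your backup, restart the RADIUS service,
# and be back online immediately.

# Load the config file (skipped when a parent already loaded it).
if [ -z "${CONFIG_LOADED+x}" ]; then
  if [ ! -s "./config" ]; then
    echo "CONFIG FILE NOT FOUND!"
    echo -n "Copying config-default to config..."
    if cp "./config-default" "./config"; then
      echo "done!"
      echo "Please configure your settings by editing the config file"
    else
      echo "failed! (is config-default present in the current directory?)"
    fi
    exit 1
  fi
  # Always source with an explicit ./ prefix: bash resolves a bare `source config`
  # through $PATH first, so a stray file named "config" in any PATH directory
  # would be executed instead of the operator's config.
  # shellcheck disable=SC1091
  source ./config
fi

if [ "${CERTBOT_RUN_RADIUS}" != "true" ]; then
  echo "RADIUS is not to be updated based on ./config"
  # Hand control back to a sourcing parent; when run directly `return` fails
  # (silenced) and we exit instead.
  return 0 2>/dev/null || exit 0
fi

# Clone from external server to local server (if used)
if [ "${CERTBOT_USE_EXTERNAL}" == "true" ] && [ "${BRIDGE_SYNCED}" != "true" ]; then
  # Explicit ./ for the same PATH-lookup reason as ./config above.
  # shellcheck disable=SC1091
  source ./update_ssl_bridge.sh
fi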
# Are the required cert files there?
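# Everything below builds paths from these three config values; an empty one
# would silently turn "${CERTBOT_LOCAL_DIR_CACHE}/${RADIUS_HOST}" into a path
# at the filesystem root, so refuse to continue instead.
if [ -z "${CERTBOT_LOCAL_DIR_CONFIG}" ] || [ -z "${CERTBOT_LOCAL_DIR_CACHE}" ] || [ -z "${RADIUS_HOST}" ]; then
  echo "CERTBOT_LOCAL_DIR_CONFIG, CERTBOT_LOCAL_DIR_CACHE and RADIUS_HOST must be set in ./config - aborting!"
  return 1 2>/dev/null || exit 1
fi

# Are the required cert files there? (non-empty, following certbot's live/ symlinks)
for f in cert.pem fullchain.pem privkey.pem; do
  if [ ! -s "${CERTBOT_LOCAL_DIR_CONFIG}/live/${RADIUS_HOST}/${f}" ]; then
    echo "Missing file: ${f} - aborting!"
    # Failure is reported to a sourcing parent as status 1; exit when run directly.
    return 1 2>/dev/null || exit 1
  fi
done

# Create cache directory/file if not existing.
# The cache directory later receives server.pem (private key + chain), so it is
# created owner-only. GNU mkdir applies --mode to the final component only, which
# is exactly the directory that will hold the key material.
cache_dir="${CERTBOT_LOCAL_DIR_CACHE}/${RADIUS_HOST}"
if [ ! -d "${cache_dir}/" ]; then
  if ! mkdir --parents --mode=0700 "${cache_dir}/"; then
    echo "Could not create cache directory ${cache_dir} - aborting!"
    return 1 2>/dev/null || exit 1
  fi
fi
# The sha512 file holds the hash of the last key we installed; empty on first run.
if [ ! -s "${cache_dir}/sha512" ]; then
  touch "${cache_dir}/sha512"
fi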
# Check integrity and for any changes/differences, before doing anything on the RADIUS server
# We'll check all 3 just because, even though we're only using 2 of them
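echo -n "Checking certificate integrity..."

# Print the sha512 digest of the "Modulus=..." line of an RSA key or certificate.
#   $1  openssl subcommand: "rsa" for a private key, "x509" for a certificate
#   $2  PEM file to read
# Fails (no output, status 1) when openssl cannot extract a modulus - unreadable
# file, or a non-RSA (e.g. EC) key - instead of hashing an empty string and
# comparing that. The bytes fed to sha512 are identical to the original
# `openssl ... -modulus | openssl sha512` pipeline (the line plus one newline),
# so the digest stays comparable with the cached value and with the one the
# RADIUS host computes below.
modulus_sha512() {
  local mod
  mod=$(openssl "$1" -noout -modulus -in "$2") || return 1
  [ -n "${mod}" ] || return 1
  printf '%s\n' "${mod}" | openssl sha512
}

live_dir="${CERTBOT_LOCAL_DIR_CONFIG}/live/${RADIUS_HOST}"
sha512_cert=$(modulus_sha512 x509 "${live_dir}/cert.pem") || {
  echo "Could not read the modulus of cert.pem (only RSA certificates are supported) - aborting!"
  exit 1
}
# fullchain.pem: openssl x509 reads the first certificate, i.e. the leaf.
sha512_fullchain=$(modulus_sha512 x509 "${live_dir}/fullchain.pem") || {
  echo "Could not read the modulus of fullchain.pem (only RSA certificates are supported) - aborting!"
  exit 1
}
sha512_privkey=$(modulus_sha512 rsa "${live_dir}/privkey.pem") || {
  echo "Could not read the modulus of privkey.pem (only RSA keys are supported) - aborting!"
  exit 1
}
# Hash of the key we installed last time (empty on the first run).
# `cat` rather than the bash-only $(<file) form.
sha512_last=$(cat "${CERTBOT_LOCAL_DIR_CACHE}/${RADIUS_HOST}/sha512")

# Key and both certificate files must share one modulus, otherwise we would
# install a key that does not belong to the certificate.
# NOTE: these are plain exits (as upstream), so when this file is sourced an
# integrity failure also terminates the parent.
if [ "${sha512_privkey}" != "${sha512_cert}" ]; then
  echo "Private key and cert do not match!"
  exit 1
fi
if [ "${sha512_privkey}" != "${sha512_fullchain}" ]; then
  echo "Private key and full chain do not match!"
  exit 1
fi
echo "integrity passed!"

# Did the key change? If not, no sense in continuing...
if [ "${sha512_privkey}" != "${sha512_last}" ]; then
  echo "New key detected, installer will continue!"
else
  # Same key as last time locally - but is it actually installed on the RADIUS
  # host? ${RADIUS_KEY} is expanded into the remote shell command line; it comes
  # from ./config (operator-controlled), so keep it a plain path there.
  # Host-key verification is deliberately left at the ssh default (no
  # StrictHostKeyChecking override) - it is what protects the key copied later.
  # NOTE(review): the digest line format ("(stdin)= ..." vs "SHA512(stdin)= ...")
  # depends on the openssl version; if the local and remote openssl differ, this
  # compare always mismatches and the key is re-installed on every run.
  # An ssh failure lands in the same "continue" branch; the install step then
  # surfaces the error.
  sha512_controller=$(ssh -o LogLevel=error "${RADIUS_USER}@${RADIUS_HOST}" "sudo openssl rsa -noout -modulus -in \"${RADIUS_KEY}\" | openssl sha512")
  if [ "${sha512_privkey}" != "${sha512_controller}" ]; then
    echo "Key is not on controller, installer will continue!"
  else
    echo "Key did not change, stopping!"
    exit 0
  fi
fi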
# Everything is prepped, time to interact with the RADIUS server!
# Backups backups backups!
# Backup original key/cert on RADIUS
# echo -n "Creating backups of key and cert on server..."
# ssh -o LogLevel=error ${RADIUS_USER}@${RADIUS_HOST} "if sudo test -s \"${RADIUS_CERT}.orig\"; then echo -n \"Backup of original cert exists! Creating non-destructive backup as ${RADIUS_CERT}.bak...\"; sudo cp \"${RADIUS_CERT}\" \"${RADIUS_CERT}.bak\"; else echo -n \"no original cert backup found. Creating backup as ${RADIUS_CERT}.orig...\"; sudo cp \"${RADIUS_CERT}\" \"${RADIUS_CERT}.orig\"; fi; if sudo test -s \"${RADIUS_KEY}.orig\"; then echo -n \"Backup of original key exists! Creating non-destructive backup as ${RADIUS_KEY}.bak...\"; sudo cp \"${RADIUS_KEY}\" \"${RADIUS_KEY}.bak\"; else echo -n \"no original key backup found. Creating backup as ${RADIUS_KEY}.orig...\"; sudo cp \"${RADIUS_KEY}\" \"${RADIUS_KEY}.orig\"; fi"
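# Everything is prepped, time to interact with the RADIUS server!
live_dir="${CERTBOT_LOCAL_DIR_CONFIG}/live/${RADIUS_HOST}"
cache_dir="${CERTBOT_LOCAL_DIR_CACHE}/${RADIUS_HOST}"
remote="${RADIUS_USER}@${RADIUS_HOST}"

# Backups backups backups!
# Only the lighttpd server.pem is backed up on the RADIUS host here (the separate
# RADIUS_CERT/RADIUS_KEY backup step is commented out upstream) - keep your own
# copy of the key/cert as described under KEY BACKUP above.
# Every remote step below aborts on failure so that services are never restarted
# on a half-copied state. ${RADIUS_PEM} and friends are expanded into the remote
# command line; they come from ./config, so keep them plain paths.
echo -n "Creating backup of pem key on server..."
ssh -o LogLevel=error "${remote}" "if sudo test -s \"${RADIUS_PEM}.orig\"; then echo -n \"Backup of original pem exists! Creating non-destructive backup as ${RADIUS_PEM}.bak...\"; sudo cp \"${RADIUS_PEM}\" \"${RADIUS_PEM}.bak\"; else echo -n \"no original pem backup found. Creating backup as ${RADIUS_PEM}.orig...\"; sudo cp \"${RADIUS_PEM}\" \"${RADIUS_PEM}.orig\"; fi;" || {
  echo "failed - aborting before touching the server!"
  exit 1
}
echo "done!"

# Copy to RADIUS Server
echo -n "Merging cert files to server.pem for lighttpd..."
# lighttpd wants key + chain in one file. server.pem therefore holds the private
# key, so it is (re)created with owner-only permissions via umask 077 instead of
# inheriting the default umask (typically 0644); umask only affects newly created
# files, hence the rm first. scp carries the source mode over to the staging copy
# in ${RADIUS_USER}'s home on the RADIUS host.
rm -f -- "${cache_dir}/server.pem"
( umask 077 && cat "${live_dir}/privkey.pem" "${live_dir}/fullchain.pem" > "${cache_dir}/server.pem" ) || {
  echo "failed - aborting!"
  exit 1
}

echo -n "Copying files to RADIUS server..."
# Staged in ${RADIUS_USER}'s home, then moved into place with sudo below.
# privkey.pem is copied with the mode certbot keeps on the archive file
# (0600 on current certbot versions - confirm on older installs).
scp -q "${live_dir}/fullchain.pem" "${remote}:~/fullchain.pem" || { echo "copy of fullchain.pem failed - aborting!"; exit 1; }
scp -q "${live_dir}/privkey.pem" "${remote}:~/privkey.pem" || { echo "copy of privkey.pem failed - aborting!"; exit 1; }
scp -q "${cache_dir}/server.pem" "${remote}:~/server.pem" || { echo "copy of server.pem failed - aborting!"; exit 1; }

echo -n "moving to proper location..."
# radius: cert world-readable, key readable by root and the ssl-cert group only.
# Steps are chained with && so a failed mv does not leave the following chmod/chown
# applied to the old files.
ssh -o LogLevel=error "${remote}" "sudo mv -f ~/fullchain.pem \"${RADIUS_CERT}\" && sudo mv -f ~/privkey.pem \"${RADIUS_KEY}\" && sudo chmod 644 \"${RADIUS_CERT}\" && sudo chown root:ssl-cert \"${RADIUS_CERT}\" && sudo chmod 640 \"${RADIUS_KEY}\" && sudo chown root:ssl-cert \"${RADIUS_KEY}\"" || {
  echo "installing RADIUS cert/key failed - aborting!"
  exit 1
}
# lighttpd: combined key+chain, root-only.
ssh -o LogLevel=error "${remote}" "sudo mv -f ~/server.pem \"${RADIUS_PEM}\" && sudo chmod 400 \"${RADIUS_PEM}\" && sudo chown root:root \"${RADIUS_PEM}\"" || {
  echo "installing server.pem failed - aborting!"
  exit 1
}
echo "done!"

# Reload services on the RADIUS host. lighttpd is stopped via its pid file and
# started again by hand (as upstream); the \$(...) is escaped so the pid lookup
# runs on the remote side. Kept as ';' so lighttpd is still restarted if the
# RADIUS service restart fails.
echo -n "Restarting ${RADIUS_SERVICE} and lighttpd..."
ssh -o LogLevel=error "${remote}" "sudo service ${RADIUS_SERVICE} restart; sudo kill -SIGTERM \$(cat /var/run/lighttpd.pid); sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf"
echo "done!"

# Save the new key hash to the cache for next run
echo -n "Caching cert hash..."
printf '%s\n' "${sha512_privkey}" > "${cache_dir}/sha512"
# Log for reference
printf '%s\n' "${sha512_privkey}" >> "${cache_dir}/sha512.log"
echo "done!"

# Done! Return to a sourcing parent, or exit when run directly.
echo "Process completed!"
return 0 2>/dev/null || exit 0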