dehydrated-bigip-common

#!/usr/bin/env bash
# dehydrated-bigip-common
#
# Common functions used in other dehydrated BIG-IP scripts
#

####### START F5CommonRESTAPIs.sh #######

#  Sample F5 BIGIP Reset Configuration script
#  John D. Allen
#  April, 2016
#
#-----------------------------------------------------------------------------------
# Software is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See
# the License for the specific language governing rights and limitations
# under the License.
#
# The Initial Developer of the Original Code is F5 Networks,
# Inc. Seattle, WA, USA. Portions created by F5 are Copyright (C) 2016 F5 Networks,
# Inc. All Rights Reserved.
#
# Author: John D. Allen, Solution Architect, F5 Networks
# Email: john.allen@f5.com
#-----------------------------------------------------------------------------------
# This file contains a number of common iControl REST API functions that are used
# by the other bash scripts.
#

#-------------------------------------------------------
# Function: log()
#-------------------------------------------------------
DATE='date +%m/%d/%Y:%H:%M:%S'
log() {
  echo `$DATE`" $*" >> $LOGFILE
}

#-------------------------------------------------------
# Function: isAvailable()
#   Tests to see if BIGIP is ready to accept API calls.
#-------------------------------------------------------
isAvailable() {
  OUT=$(restCall "GET" "/tm/ltm/available")
  log "isAvailable():`echo $OUT`"
  if [[ $(echo $OUT | grep '^{}')x != x ]]; then
    return 0
  else
    return 1
  fi
}

#-------------------------------------------------------
# Function: whenAvailable()
#  Waits for BIGIP to become available, within the
#  MAXTIMEOUT value.
#-------------------------------------------------------
whenAvailable() {
  # $SECONDS is a built-in Bash var for # of seconds Bash has been running.
  STARTTIME=$SECONDS
  while true; do
    sleep 1
    if (isAvailable); then
      return 0
    fi
    duration=$SECONDS
    if [[ $(($duration - $STARTTIME)) -gt $MAXTIMEOUT ]]; then
      return 1
    fi
  done
}

#-------------------------------------------------------
# Function: isActive()
#   Tests to see if BIGIP is Active in HA cluster.
#-------------------------------------------------------
isActive() {
  OUT=$(restCall "GET" "/tm/cm/failover-status")
  log "isActive():`echo $OUT`"
  if [[ $(echo $OUT | jsonq '["entries"]["https://localhost/mgmt/tm/cm/failover-status/0"]["nestedStats"]["entries"]["status"]["description"]') == ACTIVE ]]; then
    return 0
  else
    return 1
  fi
}


#-------------------------------------------------------
# Function: restCall()
#-------------------------------------------------------
restCall() {
  # $1 => Type (GET, PUT, POST, DELETE, PATCH, etc.)
  # $2 => URL past 'mgmt'  Example: "/tm/security/firewall/policy/~Common~TestPolicy1" for
  #       https://10.147.29.215/mgmt/tm/security/firewall/policy/~Common~TestPolicy1
  # $3 => JSON payload, if any.

  CONTTYPE='-H Content-Type: application/json'
  AUTH="--user $BIGIP_USERNAME:$BIGIP_PASSWORD"
  TIME="--connect-timeout $TIMEOUT"
  MAXTIME="-m $MAXTIMEOUT"
  URL="https://$BIGIP_DEVICE/mgmt$2"
  if [[ $1 == POST || $1 == PATCH || $1 == PUT ]]; then
    log "restCall():${CURL} -sk ${TIME} ${MAXTIME} ${CONTTYPE} ${AUTH} ${URL} -X $1 -d \"$3\""
    ${CURL} -sk ${TIME} ${MAXTIME} ${CONTTYPE} ${AUTH} ${URL} -X $1 -d "$3"
  else
    log "restCall():${CURL} -sk ${TIME} ${MAXTIME} ${CONTTYPE} ${AUTH} ${URL} -X $1 "
    ${CURL} -sk ${TIME} ${MAXTIME} ${CONTTYPE} ${AUTH} ${URL} -X $1
  fi
}

#-------------------------------------------------------
# Function:  jsonq()
#   Extract JSON key value. Example:
#   {
#    "generation": 1,
#    "items": [
#        {
#            "active": true,
#            "build": "0.0.606",
#            "generation": 1
#        }
#     [,
#   }
# ... | jsonq '["items"][0]["active"]'
# True
#-------------------------------------------------------
jsonq() {
  python -c "import sys,json; input=json.load(sys.stdin); print input$1"
}

#-------------------------------------------------------
# Function: saveConfig()
#-------------------------------------------------------
saveConfig() {
  OUT=$(restCall "POST" "/tm/sys/config" '{"command": "save"}')
  log "saveConfig(): `echo $OUT | python -mjson.tool`"
  if [[ $(echo $OUT | jsonq '["kind"]') != "tm:sys:config:savestate" ]]; then
    echo "ERROR! Configuration Save was not successful."
    return 1
  fi
  return 0
}

#-------------------------------------------------------
# Function: runBashCommand()
#-------------------------------------------------------
runBashCommand() {
  log "runBashCommand()[command]: ${1}"

  OUT=$(restCall "POST" "/tm/util/bash" "{\"command\": \"run\", \"utilCmdArgs\": \"-c \\\"${1}\\\"\"}")
  log "runBashCommand(): `echo $OUT | python -mjson.tool`"
  if [[ $(echo $OUT | jsonq '["kind"]') != "tm:util:bash:runstate" ]]; then
    echo "ERROR! Command was not successful."
    return 1
  fi
  return 0
}

#-------------------------------------------------------
# Function: modifyHttpdCerts()
#-------------------------------------------------------
modifyHttpdCerts() {
  log "modifyHttpdCerts()[command]: ${1} ${2}"

  OUT=$(restCall "PATCH" "/tm/sys/httpd" "{\"sslCertfile\": \"${1}\", \"sslCertkeyfile\": \"${2}\"}")
  log "modifyHttpdCerts(): `echo $OUT | python -mjson.tool`"
  if [[ $(echo $OUT | jsonq '["sslCertfile"]') != "${1}" ]]; then
    echo "ERROR! Command was not successful."
    return 1
  fi
  return 0
}

#-------------------------------------------------------
# Function: restartService()
#-------------------------------------------------------
restartService() {
  log "restartService()[service]: ${1}"

  OUT=$(restCall "PATCH" "/tm/sys/service/~${1}" "{\"reinit\":true}")
  log "restartService(): `echo $OUT`"
  if [ "${OUT}x" != "x" ] ; then
    echo "ERROR! The service may not exist or may not have been restarted ($OUT)"
    return 1
  fi
  return 0
}


#-------------------------------------------------------
# Function: createCertFromUpload()
#   Creates a certificate/key object
# $1 => Name for certificate object
# $2 => Uploaded file name
#-------------------------------------------------------
createCertFromUpload() {
  NAME="/${BIGIP_PARTITION}/${1}"
  OUT=$(restCall "POST" "/tm/sys/crypto/cert" "{ \"command\": \"install\", \"name\": \"${NAME}\", \"from-local-file\": \"/var/config/rest/downloads/${2}\" }")
  log "createCertFromUpload()[Write Back Results]: `echo $OUT | python -mjson.tool`"
  if [ "`echo ${OUT} | grep 'key and certificate do not match'`x" != "x" ]; then
	#Output returns certificate and key mismatch, return error 2
	return 2
  fi
  return 0
}

#-------------------------------------------------------
# Function: ocspStapleCert()
#   Enables OCSP stapling on the cert
# $1 => Name for certificate object
# $2 => Name of OCSP validator profile
#-------------------------------------------------------
ocspStapleCert() {
  # Doesn't currently work in iControl REST with BIGIP v13.0.0 HF2 - no point implementing just yet
  return 0
}

#-------------------------------------------------------
# Function: createKeyFromUpload()
#   Creates a certificate/key object
# $1 => Name for certificate object
# $2 => Uploaded file name
#-------------------------------------------------------
createKeyFromUpload() {
  NAME="/${BIGIP_PARTITION}/${1}"
  OUT=$(restCall "POST" "/tm/sys/crypto/key" "{ \"command\": \"install\", \"name\": \"${NAME}\", \"from-local-file\": \"/var/config/rest/downloads/${2}\", \"securityType\": \"normal\" }")
  log "createKeyFromUpload()[Write Back Results]: `echo $OUT | python -mjson.tool`"
  return 0
}

#-------------------------------------------------------
# Function: createClientSSLProfile()
# Creates a client SSL profile on BIGIP
# $1 => name of client SSL profile
# $2 => parent SSL profile
# $3 => partition
# $4 => cert
# $5 => key
# $6 => chain
# $7 => server name
#-------------------------------------------------------
createClientSSLProfile() {
  EXISTENCE=$(restCall "GET" "/tm/ltm/profile/client-ssl/~${3}~${1}")
  log "createClientSSLProfile(): $EXISTENCE"

  if [ "`echo ${EXISTENCE} | grep '"kind":"tm:ltm:profile:client-ssl:client-sslstate"'`x" != "x" ] ; then
    # Profile already exists
    OUT=$(restCall "PATCH" "/tm/ltm/profile/client-ssl/~${3}~${1}" "{ \"defaultsFrom\": \"${2}\", \"cert\": \"${4}\", \"key\": \"${5}\", \"chain\": \"${6}\", \"serverName\": \"${7}\" }")
  else
    # Create new profile
    OUT=$(restCall "POST" "/tm/ltm/profile/client-ssl" "{ \"name\": \"${1}\", \"partition\": \"${3}\", \"defaultsFrom\": \"${2}\", \"cert\": \"${4}\", \"key\": \"${5}\", \"chain\": \"${6}\", \"serverName\": \"${7}\" }")
  fi

  log "createClientSSLProfile(): $OUT"

  #if [[ $(echo $OUT | jsonq '["kind"]') != "tm:ltm:data-group:internal:internalstate" ]] && [[ $(echo $OUT | jsonq '["kind"]') != "tm:ltm:profile:client-ssl:client-sslstate" ]]; then
  #  echo "ERROR: Unable to create client SSL profile ${1}"
  #  log "createClientSSLProfile(): $OUT"
  #  return 1
  #fi
#
#  log "createClientSSLProfile(): `echo $OUT | python -mjson.tool`"

  return 0
}

#-------------------------------------------------------
# Function: getCurrentCertSerialNumber()
# gets the current serialNumber from a certificate assigned to a ClientSSLProfile on a BIGIP
# $1 => name of client SSL profile
# $2 => partition
#-------------------------------------------------------
getCurrentCertSerialNumber() {
  SSLPROFILE=$(restCall "GET" "/tm/ltm/profile/client-ssl/~${2}~${1}")
  log "getCurrentCertSerialNumber() SSLPROFILE: $SSLPROFILE"


  if [ "`echo ${SSLPROFILE} | grep '"kind":"tm:ltm:profile:client-ssl:client-sslstate"'`x" != "x" ] ; then
    # Profile already exists
    # Get the certificate from the SSL profile
	#Get the certReference -> link property from the SSLClientProfile, and strip the hostname and /mgmt part of the link
    CERTLINK=$(echo $SSLPROFILE | jsonq '["certReference"]["link"]' | sed -E -s "s|https://[a-zA-Z0-9\-\.]*/mgmt/|/|" )
	log "getCurrentCertSerialNumber() CERTLINK: $CERTLINK"
    
    if [ "`echo ${CERTLINK}x`" != "x" ] ; then
	  #Certlink exits and is not empty
      CERT=$(restCall "GET" "$CERTLINK")
      log "getCurrentCertSerialNumber() CERT: $CERT"
	  
	  if [ "`echo ${CERT} | grep '"kind":"tm:sys:file:ssl-cert:ssl-certstate"'`x" != "x" ] ; then
	    SERIAL=$(echo $CERT | jsonq '["serialNumber"]' | sed -E -s "s|:||g" )
		log "getCurrentCertSerialNumber() SERIAL: $SERIAL"
		echo $SERIAL
	  else
	    log "Cert not found or valid"
		return 3
	  fi
    else
      log "SSL cert link not found, return empty"
      return 2
    fi
  else
    # profile does not exist, resturn empty string
    log "Profile not found, return empty"
    return 1
  fi
  
}


#-------------------------------------------------------
# Function: uploadFile()
#   Upload file to F5 BIG-IP
# $1 => Name of file to upload
# $2 => Destination file name
#-------------------------------------------------------
uploadFile() {
  log "uploadFile()[Upload File]: ${1} ${2}"

  # if we can't read the source file don't bother and error
  if [ ! -r ${1} ] ; then
    return 1
  fi

  # destination file name should be the same as source if not specified
  if [ "${2}x" == "x" ] ; then
    DEST_FILENAME=`basename ${1}`
  else
    DEST_FILENAME=${2}
  fi

  declare -i CHUNK_SIZE
  declare -i FILESIZE
  declare -i TMP_FILESIZE
  declare -i BYTES_START
  declare -i BYTES_END

  FILENAME=`basename ${1}`
  CHUNK_SIZE=$((512 * 1024))
  FILESIZE=`stat -L -c%s ${1}`
  CHUNKS=$((${FILESIZE} / ${CHUNK_SIZE}))

  if [ $((${CHUNKS} * ${CHUNK_SIZE})) -lt ${FILESIZE} ] ; then
    CHUNKS=$((${CHUNKS} + 1))
  fi

  BYTES_START=0

  if [ ${FILESIZE} -le ${CHUNK_SIZE} ] ; then
    OUT=$(/bin/bash -c "${CURL} -s --insecure -X POST --data-binary '@${1}' --user '${BIGIP_USERNAME}:${BIGIP_PASSWORD}' -H 'Content-Type: application/octet-stream' -H 'Content-Range: ${BYTES_START}-$((${FILESIZE} - 1))/${FILESIZE}' 'https://${BIGIP_DEVICE}/mgmt/shared/file-transfer/uploads/${DEST_FILENAME}'")
    log "${CURL} -s --insecure -X POST --data-binary '@${1}' --user '${BIGIP_USERNAME}:${BIGIP_PASSWORD}' -H 'Content-Type: application/octet-stream' -H 'Content-Range: ${BYTES_START}-$((${FILESIZE} - 1))/${FILESIZE}' 'https://${BIGIP_DEVICE}/mgmt/shared/file-transfer/uploads/${DEST_FILENAME}'"
  else
    TMP_FILE=`mktemp`
    COUNT=0
    while [ ${COUNT} -lt ${CHUNKS} ] ; do
      BYTES_START=$((${COUNT} * ${CHUNK_SIZE}))
      # echo "CHUNK #${COUNT}"
      echo -n '' > ${TMP_FILE}
      dd if="${1}" ibs=${CHUNK_SIZE} skip=${COUNT} bs=${CHUNK_SIZE} count=1 of="${TMP_FILE}" 1>/dev/null 2>&1
      TMP_FILESIZE=`stat -L -c%s ${TMP_FILE}`
      BYTES_END=$((${BYTES_START} + ${TMP_FILESIZE} - 1))
      OUT=$(/bin/bash -c "${CURL} -s --insecure -X POST --data-binary '@${TMP_FILE}' --user '${BIGIP_USERNAME}:${BIGIP_PASSWORD}' -H 'Content-Type: application/octet-stream' -H 'Content-Range: ${BYTES_START}-${BYTES_END}/${FILESIZE}' 'https://${BIGIP_DEVICE}/mgmt/shared/file-transfer/uploads/${DEST_FILENAME}'")
      log "${CURL} -v --insecure -X POST --data-binary '@${TMP_FILE}' --user '${BIGIP_USERNAME}:${BIGIP_PASSWORD}' -H 'Content-Type: application/octet-stream' -H 'Content-Range: ${BYTES_START}-${BYTES_END}/${FILESIZE}' 'https://${BIGIP_DEVICE}/mgmt/shared/file-transfer/uploads/${DEST_FILENAME}'"
      COUNT=$((${COUNT} + 1))
    done
  fi

  if [ "${TMP_FILE}x" != "x" ] && test -e "${TMP_FILE}" ; then
    rm -f "${TMP_FILE}"
  fi

  ##  Overwrite the old records list with the new one.
  # OUT=$(restCall "POST" "/mgmt/shared/file-transfer/uploads/~${BIGIP_PARTITION}~${1}" "{ \"records\": ${TT} }")
  log "uploadFile()[Upload results]: `echo $OUT | python -mjson.tool`"

  return 0
}

deploy_traffic_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" BIGIP_DEVICE="${7}"

    if [ "${TIMESTAMP}x" != "x" ] && [ "${BIGIP_DEVICE}x" == "x" ] ; then
      BIGIP_DEVICE=${TIMESTAMP}
      TIMESTAMP="UNKNOWN"
    fi

    # This hook is called once for each certificate that has been
    # produced. Here you might, for instance, copy your new certificates
    # to service-specific locations and reload the service.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).

    echo "NOTE: Deploying certs to F5 BIG-IP ${BIGIP_DEVICE} (${DOMAIN}#${KEYFILE}#${CERTFILE}#${FULLCHAINFILE}#${CHAINFILE})"

    if [ "${TIMESTAMP_NAME}x" == "1x" ] && [ "${TIMESTAMP}x" != "x" ] ; then
      CERTFILE_NAME="${DOMAIN}-${TIMESTAMP}.crt"
      KEYFILE_NAME="${DOMAIN}-${TIMESTAMP}.key"
      FULLCHAINFILE_NAME="${DOMAIN}-${TIMESTAMP}-FULLCHAIN.crt"
      CHAINFILE_NAME="${DOMAIN}-${TIMESTAMP}-CHAIN.crt"
    else
      CERTFILE_NAME="${DOMAIN}.crt"
      KEYFILE_NAME="${DOMAIN}.key"
      FULLCHAINFILE_NAME="${DOMAIN}-FULLCHAIN.crt"
      CHAINFILE_NAME="${DOMAIN}-CHAIN.crt"
    fi

    if [ -r ${CERTFILE} ] ; then
        OUT=$(uploadFile ${CERTFILE} ${DOMAIN}.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
          exit 1
        fi

        OUT=$(createCertFromUpload ${CERTFILE_NAME} ${DOMAIN}.crt)
		case "$?" in
		0)
		  #Everything Okay, continue
		  ;;
		2)
		  #Error returned in REST call, filename of cert/key probably exists already with other key, rename and try again
          CERTFILE_NAME="${DOMAIN}_${TIMESTAMP}.crt"
          KEYFILE_NAME="${DOMAIN}_${TIMESTAMP}.key"
          FULLCHAINFILE_NAME="${DOMAIN}-FULLCHAIN_${TIMESTAMP}.crt"
          CHAINFILE_NAME="${DOMAIN}-CHAIN_${TIMESTAMP}.crt"
			
          #Try uploading again with new filename
          OUT=$(createCertFromUpload ${CERTFILE_NAME} ${DOMAIN}.crt)
		  ;;
		*)
          echo "Error: Certificate for ${DOMAIN} was not created correctly!"
          exit 1
		  ;;
		esac
			
    else
        echo "Error: File ${CERTFILE} does not exist or is unreadable!"
        exit 1
    fi

    if [ -r ${KEYFILE} ] ; then
        OUT=$(uploadFile ${KEYFILE} ${DOMAIN}.key)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
        fi

        OUT=$(createKeyFromUpload ${KEYFILE_NAME} ${DOMAIN}.key)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not created correctly!"
        fi
    else
        echo "Error: File ${KEYFILE} does not exist or is unreadable!"
        exit 1
    fi

    if [ -r ${FULLCHAINFILE} ] ; then
        OUT=$(uploadFile ${FULLCHAINFILE} ${DOMAIN}-FULLCHAIN.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
        fi

        OUT=$(createCertFromUpload ${FULLCHAINFILE_NAME} ${DOMAIN}-FULLCHAIN.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not created correctly!"
        fi
    else
        echo "Error: File ${FULLCHAINFILE} does not exist or is unreadable!"
        exit 1
    fi

    if [ -r ${CHAINFILE} ] ; then
        OUT=$(uploadFile ${CHAINFILE} ${DOMAIN}-CHAIN.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
        fi

        OUT=$(createCertFromUpload ${CHAINFILE_NAME} ${DOMAIN}-CHAIN.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not created correctly!"
        fi
    else
        echo "Error: File ${CHAINFILE} does not exist or is unreadable!"
        exit 1
    fi

    # Enable OCSP Stapling on certs
    # TBC

    # Create ClientSSL certificate
    # Read SAN's from certificate
    if test -r "${CERTFILE}" ; then
      SAN_LIST=`openssl x509 -in ${CERTFILE} -text | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0);gsub(/,/, " ", $0);gsub(/DNS:/, "", $0); print}'`
      NAME_LIST=`for i in ${DOMAIN} ${SAN_LIST} ; do echo ${i} ; done | sort -u | grep -v -E -e '^[0-9]{1,3}\.^[0-9]{1,3}\.^[0-9]{1,3}\.^[0-9]{1,3}$' -`
      for SERVER_NAME in ${PRIMARY_DOMAIN} ${SAN_LIST} ; do
        CLIENTSSL_NAME="${SERVER_NAME}"

        echo "Creating Client SSL profile ${CLIENTSSL_NAME} for ${SERVER_NAME} from ${CERTFILE}"
        OUT=$(createClientSSLProfile ${CLIENTSSL_NAME} ${BIGIP_CLIENT_SSL_PARENT} ${BIGIP_PARTITION} ${CERTFILE_NAME} ${KEYFILE_NAME} ${CHAINFILE_NAME} ${SERVER_NAME})
      done
    fi
}

deploy_mgmt_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" BIGIP_DEVICE="${7}"

    if [ "${TIMESTAMP}x" != "x" ] && [ "${BIGIP_DEVICE}x" == "x" ] ; then
      BIGIP_DEVICE=${TIMESTAMP}
      TIMESTAMP="UNKNOWN"
    fi

    # This hook is called once for each certificate that has been
    # produced. Here you might, for instance, copy your new certificates
    # to service-specific locations and reload the service.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.

    echo "NOTE: Deploying management interface certs and key to F5 BIG-IP (${DOMAIN}#${KEYFILE}#${FULLCHAINFILE})"

    if [ "${TIMESTAMP_NAME}x" == "1x" ] && [ "${TIMESTAMP}x" != "x" ] ; then
      CERTFILE_NAME="${DOMAIN}-${TIMESTAMP}.crt"
      KEYFILE_NAME="${DOMAIN}-${TIMESTAMP}.key"
      FULLCHAINFILE_NAME="${DOMAIN}-${TIMESTAMP}-FULLCHAIN.crt"
      CHAINFILE_NAME="${DOMAIN}-${TIMESTAMP}-CHAIN.crt"
    else
      CERTFILE_NAME="${DOMAIN}.crt"
      KEYFILE_NAME="${DOMAIN}.key"
      FULLCHAINFILE_NAME="${DOMAIN}-FULLCHAIN.crt"
      CHAINFILE_NAME="${DOMAIN}-CHAIN.crt"
    fi

    echo "NOTE: Uploading full certificate chain and key"

    if [ -r ${KEYFILE} ] ; then
        OUT=$(uploadFile ${KEYFILE} ${DOMAIN}.key)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
          exit 1
        else
          OUT=$(runBashCommand "cp /var/config/rest/downloads/${DOMAIN}.key /etc/httpd/conf/ssl.key/${DOMAIN}.key")
        fi
    else
        echo "Error: File ${KEYFILE} does not exist or is unreadable!"
        exit 1
    fi

    if [ -r ${FULLCHAINFILE} ] ; then
        OUT=$(uploadFile ${FULLCHAINFILE} ${DOMAIN}-FULLCHAIN.crt)
        if ! $OUT; then
          echo "Error: Certificate for ${DOMAIN} was not uploaded correctly!"
          exit 1
        else
          OUT=$(runBashCommand "cp /var/config/rest/downloads/${DOMAIN}-FULLCHAIN.crt /etc/httpd/conf/ssl.crt/${DOMAIN}.crt")
        fi
    else
        echo "Error: File ${FULLCHAINFILE} does not exist or is unreadable!"
        exit 1
    fi

    # cleanup upload files
    OUT=$(runBashCommand "rm -fv /var/config/rest/downloads/${DOMAIN}.key /var/config/rest/downloads/${DOMAIN}-FULLCHAIN.crt")
    echo "NOTE: Removed uploaded files ($OUT)"

    # TODO add validation command to check all files are in place correctly before modifying httpd config

    # modify httpd config
    OUT=$(modifyHttpdCerts /etc/httpd/conf/ssl.crt/${DOMAIN}.crt /etc/httpd/conf/ssl.key/${DOMAIN}.key)
    echo "NOTE: Modified httpd config ($OUT)"

    # restart service to use new cert/key
    OUT=$(restartService "httpd")
    echo "NOTE: Restarted httpd service ($OUT)"
}

# EOF