From bfb81969e91a5c33f68aa085e7525d8681fdbc32 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Tue, 10 Nov 2020 15:00:48 -0500 Subject: [PATCH] indent, factor out certbot install --- certbot-setup | 37 +++++++ web-conf | 281 ++++++++++++++++++++++++++------------------------ 2 files changed, 184 insertions(+), 134 deletions(-) create mode 100755 certbot-setup diff --git a/certbot-setup b/certbot-setup new file mode 100755 index 0000000..caed0ad --- /dev/null +++ b/certbot-setup @@ -0,0 +1,37 @@ +#!/bin/bash + +# usage: $0 apache2|nginx + +if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi +shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" + +t=$1 + +if apt-cache show python3-certbot-apache &>/dev/null; then + pyver=3 +fi +pkgs=(certbot python${pyver}-certbot-${t%2}) +if ! dpkg -s -- ${pkgs[@]} 2>&1 | grep -Fx "Status: install ok installed" &> /dev/null; then + apt-get -y install --purge --auto-remove ${pkgs[@]} +fi +# Make a version of the certbot timer that emails me. +if [[ -e /a/bin/log-quiet/sysd-mail-once ]]; then + x=/systemd/system/certbot + md5=$(md5sum /lib$x.timer /lib$x.service 2>/dev/null) ||: + sed -r -f - /lib$x.timer <<'EOF' >/etc${x}mail.timer +s,^Description.*,\0 mail version, +EOF + sed -r -f - /lib$x.service <<'EOF' > /etc${x}mail.service +s,(ExecStart=).*,\1/a/bin/log-quiet/sysd-mail-once certbotmail /usr/bin/certbot renew, +EOF + if [[ $md5sum != "$(md5sum /lib$x.timer /lib$x.service)" ]]; then + systemctl daemon-reload + fi + systemctl stop certbot.timer + systemctl disable certbot.timer + systemctl start certbotmail.timer + systemctl enable certbotmail.timer +fi diff --git a/web-conf b/web-conf index db509d7..b27ec1a 100755 --- a/web-conf +++ b/web-conf @@ -18,18 +18,26 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +readonly this_dir="${this_file%/*}" + shopt -s nullglob # used in apache config file expansion usage() { - cat </dev/null; then - # cerbot needs an existing virtualhost. - $0 -p 80 $t $h - # when generating an example config, add all relevant security options: - # --hsts --staple-ocsp --uir --must-staple - certbot certonly -n --email $email --no-self-upgrade \ - --agree-tos --${t%2} -d $h - rm $vhost_file - fi + + $this_dir/certbot-setup $t + + f=$cert_dir/fullchain.pem + threedays=259200 # in seconds + if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then + # cerbot needs an existing virtualhost. + $0 -p 80 $t $h + # when generating an example config, add all relevant security options: + # --hsts --staple-ocsp --uir --must-staple + certbot certonly -n --email $email --no-self-upgrade \ + --agree-tos --${t%2} -d $h + rm $vhost_file + fi + + fi if [[ $t == apache2 ]]; then - rm -f $se/000-default.conf - # note, we exepct ServerRoot of /etc/apache2 - # apache requires exactly 1 listen directive per port (when no ip is also given), - # so we have to parse the config to do it programatically. - listen_80=false - listen_port=false - cd /etc/apache2 - conf_files=(apache2.conf) - - - for (( i=0; i < ${#conf_files[@]}; i++ )); do - f="${conf_files[i]}" - # note: globs are expanded here. - conf_files+=( $(sed -rn "s,^\s*Include(Optional)?\s+(\S+).*,\2,p" "$f") ) - case $(readlink -f "$f") in - $vhost_file|$redir_file) continue ;; - esac - for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do - case $p in - 80) listen_80=true ;;& - $port) listen_port=true ;; - esac - done + rm -f $se/000-default.conf + # note, we exepct ServerRoot of /etc/apache2 + # apache requires exactly 1 listen directive per port (when no ip is also given), + # so we have to parse the config to do it programatically. + listen_80=false + listen_port=false + cd /etc/apache2 + conf_files=(apache2.conf) + + + for (( i=0; i < ${#conf_files[@]}; i++ )); do + f="${conf_files[i]}" + # note: globs are expanded here. + conf_files+=( $(sed -rn "s,^\s*Include(Optional)?\s+(\S+).*,\2,p" "$f") ) + case $(readlink -f "$f") in + $vhost_file|$redir_file) continue ;; + esac + for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do + case $p in + 80) listen_80=true ;;& + $port) listen_port=true ;; + esac done + done - cat >$vhost_file <$vhost_file < ServerName $h ServerAlias www.$h @@ -168,36 +181,36 @@ DocumentRoot $root EOF - if [[ $extra_settings ]]; then - cat -- $extra_settings >>$vhost_file - fi + if [[ $extra_settings ]]; then + cat -- $extra_settings >>$vhost_file + fi - # go faster! - if [[ -e /etc/apache2/mods-available/http2.load ]]; then - # https://httpd.apache.org/docs/2.4/mod/mod_http2.html - a2enmod -q http2 - cat >>$vhost_file <>$vhost_file <>$vhost_file <>$vhost_file <>$vhost_file <>$vhost_file <$redir_file <$redir_file < ServerName $h ServerAdmin webmaster@localhost @@ -223,15 +236,15 @@ RewriteCond %{SERVER_NAME} =$h RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent] EOF - if ! $listen_80; then - cat >>$redir_file <<'EOF' + if ! $listen_80; then + cat >>$redir_file <<'EOF' Listen 80 EOF - fi + fi - # this is a copy of a file certbot, see below. - echo "$0: creating $common_ssl_conf" - cat >$common_ssl_conf <<'EOF' + # this is a copy of a file certbot, see below. + echo "$0: creating $common_ssl_conf" + cat >$common_ssl_conf <<'EOF' # This file contains important security parameters. If you modify this file # manually, Certbot will be unable to automatically provide future security # updates. Instead, Certbot will print and log an error message with a path to @@ -253,9 +266,9 @@ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_c LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common EOF - upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf - if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then - cat <>$vhost_file <<'EOF' + cat >>$vhost_file <<'EOF' ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined EOF - if ! $listen_port; then - # reference: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen - cat >>$vhost_file <>$vhost_file </dev/null; then - # fun fact: nginx can be configured to do http2 without ssl. - ssl_arg+=" http2" - fi + common_ssl_conf=/etc/nginx/common-ssl.conf + + rm -f $se/default + cd /etc/nginx + [[ -e dh2048.pem ]] || openssl dhparam -out dh2048.pem 2048 + + if $ssl; then + ssl_arg=ssl + if nginx -V |& grep -- '--with-http_v2_module\b' &>/dev/null; then + # fun fact: nginx can be configured to do http2 without ssl. + ssl_arg+=" http2" fi + fi - cat >$common_ssl_conf <<'EOF' + cat >$common_ssl_conf <<'EOF' # let's encrypt gives us a bad nginx config, so use this: # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # using modern config. last checked 2017/4/22 @@ -338,7 +351,7 @@ ssl_stapling_verify on; # ian: commented out, our local dns is expected to work fine. #resolver ; EOF - cat >$vhost_file <$vhost_file <>$vhost_file <>$vhost_file <$redir_file <$redir_file <>$vhost_file - fi + if [[ $extra_settings ]]; then + cat $extra_settings >>$vhost_file + fi - if [[ $proxy ]]; then - cat >>$vhost_file <>$vhost_file <>$vhost_file <>$vhost_file <