#!/bin/bash CERTFILE="/etc/lighttpd/server.pem" CHAINFILE="/etc/lighttpd/chain.pem" op_disable () { [ -e "$CERTFILE" ] || exit 0 rm -f -- "$CERTFILE" || exit 1 rm -f -- "$CHAINFILE" } op_test () { [ $# -eq 2 ] || exit 1 local K=$1 local C=$2 [ -r "$K" ] || exit 2 [ -r "$C" ] || exit 3 # Encrypt something, then decrypt again and compare local TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX) local TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX) local TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX) [ -z "$TEST_IN" ] && exit 4 [ -z "$TEST_OUT" ] && exit 5 [ -z "$TEST_DIFF" ] && exit 6 date > "$TEST_IN" openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C" || exit 7 openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K" || exit 8 diff -q "$TEST_IN" "$TEST_DIFF" || exit 9 exit 0 # No restart either way } op_import () { [ $# -lt 2 ] && exit 1 local K=$1 local C=$2 local CHAIN=$3 [ -r "$K" ] || exit 2 [ -r "$C" ] || exit 3 rm -f -- "$CHAINFILE" # Create server.pem cat "$C" "$K" > "$CERTFILE" chmod 0600 "$CERTFILE" || exit 4 rm -f -- "$C" "$K" # If we have a chainfile, try to use it aswell if [ -s "$CHAIN" ]; then openssl x509 -noout -hash -in "$CHAIN" >/dev/null 2>&1 && cp "$CHAIN" "$CHAINFILE" fi generate_dh return 0 } op_random () { [ -z "$1" ] && exit 1 rm -f -- "$CHAINFILE" openssl req -x509 -new -newkey rsa:4096 -keyout "$CERTFILE" -out "$CERTFILE" -days 5000 -nodes -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$1" || exit 2 chmod 0600 "$CERTFILE" || exit 3 generate_dh return 0 } generate_dh () { local DHPARAM="/etc/lighttpd/dhparam.pem" if ! [ -s "$DHPARAM" ]; then echo "Generating DH parameters (this takes a while)..." if openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1; then echo "done" else echo "failed" rm -f -- "$DHPARAM" fi fi } OP=$1 shift case "$OP" in --random) op_random "$@" ;; --test) op_test "$@" ;; --import) op_import "$@" ;; --disable) op_disable ;; *) echo "Invalid operation: $1" exit 1 ;; esac systemctl restart lighttpd exit 0