#!/bin/bash

# Files under lighttpd's configuration directory that this script manages.
readonly CERT_KEY_FILE="/etc/lighttpd/server.pem"   # private key followed by the certificate
readonly PUB_CERT_FILE="/etc/lighttpd/pub-cert.pem" # certificate only, extracted from server.pem
readonly CHAIN_FILE="/etc/lighttpd/chain.pem"       # optional chain, copied from --import's 3rd argument
readonly REDIR_FLAG="/etc/lighttpd/redirect.flag"   # marker file created by --redirect, removed otherwise

op_disable ()
{
	# Remove the installed key/certificate and chain so lighttpd no longer
	# serves HTTPS. The extracted public certificate is left in place.
	# Exits 0 (skipping the restart at the end of the script) when nothing is
	# installed, exits 1 if the key file cannot be removed; returns otherwise.
	if ! [ -e "$CERT_KEY_FILE" ]; then
		exit 0
	fi
	rm -f -- "$CERT_KEY_FILE" || exit 1
	rm -f -- "$CHAIN_FILE"
}

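op_test ()
{
	# Check that a private key and a certificate belong together: encrypt a
	# small payload to the certificate, decrypt it with the key and compare.
	# Arguments: $1 - private key file, $2 - certificate file
	# Exits:     0 key and cert match (exits directly, so the lighttpd restart
	#              at the end of the script is skipped),
	#            1 wrong argument count, 2 key unreadable, 3 cert unreadable,
	#            4 no scratch directory, 5 scratch directory not writable,
	#            7 encrypt failed, 8 decrypt failed, 9 round trip mismatch.
	#            Always exits, never returns.
	[ $# -eq 2 ] || exit 1
	local K=$1
	local C=$2
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	# One private (0700) scratch directory instead of three loose files;
	# declared separately so 'local' cannot mask mktemp's exit status.
	local TMP
	TMP=$(mktemp -d --tmpdir bwlp-XXXXXXXX) || exit 4
	[ -n "$TMP" ] || exit 4
	# This function always finishes via exit, so an EXIT trap removes the
	# scratch files on every path. The path is expanded (shell-quoted) now
	# rather than when the trap fires, since locals may not be visible then.
	trap "rm -rf -- $(printf '%q' "$TMP")" EXIT
	local TEST_IN="$TMP/in" TEST_OUT="$TMP/enc" TEST_DIFF="$TMP/dec"
	date > "$TEST_IN" || exit 5
	openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C" || exit 7
	openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K" || exit 8
	diff -q "$TEST_IN" "$TEST_DIFF" || exit 9
	exit 0 # No restart either way
}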

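op_import ()
{
	# Install an uploaded private key and certificate (plus an optional chain)
	# as lighttpd's server.pem. The uploaded key and certificate files are
	# deleted once installed.
	# Arguments: $1 - private key file, $2 - certificate file,
	#            $3 - chain file (optional; only used if it parses as a cert)
	# Exits 1 on bad argument count, 2/3 if key/cert is unreadable, 4 if
	# server.pem cannot be written or locked down; returns 0 otherwise.
	[ $# -lt 2 ] && exit 1
	local K=$1
	local C=$2
	local CHAIN=${3-}
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	rm -f -- "$CHAIN_FILE"
	# Create server.pem from scratch under umask 077 so the private key is
	# never readable by others, not even between creation and the chmod
	# below (a pre-existing file might carry a wider mode). The cat/echo
	# chain makes a failure of either input abort the write.
	rm -f -- "$CERT_KEY_FILE"
	(
		umask 077
		{ cat -- "$C" && echo && cat -- "$K"; } > "$CERT_KEY_FILE"
	) || exit 4
	chmod 0600 "$CERT_KEY_FILE" || exit 4
	rm -f -- "$C" "$K"
	# If we have a chainfile, try to use it as well - but only if openssl
	# can parse it as a certificate.
	if [ -s "$CHAIN" ]; then
		openssl x509 -noout -hash -in "$CHAIN" >/dev/null 2>&1 && cp -- "$CHAIN" "$CHAIN_FILE"
	fi
	post_setup_hook
	return 0
}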

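op_random ()
{
	# Generate a fresh self-signed RSA-4096 key and certificate into server.pem.
	# Arguments: $1 - common name (CN) for the certificate subject. Note that
	#            openssl reads '/' as a separator inside -subj, so a CN
	#            containing '/' would add further subject components.
	# Exits 1 without a CN, 2 if openssl fails, 3 if the key file cannot be
	# locked down; returns 0 otherwise.
	[ -z "${1-}" ] && exit 1
	local CN=$1
	rm -f -- "$CHAIN_FILE"
	# Remove any old file and let openssl create the new one under umask 077
	# so the private key is never readable by others, not even before the
	# chmod below.
	rm -f -- "$CERT_KEY_FILE"
	(
		umask 077
		openssl req -x509 -new -newkey rsa:4096 -keyout "$CERT_KEY_FILE" -out "$CERT_KEY_FILE" -days 5000 -nodes \
			-subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$CN"
	) || exit 2
	chmod 0600 "$CERT_KEY_FILE" || exit 3
	post_setup_hook
	return 0
}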

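post_setup_hook ()
{
	# Run after a new server.pem is in place: extract the public certificate
	# into PUB_CERT_FILE and make sure DH parameters exist.
	# Outputs progress messages on stdout, failures on stderr; returns 0.
	rm -f -- "$PUB_CERT_FILE"
	if ! openssl x509 -outform pem -in "$CERT_KEY_FILE" -out "$PUB_CERT_FILE"; then
		# Do not leave an empty or partial public certificate behind.
		echo "Extracting the public certificate from $CERT_KEY_FILE failed" >&2
		rm -f -- "$PUB_CERT_FILE"
	fi
	local DHPARAM="/etc/lighttpd/dhparam.pem"
	# Only generated once; a zero-sized leftover from a failed run is removed
	# below so the next run retries.
	if ! [ -s "$DHPARAM" ]; then
		echo "Generating DH parameters (this takes a while)..."
		if openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1; then
			echo "done"
		else
			echo "failed"
			rm -f -- "$DHPARAM"
		fi
	fi
}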

setup_redirect ()
{
	# Mirror the --redirect choice into a marker file: create REDIR_FLAG when
	# REDIR is non-empty, remove it otherwise. What consumes the marker is
	# outside this script. Returns the status of touch/rm.
	case "${REDIR:+set}" in
		set)
			touch "$REDIR_FLAG"
			;;
		*)
			rm -f -- "$REDIR_FLAG"
			;;
	esac
}

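# ---- entry point -----------------------------------------------------------
# Usage: install-https [--redirect] [--redirect-only] <operation> [args...]
#   --redirect       create the redirect marker file (it is removed otherwise)
#   --redirect-only  only update the redirect marker, run no operation
#   operation        --random <CN> | --test <key> <cert>
#                    | --import <key> <cert> [chain] | --disable
RE_ONLY=
REDIR=
# Leading flags may come in any order; stop at the first non-flag argument.
while true; do
	case "$1" in
	--redirect-only)
		RE_ONLY=true
		;;
	--redirect)
		REDIR=true
		;;
	*)
		break
		;;
	esac
	shift
done

setup_redirect

if [ -z "$RE_ONLY" ]; then

	OP=$1
	shift

	case "$OP" in
		--random) op_random "$@" ;;
		--test) op_test "$@" ;;
		--import) op_import "$@" ;;
		--disable) op_disable ;;
		*)
			# After the shift above $1 is the first operand, so report $OP.
			echo "Invalid operation: $OP"
			exit 1
			;;
	esac

fi

# op_test and an idle op_disable exit above; every other path falls through
# here to pick up the new configuration. A failed restart is reported but
# deliberately does not change the script's exit status.
sleep .5
systemctl restart lighttpd || echo "Warning: restarting lighttpd failed" >&2

exit 0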