File: //bigscoots/wpo/extras/gen_ss_ssl.bs
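#!/bin/bash
# Generate a self-signed certificate for DOMAIN (SANs: DOMAIN and www.DOMAIN)
# under /usr/local/nginx/conf/ssl/<DOMAIN>/, write the shared ssl_include.conf
# if it does not exist yet, then validate the nginx configuration and reload.
# If nginx complains that a listener has no certificate, the offending
# <domain>.ssl.conf is patched to reference the generated key/cert.
#
# Usage:    gen_ss_ssl.bs <domain>
# Globals:  HOSTNAME (read; used in mail subjects)
# Requires: openssl, nginx, ngxreload, mail in PATH.

die() { printf '%s\n' "$*" >&2; exit 1; }

DOMAIN=$1
# DOMAIN is spliced into filesystem paths and into OpenSSL config files, so
# refuse anything that is not a plain hostname (no '/', '..', whitespace or
# config-file metacharacters).
[[ -n "$DOMAIN" ]] || die "usage: ${0##*/} <domain>"
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "invalid domain name: $DOMAIN"

readonly NGX_CONF=/usr/local/nginx/conf
readonly SSL_DIR="$NGX_CONF/ssl/$DOMAIN"

# mkdir -p is idempotent, so no existence test is needed (the original tested
# the ssl directory with -f, which is never true for a directory).
mkdir -p -- "$SSL_DIR" || die "cannot create $SSL_DIR"

if [ ! -f "$NGX_CONF/ssl_include.conf" ]; then
  # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); kept so the
  # generated config is unchanged — drop them once client compatibility allows.
  cat > "$NGX_CONF/ssl_include.conf" <<EVS
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EVS
fi

# Every openssl output path below is relative, so a failed cd would write key
# material into whatever the current directory happens to be.
cd -- "$SSL_DIR" || die "cannot cd to $SSL_DIR"

# Unpredictable temp files instead of fixed /tmp/req.cnf and /tmp/v3ext.cnf:
# a fixed path in a world-writable directory lets another local user
# pre-create or symlink the file that root then writes and reads back.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "$tmpdir"; }
trap cleanup EXIT
req_cnf="$tmpdir/req.cnf"
v3ext_cnf="$tmpdir/v3ext.cnf"

# self-signed ssl cert with SANs
cat > "$req_cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = ${DOMAIN}
L = ${DOMAIN}
O = ${DOMAIN}
OU = ${DOMAIN}
CN = ${DOMAIN}
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}
EOF

# Extensions applied when signing; this is what ends up in the certificate.
cat > "$v3ext_cnf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}
EOF

# Echo both config files to stdout for the operator's log, as before.
echo
cat -- "$req_cnf"
echo
cat -- "$v3ext_cnf"
echo

# Unencrypted (-nodes) RSA-2048 key and CSR; stop here on failure instead of
# wiring a missing certificate into nginx further down.
openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out "${DOMAIN}.csr" -keyout "${DOMAIN}.key" -config "$req_cnf" \
  || die "openssl req failed for $DOMAIN"
# The private key must not be world-readable regardless of umask.
chmod 600 -- "${DOMAIN}.key"
openssl req -noout -text -in "${DOMAIN}.csr" | grep DNS
# 36500 days: effectively non-expiring, as in the original.
openssl x509 -req -days 36500 -sha256 -in "${DOMAIN}.csr" \
  -signkey "${DOMAIN}.key" -out "${DOMAIN}.crt" -extfile "$v3ext_cnf" \
  || die "openssl x509 failed for $DOMAIN"

if nginx -t > /dev/null 2>&1; then
  ngxreload > /dev/null 2>&1
elif [[ $(nginx -t 2>&1) == *"ssl_certificate\" is defined for the \"listen"* ]]; then
  # nginx names the offending <domain>.ssl.conf in its error output; recover
  # the domain from that path (6th '/'-separated field, suffix stripped).
  # NOTE: this overwrites the DOMAIN argument with the value nginx reported.
  DOMAIN=$(nginx -t 2>&1 | grep -o "/usr/.*" | head -1 | cut -f1 -d":" | sed 's/\// /g' | awk '{print $6}' | sed 's/.ssl.conf//g')
  [[ -n "$DOMAIN" ]] || die "could not determine domain from nginx -t output"
  site_conf="$NGX_CONF/conf.d/$DOMAIN.ssl.conf"
  if ! grep -q ssl_certificate -- "$site_conf"; then
    # Insert after the ssl_include.conf line; the key is appended first so
    # that the certificate line ends up directly above it.
    sed -i "/\/usr\/local\/nginx\/conf\/ssl_include.conf/a \ ssl_certificate_key \/usr\/local\/nginx\/conf\/ssl\/$DOMAIN\/$DOMAIN.key;" "$site_conf"
    sed -i "/\/usr\/local\/nginx\/conf\/ssl_include.conf/a \ ssl_certificate \/usr\/local\/nginx\/conf\/ssl\/$DOMAIN\/$DOMAIN.crt;" "$site_conf"
    if nginx -t > /dev/null 2>&1; then
      ngxreload > /dev/null 2>&1
    else
      # NOTE(review): the recipient looks like a redacted placeholder — confirm
      # the real alerting address before relying on this path.
      nginx -t 2>&1 | mail -s "WPO URGENT - Nginx conf fail during fixing missing SSL. - $HOSTNAME" [email protected]
      exit 1
    fi
  else
    # NOTE(review): subject says "IP Block" although this script handles SSL;
    # looks copied from another script — confirm the intended wording.
    nginx -t 2>&1 | mail -s "WPO URGENT - Nginx conf fail during IP Block - $HOSTNAME" [email protected]
    exit 1
  fi
fi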