diff --git a/script/self_signed/conf/_conf.sh b/script/self_signed/conf/_conf.sh
new file mode 100644
index 0000000..aab84ca
--- /dev/null
+++ b/script/self_signed/conf/_conf.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+CERTIFICATE_PATH="files"
+ROOT_CA_KEY="${CERTIFICATE_PATH}/rootCA.key"
+ROOT_CA_CRT="${CERTIFICATE_PATH}/rootCA.crt"
+TRAEFIK_DEST_CERT="../../roles/traefik/files/etc/certs/"
+LOCAL_KEY="${TRAEFIK_DEST_CERT}/local.fr.key"
+LOCAL_CRT="${TRAEFIK_DEST_CERT}/local.fr.crt"
+LOCAL_CSR="${TRAEFIK_DEST_CERT}/local.fr.csr"
diff --git a/script/self_signed/files/local.cnf b/script/self_signed/files/local.cnf
new file mode 100644
index 0000000..83d37f1
--- /dev/null
+++ b/script/self_signed/files/local.cnf
@@ -0,0 +1,12 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+C = FR
+ST = France
+L = Toulouse
+O = local.fr
+OU = local
+CN = local
+emailAddress = local.fr
diff --git a/script/self_signed/files/local.fr.v3.ext b/script/self_signed/files/local.fr.v3.ext
new file mode 100644
index 0000000..613cbc1
--- /dev/null
+++ b/script/self_signed/files/local.fr.v3.ext
@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.local.fr
diff --git a/script/self_signed/files/rootCA.crt b/script/self_signed/files/rootCA.crt
new file mode 100644
index 0000000..c1c20dd
--- /dev/null
+++ b/script/self_signed/files/rootCA.crt
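Review bot: Every path in this file is relative to the caller's working directory (`CERTIFICATE_PATH="files"`, `TRAEFIK_DEST_CERT="../../roles/traefik/files/etc/certs/"`), and selfsigned.sh sources it as `conf/_conf.sh`, also relative to cwd, so the generator only works when launched from script/self_signed and otherwise either fails or drops keys into an unintended directory. Anchor the paths to the script's own location instead, e.g. `SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"` followed by `CERTIFICATE_PATH="${SCRIPT_DIR}/files"` and `TRAEFIK_DEST_CERT="${SCRIPT_DIR}/../../roles/traefik/files/etc/certs"`; the `source_defs conf/_conf.sh` call in selfsigned.sh needs the same treatment for this to help. Dropping the trailing slash on `TRAEFIK_DEST_CERT` also removes the `//` that `LOCAL_KEY`, `LOCAL_CRT` and `LOCAL_CSR` currently build.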
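Review bot: `DNS.1 = *.local.fr` matches exactly one label under local.fr, so the bare name `local.fr` is not covered by the issued certificate; add `DNS.2 = local.fr` if that host is served. The profile also has no `extendedKeyUsage`, and `keyUsage` grants `nonRepudiation` and `dataEncipherment`, neither of which a TLS server key uses; I would tighten it to `keyUsage = critical, digitalSignature, keyEncipherment` and add `extendedKeyUsage = serverAuth`, since some validators treat a leaf without a serverAuth EKU as unusable for TLS. Adding `subjectKeyIdentifier = hash` is cheap and lets the leaf's AKID/SKID pair line up with the root's.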
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFZTCCA02gAwIBAgIUATlkPDpIjH7jaqObcTtQNMHtNt4wDQYJKoZIhvcNAQEL +BQAwQjELMAkGA1UEBhMCRlIxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE +CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMjEwMDgxNTA5MTBaFw0yNTA3Mjgx +NTA5MTBaMEIxCzAJBgNVBAYTAkZSMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa +BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDcmqdBzfvljjqp/80+7Uzb8lZ9xJeJTsWcDddHVlT/XzW9nUO8 +PMjdef39aMLXzO3tsMCoJ+ch9E9zKYi37usizoec5tj3IYLganlJykYgJPeT8SKr +mxv2lJbtsllUpB3+surv0NvCMOK5r8GNSOKU/pB3+MD2o23JR1XkBoSXDubU3Dtv +ealann/zUNFrolFOPDxzBD5U0x8SOD+s7ZdLjlpz7kqLOWrL0DHrBRmpvCAJNQLU +mWH87kaALstvTR47be0X5+YOwcys3k26vQCxoDXtV0PaRrJCc1CLDllGmeI8mxLa +hs7EkkpndkmnMFNK8YQVyeWJQ70+m+fa07AdH7ZFztMf1lk06Z0i1LfMYpZ+pWYi +w2BDebAmYc5Y7E32jQTlixZrrq2lmDrsBZLdwv7FjAUv3sM4w9ynjRJ49dmoxTwq ++78rHWhr6HzH2Gvv41Hajdr0caBJAlLaVya9UL7FbTmHku91BGQ3vxjS16c0oXMd +tBabCf5Uk7CFZYu0icLDRq1I+C7nOyggPuB5wWHH6h/AVQA/s5BYhqgfb7S0kegp +DHjjur7yhMTv5j3iJpM9n9qPiXGT0Jo6nqeIXO8z/FuRSBUd3Q649ceSlEFBnGyu +EmnRcnozSqszwNJa90ipsGRU1M7ArUk5GTQvToooqRCTsj8F8r5yXAkv1QIDAQAB +o1MwUTAdBgNVHQ4EFgQUZEj1ZQDuf7yPxxLCp0JqiSOM7oUwHwYDVR0jBBgwFoAU +ZEj1ZQDuf7yPxxLCp0JqiSOM7oUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAgEAW+lZATkVFybRHLtBx+02pHNJ8H7HYA/4+kMu7AaqENKn/pmryy6N +UJ61CKcY/UXUPNeAysa4Q+6/JDCXOIQSLlPuxlMimq2kpOiGOzEtzWG2MqTOK1hk +vkJweXxrh1AVYSBLVOGl2DrgKILPIVwvMFQjMQAz4QKMz6C0sNQ52Pth2sEQtmnx +1mY0c4b3MfnDtrEQIQqjydjqjUZ26Q1xq34uGCZchXKCax9H1QwPHusF0BvRJyJU +AT/QSBXoz1qS98uwQ6dkm/LBfUSjx4OKC7Eiauo9FspUDBoRvK1tM4smJxdGay9l +z7fAZ082lHGaByyOEk2wopsEXfwxUXv+ZYx+9zFKZthP1Tnc+jyHwFAyMm2WP/T4 +y3dEraTeNKx4VqhRBdGmygYVxuiCP9a+Yks9ZU6xBGgvJmOiMmL2ZJ6UBa77xnld +v1864p4P4Dw3y2mZwmAElmABuKVvW2OblOSG+m75735s62cQFfD0O/28S0gEAqYO +z6wiJ1hLlR4ssjhzlk8ZnS74SsCLnrtwvV+jOsOSxQLxcVxvZsgEPjY2vF/nU73Y +e2XhlxpK9uzB2vEPr/K3Bc1Lm8BV0JfOtWsou1UkYl7M8yQ1FkXu2afWeuGWMMvb +O5u8ZUg9lEE9sq/vP9ChKyhJHRpSfNPd7pPxh6cA5NZBYxHmQ0TmVUM= +-----END CERTIFICATE----- 
diff --git a/script/self_signed/files/rootCA.key b/script/self_signed/files/rootCA.key
new file mode 100644
index 0000000..4d9dd0c
--- /dev/null
+++ b/script/self_signed/files/rootCA.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDcmqdBzfvljjqp +/80+7Uzb8lZ9xJeJTsWcDddHVlT/XzW9nUO8PMjdef39aMLXzO3tsMCoJ+ch9E9z +KYi37usizoec5tj3IYLganlJykYgJPeT8SKrmxv2lJbtsllUpB3+surv0NvCMOK5 +r8GNSOKU/pB3+MD2o23JR1XkBoSXDubU3Dtvealann/zUNFrolFOPDxzBD5U0x8S +OD+s7ZdLjlpz7kqLOWrL0DHrBRmpvCAJNQLUmWH87kaALstvTR47be0X5+YOwcys +3k26vQCxoDXtV0PaRrJCc1CLDllGmeI8mxLahs7EkkpndkmnMFNK8YQVyeWJQ70+ +m+fa07AdH7ZFztMf1lk06Z0i1LfMYpZ+pWYiw2BDebAmYc5Y7E32jQTlixZrrq2l +mDrsBZLdwv7FjAUv3sM4w9ynjRJ49dmoxTwq+78rHWhr6HzH2Gvv41Hajdr0caBJ +AlLaVya9UL7FbTmHku91BGQ3vxjS16c0oXMdtBabCf5Uk7CFZYu0icLDRq1I+C7n +OyggPuB5wWHH6h/AVQA/s5BYhqgfb7S0kegpDHjjur7yhMTv5j3iJpM9n9qPiXGT +0Jo6nqeIXO8z/FuRSBUd3Q649ceSlEFBnGyuEmnRcnozSqszwNJa90ipsGRU1M7A +rUk5GTQvToooqRCTsj8F8r5yXAkv1QIDAQABAoICAAfsou3JX+85jOBBbkErQLO1 +QKfI5uae8UNEo1iOgIQh3+on8DXJUIUq1isDAd4YSu2wXTiid6TabqYvi5fhLwoe +NXSMkvuhn7QUWbdYWuzZrG5giZh00cF+9JhPlpzkk6fsC7tsmxBJNZkU9/9tavzj +fhNeg1P4v+oB3tMk7CC0VNS4SobxGFpxz3J76IyUv+tEXP7cBqnWYaCDwRR4U73P +kcPl/0CBYgA17NfJOZ2awo3Xcnq/kxZaWtGiR1rVVYIuAIfMzpCgzouL0BVRUmk5 +sjuMgxqf/Smc6dDs8DEJ4xIT7KPz7BEsmMae/aX8pZP6GVQNChVEXSkWwZ00iyLC +QbC+68sbExlBTF/3Cs+XTdky9xn0JISO9v0vgFbqON7oeEpvrRl/1v/uJ4B0jnAQ +yHRetFey9f4yTzBe58p17qJTuYpo40xUGdoV5448Yeb/bp5tdVkCEKxajMB5h1l3 +FC7bzmwtdNqH18UOK/M51HJy/ljLQJlj/cGZFnKbhf4v1mlifDwzg78HvBKtv6hZ +Tsz8o8NA0eCxfBhmsTOvNk5WZsJaD1wt6c0W7eeaxkUm+KMDg7vuNdnXnG7QjJIh +bVgXqORNg8ldA7kNkEnRwHMefsQ5mz3I7FQGNH0Og0WOaad0CTIw16ucK0/KngVI +gALWBMANbnaqGIJglVNxAoIBAQD6XSBiT8rHLmhDEi+FjDm6K/U4o/gPdMvODgyz +qxGrGBTthvx0dbgdWE2GzyoS7OT7lf0k8lpCL2gVnSWvyjcsXsMvAwKNgH8Lb/Hw +CCrfrqQKPabYOE5c1+HVi8BGYLmmwKsywLxpjyYMig8RATdAVOCIIa7C77zNHWVQ +bnp9fQsBEG9h31/YE9tg81VvjeYhOnGdCqvN2TshFCijZgW/ZZsW6YvZul+em9WZ +jSbHhowNhvgawouhnJs9ThtZ2LRqAa1f3/IBzU+vzAxhpvsAz7atFepr8i9jd3Ii +aZns1t03zK4Uv3I4SSAGmf8gqVqhmujW29iQw7cWxph7Wyw5AoIBAQDhkgTJ61el +rpjF5q7dRI0eGec8euBQXkv1HtSqXYT/AlKkkCKeAmNk6WxQVhsTJ/YSlcSPqoYW 
+VLoVYq8ulisEbUHxgnRXXjPK+lKrDRekEVTo6BFEBeF27A/B2nk9ZUBjCiAaCSb0 +RRHVQdtVaVJJJw33RHGKgnyqxBb9OOex5GSAGFvztQ+FWfezX6WDHHv+7ORKSEFu +EqUqNIBYPJqmSZpDsCV0h238tmMtn94R4UPNfoa2lNKGJldwofcJI23I5rosXsXj +ejifNtBS8/KSWE9nZ26zA0DS/YEakkKPtdDA5Km0HPxX2PdkMkjbukWVy2sGd0Yx +nDXqEVq12Vh9AoIBAC1Lxf0jdIt+0Ow5kRF3YkZVh6M8vzeEqQ7ZqeCjtamfzMGA +p5Imbi4Y+MXIG1ObOn5uD4OsuTm6O/mVGelpC3xilKufvsl9Ev8tvLbxs1gOz6zu +pI3/+eWARWKOSzYwb8ZEm3SuPChY9shT/g/UiXuBH7Jhba3lE+KES/02T8D+a4xA +vfYWJNACH7G1tKJfKOCgI0gHUzgF8lW0wPl3Dtkm9904Wc4FkyEuDoIecIKuzA3y +elbVFdAidk+sHvStaU64iPaMnMtIqv8iSqcsP8NQ0TsVePkYswwq4yJouqmH4jQj +OueUD4UxbbLkD62IFlagoTmmQtNGJYzgV1wSDbkCggEAEuf/OMFd/kgNDAFSxL77 +KPu40uvlozbUHP5xirn97LXQIXTnQeEnXYznBDDDYi6mRFaDPBtp07NUSXiVAE2b +22og7dImWDBQHQIwLaASTDEbsc3JrK7lf+c3RuM96DR1Whe+KxB7UFv9q6cycA08 +1V7Nn9z/u0FGm7WFy8GaQeHHvqjMBDg3zdCFn2Yz5DJd/jbyx3sY6NXtPAVcgIjL +2YYvxN6dtQ+o21aaJ3fP0CXWXgHt3p3Iq2/JQmqA3yY2DHGyRwfGhFN5LXcVrO4/ +dZ6rQRp9P8nVBBo1WPnLVGpDzfccdjk7uU05Jw/D5Y7OSEjddpRGsN/L8Qt1U+qc +rQKCAQAaKqbkfnf7JtEpcynxYNwMpxzlGP24kK/POZMBzW9RpERlTtH5pWhlj7OJ +WxSkL7FBq//Tpju9gW/lFeLJWPoEykrW8ETLznlkEHZM2LocNHNQeCJcyStGFgsg +y2Iw2sEJt5I/cVu1LYFfTrD1Ho+gjIunLqOHR5KcFeiZm83QwUuEt4d0hH7S6ay2 +4hrmSy2J3sNsl7d6Q7lmN2Z1Q8XoJqds16UOzm6qw0KuYs8L60AdvG3nsoI1dTmC +lFLd4QvIuDoN4rq4pB26efg2JmZtA5m/WpU2VJsHNiBFp29R6EWJdH37mhH0rIWw +lVPNis5NWoqUCgec9+i8AD/sLAcV +-----END PRIVATE KEY----- diff --git a/script/self_signed/selfsigned.sh b/script/self_signed/selfsigned.sh new file mode 100755 index 0000000..571f2bc --- /dev/null +++ b/script/self_signed/selfsigned.sh 
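Review bot: This hunk commits the CA's private key in the clear (`BEGIN PRIVATE KEY`, consistent with the `-nodes` in selfsigned.sh) next to its certificate, so anyone who can read the repository can mint certificates that every machine trusting rootCA.crt will accept. That root must not be installed anywhere beyond a disposable lab, and if it already was, the key should be purged from history and the CA regenerated with `-g`. Keep generated secrets out of the tree by ignoring `script/self_signed/files/*.key`, `files/rootCA.srl` (created by `-CAcreateserial`) and the `*.key` the script writes under roles/traefik/files, or, if the key must live in git, drop `-nodes` and protect it with `-passout`/`-passin` from an untracked file.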
@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+#/ Usage: selfsigned.sh
+#/ Version: 1.0
+#/ Description: Script de génération automatique de certificat
+#/ Examples:
+#/ selfsigned.sh
+
+#/
+#/ Options:
+#/ -h|--help : Display this help message
+#/ -g|--generate-rootca : regenerate root ca, if present clean it
+#/ -v|--verbose : verbose mode default: false
+
+
+
+
+function usage() { grep '^#/' "$0" | cut -c4- ; exit 0 ; }
+
+#######################################################
+## LOGGING FRAMEWORK
+readonly NORMAL="\\e[0m"
+readonly RED="\\e[1;31m"
+readonly BOLD="\\e[1m"
+readonly YELLOW="\\e[1;33m"
+readonly GREEN="\\e[32m"
+readonly DIM="\\e[2m"
+LOG_FILE="/tmp/$(basename "$0").log"; readonly LOG_FILE
+function log() {
+ ( flock -n 200
+ color="$1"; level="$2"; message="$3"
+ printf "${color}%-9s %s\\e[m\\n" "[${level}]" "$message" | tee -a "$LOG_FILE" >&2
+ ) 200>"/var/lock/.$(basename "$0").log.lock"
+}
+function debug() { if [ "$verbose" = true ]; then log "$DIM" "DEBUG " "$*"; fi }
+function info() { log "$NORMAL" "INFO " "$*"; }
+function important() { log "$YELLOW" "IMPORTANT " "$*"; }
+function warn() { log "$YELLOW" "WARNING" "$*"; }
+function error() { log "$RED" "ERROR " "$*"; }
+function fatal() { log "$RED" "FATAL " "$*"; exit 1 ; }
+function source_defs {
+ resource=$1
+ if [ -f "$resource" ]; then
+ # shellcheck source=_functions.sh
+ # shellcheck disable=SC1091
+ source "$resource"
+ else
+ # shellcheck source=_functions.sh
+ # shellcheck disable=SC1091
+ source "${0%/*}/.irun-resources/$resource"
+ fi
+}
+
+#######################################################
+
+function cleanup() {
+ # Remove temporary files
+ # Restart services
+ # ...
+ return
+}
+
+function check_prerequisites() {
+ if ! command -v openssl > /dev/null; then
+ echo "Missing openssl: install it "
+ return
+ fi
+}
+
+function cleaning_files() {
+ local files; files="$1"
+ if [[ -f "${files}" ]]; then
+ debug "${files} exists."
+ info "cleaning..${files}"
+ rm -f "${files}"
+ else
+ info "${files} doesn't exist no need clean"
+ fi
+}
+
+if [[ "${BASH_SOURCE[0]}" = "$0" ]]; then
+ trap cleanup EXIT
+
+ # Parse command line arguments
+ # All entry parameters quand be used globally
+ POSITIONAL=()
+ verbose=false
+ generate_root_ca=false
+ while [[ $# -gt 0 ]]; do
+ key="$1"
+ case $key in
+ -h|--help)
+ usage
+ ;;
+ -v|--verbose)
+ declare -r verbose=true
+ shift
+ ;;
+ -g|--generate-rootca)
+ declare -r generate_root_ca=true
+ shift
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+ esac
+ done
+ set -- "${POSITIONAL[@]}" # restore positional parameters
+
+ source_defs conf/_conf.sh
+ check_prerequisites
+ if [ "${generate_root_ca}" = "true" ]; then
+ cleaning_files "${ROOT_CA_KEY}"
+ cleaning_files "${ROOT_CA_CRT}"
+ openssl genrsa -out "${ROOT_CA_KEY}" 4096
+ openssl req -x509 -new -nodes -key "${ROOT_CA_KEY}" -sha256 -days 1024 -out "${ROOT_CA_CRT}"
+ openssl genrsa -out "${LOCAL_KEY}"
+ fi
+ openssl genrsa -out "${LOCAL_KEY}"
+ openssl req -config "${CERTIFICATE_PATH}/local.cnf" -new -key "${LOCAL_KEY}" -out "${LOCAL_CSR}"
+ openssl x509 -req -in "${LOCAL_CSR}" \
+ -CA "${ROOT_CA_CRT}" -CAkey "${ROOT_CA_KEY}" -CAcreateserial \
+ -out "${LOCAL_CRT}" -extfile "${CERTIFICATE_PATH}/local.fr.v3.ext" -days 365 -sha256
+fi
\ No newline at end of file
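Review bot: `check_prerequisites` only echoes when openssl is absent and then `return`s 0, so the script carries on and dies later on a bare "command not found"; use the file's own helper, `fatal "Missing openssl: install it"`, which also lands in the log and on stderr. In the `-g` branch, `openssl genrsa -out "${LOCAL_KEY}"` runs and is then run again unconditionally on the line after `fi`, so the copy inside the branch should be deleted. The root-CA `openssl req -x509` has no `-subj`/`-config`, so unlike the leaf CSR it prompts interactively for the DN (the committed rootCA.crt appears to carry the default prompt answers); give it `-subj "/C=FR/O=local.fr/CN=local.fr Root CA"` or a `rootca.cnf` with `prompt = no` so `-g` is reproducible and unattended. The two leaf `genrsa` calls also omit the key size and rely on OpenSSL's default; state it explicitly, e.g. `openssl genrsa -out "${LOCAL_KEY}" 2048`, so the result does not depend on the installed OpenSSL version.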