wiki:support-team/update-ssl-certificate

Version 3 (modified by Steve Revilak, 7 years ago) (diff)

--

Script for updating server ssls

#!/bin/bash

# This script copies a PositiveSSL zip file to the specified server
# and installs it.
#
# Usage ./update-ssl-certificate.sh SERVER_NAME /PATH/TO/CERTIFICATE.ZIP
#
# Example ./update-ssl-certificate.sh malcolm /home/ross/malcolm_mayfirst_org.zip

if [[ $# -lt 2 ]] ; then
    echo 'Please supply server name and path to zip file.'
    exit 1
fi

# if anything goes wrong, stop
set -e

echo "Creating /etc/ssl/temp directory..."
ssh -t root@$1.mayfirst.org "mkdir -p /etc/ssl/temp && rm -rf /etc/ssl/temp/*"

echo "Copying zip file $2"
scp $2 root@$1.mayfirst.org:/etc/ssl/temp

echo "Unzipping zip file..."
ssh -t root@$1.mayfirst.org "cd /etc/ssl/temp/ && unzip $1_mayfirst_org.zip -d /etc/ssl/temp"

echo "Building $1.mayfirst.org.crt.new..."
ssh -t root@$1.mayfirst.org "cat /etc/ssl/temp/COMODORSAAddTrustCA.crt >> /etc/ssl/temp/$1_mayfirst_org.crt && cat /etc/ssl/temp/COMODORSADomainValidationSecureServerCA.crt >> /etc/ssl/temp/$1_mayfirst_org.crt && mv /etc/ssl/temp/$1_mayfirst_org.crt /etc/ssl/$1.mayfirst.org.crt.new"

echo "Creating $1.mayfirst.org.pem.new"
ssh -t root@$1.mayfirst.org  "cd /etc/ssl/private && umask 177; cat $1.mayfirst.org.safe.key >> $1.mayfirst.org.pem.new && cat ../$1.mayfirst.org.crt.new >> $1.mayfirst.org.pem.new; umask 133"

# Use this line for brand new servers
# ssh -t root@$1.mayfirst.org  "cd /etc/ssl/private && umask 177; cat $1.mayfirst.org.key.uncertified >> $1.mayfirst.org.pem.new && cat ../$1.mayfirst.org.crt.new >> $1.mayfirst.org.pem.new; umask 133"

echo "Moving new files into place..."
# ssh -t root@$1.mayfirst.org "mv /etc/ssl/$1.mayfirst.org.crt{,.old} && mv /etc/ssl/$1.mayfirst.org.crt{.new,} && mv /etc/ssl/private/$1.mayfirst.org.pem{,.old} && mv /etc/ssl/private/$1.mayfirst.org.pem{.new,} && [[ -a /etc/ssl/private/$1.mayfirst.org.key ]] && mv /etc/ssl/private/$1.mayfirst.org.key{,.old} || echo 'No old key to move' && mv /etc/ssl/private/$1.mayfirst.org.safe.key /etc/ssl/private/$1.mayfirst.org.key && /usr/local/sbin/freepuppet-run"

# a variation on the line above, which attempts to cope with missing files
ssh -t root@$1.mayfirst.org "(test ! -f /etc/ssl/$1.mayfirst.org.crt || \
       mv -v /etc/ssl/$1.mayfirst.org.crt{,.old}) && \
  mv -v /etc/ssl/$1.mayfirst.org.crt{.new,} && \
  (test ! -f /etc/ssl/private/$1.mayfirst.org.pem || \
       mv -v /etc/ssl/private/$1.mayfirst.org.pem{,.old}) && \
  mv -v /etc/ssl/private/$1.mayfirst.org.pem{.new,} && \
  (test ! -f /etc/ssl/private/$1.mayfirst.org.key || \
       mv -v /etc/ssl/private/$1.mayfirst.org.key{,.old}) && \
  mv -v /etc/ssl/private/$1.mayfirst.org.safe.key \
     /etc/ssl/private/$1.mayfirst.org.key && \
  /usr/local/sbin/freepuppet-run"


# Use this line for brand new servers
# ssh -t root@$1.mayfirst.org "mv /etc/ssl/$1.mayfirst.org.crt{,.old} && mv /etc/ssl/$1.mayfirst.org.crt{.new,} && mv /etc/ssl/private/$1.mayfirst.org.pem{,.old} && mv /etc/ssl/private/$1.mayfirst.org.pem{.new,} && /usr/local/sbin/freepuppet-run"

echo "Restarting services..."
ssh -t root@$1.mayfirst.org "service apache2 restart && service courier-imap-ssl restart && service courier-pop-ssl restart && service postfix restart"

echo "Verifying $1.mayfirst.org.pem file..."

a=$(echo "LOGOUT" | gnutls-cli -V --port imaps $1.mayfirst.org | grep "Handshake was completed")
echo "$a";
if [ "$a" = "- Handshake was completed" ];
then
    echo "Cleaning up.."
    echo "Removing /etc/ssl/temp directory and old files..."
    ssh -t root@$1.mayfirst.org "rm -rf /etc/ssl/temp/ && rm -f /etc/ssl/*.old && rm -f /etc/ssl/private/*.old"
    
else

    printf "**** Something has gone wrong, please check the server. ****\n\n"
    printf "Try running \n\n"
    printf "gnutls-cli -V --port imaps $1.mayfirst.org\n\n"
    printf "for additional information.\n"
fi