From d275cfeac63a25fa74f7d43e04d26cf2ee4aa288 Mon Sep 17 00:00:00 2001 From: Mario Fetka Date: Sun, 7 Jan 2024 12:01:42 +0100 Subject: [PATCH] add NPM scripts --- README.md | 4 ++- nginx-proxy-manager/README.md | 13 +++++++++ nginx-proxy-manager/certs-bucket | 28 +++++++++++++++++++ nginx-proxy-manager/site-ssl | 48 ++++++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 nginx-proxy-manager/README.md create mode 100755 nginx-proxy-manager/certs-bucket create mode 100755 nginx-proxy-manager/site-ssl diff --git a/README.md b/README.md index 8dd3762..5ca9949 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,4 @@ -# snippets +# Script Collection + +Welcome to the Geos One Snippets - a collection of useful Bash, Perl, and Python scripts for . diff --git a/nginx-proxy-manager/README.md b/nginx-proxy-manager/README.md new file mode 100644 index 0000000..0573fb9 --- /dev/null +++ b/nginx-proxy-manager/README.md @@ -0,0 +1,13 @@ +# Nginx Proxy Manager Cert Deploy + +These scripts expect that the install of the NPM is done with the Proxmox Helper Scripts from https://tteck.github.io/Proxmox/ + +The script bucket-ssl schould be copied to /etc/cron.daily/ and the exicution bit set + +scp bucket-ssl root@aaa.bbb.ccc.ddd:/etc/cron.daily/ +ssh root@aaa.bbb.ccc.ddd -f 'chmod +x /etc/cron.daily/bucket-ssl' + +The script for the sites must be edited to your liking and also copied to the host where the script is needed. + +scp site-ssl root@eee.fff.ggg.hhh:/etc/cron.daily/ +ssh root@eee.fff.ggg.hhh -f 'chmod +x /etc/cron.daily/site-ssl' diff --git a/nginx-proxy-manager/certs-bucket b/nginx-proxy-manager/certs-bucket new file mode 100755 index 0000000..cce2a23 --- /dev/null +++ b/nginx-proxy-manager/certs-bucket @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +# Then endpoint for the s3 compatible storage in most cases a minio install +ENDPOINT_URL="https://minio.example.com" + +# Some services prefere a pfx cert store file the follwing password ist for that store. +PFX_PASSWORD=securepw + +#################################################### +set -e + +RENEWED_DOMAINS=`ls /etc/letsencrypt/live/` +echo $RENEWED_DOMAINS +for domain in $RENEWED_DOMAINS; do +echo $domain + DOMAINNAME=`openssl x509 -noout -text -in /etc/letsencrypt/live/$domain/cert.pem | grep DNS: | sed 's/^.*,//' | sed 's/^.*DNS://'` + cat "/etc/letsencrypt/live/$domain/fullchain.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > /tmp/$DOMAINNAME.pem + openssl pkcs12 -export -out /tmp/$DOMAINNAME.pfx -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -in "/etc/letsencrypt/live/$domain/cert.pem" -certfile "/etc/letsencrypt/live/$domain/chain.pem" -certfile "/etc/letsencrypt/live/$domain/fullchain.pem" -password pass:$PFX_PASSWORD + # Just an example, you can use any non-sensitive storage medium you want + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/fullchain.pem" "s3://certs/$DOMAINNAME.fullchain" + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/chain.pem" "s3://certs/$DOMAINNAME.chain" + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/cert.pem" "s3://certs/$DOMAINNAME.crt" + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/etc/letsencrypt/live/$domain/privkey.pem" "s3://certs/$DOMAINNAME.key" + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pem" "s3://certs/$DOMAINNAME.pem" + aws --endpoint-url $ENDPOINT_URL s3 cp --follow-symlinks "/tmp/$DOMAINNAME.pfx" "s3://certs/$DOMAINNAME.pfx" + rm -f /tmp/$DOMAINNAME.pem + rm -f /tmp/$DOMAINNAME.pfx +done diff --git a/nginx-proxy-manager/site-ssl b/nginx-proxy-manager/site-ssl new file mode 100755 index 0000000..9a0df3a --- /dev/null +++ b/nginx-proxy-manager/site-ssl @@ -0,0 +1,48 @@ +#!/usr/bin/env bash + +# Domain specifies the site for withc you download the certs +DOMAIN="site.example.com" + +# Bucket is the source for the cert +BUCKET="https://minio.example.com/certs" + +# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box +# for other services the download path must be changed acordingly. +# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service +SERVICE="nginx" + +MAXWAIT=30 + +# Put this in crontab for every 12 hours +# Assuming Apache, and that your private key and certificate are located in +# - /etc/apache2/privkey.pem +# - /etc/apache2/fullchain.pem , respectively + +#set -euf -o pipefail + +sleep $((RANDOM % MAXWAIT)) + +# Create teh needed Directory in the Service Config Directory +mkdir -p /etc/$SERVICE/ssl + +# Download the latest certificate to a temporarily location so we can check validity +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem +curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx + + +# Verify the certificate is valid for our existing key (should be) +MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5` +MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5` +if [ "$MOD_CRT" != "$MOD_KEY" ]; then + echo "Key didn't match: $MOD_CRT vs $MOD_KEY" + #exit 1 +fi + +# Deploy the certificate and graceful reload +echo "New certificate: " `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer` + +systemctl reload $SERVICE \ No newline at end of file