#!/bin/bash

####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/bash/ss-encrypt-openssl.txt #############################
#### path: /var/www/ss-encrypt-openssl #############################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Regenerates free self-signed OpenSSL certificate for use by Nginx (idempotent) #######
#### module version: OpenSSL 1.1.1x ################################################################
#### sourced by: ss-install-nginx-config ###########################################################
#### bash aliases: ss encrypt openssl, ss generate openssl #########################################
####################################################################################################

## SS-ENCRYPT PERFORMS BASIC NGINX CONFIG MODIFICATION REGARDLESS OF SS-INSTALL-NGINX ##
## IT WILL ALSO ATTEMPT TO REVERT TO OPENSSL IF LETS ENCRYPT CERTS ARE MISSING ##

## source ss-config ##
source /var/www/ss-config

## source ss-functions ##
source /var/www/ss-functions

## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS

####################################################################################################
#### TABLE OF CONTENTS (SS-Encrypt-OpenSSL) ########################################################
####################################################################################################

## this is a brief summary of the different code snippets you will find in this script ##
## each section should be commented so you understand what is being accomplished ##

## A. Touch Timestamp File
## B. Message (Begin Script)
## C. Hide Bug In OpenSSL 1.1.1x
## D. Regenerate OpenSSL Certificate
## E. Reset Permissions (Nginx SSL)
## F. Restart Modules (Nginx)

####################################################################################################
#### A. SS-Encrypt-OpenSSL: Touch Timestamp File ###################################################
####################################################################################################

## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##

## script timestamp ##
ss_touch "${TIMESTAMP_SS_ENCRYPT_OPENSSL}"

####################################################################################################
#### B. SS-Encrypt-OpenSSL: Message (Begin Script) #################################################
####################################################################################################

## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be noticed by sudo users who manually call ss core bash scripts ##

## echo message ##
ss_echo "${COLOR_INFO}Running ss-encrypt-openssl... ${COLOR_RESET}"

####################################################################################################
#### C. SS-Encrypt-OpenSSL: Hide Bug In OpenSSL 1.1.1x #############################################
####################################################################################################

## hide error message (workaround) ##
ss_touch /home/${SUDO_USER}/.rnd
ss_touch /home/${SFTP_USER}/.rnd

####################################################################################################
#### D. SS-Encrypt-OpenSSL: Regenerate OpenSSL Certificate #########################################
####################################################################################################

## this will generate a new self-signed OpenSSL certificate every single time it runs ##
## there are no rate-limits and it pairs perfectly with CloudFlare SSL proxy ##

## make dirs ##
ss_mkdir /var/www/certs
ss_mkdir /var/www/certs/keys

## delete previous files ##
ss_rm "${PATH_OPENSSL_CERTIFICATE}"
ss_rm "${PATH_OPENSSL_KEY}"

## generate self-signed certificate (valid 10 years) ##
if [[ "$WP_MULTISITE" == "false" ]]; then 
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \
    -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null

elif [[ "$WP_MULTISITE" == "true" ]] && [[ "$WP_MULTISITE_SUBDOMAINS" != "false" ]]; then 
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \
    -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:*.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null
    
elif [[ "$WP_MULTISITE" == "true" ]] && [[ "$WP_MULTISITE_SUBDOMAINS" == "false" ]]; then 
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \
    -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null
    
fi

####################################################################################################
#### E. SS-Encrypt-OpenSSL: Validate OpenSSL Certificate ###########################################
####################################################################################################

# Move to ss-stack-overview ?
## validate openssl cert ##
# openssl x509 -noout -text -in "${PATH_OPENSSL_CERTIFICATE}"

####################################################################################################
#### E. SS-Encrypt-OpenSSL: Reset Permissions (Nginx SSL) ##########################################
####################################################################################################

## run ss-perms-nginx-ssl ##
source "${PATH_SS_PERMS_NGINX_SSL}"

####################################################################################################
#### PLACEHOLDER: Reset Permissions (SlickStack Scripts) ###########################################
####################################################################################################

## we include this permissions reset in all cron jobs and bash scripts for redundancy ##
## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ##

## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS
## SNIPPET: ss bash scripts, ss cron jobs
## UPDATED: 02JUL2022

chown root:root /var/www/ss* ## must be root:root
chown root:root /var/www/crons/*cron* ## must be root:root
chown root:root /var/www/crons/custom/*cron* ## must be root:root
chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute

####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################

## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299
## Ref: https://matthewlehner.net/lets-encrypt-with-nginx
## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851
## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2
## Ref: https://community.letsencrypt.org/t/certificate-path/24227
## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html
## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693
## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash
## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable
## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script
## Ref: https://github.com/certbot/certbot/issues/3039
## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string
## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard
## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/
## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168
## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https
## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd
## Ref: https://letsencrypt.org/docs/challenge-types/
## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346
## Ref: https://weakdh.org/sysadmin.html
## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters
## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS
## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue
## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed
## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue
## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line
## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2
## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568
## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/
## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo
## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041
## Ref: https://letsencrypt.org/docs/rate-limits/
## Ref: https://github.com/certbot/certbot/issues/2071
## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14
## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917
## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash
## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago
## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old
## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
## Ref: https://www.getpagespeed.com/server-setup/ssl-directory
## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key
## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu
## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542
## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409
## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt
## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables
## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem
## Ref: https://security.stackexchange.com/questions/175786/is-it-required-to-have-the-same-domain-name-and-common-name-for-ssl-certificate
## Ref: https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/
## Ref: https://serverfault.com/questions/886943/ssl-for-multiple-servers-and-sub-domains
## Ref: https://support.citrix.com/article/CTX135602_
## Ref: https://support.citrix.com/article/CTX227983
## Ref: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
## Ref: https://stackoverflow.com/questions/37035300/how-to-determine-the-default-location-for-openssl-cnf
## Ref: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/41366949#41366949
## Ref: https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/
## Ref: https://www.redhat.com/sysadmin/6-openssl-commands
## Ref: https://geekflare.com/openssl-commands-certificates/
## Ref: https://stackoverflow.com/questions/1822268/how-do-i-create-my-own-wildcard-certificate-on-linux/1822279

## SS_EOF