#!/bin/bash #################################################################################################### #### author: SlickStack ############################################################################ #### link: https://slickstack.io ################################################################### #### mirror: https://mirrors.slickstack.io/bash/ss-encrypt-openssl.txt ############################# #### path: /var/www/ss-encrypt-openssl ############################################################# #### destination: n/a (not a boilerplate) ########################################################## #### purpose: Regenerates free self-signed OpenSSL certificate for use by Nginx (idempotent) ####### #### module version: OpenSSL 1.1.1x ################################################################ #### sourced by: ss-install-nginx-config ########################################################### #### bash aliases: ss encrypt openssl, ss generate openssl ######################################### #################################################################################################### ## SS-ENCRYPT PERFORMS BASIC NGINX CONFIG MODIFICATION REGARDLESS OF SS-INSTALL-NGINX ## ## IT WILL ALSO ATTEMPT TO REVERT TO OPENSSL IF LETS ENCRYPT CERTS ARE MISSING ## ## source ss-config ## source /var/www/ss-config ## source ss-functions ## source /var/www/ss-functions ## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS #################################################################################################### #### TABLE OF CONTENTS (SS-Encrypt-OpenSSL) ######################################################## #################################################################################################### ## this is a brief summary of the different code snippets you will find in this script ## ## each section should be commented so you understand what is being accomplished ## ## A. Touch Timestamp File ## B. Message (Begin Script) ## C. Hide Bug In OpenSSL 1.1.1x ## D. Regenerate OpenSSL Certificate ## E. Reset Permissions (Nginx SSL) ## F. Restart Modules (Nginx) #################################################################################################### #### A. SS-Encrypt-OpenSSL: Touch Timestamp File ################################################### #################################################################################################### ## this is a dummy timestamp file that will remember the last time this script was run ## ## it can be useful for developer reference and is sometimes used by SlickStack ## ## script timestamp ## ss_touch "${TIMESTAMP_SS_ENCRYPT_OPENSSL}" #################################################################################################### #### B. SS-Encrypt-OpenSSL: Message (Begin Script) ################################################# #################################################################################################### ## this is a simple message that announces to the shell the purpose of this bash script ## ## it will only be noticed by sudo users who manually call ss core bash scripts ## ## echo message ## ss_echo "${COLOR_INFO}Running ss-encrypt-openssl... ${COLOR_RESET}" #################################################################################################### #### C. SS-Encrypt-OpenSSL: Hide Bug In OpenSSL 1.1.1x ############################################# #################################################################################################### ## hide error message (workaround) ## ss_touch /home/${SUDO_USER}/.rnd ss_touch /home/${SFTP_USER}/.rnd #################################################################################################### #### D. SS-Encrypt-OpenSSL: Regenerate OpenSSL Certificate ######################################### #################################################################################################### ## this will generate a new self-signed OpenSSL certificate every single time it runs ## ## there are no rate-limits and it pairs perfectly with CloudFlare SSL proxy ## ## make dirs ## ss_mkdir /var/www/certs ss_mkdir /var/www/certs/keys ## delete previous files ## ss_rm "${PATH_OPENSSL_CERTIFICATE}" ss_rm "${PATH_OPENSSL_KEY}" ## generate self-signed certificate (valid 10 years) ## if [[ "$WP_MULTISITE" == "false" ]]; then openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \ -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null elif [[ "$WP_MULTISITE" == "true" ]] && [[ "$WP_MULTISITE_SUBDOMAINS" != "false" ]]; then openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \ -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:*.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null elif [[ "$WP_MULTISITE" == "true" ]] && [[ "$WP_MULTISITE_SUBDOMAINS" == "false" ]]; then openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout /var/www/certs/keys/slickstack.key -out /var/www/certs/slickstack.crt -subj "/CN=${SITE_DOMAIN}" \ -addext "subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW},IP:${SYSTEM_IPV4_ADDRESS}" 2> /dev/null fi #################################################################################################### #### E. SS-Encrypt-OpenSSL: Validate OpenSSL Certificate ########################################### #################################################################################################### # Move to ss-stack-overview ? ## validate openssl cert ## # openssl x509 -noout -text -in "${PATH_OPENSSL_CERTIFICATE}" #################################################################################################### #### E. SS-Encrypt-OpenSSL: Reset Permissions (Nginx SSL) ########################################## #################################################################################################### ## run ss-perms-nginx-ssl ## source "${PATH_SS_PERMS_NGINX_SSL}" #################################################################################################### #### PLACEHOLDER: Reset Permissions (SlickStack Scripts) ########################################### #################################################################################################### ## we include this permissions reset in all cron jobs and bash scripts for redundancy ## ## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ## ## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ## SNIPPET: ss bash scripts, ss cron jobs ## UPDATED: 02JUL2022 chown root:root /var/www/ss* ## must be root:root chown root:root /var/www/crons/*cron* ## must be root:root chown root:root /var/www/crons/custom/*cron* ## must be root:root chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute #################################################################################################### #### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ############### #################################################################################################### ## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/ ## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299 ## Ref: https://matthewlehner.net/lets-encrypt-with-nginx ## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851 ## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2 ## Ref: https://community.letsencrypt.org/t/certificate-path/24227 ## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html ## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693 ## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash ## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable ## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script ## Ref: https://github.com/certbot/certbot/issues/3039 ## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string ## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard ## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/ ## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168 ## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare ## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https ## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/ ## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd ## Ref: https://letsencrypt.org/docs/challenge-types/ ## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation ## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346 ## Ref: https://weakdh.org/sysadmin.html ## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters ## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters ## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS ## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue ## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed ## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue ## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line ## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2 ## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568 ## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/ ## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names ## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo ## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041 ## Ref: https://letsencrypt.org/docs/rate-limits/ ## Ref: https://github.com/certbot/certbot/issues/2071 ## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14 ## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917 ## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash ## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago ## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old ## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/ ## Ref: https://www.getpagespeed.com/server-setup/ssl-directory ## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key ## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/ ## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu ## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542 ## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409 ## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt ## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables ## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem ## Ref: https://security.stackexchange.com/questions/175786/is-it-required-to-have-the-same-domain-name-and-common-name-for-ssl-certificate ## Ref: https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/ ## Ref: https://serverfault.com/questions/886943/ssl-for-multiple-servers-and-sub-domains ## Ref: https://support.citrix.com/article/CTX135602_ ## Ref: https://support.citrix.com/article/CTX227983 ## Ref: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line ## Ref: https://stackoverflow.com/questions/37035300/how-to-determine-the-default-location-for-openssl-cnf ## Ref: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/41366949#41366949 ## Ref: https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/ ## Ref: https://www.redhat.com/sysadmin/6-openssl-commands ## Ref: https://geekflare.com/openssl-commands-certificates/ ## Ref: https://stackoverflow.com/questions/1822268/how-do-i-create-my-own-wildcard-certificate-on-linux/1822279 ## SS_EOF