
Reduce and simplify number of exported variables. Also allow any cert file to append to previous file.
dnsconf
David Kerr 8 years ago
parent commit 68d708e56d
  1. deploy/README.md (33)
  2. deploy/ssh.sh (92)

deploy/README.md (33)

@ -42,15 +42,13 @@ export ACME_DEPLOY_SSH_USER="admin"
``` ```
Optional... Optional...
```bash ```bash
export ACME_DEPLOY_SSH_CMD=""
export ACME_DEPLOY_SSH_SERVER="qnap" export ACME_DEPLOY_SSH_SERVER="qnap"
export ACME_DEPLOY_SSH_PORT="22"
export ACME_DEPLOY_SSH_SERVICE_STOP=""
export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
export ACME_DEPLOY_SSH_FULLCHAIN="" export ACME_DEPLOY_SSH_FULLCHAIN=""
export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
export ACME_DEPLOY_SSH_SERVICE_START=""
``` ```
The values used above are illustrative only and represent those that could The values used above are illustrative only and represent those that could
be used to deploy certificates to a QNAP NAS device running QTS 4.2 be used to deploy certificates to a QNAP NAS device running QTS 4.2
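Review bot: the new example line `export ACME_DEPLOY_SSH_CMD=""` gives no hint of what the variable holds, and because `ACME_DEPLOY_SSH_PORT` is dropped from the same block, a reader who had set a non-default port is left without the migration path. Suggest an illustrative value that shows the form, e.g. `export ACME_DEPLOY_SSH_CMD="ssh -p 22"`, or a comment on that line saying that the default is plain `ssh`.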
@ -64,16 +62,13 @@ can login to USER@URL from the host running acme.sh before using this script.
The USER@URL at the remote server must also have has permissions to write to The USER@URL at the remote server must also have has permissions to write to
the target location of the certificate files and to execute any commands the target location of the certificate files and to execute any commands
(e.g. to stop/start services). (e.g. to stop/start services).
###ACME_DEPLOY_SSH_CMD
You can customize the ssh command used to connect to the remote host. For example
if you need to connect to a specific port at the remote server you can set this
to, for example, "ssh -p 22"
###ACME_DEPLOY_SSH_SERVER ###ACME_DEPLOY_SSH_SERVER
URL or IP Address of the remote server. If not provided then the domain URL or IP Address of the remote server. If not provided then the domain
name provided on the acme.sh --deploy command line is used. name provided on the acme.sh --deploy command line is used.
###ACME_DEPLOY_SSH_PORT
Port number that SSH will attempt to connect to at the remote server. If
not provided then defaults to 22.
###ACME_DEPLOY_SSH_SERVICE_STOP
Command to execute on the remote server prior to copying any certificates. This
would typically be used to stop the service for which the certificates are
being deployed.
###ACME_DEPLOY_SSH_KEYFILE ###ACME_DEPLOY_SSH_KEYFILE
Target filename for the private key issued by LetsEncrypt. Target filename for the private key issued by LetsEncrypt.
###ACME_DEPLOY_SSH_CERTFILE ###ACME_DEPLOY_SSH_CERTFILE
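Review bot: the new ACME_DEPLOY_SSH_CMD section should say how the value is used, namely that it is expanded unquoted and split on whitespace into the ssh program and its options, so `ssh -p 22` works but an option argument that itself contains a space (an identity-file path with a space in it, for instance) does not; it should also state the default (`ssh`) and, since `ssh -p 22` only restates ssh's default port, give an example with a non-default port or an `-i` identity file instead. Nit in the unchanged context just above the new section: "must also have has permissions" has a doubled verb.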
@ -82,22 +77,18 @@ is the same as that provided for ACME_DEPLOY_SSH_KEYFILE then this certificate
is appended to the same file as the private key. is appended to the same file as the private key.
###ACME_DEPLOY_SSH_CAFILE ###ACME_DEPLOY_SSH_CAFILE
Target filename for the CA intermediate certificate issued by LetsEncrypt. Target filename for the CA intermediate certificate issued by LetsEncrypt.
If this is the same as a previous filename then it is appended to the same
file
###ACME_DEPLOY_SSH_FULLCHAIN ###ACME_DEPLOY_SSH_FULLCHAIN
Target filename for the fullchain certificate issued by LetsEncrypt. Target filename for the fullchain certificate issued by LetsEncrypt.
If this is the same as a previous filename then it is appended to the same
file
###ACME_DEPLOY_SSH_REMOTE_CMD ###ACME_DEPLOY_SSH_REMOTE_CMD
Command to execute on the remote server after copying any certificates. This Command to execute on the remote server after copying any certificates. This
could be any additional command required prior to starting the service again,
or could be a all-inclusive restart (stop and start of service). If
ACME_DEPLOY_SSH_SERVICE_STOP value was provided then a 2 second sleep is
inserted prior to calling this command to allow the system to stabalize.
###ACME_DEPLOY_SSH_SERVICE_START
Command to execute on the remote server after copying any certificates. This
would typically be used to stop the service for which the certificates are
being deployed. If ACME_DEPLOY_SSH_SERVICE_STOP or ACME_DEPLOY_SSH_REMOTE_CMD
values were provided then a 2 second sleep is inserted prior to calling
this command to allow the system to stabalize.
could be any additional command required for example to stop and restart
the service.
##Backups
###Backups
Before writing a certificate file to the remote server the existing Before writing a certificate file to the remote server the existing
certificate will be copied to a backup directory on the remote server. certificate will be copied to a backup directory on the remote server.
These are placed in a hidden directory in the home directory of the SSH These are placed in a hidden directory in the home directory of the SSH
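Review bot: the two new sentences "If this is the same as a previous filename then it is appended to the same file" (under ACME_DEPLOY_SSH_CAFILE and ACME_DEPLOY_SSH_FULLCHAIN) end without a full stop, and neither says what "previous" means; state the write order explicitly (private key, then certificate, then CA, then fullchain), because that is the order in which the sections land in a shared file, and point out that setting FULLCHAIN to the same file as CAFILE puts the intermediate in that file twice. The rewritten REMOTE_CMD paragraph reads better as "This could be any additional command required, for example to stop and restart the service." Also confirm that demoting `##Backups` to `###Backups` is intended: it now sits at the same heading level as the per-variable sections although it is not a variable.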

deploy/ssh.sh (92)

@ -12,16 +12,14 @@
# Only a username is required. All others are optional. # Only a username is required. All others are optional.
# #
# The following examples are for QNAP NAS running QTS 4.2 # The following examples are for QNAP NAS running QTS 4.2
# export ACME_DEPLOY_SSH_CMD=""
# export ACME_DEPLOY_SSH_USER="admin" # export ACME_DEPLOY_SSH_USER="admin"
# export ACME_DEPLOY_SSH_SERVER="qnap" # export ACME_DEPLOY_SSH_SERVER="qnap"
# export ACME_DEPLOY_SSH_PORT="22"
# export ACME_DEPLOY_SSH_SERVICE_STOP=""
# export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" # export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
# export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" # export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
# export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" # export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
# export ACME_DEPLOY_SSH_FULLCHAIN="" # export ACME_DEPLOY_SSH_FULLCHAIN=""
# export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" # export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
# export ACME_DEPLOY_SSH_SERVICE_START=""
######## Public functions ##################### ######## Public functions #####################
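Review bot: the header comment example `# export ACME_DEPLOY_SSH_CMD=""` should mirror the README, e.g. `"ssh -p 22"`, so that someone reading only the script sees the value is a complete ssh command line rather than a flag or a path; otherwise the comment block is consistent with the README change (PORT, SERVICE_STOP and SERVICE_START removed, CMD added) and the "Only a username is required" line still holds.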
@ -67,26 +65,15 @@ ssh_deploy() {
Le_Deploy_ssh_server="$_cdomain" Le_Deploy_ssh_server="$_cdomain"
fi fi
# PORT is optional. If not provided then use port 22
if [ -n "$ACME_DEPLOY_SSH_PORT" ]; then
Le_Deploy_ssh_port="$ACME_DEPLOY_SSH_PORT"
_savedomainconf Le_Deploy_ssh_port "$Le_Deploy_ssh_port"
elif [ -z "$Le_Deploy_ssh_port" ]; then
Le_Deploy_ssh_port="22"
# CMD is optional. If not provided then use ssh
if [ -n "$ACME_DEPLOY_SSH_CMD" ]; then
Le_Deploy_ssh_cmd="$ACME_DEPLOY_SSH_CMD"
_savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
elif [ -z "$Le_Deploy_ssh_cmd" ]; then
Le_Deploy_ssh_cmd="ssh"
fi fi
_info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server on port $Le_Deploy_ssh_port"
# SERVICE_STOP is optional.
# If provided then this command will be executed on remote host.
if [ -n "$ACME_DEPLOY_SSH_SERVICE_STOP" ]; then
Le_Deploy_ssh_service_stop="$ACME_DEPLOY_SSH_SERVICE_STOP"
_savedomainconf Le_Deploy_ssh_service_stop "$Le_Deploy_ssh_service_stop"
fi
if [ -n "$Le_Deploy_ssh_service_stop" ]; then
_cmdstr="$_cmdstr $Le_Deploy_ssh_service_stop ;"
_info "Will stop remote service with command $Le_Deploy_ssh_service_stop"
fi
_info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server"
# KEYFILE is optional. # KEYFILE is optional.
# If provided then private key will be copied to provided filename. # If provided then private key will be copied to provided filename.
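Review bot: the replaced `_info` line no longer reports how the connection will be made, and because `Le_Deploy_ssh_cmd` is stored with `_savedomainconf` and reused unchanged on later `--deploy` runs, a renewal can silently execute a command the operator set long ago. Suggest `_info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server using $Le_Deploy_ssh_cmd"`. Note also that, unlike `Le_Deploy_ssh_remote_cmd`, this persisted value runs on the acme.sh host itself (see the final hunk), so the file `_savedomainconf` writes to is now a source of local commands and must not be writable by other users; a comment to that effect next to the `_savedomainconf Le_Deploy_ssh_cmd` line would help future readers.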
@ -110,78 +97,72 @@ ssh_deploy() {
fi fi
if [ -n "$Le_Deploy_ssh_certfile" ]; then if [ -n "$Le_Deploy_ssh_certfile" ]; then
if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then
# if filename is same as that provided for private key then append.
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" >> $Le_Deploy_ssh_certfile ;"
_info "will append certificate to same file"
# if filename is same as previous file then append.
_pipe=">>"
else else
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir ;"
_pipe=">"
fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" > $Le_Deploy_ssh_certfile ;"
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile ;"
_info "will copy certificate to remote file $Le_Deploy_ssh_certfile" _info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
fi fi
fi
# CAFILE is optional. # CAFILE is optional.
# If provided then CA intermediate certificate will be copied to provided filename.
# If provided then CA intermediate certificate will be copied or appended to provided filename.
if [ -n "$ACME_DEPLOY_SSH_CAFILE" ]; then if [ -n "$ACME_DEPLOY_SSH_CAFILE" ]; then
Le_Deploy_ssh_cafile="$ACME_DEPLOY_SSH_CAFILE" Le_Deploy_ssh_cafile="$ACME_DEPLOY_SSH_CAFILE"
_savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile" _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
fi fi
if [ -n "$Le_Deploy_ssh_cafile" ]; then if [ -n "$Le_Deploy_ssh_cafile" ]; then
if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ||
[ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then
# if filename is same as previous file then append.
_pipe=">>"
else
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir ;"
_pipe=">"
fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" > $Le_Deploy_ssh_cafile ;"
_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile ;"
_info "will copy CA file to remote file $Le_Deploy_ssh_cafile" _info "will copy CA file to remote file $Le_Deploy_ssh_cafile"
fi fi
# FULLCHAIN is optional. # FULLCHAIN is optional.
# If provided then fullchain certificate will be copied to provided filename.
# If provided then fullchain certificate will be copied or appended to provided filename.
if [ -n "$ACME_DEPLOY_SSH_FULLCHAIN" ]; then if [ -n "$ACME_DEPLOY_SSH_FULLCHAIN" ]; then
Le_Deploy_ssh_fullchain="$ACME_DEPLOY_SSH_FULLCHAIN" Le_Deploy_ssh_fullchain="$ACME_DEPLOY_SSH_FULLCHAIN"
_savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain" _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
fi fi
if [ -n "$Le_Deploy_ssh_fullchain" ]; then if [ -n "$Le_Deploy_ssh_fullchain" ]; then
if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ||
[ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] ||
[ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then
# if filename is same as previous file then append.
_pipe=">>"
else
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir ;"
_pipe=">"
fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" > $Le_Deploy_ssh_fullchain ;"
_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain ;"
_info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain" _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain"
fi fi
# REMOTE_CMD is optional. # REMOTE_CMD is optional.
# If provided then this command will be executed on remote host. # If provided then this command will be executed on remote host.
# A 2 second delay is inserted to allow system to stabalize after
# executing a service stop.
if [ -n "$ACME_DEPLOY_SSH_REMOTE_CMD" ]; then if [ -n "$ACME_DEPLOY_SSH_REMOTE_CMD" ]; then
Le_Deploy_ssh_remote_cmd="$ACME_DEPLOY_SSH_REMOTE_CMD" Le_Deploy_ssh_remote_cmd="$ACME_DEPLOY_SSH_REMOTE_CMD"
_savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd" _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
fi fi
if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
if [ -n "$Le_Deploy_ssh_service_stop" ]; then
_cmdstr="$_cmdstr sleep 2 ;"
fi
_cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd ;" _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd ;"
_info "Will execute remote command $Le_Deploy_ssh_remote_cmd" _info "Will execute remote command $Le_Deploy_ssh_remote_cmd"
fi fi
# SERVICE_START is optional.
# If provided then this command will be executed on remote host.
# A 2 second delay is inserted to allow system to stabalize after
# executing a service stop or previous command.
if [ -n "$ACME_DEPLOY_SSH_SERVICE_START" ]; then
Le_Deploy_ssh_service_start="$ACME_DEPLOY_SSH_SERVICE_START"
_savedomainconf Le_Deploy_ssh_service_start "$Le_Deploy_ssh_service_start"
fi
if [ -n "$Le_Deploy_ssh_service_start" ]; then
if [ -n "$Le_Deploy_ssh_service_stop" ] || [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
_cmdstr="$_cmdstr sleep 2 ;"
fi
_cmdstr="$_cmdstr $Le_Deploy_ssh_service_start ;"
_info "Will start remote service with command $Le_Deploy_ssh_remote_cmd"
fi
if [ -z "$_cmdstr" ]; then if [ -z "$_cmdstr" ]; then
_err "No remote commands to excute. Failed to deploy certificates to remote server" _err "No remote commands to excute. Failed to deploy certificates to remote server"
return 1 return 1
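Review bot: the removed `_info "will append certificate to same file"` is not replaced, so after this change the log prints "will copy ... to remote file" whether `_pipe` is `>` or `>>`; include the mode in each of the three `_info` messages (for example log "append" when `_pipe` is `>>`) so a deployment that appends to an existing file is visible in the output. The backup logic itself looks right: `cp ... $_backupdir` is only skipped when the target was already rewritten earlier in the same `_cmdstr`, and each comparison chain covers every variable processed before it. One caveat deserves a comment at the FULLCHAIN block: when `Le_Deploy_ssh_fullchain` equals `Le_Deploy_ssh_cafile` the intermediate is written twice, once from `$_cca` and again as part of `$_cfullchain`.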
@ -199,7 +180,12 @@ ssh_deploy() {
_info "Submitting sequence of commands to remote server by ssh" _info "Submitting sequence of commands to remote server by ssh"
# quotations in bash cmd below intended. Squash travis spellcheck error # quotations in bash cmd below intended. Squash travis spellcheck error
# shellcheck disable=SC2029 # shellcheck disable=SC2029
ssh -T -p "$Le_Deploy_ssh_port" "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmdstr'"
$Le_Deploy_ssh_cmd -T "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmdstr'"
_ret="$?"
if [ "$_ret" != "0" ]; then
_err "Error code $_ret returned from $Le_Deploy_ssh_cmd"
fi
return $?
return $_ret
} }
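Review bot: the new `_ret` check only observes the exit status of the last command in `_cmdstr`, because the remote commands are joined with ` ;` (the `cp ... $_backupdir ;` and `echo ... $_pipe ... ;` lines in the previous hunk), so a failed backup or a failed write to a certificate file is masked whenever the final `Le_Deploy_ssh_remote_cmd` succeeds, and the deploy is reported as successful with the service restarted on a partially written file. Suggest joining the remote commands with ` &&` instead, or prefixing `_cmdstr` with `set -e ;`, so that the remote `sh -c` and therefore ssh return non-zero on the first failure. Minor: `return $_ret` should be `return "$_ret"` to match the quoting on the lines above, and since `$Le_Deploy_ssh_cmd` must stay unquoted for `ssh -p 22` to split into program and option, that limitation belongs in the README's ACME_DEPLOY_SSH_CMD section.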