--- /dev/null
+#!/bin/sh
+
+
+if [ -d /etc/letsencrypt ]
+then
+ mv /etc/letsencrypt /etc/letsencrypt.orig
+fi
+/usr/local/bin/getletsencrypt.sh
+if [ $? -eq 0 ]
+then
+ echo '10 3 * * * root /usr/local/bin/getletsencrypt.sh' >>/etc/crontab
+fi
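Review bot: The cron line at L12 is appended to /etc/crontab on every successful run, so re-running this installer leaves duplicate daily jobs, and when getletsencrypt.sh fails the tree renamed at L7 is never put back, leaving the host with no /etc/letsencrypt at all (getletsencrypt.sh only creates it on success). A drop-in under /etc/cron.d written with `>` is idempotent (cronie, added to the package list elsewhere in this commit, reads that directory), and the failure branch can restore the backup. Note also that `mv` onto an existing /etc/letsencrypt.orig nests the directory inside it rather than replacing it, so a second run also pollutes the backup; removing or rotating the old backup before L7 avoids that. The rewritten tail would look like:

```shell
if /usr/local/bin/getletsencrypt.sh; then
  # overwrite rather than append: safe to re-run the installer
  printf '10 3 * * * root /usr/local/bin/getletsencrypt.sh\n' >/etc/cron.d/getletsencrypt
elif [ -d /etc/letsencrypt.orig ]; then
  # fetch failed and nothing was installed; put the previous tree back
  mv /etc/letsencrypt.orig /etc/letsencrypt
fi
```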
INSTANCE_NAME=user
-/usr/local/bin/getletsencrypt.sh
-
-
/usr/local/bin/restorefds.sh
if [ $? -eq 0 ]
then
rm --force $LDIF_FILE
/usr/local/bin/replacedirsrvcerts.sh
-
-dsctl $INSTANCE_NAME restart
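Review bot: The unconditional `dsctl $INSTANCE_NAME restart` removed at L24 is now performed only inside replacedirsrvcerts.sh, and there only within its `if [ -d /etc/letsencrypt ]` branch, so after restorefds.sh succeeds on a host without a Let's Encrypt tree the instance is no longer restarted; if restorefds.sh's changes need a restart to take effect (I cannot tell from this hunk), keep a restart here or make replacedirsrvcerts.sh restart unconditionally. The exit status of `/usr/local/bin/replacedirsrvcerts.sh` at L22 is also not checked, so a failed certificate swap is silently treated as success by this script. The enclosing `if` block continues past the end of the hunk.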
#!/bin/sh
-if [ -d /etc/letsencrypt ]
-then
- rm --force --recursive /etc/letsencrypt.old
- cp --archive /etc/letsencrypt /etc/letsencrypt.old
-fi
+# cases are:
+# 1: /etc/letsencrypt does not exist
+# 2: /etc/letsencrypt exists
+# 2.1: /etc/letsencrypt.staging does not exist
+# 2.2: /etc/letsencrypt.staging exists
+# 2.2.1: staging differs from current
+# 2.2.2: staging is the same as current
+
+
+LE_DIRECTORY=/etc/letsencrypt
+OLD_LE_DIRECTORY=/etc/letsencrypt.old
+STAGING_DIRECTORY=/etc/letsencrypt.staging
+TMP_DIRECTORY=$(mktemp --directory)
+
/usr/bin/rsync \
--archive \
--delete-after \
--info=STATS \
pki.in.useribm.hu::letsencrypt \
- /etc/letsencrypt
+ $TMP_DIRECTORY
+if [ $? -ne 0 ]
+then
+ rm --force --recursive $TMP_DIRECTORY
+ exit 1
+fi
+
+if [ -d $LE_DIRECTORY ]
+then
+ # case 2
+ if [ -d $STAGING_DIRECTORY ]
+ then
+ # case 2.2
+ diff --brief --recursive $STAGING_DIRECTORY $TMP_DIRECTORY
+ DIFFERS=$?
+ if [ $DIFFERS -eq 0 ]
+ then
+ # case 2.2.2
+ rm --force --recursive $OLD_LE_DIRECTORY
+ rm --force --recursive $TMP_DIRECTORY
+ mv $LE_DIRECTORY $OLD_LE_DIRECTORY
+ mv $STAGING_DIRECTORY $LE_DIRECTORY
+ /usr/local/bin/replacedirsrvcerts.sh
+ else
+ # case 2.2.1
+ rm --force --recursive $STAGING_DIRECTORY
+ mv $TMP_DIRECTORY $STAGING_DIRECTORY
+ fi
+ else
+ # case 2.1
+ diff --brief --recursive $LE_DIRECTORY $TMP_DIRECTORY
+ DIFFERS=$?
+ if [ $DIFFERS -eq 0 ]
+ then
+ rm --force --recursive $TMP_DIRECTORY
+ else
+ mv $TMP_DIRECTORY $STAGING_DIRECTORY
+ fi
+ fi
+else
+ # case 1
+ mv $TMP_DIRECTORY $LE_DIRECTORY
+fi
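Review bot: The rsync at L45–L51 pulls the whole certificate tree, including the live/*/privkey.pem that replacedirsrvcerts.sh later imports, over the rsync daemon protocol (`host::module`), which provides no transport encryption and, unless the module is configured with auth users/secrets, no authentication either; anyone on the path can read the private key and can feed this cron job a substitute chain and key that L73 installs without any check. Tunnel the transfer over ssh (`-e ssh pki.in.useribm.hu:/path/letsencrypt/`), or at least use an authenticated module with `--password-file`, and consider verifying that the fetched key matches the fetched certificate before the tree is accepted, e.g. by comparing `openssl x509 -noout -pubkey -in cert.pem` with `openssl pkey -pubout -in privkey.pem`. Separately, the `mktemp --directory` tree from L43 is cleaned up only on the rsync-failure path; `trap 'rm -rf -- "$TMP_DIRECTORY"' EXIT` also covers an abort in the diff/mv section. The 0700 mode mktemp gives that directory is carried into /etc/letsencrypt by the moves at L72, L77 and L92, which is fine for root-only readers but worth confirming if anything else on the host reads the tree.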
INSTANCE_NAME=user
+TMP_PATH=$(mktemp --directory)
if [ -d /etc/letsencrypt ]
LETSENCRYPT_BASE=/etc/letsencrypt
CERT_PATH=$LETSENCRYPT_BASE/live/useribm
- dsconf $INSTANCE_NAME security ca-certificate list \
- | grep '^Certificate Name:' | cut -f 2- -d ':' \
- | while read CA_NAME
+ for CACERT in ca-certificate certificate
do
- dsconf $INSTANCE_NAME security ca-certificate del "$CA_NAME"
+ dsconf $INSTANCE_NAME security $CACERT list \
+ | grep '^Certificate Name:' | cut -f 2- -d ':' \
+ | while read CACERT_NAME
+ do
+ dsconf $INSTANCE_NAME security $CACERT del "$CACERT_NAME"
+ done
done
- dsconf $INSTANCE_NAME security ca-certificate add \
- --file $CERT_PATH/chain.pem \
- --name "Let's Encrypt Certificate Authority"
- dsconf $INSTANCE_NAME security ca-certificate set-trust-flags \
- "Let's Encrypt Certificate Authority" \
- --flags "CT,,"
+ CA_SERIAL=0
+ cat $CERT_PATH/chain.pem | while read LINE
+ do
+ echo $LINE | grep 'BEGIN CERTIFICATE'
+ if [ $? -eq 0 ]
+ then
+ CA_SERIAL=$(( $CA_SERIAL + 1 ))
+ CA_FILE=$TMP_PATH/ca${CA_SERIAL}.pem
+ fi
+ echo $LINE >>$CA_FILE
+ done
+ for CERT_FILE in $TMP_PATH/ca*.pem
+ do
+ CERT_SUBJECT=$(openssl x509 -noout -subject -in $CERT_FILE \
+ | sed 's/^.*O \?= \?\([^,]*\), \?CN \?= \?\(.*\)$/\1 \2/')
+ dsconf $INSTANCE_NAME security ca-certificate add \
+ --file $CERT_FILE \
+ --name "$CERT_SUBJECT"
+ done
+ # cannot use dsconf, need key as well
dsctl $INSTANCE_NAME tls import-server-key-cert \
$CERT_PATH/cert.pem \
$CERT_PATH/privkey.pem
+ dsctl $INSTANCE_NAME restart
fi
+
+rm --force --recursive $TMP_PATH
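Review bot: The removed lines L115–L117 set trust flags `CT,,` on the imported CA, but the new loop at L129–L136 only runs `ca-certificate add` and never sets trust on any of the split chain certificates; if `dsconf ... ca-certificate add` does not mark the certificate as a trusted CA by itself (I have not confirmed the lib389 default), the server certificate imported at L138 ends up with no trusted issuer in the NSS database, so verify with `dsconf $INSTANCE_NAME security ca-certificate list` that the entries show `CT,,` or keep `dsconf $INSTANCE_NAME security ca-certificate set-trust-flags "$CERT_SUBJECT" --flags "CT,,"` inside the loop. The splitter at L118–L128 redirects into an unset `$CA_FILE` for any line preceding the first `BEGIN CERTIFICATE` and echoes every matched header line because `grep` lacks `-q`; one awk does the split with neither problem: `awk -v d="$TMP_PATH" '/BEGIN CERTIFICATE/{n++; f=d "/ca" n ".pem"} f{print > f}' "$CERT_PATH/chain.pem"`. Finally, L102–L111 delete every existing CA and server certificate before anything is re-added, so a missing or unreadable cert.pem/privkey.pem leaves the instance with no TLS identity; a `[ -r "$CERT_PATH/privkey.pem" ] && [ -r "$CERT_PATH/cert.pem" ] || exit 1` guard before the delete loop is cheap insurance.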
DISTRIBUTION=Fedora
DISTRIBUTION_VERSION=36
-SPEC_PACKAGES="389-ds-base cockpit cockpit-389-ds openssh-clients openssh-server rsync"
+SPEC_PACKAGES="389-ds-base acl cockpit cockpit-389-ds cronie"
+SPEC_PACKAGES="$SPEC_PACKAGES openssh-clients openssh-server rsync"
7200 ; Retry (2 hours)
2419200 ; Expire (4 weeks)
3600) ; Minimum (1 hour)
-; 0 1 2
+; 1 2
; 12345678901234567890123456
; abcdefghijklmnopqrstuvwxyz
+; 123456789
@ IN NS pns
@ IN MX 10 mx