-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathletsencrypt-generate
73 lines (67 loc) · 2.32 KB
/
letsencrypt-generate
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/usr/bin/env bash
##
## letsencrypt-generate
##
## This script generates a new keypair and certificate signing request
## for Let's Encrypt.
##
## Source: https://flippingbinary.com
##
## Copyright 2017 Jonathan Musselwhite
##
## Permission is hereby granted, free of charge, to any person obtaining a copy
## of this software and associated documentation files (the "Software"), to
## deal in the Software without restriction, including without limitation the
## rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
## sell copies of the Software, and to permit persons to whom the Software is
## furnished to do so, subject to the following conditions:
##
## The above copyright notice and this permission notice shall be included in
## all copies or substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
## IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
## AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
## LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
## OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
## THE SOFTWARE.
##
###
###### CHECK SETTINGS ######
MAIN_DIR=/etc/ssl/letsencrypt
###### CHECK SETTINGS ######
[ -f /etc/default/letsencrypt-tlsa ] && . /etc/default/letsencrypt-tlsa
if [ "$#" -lt 1 ]
then
echo "Usage: $0 domain [space-separated list of alternate domains]" >&2
exit 1
fi
DATE=$(date +%Y%m%d%H%M%S)
DOMAINS="DNS:$1"
COMMON_NAME="$1"
CSR_DIR=${MAIN_DIR}/csr/${COMMON_NAME}
PRIVKEY_DIR=${MAIN_DIR}/keys/${COMMON_NAME}
CSR_PATH="${CSR_DIR}/csr-${DATE}.der"
PRIVKEY_PATH="${PRIVKEY_DIR}/privkey-${DATE}.pem"
# Build the list of alternate domain names
shift
for x in "$@"
do
DOMAINS="$DOMAINS,DNS:$x"
done
# Create a few directories to prevent simple errors
mkdir -p ${CSR_DIR}
mkdir -p ${PRIVKEY_DIR}
chmod 700 ${PRIVKEY_DIR}
# Generate the actual keypair using OpenSSL
openssl req \
-config <(printf "[req]\ndistinguished_name=req_dn\n[req_dn]\ncommonName=${COMMON_NAME}\n[san]\nsubjectAltName=${DOMAINS}") \
-new \
-nodes \
-subj '/' \
-reqexts san \
-out "${CSR_PATH}" \
-keyout "${PRIVKEY_PATH}" \
-newkey rsa:4096 \
-outform DER