Adding some SSL support scripts

2021-01-01 12:45:34 -06:00
parent 17a9e9ef7d
commit 68ef34c3c6
2 changed files with 28 additions and 0 deletions
--- a/roles/SSL/files/manual-ssl-renew
+++ b/roles/SSL/files/manual-ssl-renew
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ `whoami` != 'root' ]; then
+    sudo $0 $@
+    exit
+fi
+
+domain="$1"
+
+certbot certonly -d ${domain} -d "*.${domain}" --manual --force-interactive --reuse-key
+cat /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /etc/letsencrypt/live/${domain}/certkey.pem
+
+# PKCS12 for Emby
+echo | openssl pkcs12 -password stdin -export -out /etc/letsencrypt/live/${domain}/ssl.pfx -inkey /etc/letsencrypt/live/${domain}/privkey.pem -in /etc/letsencrypt/live/${domain}/cert.pem -certfile /etc/letsencrypt/live/${domain}/fullchain.pem
+cat /etc/letsencrypt/live/${domain}/ssl.pfx > /var/lib/emby/ssl/yggdrasil.pfx
+
+systemctl restart webserver
+systemctl restart yggdrasil
+
+echo
+echo "Don't forget to send \`/raw reloadmodule m_ssl_openssl.so\` to a NetAdmin session on AniNIX/IRC"
+echo Add these to the TLSA records for the domain
+
+bash ./tlsa-generation.bash
--- a/roles/SSL/files/tlsa-generation.bash
+++ b/roles/SSL/files/tlsa-generation.bash
@@ -0,0 +1,4 @@
+#!/bin/bash
+openssl x509 -in /etc/letsencrypt/live/aninix.net/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
+openssl x509 -in /etc/letsencrypt/live/aninix.net/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
+