1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
#!@@SHELL_BINARY@@
# -*- mode: sh; sh-shell: sh -*-
#
# default letsencrypt script for OE utilities
#
# Copyright (C) 2019 Rishabh Rishabh <rishabh0402@gmail.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
# record original umask
umask=$(umask)
# CA certificates URL
CERT1="https://letsencrypt.org/certs/isrgrootx1.pem.txt"
CERT2="https://letsencrypt.org/certs/trustid-x3-root.pem.txt"
# Intermediate certificates URL and CERT4 Name
CERT3="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt"
CERT4="https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt"
CERT4NAME="letsencryptauthorityx3.pem.txt"
# @@IPSEC_NSSDIR@@ variable for getting location to save the configuration files
# Installing for -server or -client
ServerClient=$1
HostName=$2
# function for checking if the command is run as root
check_root() {
# Checking if the command is run as root, This command needs to be run as root
if [ "$(id -u)" -ne 0 ]; then
echo "This command should be run as root."
exit 1
fi
}
# function for testing OE connection
test() {
# Checking for any existing OE connections
oeExisting=$(ipsec trafficstatus | grep private)
if [ ! -z "${oeExisting}" ]; then
echo "Existing OE Connections Found."
echo "Please stop the connections using 'ipsec restart' and try again."
echo "${oeExisting}"
exit 1
fi
# Establishing an OE connection and sending pings to letsencrypt.libreswan.org server
echo "Sending ping(IPv4) to letsencrypt.libreswan.org server."
ping -4 -c 5 letsencrypt.libreswan.org >/dev/null 2>/dev/null
# Checking the success of establishing OE connection
oeSuccess=$(ipsec trafficstatus | grep private)
if [ -z "${oeSuccess}" ]; then
echo "Failed to establish an OE connection."
echo "Try 'ipsec restart' and test again using 'ipsec letsencrypt --test'."
exit 1
else
echo "OE Connection established successfully."
# Displaying connection status
ipsec trafficstatus | grep private
fi
}
# Function for performaing Initial setup
setup() {
# Installing for client or server?
if [ "${ServerClient}" = "--client" ]; then
echo "Installing for Client."
else
echo "Installing for Server."
fi
# Downloading the letsencrypt certificates
echo "Downloading the letsencrypt certificates"
# set secure umask
umask 077
CERTDIR1=$(mktemp -d)
if [ $? -gt 0 ]; then
echo "ERROR: could not create temp directory"
exit 1
fi
CERTDIR2=$(mktemp -d)
if [ $? -gt 0 ]; then
echo "ERROR: could not create temp directory"
exit 1
fi
# Downloading the CA certificates
wget_output=$(wget -q -P "${CERTDIR1}" "${CERT1}" "${CERT2}")
if [ $? -ne 0 ]; then
echo "ERROR: CA Certificates NOT Found OR Saving the certificates in directory failed."
exit 1
fi
# Downloading the Intermediate certificates
wget_output=$(wget -q -P "${CERTDIR2}" "${CERT3}" "${CERT4}")
if [ $? -ne 0 ]; then
echo "ERROR: Intermediate Certificates NOT Found OR"
echo "Saving the certificates in directory failed."
exit 1
fi
# Checking if nss database exists
dbFileCheck=$(ls "@@IPSEC_NSSDIR@@"/*.db 2>/dev/null)
if [ -z "${dbFileCheck}" ]; then
# NSS database does not exist. Initializing the nss database
ipsec initnss
fi
# Importing the CA certificates in NSS database
echo "Importing the downloaded certificates into the database"
for file in "${CERTDIR1}"/*; do
file=${file##*/}
certutil -A -d "sql:@@IPSEC_NSSDIR@@" -n "${file%.pem.txt}" -i "${CERTDIR1}"/"${file}" -t "CT,,"
done
# Importing the Intermediate certificates in NSS database
for file in "${CERTDIR2}"/*; do
file=${file##*/}
certutil -A -d "sql:@@IPSEC_NSSDIR@@" -n "${file%.pem.txt}" -i "${CERTDIR2}"/"${file}" -t "u,u,u"
done
# restore umask
umask ${umask}
# Copying the required configuration
if [ "${ServerClient}" = "--server" ]; then
configFile="@@EXAMPLE_IPSEC_SYSCONFDIR@@/letsencrypt/oe-letsencrypt-server.conf"
configFileName="oe-letsencrypt-server.conf"
else
configFile="@@EXAMPLE_IPSEC_SYSCONFDIR@@/letsencrypt/oe-letsencrypt-client.conf"
configFileName="oe-letsencrypt-client.conf"
fi
echo "Saving the required configuration"
cp "${configFile}" "@@IPSEC_CONFDDIR@@/"
# restoring the security context of @@IPSEC_CONFDDIR@@/$configFileName using restorecon.
checkRestorecon=$(which restorecon 2>/dev/null)
if [ -n "${checkRestorecon}" -a -x "${checkRestorecon}" ]; then
restorecon "@@IPSEC_CONFDDIR@@/$configFileName"
fi
# Removing the temporary directories
rm -rf "${CERTDIR1}" "${CERTDIR2}"
echo "To confirm the success try running 'ipsec letsencrypt --test' on the client"
}
# function for generating a certificates
generate_certificate() {
# Generating the certificate using Certbot
certBotInstalled=$(which certbot 2>/dev/null)
if [ -n "${certBotInstalled}" -a -x "${certBotInstalled}" ]; then
certbot certonly --webroot -d "${HostName}"
else
echo "ERROR: Certbot not installed. Please install Certbot and try again."
exit 1
fi
# set secure umask
umask 077
CERTDIR=$(mktemp -d)
if [ $? -gt 0 ]; then
echo "ERROR: could not create temp directory"
exit 1
fi
wget_output=$(wget -q -P "${CERTDIR}" "${CERT4}")
if [ $? -ne 0 ]; then
echo "ERROR: Certificates NOT Found OR Saving the certificate in directory failed"
exit 1
fi
# Now generating the #pkcs12 (.p12) file
LetsEncryptCertDir="/etc/letsencrypt/live/${HostName}"
openssl pkcs12 -export -inkey "${LetsEncryptCertDir}/privkey.pem" -in "${LetsEncryptCertDir}/fullchain.pem" -CAfile "${CERTDIR}/${CERT4NAME}" -out "${LetsEncryptCertDir}/generatedCertificate.p12"
# Importing the certificate in nss database
echo "Importing the certificate in database. Password for PKCS12 file is the same as the Export Password you entered above."
pk12util -d "sql:@@IPSEC_NSSDIR@@" -i "${LetsEncryptCertDir}/generatedCertificate.p12"
# restore umask
umask ${umask}
# Displaying the certificates installed in nss database
certutil -L -d "sql:@@IPSEC_NSSDIR@@"
# Now generating the certbot configuration for reusing key
LetsEncryptConfFile="/etc/letsencrypt/renewal/${HostName}.conf"
echo "reuse_key = True" >>"${LetsEncryptConfFile}"
# creating a crontab for automatic cert renewals
if [ -d /etc/cron.d ]; then
if [ ! -f /etc/cron.d/ipsec-cert-renewal ]; then
echo "0 1 * * * root certbot renew --deploy-hook 'ipsec letsencrypt --update-certificate ${HostName}'" \
>>/etc/cron.d/ipsec-cert-renewal
fi
else
echo "0 1 * * * certbot renew --deploy-hook 'ipsec letsencrypt --update-certificate ${HostName}'" >>cert-renewal
crontab cert-renewal
rm cert-renewal
fi
# Removing the temporary directory
rm -fr "${CERTDIR}"
echo "try running 'ipsec restart' to load the latest certificates"
echo "To confirm the success try running 'ipsec letsencrypt --test' on the client"
}
# function for updating the issued certificates
update_certificate() {
# Generating #pkcs12 file, Downloading the required Intermediate certificate
# set secure umask
umask 077
CERTDIR=$(mktemp -d)
wget_output=$(wget -q -P "${CERTDIR}" "${CERT4}")
if [ $? -ne 0 ]; then
echo "ERROR: Certificates NOT Found OR Saving the certificate in directory failed"
exit 1
fi
# Now generating the #pkcs12 (.p12) file
LetsEncryptCertDir="/etc/letsencrypt/live/${HostName}"
openssl pkcs12 -export -inkey "${LetsEncryptCertDir}/privkey.pem" \
-in "${LetsEncryptCertDir}/fullchain.pem" \
-CAfile "${CERTDIR}/${CERT4NAME}" \
-out "${LetsEncryptCertDir}/generatedCertificate.p12"
# Importing the certificate in nss database
echo "Importing the certificate in database."
echo "Password for PKCS12 file is the same as the Export Password you entered above."
pk12util -d "sql:@@IPSEC_NSSDIR@@" -i "${LetsEncryptCertDir}/generatedCertificate.p12"
# restore umask
umask ${umask}
# Displaying the certificates installed in nss database
echo "Displaying the certificates installed in the database."
certutil -L -d "sql:@@IPSEC_NSSDIR@@"
# restarting ipsec to load all certificates
ipsec restart
# Removing the temporary directory
rm -fr "${CERTDIR}"
# To confirm the success try running the test connection script on the client
echo "To confirm the success try running 'ipsec letsencrypt --test' on the client"
}
# function for manual cert renewals
manual_cert_renew() {
# Renewing the certificate using Certbot
certBotInstalled=$(which certbot 2>/dev/null)
if [ -n "${certBotInstalled}" -a -x "${certBotInstalled}" ]; then
certbot renew --deploy-hook 'ipsec letsencrypt --update-certificate ${HostName}'
else
echo "ERROR: Certbot not installed. Please install Certbot and try again."
exit 1
fi
}
# function to disable ipsec by deleting the conf file in @@IPSEC_CONFDDIR@@
disable_ipsec() {
# Deleting the configuration files present in /etc/ipsec.d directory
rm -f "@@IPSEC_CONFDDIR@@"/oe-letsencrypt-*.conf
echo "Please restart the IPsec service using 'ipsec restart' for changes to take effect."
}
# function for showing help
help() {
echo "Usage: ipsec letsencrypt [arguments]"
echo "Available [arguments]"
echo "--server, --client, --test, --generate-certificate hostname, --renew hostname, --help, --disable"
echo
echo "--client : For initial client setup."
echo "usage: 'ipsec letsencrypt --client'"
echo
echo "--server : For initial server setup."
echo "usage: 'ipsec letsencrypt --server'"
echo
echo "--test : For testing the configuration/connections."
echo "usage: 'ipsec letsencrypt --test'"
echo
echo "--generate-certificate hostname : For generating the certificate."
echo "usage: 'ipsec letsencrypt --generate-certificate hostname'"
echo
echo "--renew hostname : For updating the generated certificate (keeping the private key same) use the following command."
echo "usage: 'ipsec letsencrypt --renew hostname'"
echo
echo "--disable : For disabling IPsec service."
echo "usage: 'ipsec letsencrypt --disable'"
}
case "${1}" in
--test)
check_root
test
;;
--server|--client)
check_root
setup
;;
--generate-certificate)
check_root
generate_certificate
;;
--update-certificate)
check_root
update_certificate
;;
--renew)
check_root
manual_cert_renew
;;
--disable)
check_root
disable_ipsec
;;
--help)
help
;;
*)
echo "[argument] \"${1}\" not found"
echo "try: 'ipsec letsencrypt --help' for help"
;;
esac
|
