123 lines
3.3 KiB
Bash
123 lines
3.3 KiB
Bash
#!/bin/bash
|
|
|
|
# SSL Setup Script for Sibedas PBG Web
|
|
# This script handles SSL certificate generation and renewal
|
|
|
|
set -e
|
|
|
|
DOMAIN="${DOMAIN:-sibedas.yourdomain.com}"
|
|
EMAIL="${EMAIL:-admin@yourdomain.com}"
|
|
SSL_DIR="/etc/nginx/ssl"
|
|
CERT_FILE="$SSL_DIR/sibedas.crt"
|
|
KEY_FILE="$SSL_DIR/sibedas.key"
|
|
|
|
# Function to generate self-signed certificate
|
|
generate_self_signed() {
|
|
echo "Generating self-signed SSL certificate for $DOMAIN..."
|
|
|
|
# Create SSL directory if it doesn't exist
|
|
mkdir -p "$SSL_DIR"
|
|
|
|
# Generate self-signed certificate
|
|
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
|
-keyout "$KEY_FILE" \
|
|
-out "$CERT_FILE" \
|
|
-subj "/C=ID/ST=Jakarta/L=Jakarta/O=Sibedas/OU=IT/CN=$DOMAIN/emailAddress=$EMAIL"
|
|
|
|
echo "Self-signed certificate generated successfully!"
|
|
}
|
|
|
|
# Function to setup Let's Encrypt certificate
|
|
setup_letsencrypt() {
|
|
echo "Setting up Let's Encrypt certificate for $DOMAIN..."
|
|
|
|
# Check if certbot is available
|
|
if ! command -v certbot &> /dev/null; then
|
|
echo "Certbot not found. Installing..."
|
|
apk add --no-cache certbot certbot-nginx
|
|
fi
|
|
|
|
# Stop nginx temporarily
|
|
nginx -s stop || true
|
|
|
|
# Get certificate
|
|
certbot certonly --standalone \
|
|
--email "$EMAIL" \
|
|
--agree-tos \
|
|
--no-eff-email \
|
|
-d "$DOMAIN"
|
|
|
|
# Copy certificates to nginx ssl directory
|
|
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem "$CERT_FILE"
|
|
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem "$KEY_FILE"
|
|
|
|
# Set proper permissions
|
|
chmod 644 "$CERT_FILE"
|
|
chmod 600 "$KEY_FILE"
|
|
|
|
# Start nginx
|
|
nginx
|
|
|
|
echo "Let's Encrypt certificate setup completed!"
|
|
}
|
|
|
|
# Function to renew Let's Encrypt certificate
|
|
renew_certificate() {
|
|
echo "Renewing Let's Encrypt certificate..."
|
|
|
|
certbot renew --quiet
|
|
|
|
# Copy renewed certificates
|
|
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem "$CERT_FILE"
|
|
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem "$KEY_FILE"
|
|
|
|
# Reload nginx
|
|
nginx -s reload
|
|
|
|
echo "Certificate renewal completed!"
|
|
}
|
|
|
|
# Function to check certificate validity
|
|
check_certificate() {
|
|
if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
|
|
echo "Certificate files exist."
|
|
echo "Certificate details:"
|
|
openssl x509 -in "$CERT_FILE" -text -noout | grep -E "(Subject:|Not Before|Not After)"
|
|
return 0
|
|
else
|
|
echo "Certificate files not found."
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Main script logic
|
|
case "${1:-setup}" in
|
|
"setup")
|
|
if [ "$SSL_TYPE" = "letsencrypt" ]; then
|
|
setup_letsencrypt
|
|
else
|
|
generate_self_signed
|
|
fi
|
|
;;
|
|
"renew")
|
|
renew_certificate
|
|
;;
|
|
"check")
|
|
check_certificate
|
|
;;
|
|
"self-signed")
|
|
generate_self_signed
|
|
;;
|
|
"letsencrypt")
|
|
setup_letsencrypt
|
|
;;
|
|
*)
|
|
echo "Usage: $0 {setup|renew|check|self-signed|letsencrypt}"
|
|
echo ""
|
|
echo "Environment variables:"
|
|
echo " DOMAIN: Domain name (default: sibedas.yourdomain.com)"
|
|
echo " EMAIL: Email address for Let's Encrypt (default: admin@yourdomain.com)"
|
|
echo " SSL_TYPE: Type of SSL (letsencrypt or self-signed, default: self-signed)"
|
|
exit 1
|
|
;;
|
|
esac |