#!/bin/bash
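# Print a blue "[DEBUG]" line to stdout.
# Arguments: message words, joined by a single space.
# Unlike the former `echo -e`, printf '%s' prints the text verbatim, so a
# message containing backslashes or starting with "-n" is not reinterpreted.
LOGD() {
  printf '\033[1;34m[DEBUG] %s\033[0m\n' "$*"
}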
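# Print a green "[INFO]" line to stdout.
# Arguments: message words, joined by a single space.
# printf '%s' prints the text verbatim (no backslash interpretation, unlike
# the former `echo -e`).
LOGI() {
  printf '\033[1;32m[INFO] %s\033[0m\n' "$*"
}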
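# Print a red "[ERROR]" line to stdout (kept on stdout as before so existing
# callers capturing output are unaffected).
# Arguments: message words, joined by a single space.
# printf '%s' prints the text verbatim (no backslash interpretation, unlike
# the former `echo -e`).
LOGE() {
  printf '\033[1;31m[ERROR] %s\033[0m\n' "$*"
}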
# Ask a yes/no question and answer with the exit status.
# Arguments: $1 - prompt text
# Globals:   REPLY (written, holds the single character read)
# Returns:   0 when the key pressed is y or Y, 1 otherwise
confirm() {
  read -r -n 1 -p "$1"
  printf '\n'
  # the test's own status is the function's status
  [[ "$REPLY" =~ ^[Yy]$ ]]
}
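#######################################
# Interactive entry menu: explains the two issuance modes and dispatches to
# the one the user picks.
# Arguments: none (the choice is read from stdin)
# Outputs:   usage text on stdout
# Returns:   the status of the selected mode; exits 1 on an invalid choice
#######################################
ssl_cert_issue() {
  local method=""
  printf '\n'
  LOGD "******使用说明******"
  LOGI "该脚本提供两种方式实现证书签发,证书安装路径均为/root/cert"
  LOGI "方式1:acme standalone mode,需要保持端口开放"
  LOGI "方式2:acme DNS API mode,需要提供Cloudflare Global API Key"
  LOGI "如域名属于免费域名,则推荐使用方式1进行申请"
  LOGI "如域名非免费域名且使用Cloudflare进行解析使用方式2进行申请"
  # -r: do not let a backslash in the answer be interpreted by read
  read -r -p "请选择你想使用的方式,输入数字1或者2后回车: " method
  LOGI "你所使用的方式为${method}"
  case "${method}" in
    1) ssl_cert_issue_standalone ;;
    2) ssl_cert_issue_by_cloudflare ;;
    *)
      LOGE "输入无效,请检查你的输入,脚本将退出..."
      exit 1
      ;;
  esac
}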
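#######################################
# Install acme.sh into ~/.acme.sh with the upstream installer.
# This executes a script fetched over the network with the privileges of the
# current user (the script is run as root elsewhere in this file). The
# installer is not verified here; keeping a reviewed copy and comparing it
# before running would reduce that exposure. `curl -f` makes an HTTP error
# a curl failure instead of piping an error page into sh, and both pipeline
# stages are checked because sh exits 0 on an empty stream.
# Globals:   HOME (read); the working directory is changed to $HOME, as
#            in the original
# Returns:   0 on success, 1 on failure
#######################################
install_acme() {
  if ! cd ~; then
    LOGE "acme安装失败"
    return 1
  fi
  LOGI "开始安装acme脚本..."
  curl -fsSL https://get.acme.sh | sh
  # capture both statuses before any other command resets PIPESTATUS
  local -a rc=("${PIPESTATUS[@]}")
  if (( rc[0] != 0 || rc[1] != 0 )); then
    LOGE "acme安装失败"
    return 1
  fi
  LOGI "acme安装成功"
  return 0
}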
#method for standalone mode
# shellcheck disable=SC2120
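#######################################
# Standalone (HTTP-01) issuance: installs acme.sh and socat when missing,
# asks for a domain and a port, issues a Let's Encrypt certificate and
# installs the files under /etc/nginx/cert/<domain>.
# Globals:   release (read, optional: "centos" selects yum, anything else
#            apt-get; it is not defined in this file — presumably set by a
#            wrapper script, TODO confirm)
#            certPath, cert_dir (written; kept global as in the original)
# Arguments: none (domain and port are read interactively)
# Outputs:   progress messages on stdout
# Returns:   0 on success; exits 1 on any failure
#######################################
ssl_cert_issue_standalone() {
  local acme="${HOME}/.acme.sh/acme.sh"

  # acme.sh first
  if [[ ! -x "$acme" ]]; then
    if ! install_acme; then
      LOGE "安装 acme 失败,请检查日志"
      exit 1
    fi
  fi

  # socat second (needed by acme.sh's standalone listener)
  local pkg_rc=0
  if [[ "${release:-}" == "centos" ]]; then
    yum install -y socat || pkg_rc=$?
  else
    apt-get install -y socat || pkg_rc=$?
  fi
  if (( pkg_rc != 0 )); then
    LOGE "无法安装socat,请检查错误日志"
    exit 1
  fi
  LOGI "socat安装成功..."

  # directory announced in the usage text; only its mode is touched below
  certPath=/root/cert
  [[ -d "$certPath" ]] || mkdir -p -- "$certPath"

  # domain: it is later used as a path component (rm -rf ~/.acme.sh/<domain>),
  # so it must be a plain hostname — non-empty labels, at least one dot,
  # no '/', and never "." or ".."
  local domain=""
  read -r -p "请输入你的域名:" domain
  LOGD "你输入的域名为:${domain},正在进行域名合法性校验..."
  local domain_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
  if [[ ! "$domain" =~ $domain_re ]]; then
    LOGE "域名格式无效,脚本退出"
    exit 1
  fi

  # refuse to re-issue for a domain acme.sh already tracks
  local currentCert
  currentCert=$("$acme" --list | grep -c -w -F -- "$domain")
  if (( currentCert != 0 )); then
    local certInfo
    certInfo=$("$acme" --list)
    LOGE "域名合法性校验失败,当前环境已有对应域名证书,不可重复申请,当前证书详情:"
    LOGI "$certInfo"
    exit 1
  fi
  LOGI "域名合法性校验通过..."

  # port: Enter keeps the default 80 (the original left the variable empty);
  # a non-numeric or out-of-range value also falls back to 80, as the
  # message promises
  local WebPort=""
  read -r -p "请输入你所希望使用的端口,如回车将使用默认80端口:" WebPort
  WebPort=${WebPort:-80}
  if [[ ! "$WebPort" =~ ^[0-9]+$ ]] || (( 10#$WebPort > 65535 || 10#$WebPort < 1 )); then
    LOGE "你所选择的端口${WebPort}为无效值,将使用默认80端口进行申请"
    WebPort=80
  fi
  LOGI "将会使用${WebPort}进行证书申请,请确保端口处于开放状态..."

  # NOTE: freeing the port is left to the user
  if ! "$acme" --set-default-ca --server letsencrypt; then
    LOGE "修改默认CA为Lets'Encrypt失败,脚本退出"
    exit 1
  fi
  if ! "$acme" --issue -d "$domain" --standalone --httpport "$WebPort"; then
    LOGE "证书申请失败,原因请参见报错信息"
    # ${domain:?} aborts rather than ever expanding to ~/.acme.sh/
    rm -rf -- "${HOME}/.acme.sh/${domain:?}"
    exit 1
  fi
  LOGI "证书申请成功,开始安装证书..."

  # install location
  cert_dir="/etc/nginx/cert/${domain}"
  if [[ ! -d "$cert_dir" ]]; then
    echo "目录 $cert_dir 不存在,正在创建..."
    mkdir -p -- "$cert_dir"
  else
    echo "目录 $cert_dir 已存在,跳过创建。"
  fi
  # the install status is checked directly: the original tested $? after an
  # echo, so an installcert failure was never detected
  if ! "$acme" --installcert -d "$domain" \
      --ca-file "${cert_dir}/ca.cer" \
      --cert-file "${cert_dir}/${domain}.cer" \
      --key-file "${cert_dir}/${domain}.key" \
      --fullchain-file "${cert_dir}/fullchain.cer"; then
    LOGE "证书安装失败,脚本退出"
    rm -rf -- "${HOME}/.acme.sh/${domain:?}"
    exit 1
  fi
  # the private key is a secret: owner-only instead of relying on umask
  # (loosen only if the service reading it runs unprivileged)
  chmod 600 -- "${cert_dir}/${domain}.key"
  echo "证书和密钥已生成并保存到 ${cert_dir} 目录下。"
  LOGI "证书安装成功,开启自动更新..."

  # the listing shows cert_dir (where the files were installed); the original
  # listed a relative "cert" that depended on the current directory
  if "$acme" --upgrade --auto-upgrade; then
    LOGI "证书已安装且已开启自动更新,具体信息如下"
    ls -lah -- "$cert_dir"
    chmod 755 -- "$certPath"
  else
    LOGE "自动更新设置失败,脚本退出"
    ls -lah -- "$cert_dir"
    chmod 755 -- "$certPath"
    exit 1
  fi
}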
#method for DNS API mode
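#######################################
# DNS-01 issuance through the Cloudflare API: asks for a domain, the
# Cloudflare Global API Key and the account e-mail, issues a certificate for
# <domain> and *.<domain> and installs it under /etc/nginx/cert/<domain>.
# Globals:   CF_Domain, CF_GlobalKey, CF_AccountEmail, certPath, cert_dir
#            (written; kept global as in the original)
#            CF_Key, CF_Email (exported for acme.sh's dns_cf hook; acme.sh
#            may persist them in its own configuration — confirm)
# Arguments: none (interactive)
# Outputs:   progress messages on stdout; the API key is never printed
# Returns:   0 on success; exits 1 on any failure
#######################################
ssl_cert_issue_by_cloudflare() {
  local acme="${HOME}/.acme.sh/acme.sh"
  printf '\n'
  LOGD "******使用说明******"
  LOGI "该脚本将使用Acme脚本申请证书,使用时需保证:"
  LOGI "1.知晓Cloudflare 注册邮箱"
  LOGI "2.知晓Cloudflare Global API Key"
  LOGI "3.域名已通过Cloudflare进行解析到当前服务器"
  LOGI "4.该脚本申请证书默认安装路径为/root/cert目录"

  # install acme.sh only when it is missing, as the standalone path does
  # (the original re-ran the network installer on every invocation)
  if [[ ! -x "$acme" ]] && ! install_acme; then
    LOGE "无法安装acme,请检查错误日志"
    exit 1
  fi

  CF_GlobalKey=""
  CF_AccountEmail=""
  certPath=/root/cert
  [[ -d "$certPath" ]] || mkdir -p -- "$certPath"

  # domain: used as a path component later (rm -rf ~/.acme.sh/<domain>), so
  # it must be a plain hostname — non-empty labels, at least one dot, no '/'
  LOGD "请设置域名:"
  CF_Domain=""
  local domain_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
  while [[ ! "$CF_Domain" =~ $domain_re ]]; do
    read -r -p "Input your domain here: " CF_Domain
    if [[ -z "$CF_Domain" ]]; then
      LOGE "域名不能为空,请重新输入"
    elif [[ ! "$CF_Domain" =~ $domain_re ]]; then
      LOGE "域名格式无效,请重新输入"
    fi
  done
  LOGD "你的域名设置为:${CF_Domain},正在进行域名合法性校验..."

  # refuse to re-issue for a domain acme.sh already tracks
  local currentCert
  currentCert=$("$acme" --list | grep -c -w -F -- "$CF_Domain")
  if (( currentCert != 0 )); then
    local certInfo
    certInfo=$("$acme" --list | grep -w -F -- "$CF_Domain")
    LOGE "域名合法性校验失败,当前环境已有对应域名证书,不可重复申请,当前证书详情:"
    LOGI "$certInfo"
    exit 1
  fi
  LOGI "域名合法性校验通过..."

  # the Global API Key is a secret: read it without echo and do not print it
  # (the original echoed it back to the terminal, where it lands in scrollback
  # and session logs)
  LOGD "请设置API密钥:"
  while [[ -z "$CF_GlobalKey" ]]; do
    read -r -s -p "Input your key here:" CF_GlobalKey
    printf '\n'
  done
  LOGD "请设置注册邮箱:"
  while [[ -z "$CF_AccountEmail" ]]; do
    read -r -p "Input your email here:" CF_AccountEmail
  done
  LOGD "你的注册邮箱为:${CF_AccountEmail}"

  if ! "$acme" --set-default-ca --server letsencrypt; then
    LOGE "修改默认CA为Lets'Encrypt失败,脚本退出"
    exit 1
  fi
  # acme.sh's dns_cf hook reads these two variables from the environment
  export CF_Key="${CF_GlobalKey}"
  export CF_Email="${CF_AccountEmail}"

  # "*.${CF_Domain}" must be quoted: unquoted it is a glob against the cwd
  if ! "$acme" --issue --dns dns_cf -d "$CF_Domain" -d "*.${CF_Domain}" --log; then
    LOGE "证书签发失败,脚本退出"
    # ${CF_Domain:?} aborts rather than ever expanding to ~/.acme.sh/
    # NOTE(review): newer acme.sh versions default to ECC keys and may keep
    # the cert under a <domain>_ecc directory — confirm the cleanup path
    # and whether --installcert needs --ecc on the target version
    rm -rf -- "${HOME}/.acme.sh/${CF_Domain:?}"
    exit 1
  fi
  LOGI "证书签发成功,安装中..."

  # install location
  cert_dir="/etc/nginx/cert/${CF_Domain}"
  if [[ ! -d "$cert_dir" ]]; then
    echo "目录 $cert_dir 不存在,正在创建..."
    mkdir -p -- "$cert_dir"
  else
    echo "目录 $cert_dir 已存在,跳过创建。"
  fi
  # the install status is checked directly: the original tested $? after an
  # echo, so an installcert failure was never detected
  if ! "$acme" --installcert -d "$CF_Domain" \
      --ca-file "${cert_dir}/ca.cer" \
      --cert-file "${cert_dir}/${CF_Domain}.cer" \
      --key-file "${cert_dir}/${CF_Domain}.key" \
      --fullchain-file "${cert_dir}/fullchain.cer"; then
    LOGE "证书安装失败,脚本退出"
    rm -rf -- "${HOME}/.acme.sh/${CF_Domain:?}"
    exit 1
  fi
  # the private key is a secret: owner-only instead of relying on umask
  # (loosen only if the service reading it runs unprivileged)
  chmod 600 -- "${cert_dir}/${CF_Domain}.key"
  echo "证书和密钥已生成并保存到 ${cert_dir} 目录下。"
  LOGI "证书安装成功,开启自动更新..."

  # the listing shows cert_dir (where the files were installed); the original
  # listed a relative "cert" that depended on the current directory
  if "$acme" --upgrade --auto-upgrade; then
    LOGI "证书已安装且已开启自动更新,具体信息如下"
    ls -lah -- "$cert_dir"
    chmod 755 -- "$certPath"
  else
    LOGE "自动更新设置失败,脚本退出"
    ls -lah -- "$cert_dir"
    chmod 755 -- "$certPath"
    exit 1
  fi
}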
# Entry point: show the interactive menu and run the selected issuance mode.
ssl_cert_issue