131 lines
3.1 KiB
Bash
131 lines
3.1 KiB
Bash
|
#!/bin/bash
|
|||
|
|
# =========================================================
|
|||
|
|
# SSL Certificate Manager (Env-Strict & Safe)
|
|||
|
|
# =========================================================
|
|||
|
|
|
|||
|
|
CERT_DIR="certs"
|
|||
|
|
SELF_KEY="$CERT_DIR/selfsigned.key"
|
|||
|
|
SELF_CRT="$CERT_DIR/selfsigned.crt"
|
|||
|
|
REAL_KEY="$CERT_DIR/real.key"
|
|||
|
|
REAL_CRT="$CERT_DIR/real.crt"
|
|||
|
|
SAN_CONFIG="$CERT_DIR/san.cnf"
|
|||
|
|
|
|||
|
|
mkdir -p "$CERT_DIR"
|
|||
|
|
|
|||
|
|
# Load environment variables strictly
|
|||
|
|
if [ -f .env ]; then
|
|||
|
|
export $(grep -v '^#' .env | sed 's/#.*//' | grep -E '^[A-Z0-9_]+=.*' | xargs)
|
|||
|
|
else
|
|||
|
|
echo "❌ .env file not found. Exiting."
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
# Set safe defaults if any variables are missing
|
|||
|
|
C="${C:-US}"
|
|||
|
|
ST="${ST:-California}"
|
|||
|
|
L="${L:-San Francisco}"
|
|||
|
|
O="${O:-MyCompany}"
|
|||
|
|
OU="${OU:-IT}"
|
|||
|
|
CN="${CN:-localhost}"
|
|||
|
|
EMAIL="${EMAIL:-admin@localhost}"
|
|||
|
|
DNS="${DNS:-localhost}"
|
|||
|
|
IP="${IP:-127.0.0.1}"
|
|||
|
|
SSL_MODE="${SSL_MODE:-selfsigned}"
|
|||
|
|
|
|||
|
|
generate_self_signed() {
|
|||
|
|
echo "🔐 Generating self-signed certificate..."
|
|||
|
|
|
|||
|
|
cat > "$SAN_CONFIG" <<EOF
|
|||
|
|
[req]
|
|||
|
|
distinguished_name = req_distinguished_name
|
|||
|
|
req_extensions = v3_req
|
|||
|
|
prompt = no
|
|||
|
|
|
|||
|
|
[req_distinguished_name]
|
|||
|
|
C = $C
|
|||
|
|
ST = $ST
|
|||
|
|
L = $L
|
|||
|
|
O = $O
|
|||
|
|
OU = $OU
|
|||
|
|
CN = $CN
|
|||
|
|
emailAddress = $EMAIL
|
|||
|
|
|
|||
|
|
[v3_req]
|
|||
|
|
subjectAltName = @alt_names
|
|||
|
|
|
|||
|
|
[alt_names]
|
|||
|
|
DNS.1 = $DNS
|
|||
|
|
IP.1 = $IP
|
|||
|
|
EOF
|
|||
|
|
|
|||
|
|
openssl req -x509 -nodes -days 365 \
|
|||
|
|
-newkey rsa:2048 \
|
|||
|
|
-keyout "$SELF_KEY" \
|
|||
|
|
-out "$SELF_CRT" \
|
|||
|
|
-config "$SAN_CONFIG" \
|
|||
|
|
-extensions v3_req
|
|||
|
|
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "✅ Self-signed certificate created:"
|
|||
|
|
echo " - $SELF_CRT"
|
|||
|
|
echo " - $SELF_KEY"
|
|||
|
|
else
|
|||
|
|
echo "❌ Failed to create self-signed certificate."
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
generate_real_cert() {
|
|||
|
|
DOMAIN=${DOMAIN:-$DNS} # Use DNS from .env if DOMAIN not explicitly set
|
|||
|
|
|
|||
|
|
if [ -z "$DOMAIN" ]; then
|
|||
|
|
echo "❌ DOMAIN or DNS must be set in .env for real certificate."
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
echo "📡 Using Certbot to generate certificate for $DOMAIN..."
|
|||
|
|
sudo certbot certonly --standalone -d "$DOMAIN"
|
|||
|
|
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "✅ Certificate generated successfully."
|
|||
|
|
sudo cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem "$REAL_CRT"
|
|||
|
|
sudo cp /etc/letsencrypt/live/$DOMAIN/privkey.pem "$REAL_KEY"
|
|||
|
|
echo "🔐 Real certificate saved:"
|
|||
|
|
echo " - $REAL_CRT"
|
|||
|
|
echo " - $REAL_KEY"
|
|||
|
|
else
|
|||
|
|
echo "❌ Certbot failed. Please check your domain and try again."
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
show_menu() {
|
|||
|
|
echo ""
|
|||
|
|
echo "🧰 SSL Certificate Manager"
|
|||
|
|
echo "--------------------------"
|
|||
|
|
echo "1. Generate self-signed certificate"
|
|||
|
|
echo "2. Generate real certificate via Let’s Encrypt"
|
|||
|
|
echo "3. Use default from .env: SSL_MODE=$SSL_MODE"
|
|||
|
|
echo "4. Exit"
|
|||
|
|
echo ""
|
|||
|
|
echo -n "Choose an option [1-4]: "
|
|||
|
|
read OPTION
|
|||
|
|
|
|||
|
|
case $OPTION in
|
|||
|
|
1) generate_self_signed ;;
|
|||
|
|
2) generate_real_cert ;;
|
|||
|
|
3)
|
|||
|
|
if [ "$SSL_MODE" = "real" ]; then
|
|||
|
|
generate_real_cert
|
|||
|
|
else
|
|||
|
|
generate_self_signed
|
|||
|
|
fi
|
|||
|
|
;;
|
|||
|
|
4) echo "👋 Goodbye!" && exit 0 ;;
|
|||
|
|
*) echo "❌ Invalid option. Try again." && show_menu ;;
|
|||
|
|
esac
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# Start the menu
|
|||
|
|
show_menu
|