#!/bin/bash
# =========================================================
# SSL Certificate Manager (Env-Strict & Safe)
# =========================================================
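# Abort on errors, unset variables and failed pipeline stages; the rest of the
# script checks its critical commands explicitly as well.
set -euo pipefail

# Output locations, relative to the directory the script is run from.
readonly CERT_DIR="certs"
readonly SELF_KEY="$CERT_DIR/selfsigned.key"
readonly SELF_CRT="$CERT_DIR/selfsigned.crt"
readonly REAL_KEY="$CERT_DIR/real.key"
readonly REAL_CRT="$CERT_DIR/real.crt"
readonly SAN_CONFIG="$CERT_DIR/san.cnf"

mkdir -p -- "$CERT_DIR"

#######################################
# Load NAME=value pairs from a .env-style file into the environment.
# The file is parsed line by line and never sourced, so it cannot run
# commands. Only lines matching NAME=value (NAME in [A-Z_][A-Z0-9_]*) are
# exported; blank lines, comment lines, a trailing " # comment", CR line
# endings and one pair of matching surrounding quotes are stripped. Values
# may contain spaces (the previous xargs-based loader split them).
# Arguments: $1 - path of the env file
# Returns:   0 on success, 1 if the file cannot be read
#######################################
load_env_file() {
  local env_file=$1
  local line key value
  [ -r "$env_file" ] || return 1
  # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%$'\r'}
    # Skip blank lines and whole-line comments.
    case "$line" in
      ''|'#'*) continue ;;
    esac
    # Drop a trailing inline comment: everything from the first
    # whitespace-followed-by-'#' onward.
    line=${line%%[[:space:]]#*}
    # Anything that is not a plain assignment is ignored, not executed.
    [[ "$line" =~ ^([A-Z_][A-Z0-9_]*)=(.*)$ ]] || continue
    key=${BASH_REMATCH[1]}
    value=${BASH_REMATCH[2]}
    # Tolerate a fully quoted value, as the old loader effectively did.
    if [[ "$value" =~ ^\"(.*)\"$ ]] || [[ "$value" =~ ^\'(.*)\'$ ]]; then
      value=${BASH_REMATCH[1]}
    fi
    export "$key=$value"
  done < "$env_file"
}

# Load environment variables strictly
if ! load_env_file .env; then
  echo "❌ .env file not found. Exiting." >&2
  exit 1
fi

# Set safe defaults if any variables are missing
C="${C:-US}"
ST="${ST:-California}"
L="${L:-San Francisco}"
O="${O:-MyCompany}"
OU="${OU:-IT}"
CN="${CN:-localhost}"
EMAIL="${EMAIL:-admin@localhost}"
DNS="${DNS:-localhost}"
IP="${IP:-127.0.0.1}"
SSL_MODE="${SSL_MODE:-selfsigned}"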
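#######################################
# Create a self-signed certificate (RSA 2048, 365 days) with a SAN extension.
# Globals:   C ST L O OU CN EMAIL DNS IP (read: subject and SAN fields)
#            SAN_CONFIG SELF_KEY SELF_CRT (written: files at these paths)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; exits 1 if a field is malformed or openssl fails
#######################################
generate_self_signed() {
  echo "🔐 Generating self-signed certificate..."

  # The subject/SAN values come straight from .env and are interpolated into
  # an OpenSSL config file; a value containing a newline could add extra
  # directives or sections, so refuse to write such a config.
  local field
  for field in "$C" "$ST" "$L" "$O" "$OU" "$CN" "$EMAIL" "$DNS" "$IP"; do
    if [[ "$field" == *$'\n'* ]]; then
      echo "❌ Certificate fields must not contain newlines." >&2
      exit 1
    fi
  done

  cat > "$SAN_CONFIG" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = $C
ST = $ST
L = $L
O = $O
OU = $OU
CN = $CN
emailAddress = $EMAIL

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DNS
IP.1 = $IP
EOF

  # -nodes writes the private key unencrypted, so create it owner-only from
  # the start (umask 077 in a subshell) instead of chmod-ing afterwards, then
  # relax only the public certificate back to world-readable.
  if ( umask 077 && openssl req -x509 -nodes -days 365 \
        -newkey rsa:2048 \
        -keyout "$SELF_KEY" \
        -out "$SELF_CRT" \
        -config "$SAN_CONFIG" \
        -extensions v3_req ); then
    chmod 644 -- "$SELF_CRT"
    echo "✅ Self-signed certificate created:"
    echo " - $SELF_CRT"
    echo " - $SELF_KEY"
  else
    echo "❌ Failed to create self-signed certificate." >&2
    exit 1
  fi
}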
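#######################################
# Obtain a Let's Encrypt certificate with certbot (standalone mode) and copy
# the chain and private key into CERT_DIR.
# Globals:   DOMAIN (read; falls back to DNS from .env)
#            REAL_CRT REAL_KEY (written: files at these paths)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; exits 1 on an invalid domain or if certbot or the
#            copy fails
#######################################
generate_real_cert() {
  local domain="${DOMAIN:-$DNS}" # Use DNS from .env if DOMAIN not explicitly set

  if [ -z "$domain" ]; then
    echo "❌ DOMAIN or DNS must be set in .env for real certificate." >&2
    exit 1
  fi
  # The domain is passed to certbot as an argument and spliced into a path
  # under /etc/letsencrypt, so restrict it to hostname characters: no leading
  # '-', no '/', no whitespace.
  if ! [[ "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    echo "❌ DOMAIN '$domain' is not a valid hostname." >&2
    exit 1
  fi

  echo "📡 Using Certbot to generate certificate for $domain..."
  if ! sudo certbot certonly --standalone -d "$domain"; then
    echo "❌ Certbot failed. Please check your domain and try again." >&2
    exit 1
  fi
  echo "✅ Certificate generated successfully."

  local live_dir="/etc/letsencrypt/live/$domain"
  # Check each copy: a failed cp would otherwise leave a missing or stale
  # key/cert pair while the script still reports success.
  if ! sudo cp -- "$live_dir/fullchain.pem" "$REAL_CRT" ||
     ! sudo cp -- "$live_dir/privkey.pem" "$REAL_KEY"; then
    echo "❌ Could not copy certificate files from $live_dir." >&2
    exit 1
  fi
  # The copy was made as root; make sure the private key is not group/world
  # readable regardless of the source file's mode.
  sudo chmod 600 -- "$REAL_KEY"
  echo "🔐 Real certificate saved:"
  echo " - $REAL_CRT"
  echo " - $REAL_KEY"
}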
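#######################################
# Interactive menu. Re-prompts on an invalid choice and stops when stdin is
# closed (the previous recursive version re-prompted forever on EOF).
# Globals:   SSL_MODE (read: shown in option 3 and selects its action)
# Outputs:   menu and prompt on stdout, errors on stderr
# Returns:   status of the chosen action; exits 0 on "Exit", 1 on EOF
#######################################
show_menu() {
  local choice
  while true; do
    echo ""
    echo "🧰 SSL Certificate Manager"
    echo "--------------------------"
    echo "1. Generate self-signed certificate"
    echo "2. Generate real certificate via Let’s Encrypt"
    echo "3. Use default from .env: SSL_MODE=$SSL_MODE"
    echo "4. Exit"
    echo ""
    printf 'Choose an option [1-4]: '
    # -r keeps backslashes literal; a failed read means EOF (e.g. stdin is
    # /dev/null), so leave instead of looping on an empty choice.
    if ! read -r choice; then
      echo ""
      echo "❌ No input received. Exiting." >&2
      exit 1
    fi

    case "$choice" in
      1) generate_self_signed; return ;;
      2) generate_real_cert; return ;;
      3)
        if [ "$SSL_MODE" = "real" ]; then
          generate_real_cert
        else
          generate_self_signed
        fi
        return
        ;;
      4) echo "👋 Goodbye!"; exit 0 ;;
      *) echo "❌ Invalid option. Try again." ;;
    esac
  done
}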
#######################################
# Entry point: show the interactive menu. Arguments are accepted for
# convention but not used.
#######################################
main() {
  show_menu
}

main "$@"