  1. #!/bin/bash
  2. #Here is the script to deploy the cert to your s3 bucket.
  3. #export S3_BUCKET=acme
  4. #export S3_REGION=eu-central-1
  5. #export AWS_ACCESS_KEY_ID=exampleid
  6. #export AWS_SECRET_ACCESS_KEY=examplekey
  7. # Checks to see if awscli present
  8. # If not, use curl + aws v4 signature to upload object
  9. # Make sure your keys have access to upload objects.
  10. # Also make sure your default region is correct, otherwise, override with $S3_REGION
  11. ######## Public functions #####################
  12. #domain keyfile certfile cafile fullchain
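s3_deploy() {
  # acme.sh deploy hook entry point: upload the issued private key, certificate,
  # CA certificate and full chain for a domain to $S3_BUCKET in $S3_REGION
  # (default us-east-1). Uses the aws cli when it is installed, otherwise a
  # SigV4-signed curl PUT (which needs the static credentials in the environment).
  # Arguments: $1 domain, $2 key file, $3 cert file, $4 CA file, $5 fullchain file
  # Globals read: S3_BUCKET, S3_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
  # Globals written: S3_REGION (defaulted when empty), _aws_cli_installed
  # Returns: 0 when all four uploads succeed, 1 on a configuration error or a
  #          failed upload
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  if [ -z "$S3_BUCKET" ]; then
    _err "You haven't specified the bucket name yet."
    _err "Please set it via export and try again."
    _err "e.g. export S3_BUCKET=acme"
    return 1
  fi

  # Detection only: discard the path that command -v prints so it does not
  # end up in the hook's stdout.
  if command -v aws >/dev/null 2>&1; then
    _debug "AWS CLI installed, defaulting ignoring curl method"
    _aws_cli_installed=1
  else
    _debug "AWS CLI not installed, defaulting to curl method"
    _aws_cli_installed=0
  fi

  # The curl path signs requests itself, so it needs the static credentials;
  # the aws cli resolves credentials through its own provider chain.
  if [ "$_aws_cli_installed" -eq 0 ] && { [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; }; then
    _err "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
    _err "Please set them via export, or use the aws-cli."
    return 1
  fi

  if [ -z "$S3_REGION" ]; then
    S3_REGION="us-east-1"
  fi

  # Save s3 options if it's successful (first run case). The AWS credentials
  # are deliberately not persisted.
  _saveaccountconf S3_BUCKET "$S3_BUCKET"
  _saveaccountconf S3_REGION "$S3_REGION"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"
  _debug S3_BUCKET "$S3_BUCKET"
  _debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
  # Never write the secret itself to the debug log; only record whether it is set.
  _debug AWS_SECRET_ACCESS_KEY "${AWS_SECRET_ACCESS_KEY:+<redacted>}"

  _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
  if [ "$_aws_cli_installed" -eq 0 ]; then
    _debug "deploying with curl method"
  else
    _debug "deploying with aws cli method"
  fi

  # Stop at the first failed upload so acme.sh reports the deploy as failed
  # instead of succeeding with a partial set of objects in the bucket.
  # private key
  _deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key" || return 1
  # certificate
  _deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer" || return 1
  # CA
  _deploy_to_bucket "$_cca" "$_cdomain/ca.cer" || return 1
  # full chain
  _deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer" || return 1
  return 0
}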
  69. #################### Private functions below ##################################
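_deploy_to_bucket() {
  # Upload one local file to the configured bucket using the transport that
  # s3_deploy detected. Arguments are quoted through so paths with spaces
  # are passed as single words.
  # Arguments: $1 local file, $2 object key (path inside the bucket)
  # Globals read: _aws_cli_installed
  # Returns: the transport's exit status
  if [ "$_aws_cli_installed" -eq 0 ]; then
    _deploy_with_curl "$1" "$2"
  else
    _deploy_with_awscli "$1" "$2"
  fi
}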
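_deploy_with_awscli() {
  # Upload $1 to s3://$S3_BUCKET/$2 with the aws cli, which resolves its
  # credentials through its own provider chain. Variables are local so this
  # path does not leave file/bucket/prefix/region behind as globals.
  # Arguments: $1 local file, $2 object key
  # Globals read: S3_BUCKET, S3_REGION
  # Returns: aws's exit status
  local file="$1"
  local prefix="$2"
  local bucket="$S3_BUCKET"
  local region="$S3_REGION"
  aws s3 cp "$file" "s3://${bucket}/${prefix}" --region "$region"
}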
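_deploy_with_curl() {
  # Upload $1 to https://$S3_BUCKET.s3.$S3_REGION.amazonaws.com/$2 with a
  # SigV4-signed PUT, for hosts without the aws cli.
  # The variables below are declared local but are read by the
  # _payload_hash/_canonical_request/_string_to_sign/_signature_key helpers
  # through bash's dynamic scoping, so their names must not change.
  # Arguments: $1 local file, $2 object key
  # Globals read: S3_BUCKET, S3_REGION, AWS_ACCESS_KEY_ID
  #               (AWS_SECRET_ACCESS_KEY is read by _signature_key)
  # Returns: curl's exit status; with --fail an HTTP error response is non-zero
  local file="$1"
  local prefix="$2"
  local bucket="$S3_BUCKET"
  local region="$S3_REGION"
  local acl="private"
  local signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date"
  local timestamp iso_timestamp date_scope date_header payload_hash signature

  # One wall-clock sample is formatted three ways so every signed date value agrees.
  timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")"
  if [ "$(uname)" = "Darwin" ]; then
    # BSD date takes an explicit input format with -f
    iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "$timestamp" "+%Y%m%dT%H%M%SZ")
    date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "$timestamp" "+%Y%m%d")
    date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "$timestamp" "+%a, %d %h %Y %T %Z")
  else
    iso_timestamp=$(date -ud "$timestamp" "+%Y%m%dT%H%M%SZ")
    date_scope=$(date -ud "$timestamp" "+%Y%m%d")
    date_header=$(date -ud "$timestamp" "+%a, %d %h %Y %T %Z")
  fi

  # Both are derived from the variables above, so compute them once the
  # dates are fixed; a failed hash or signature must not produce a request.
  payload_hash=$(_payload_hash) || return 1
  signature=$(_signature) || return 1

  _info "Uploading $S3_BUCKET/$prefix"
  # --fail turns an HTTP error response (e.g. 403) into a non-zero exit so the
  # hook reports failure; -sS suppresses the progress meter but keeps curl's
  # own error message on stderr.
  curl --fail -sS \
    -T "$file" \
    -H "Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=${signature}" \
    -H "Date:${date_header}" \
    -H "x-amz-acl:${acl}" \
    -H "x-amz-content-sha256:${payload_hash}" \
    -H "x-amz-date:${iso_timestamp}" \
    "https://${bucket}.s3.${region}.amazonaws.com/${prefix}"
}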
  111. _payload_hash() {
  112. local output=$(shasum -ba 256 "$file")
  113. echo "${output%% *}"
  114. }
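_canonical_request() {
  # Emit the SigV4 canonical request for the PUT: method, URI, empty query
  # string, the canonical headers (lowercase name:value, one per line),
  # a blank line, the signed header list and the payload hash (no trailing
  # newline after the hash).
  # Reads the caller's prefix, date_header, bucket, region, acl,
  # iso_timestamp and signed_headers.
  # Returns: non-zero if the payload hash cannot be computed
  local payload_hash
  # Hash the payload once instead of once per use.
  payload_hash=$(_payload_hash) || return 1
  echo "PUT"
  echo "/${prefix}"
  echo ""
  echo "date:${date_header}"
  echo "host:${bucket}.s3.${region}.amazonaws.com"
  echo "x-amz-acl:${acl}"
  echo "x-amz-content-sha256:${payload_hash}"
  echo "x-amz-date:${iso_timestamp}"
  echo ""
  echo "${signed_headers}"
  # '%s' so the value is never interpreted as a printf format string.
  printf '%s' "$payload_hash"
}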
  128. _canonical_request_hash() {
  129. local output=$(_canonical_request | shasum -a 256)
  130. echo "${output%% *}"
  131. }
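_string_to_sign() {
  # Emit the SigV4 string to sign: algorithm, request timestamp, credential
  # scope and the canonical request hash (no trailing newline after the hash).
  # Reads the caller's iso_timestamp, date_scope and region.
  # Returns: non-zero if the canonical request hash cannot be computed
  local request_hash
  request_hash=$(_canonical_request_hash) || return 1
  echo "AWS4-HMAC-SHA256"
  echo "${iso_timestamp}"
  echo "${date_scope}/${region}/s3/aws4_request"
  # '%s' so the value is never interpreted as a printf format string.
  printf '%s' "$request_hash"
}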
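_signature_key() {
  # Derive the SigV4 signing key and print it as hex:
  #   kDate    = HMAC("AWS4" + secret, date_scope)
  #   kRegion  = HMAC(kDate, region)
  #   kService = HMAC(kRegion, "s3")
  #   kSigning = HMAC(kService, "aws4_request")
  # Reads the caller's date_scope and region and AWS_SECRET_ACCESS_KEY from
  # the environment (${VAR?} aborts with a message when it is unset).
  # Each intermediate key is carried as hex because _hmac_sha256 takes hexkey:.
  local secret date_key region_key service_key
  # '%s' so a secret containing '%' or '\' is fed to the HMAC verbatim instead
  # of being interpreted as a printf format string.
  secret=$(printf '%s' "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_key) || return 1
  date_key=$(printf '%s' "${date_scope}" | _hmac_sha256 "${secret}" | _hex_key) || return 1
  region_key=$(printf '%s' "${region}" | _hmac_sha256 "${date_key}" | _hex_key) || return 1
  service_key=$(printf '%s' "s3" | _hmac_sha256 "${region_key}" | _hex_key) || return 1
  printf '%s' "aws4_request" | _hmac_sha256 "${service_key}" | _hex_key
}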
_hex_key() {
  # Hex-encode stdin as one lowercase line: two digits per byte, no
  # separators, terminated by a single newline.
  hexdump -v -e '/1 "%02x"'
  printf '\n'
}
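_hmac_sha256() {
  # HMAC-SHA256 of stdin under the hex-encoded key in $1, written as raw
  # bytes (callers pipe through _hex_key when they need text).
  # The key is quoted so an empty or unexpected value reaches openssl as a
  # single argument instead of being word-split away.
  # Arguments: $1 key as hex
  # Returns: openssl's exit status
  local hexkey="$1"
  openssl dgst -binary -sha256 -mac HMAC -macopt "hexkey:${hexkey}"
}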
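_signature() {
  # Hex SigV4 signature: HMAC-SHA256 of the string to sign under the derived
  # signing key. Reads the same caller variables as _string_to_sign and
  # _signature_key. _hex_key already emits bare hex, so no post-processing
  # of its output is needed.
  # Returns: non-zero if the signing key cannot be derived
  local signing_key
  signing_key=$(_signature_key) || return 1
  _string_to_sign | _hmac_sha256 "$signing_key" | _hex_key
}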