Holger Böhnke
8 years ago
1 changed files with 145 additions and 0 deletions
-
145deploy/scp.sh
@ -0,0 +1,145 @@ |
|||
#!/usr/bin/env sh |
|||
|
|||
########################################################################## |
|||
# This is a very simple deployment script to move certificates to a remote |
|||
# server. The deployment uses scp (the remote cp method of ssh) and simply |
|||
# drops certs into a target directory. Targets have the original scp format |
|||
# e.g. like: |
|||
# |
|||
# server.com:/var/spool/acme.sh/certs/ |
|||
# user@server.com:/var/spool/acme.sh/certs/ |
|||
# configuredserver:/var/spool/acme.sh/certs/ |
|||
# |
|||
# You may use something like "configuredserver" which is the name of a host |
|||
# configuration in the ~/.ssh/config file. If you have a more complex setup |
|||
# like different ports, identity files, users or hostnames you are strongly |
|||
# encouraged to use an entry in your ~/.ssh/config file. This saves this |
|||
# little script from reimplementing every possible scp switch. |
|||
# |
|||
# You might wanto to configure ssh on the target server to use a special |
|||
# account with key based authentication and allow scp only. Have a further |
|||
# look at the rssh shell to allow scp only. You might as well put the user |
|||
# into a chroot. |
|||
# |
|||
# The main reason for this form of deployment is, that the acme.sh script |
|||
# can run in a safe and controlled environment. The acme.sh script needs |
|||
# detailed and sensitive information e.g. like your acme private keys or |
|||
# your dns providers credentials. Information like this you certainly don't |
|||
# want to have lying around on your public webserver. |
|||
# |
|||
# Further deployment of the certificates should be handled by a cron job on |
|||
# the remote server. That remote script could then move the new cert's to |
|||
# their proper position, set file owner and permissions and restart the |
|||
# belonging service. |
|||
# |
|||
# An example script for apache (on debian systems) might be: |
|||
# |
|||
# #!/usr/bin/env sh |
|||
# chown root:root /var/spool/acme.sh/certs/* |
|||
# mv /var/spool/acme.sh/certs/* /etc/apache2/ssl.crt/ |
|||
# systemctl restart apache2 |
|||
# |
|||
# To avoid misunderstandings, this script is NOT like other deployment |
|||
# scripts that target a specific type of server (apache/cyrus/exim/...) |
|||
# and do all ssl configuration for you. With this script YOU do all your |
|||
# ssl configuration on your target server yourself. Then, and only after |
|||
# the target server is properly configured, you use this script to deploy |
|||
# the forthcoming LE certificates. |
|||
|
|||
# When called for the first time use the following env vars to setup the |
|||
# configuration. The vars will be stored on a per domain basis. |
|||
#DEPLOY_SCP_CA_TARGET="user@server.com:/etc/apache2/ssl.crt" |
|||
#DEPLOY_SCP_KEY_TARGET="user@server.com:/etc/apache2/ssl.key" |
|||
#DEPLOY_SCP_CERT_TARGET="user@server.com:/etc/apache2/ssl.crt" |
|||
#DEPLOY_SCP_FULLCHAIN_TARGET="user@server.com:/etc/apache2/ssl.crt" |
|||
|
|||
######## public functions ##################### |
|||
|
|||
#domain keyfile certfile cafile fullchain |
|||
scp_deploy() { |
|||
_cdomain="$1" |
|||
_ckey="$2" |
|||
_ccert="$3" |
|||
_cca="$4" |
|||
_cfullchain="$5" |
|||
|
|||
_SCP_check_params |
|||
if [ "$?" -ne 0 ]; then |
|||
_err "Please specify at least one scp target. For instance:" |
|||
_info "DEPLOY_SCP_CERT_TARGET=\"user@server.com:/etc/apache2/ssl.crt\"" |
|||
_info "The target directory has to be writable by the user." |
|||
_info "See the header of this script for more information." |
|||
return 1 |
|||
fi |
|||
|
|||
_debug _cdomain "$_cdomain" |
|||
_debug _cca "$_cca" |
|||
_debug _ckey "$_ckey" |
|||
_debug _ccert "$_ccert" |
|||
_debug _cfullchain "$_cfullchain" |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_CA_TARGET" ]; then |
|||
scp "$_cca" "$DEPLOY_SCP_CA_TARGET" |
|||
if [ "$?" -ne 0 ]; then |
|||
_err "scp copy to server failed" |
|||
return 1 |
|||
fi |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_KEY_TARGET" ]; then |
|||
scp "$_ckey" "$DEPLOY_SCP_KEY_TARGET" |
|||
if [ "$?" -ne 0 ]; then |
|||
_err "scp copy to server failed" |
|||
return 1 |
|||
fi |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_CERT_TARGET" ]; then |
|||
scp "$_ccert" "$DEPLOY_SCP_CERT_TARGET" |
|||
if [ "$?" -ne 0 ]; then |
|||
_err "scp copy to server failed" |
|||
return 1 |
|||
fi |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_FULLCHAIN_TARGET" ]; then |
|||
scp "$_cfullchain" "$DEPLOY_SCP_FULLCHAIN_TARGET" |
|||
if [ "$?" -ne 0 ]; then |
|||
_err "scp copy to server failed" |
|||
return 1 |
|||
fi |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
#################### private functions below ################################## |
|||
|
|||
_SCP_check_params() { |
|||
# at least one of key, cert or fullchain must be set |
|||
if [ -z "$DEPLOY_SCP_KEY_TARGET" ] && [ -z "$DEPLOY_SCP_CERT_TARGET" ] && [ -z "$DEPLOY_SCP_FULLCHAIN_TARGET " ]; then |
|||
DEPLOY_SCP_CA_TARGET="" |
|||
DEPLOY_SCP_KEY_TARGET="" |
|||
DEPLOY_SCP_CERT_TARGET="" |
|||
DEPLOY_SCP_FULLCHAIN_TARGET="" |
|||
return 1 |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_CA_TARGET" ]; then |
|||
_savedomainconf DEPLOY_SCP_CA_TARGET "${DEPLOY_SCP_CA_TARGET}" |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_KEY_TARGET" ]; then |
|||
_savedomainconf DEPLOY_SCP_KEY_TARGET "${DEPLOY_SCP_KEY_TARGET}" |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_CERT_TARGET" ]; then |
|||
_savedomainconf DEPLOY_SCP_CERT_TARGET "${DEPLOY_SCP_CERT_TARGET}" |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_SCP_FULLCHAIN_TARGET" ]; then |
|||
_savedomainconf DEPLOY_SCP_FULLCHAIN_TARGET "${DEPLOY_SCP_FULLCHAIN_TARGET}" |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue