From e5a33da6c6a527c78c0a7891f53934bc76c90ec6 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Wed, 16 Oct 2024 20:33:34 +0000
Subject: [PATCH] add gencert.sh script to generate tls certificates, add some comments to setup.sh
---
gencert.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
setup.sh | 7 +++++
2 files changed, 88 insertions(+)
create mode 100755 gencert.sh
diff --git a/gencert.sh b/gencert.sh
new file mode 100755
index 0000000..959a30a
--- /dev/null
+++ b/gencert.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# https://documentation.ubuntu.com/server/how-to/openldap/ldap-and-tls/
+# requries gnutls-bin ssl-cert
+# only for ubuntu and you should probably double check the script before running
+
+ORG=''
+CN=''
+
+# Define directories and filenames
+CA_DIR="/etc/ssl"
+CA_INFO="${CA_DIR}/ldap-ca.info"
+CA_KEY="${CA_DIR}/private/ldap-ca-key.pem"
+CA_CERT_TEMP="/usr/local/share/ca-certificates/ldap-ca-cert.crt"
+CA_CERT="${CA_DIR}/certs/ldap-ca-cert.pem"
+SERVER_INFO="${CA_DIR}/ldap-server.info"
+LDAP_DIR="/etc/ldap"
+SERVER_KEY="${LDAP_DIR}/ldap-server-key.pem"
+SERVER_CERT="${LDAP_DIR}/ldap-server-cert.pem"
+
+# read in organization and host cn (FQDN)
+read -p "Organization: " ORG
+read -p "CA CN (FQDN): " CN
+
+# write CA tempalte info
+cat > $CA_INFO < $SERVER_INFO << EOF
+organization = ${ORG}
+cn = ${CN}
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 3652
+EOF
+
+# generate CA private key
+certtool --generate-privkey \
+ --bits 4096 \
+ --outfile $CA_KEY
+
+# generate CA certificate
+certtool --generate-self-signed \
+ --load-privkey $CA_KEY \
+ --template $CA_INFO \
+ --outfile $CA_CERT_TEMP
+
+# update CA certificates
+update-ca-certificates
+
+# generate server private key
+certtool --generate-privkey \
+ --bits 4096 \
+ --outfile $SERVER_KEY
+
+# generate server certificate and sign certificate using CA
+certtool --generate-certificate \
+ --load-privkey $SERVER_KEY \
+ --load-ca-certificate $CA_CERT \
+ --load-ca-privkey $CA_KEY \
+ --template $SERVER_INFO \
+ --outfile $SERVER_CERT
+
+# make sure that openldap has access to the server key
+chgrp openldap $SERVER_KEY
+chmod 0640 $SERVER_KEY
+
+# report the relevant files made (this is useful for running setup.sh after)
+echo "
+Generated TLS Certificates
++==============================+
+CA Cert: ${CA_CERT}
+Server Cert: ${SERVER_CERT}
+Server Key: ${SERVER_KEY}
+"
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
index 672cc77..1a5fa11 100755
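Review bot: Nothing in the new script stops on failure: there is no `set -euo pipefail` after `#!/bin/bash` and no check that it runs as root, so a failed `certtool` or `update-ca-certificates` step still falls through to `chgrp`/`chmod` and the "Generated TLS Certificates" block, and a `$CA_CERT` left over from an earlier run could end up being the one used for signing. Re-running also overwrites `$CA_KEY` and `$SERVER_KEY` without asking, which replaces the CA so that anything that trusted or was signed by the previous one stops validating; a guard such as `if [ -e "$CA_KEY" ]; then echo "CA key exists: $CA_KEY" >&2; exit 1; fi` before the first `certtool` call would prevent that. The path variables are expanded unquoted and `read -p` lacks `-r`; `read -r -p "Organization: " ORG` and `--outfile "$CA_KEY"` are the safer forms, and empty `ORG`/`CN` should be rejected before the templates are written. The CA template heredoc is not readable in this rendering, so whether the CA and server certificates both get `cn = ${CN}` (which would make issuer and subject identical) should be confirmed against the file.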
--- a/setup.sh +++ b/setup.sh @@ -18,6 +18,7 @@ DO_TLS=1 POSITIONAL_ARGS=() +# parse CLI arguments while [[ $# -gt 0 ]]; do case $1 in --skip-auth) @@ -51,8 +52,10 @@ echo "DO AUTH = ${DO_AUTH}" echo "DO TLS = ${DO_TLS}" echo "+===============+" +# always read in base dn read -p "Base DN: " BASE_DN +# read in init admin info if [ "$DO_INIT" = 1 ]; then read -p "Admin User ID: " ADMIN_ID read -p "Admin User Email: " ADMIN_EMAIL @@ -67,18 +70,21 @@ if [ "$DO_INIT" = 1 ]; then do echo "Passwords must match" ; done fi +# read in infor for tls config if [ "$DO_TLS" = 1 ]; then read -p "CA Cert File Path: " CA_FILE read -p "Server Cert File Path: " CERT_FILE read -p "Server Key File Path: " KEY_FILE fi +# execute modify auth if [ "$DO_AUTH" = 1 ]; then envsubst '$BASE_DN' < auth.template.ldif > auth.ldif sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif rm auth.ldif fi +# execute add init, which cannot be done on an already initialized system if [ "$DO_INIT" = 1 ]; then envsubst '$BASE_DN' < pass.template.ldif > pass.ldif envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif @@ -87,6 +93,7 @@ if [ "$DO_INIT" = 1 ]; then rm pass.ldif init.ldif fi +# execute modify tls if [ "$DO_TLS" = 1 ]; then envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < tls.template.ldif > tls.ldif sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
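Review bot: The comment added above the init block, `# execute add init, which cannot be done on an already initialized system`, leaves out the security-relevant part: the `envsubst` line beneath it renders `$ADMIN_PASSWD` into `init.ldif` in the current directory with whatever umask the caller has, and the file only goes away at the later `rm pass.ldif init.ldif`. I would extend the comment to say so, for example `# init.ldif holds $ADMIN_PASSWD until the rm below; run from a private directory`, or set `umask 077` before rendering; whether the value is already hashed at that point is not visible in these hunks. In the TLS prompt hunk, `# read in infor for tls config` should read `# read in info for tls config`. All of the `if` blocks touched here start or end outside the hunks shown.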