From 0368e5d498d4b1b32fe80374edbf562514fbde9d Mon Sep 17 00:00:00 2001 From: itiligent Date: Thu, 7 Sep 2023 14:39:45 +1000 Subject: [PATCH] add tls cert refresh script --- 1-setup.sh | 26 ++-- 4a-install-tls-self-signed-nginx.sh | 6 +- README.md | 1 + refresh-tls-self-signed.sh | 176 ++++++++++++++++++++++++++++ 4 files changed, 198 insertions(+), 11 deletions(-) create mode 100644 refresh-tls-self-signed.sh diff --git a/1-setup.sh b/1-setup.sh index b26ca6c..8735f3f 100644 --- a/1-setup.sh +++ b/1-setup.sh @@ -17,7 +17,7 @@ # Scripts with "add" in their name can be run post install to add optional features not included in the main install # If something isn't working: -# tail -f /var/log/syslog /var/log/tomcat*/*.out /var/log/mysql/*.log guac-setup/guacamole_${GUAC_VERSION}_setup.log +# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_${GUAC_VERSION}_setup.log # Or for Guacamole debug mode & verbose logs in the console: # sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f @@ -82,8 +82,8 @@ MYSQLJCON="8.1.0" # Set preferred Apache CDN download link) GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VERSION}" -# Force a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/ -# If MYSQL_VERSION is left blank, script will default to the Linux distro default MYSQL packages. +# Force a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/ for available versions. +# If MYSQL_VERSION is left blank, script will default to the distro default MYSQL packages. MYSQL_VERSION="" if [ -z "${MYSQL_VERSION}" ]; then # Use Linux distro default version. 
@@ -95,7 +95,7 @@ if [ -z "${MYSQL_VERSION}" ]; then MYSQLCLIENT="mariadb-client" fi -# Check for the latest version of Tomcat currently supported by the Linux distro +# Check for the latest version of Tomcat currently supported by the distro if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then TOMCAT_VERSION="tomcat10" elif [[ $(apt-cache show tomcat9 2>/dev/null | egrep "Version: 9" | wc -l) -gt 0 ]]; then @@ -226,6 +226,7 @@ wget -q --show-progress ${GITHUB}add-tls-guac-daemon.sh -O add-tls-guac-daemon.s wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh +wget -q --show-progress ${GITHUB}refresh-tls-self-signed.sh -O refresh-tls-self-signed.sh # Download the (customisable) dark theme & branding template wget -q --show-progress ${GITHUB}branding.jar -O branding.jar chmod +x *.sh @@ -649,9 +650,7 @@ else echo fi -# Because the below scripts may be run manually after install, we need to sync them -# with our global variables or any setup prompt choices we made. This way we can run them -# later and they will all work as a set without any manual changes. +# Sync the various manual config scripts with the relevant variables selected at install sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh 
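Review bot: The new `wget` for refresh-tls-self-signed.sh in the `@@ -226` hunk has no status check, so a failed fetch leaves nothing for the later `sed -i ... refresh-tls-self-signed.sh` edits in this commit to patch and sed's own error is the only symptom. Stopping at the point of failure is a one-line change: `wget -q --show-progress "${GITHUB}refresh-tls-self-signed.sh" -O refresh-tls-self-signed.sh || exit 1`. The neighbouring download lines are context and the download block starts before this hunk.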
@@ -660,12 +659,14 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh + sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh + sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh 
@@ -673,6 +674,15 @@ sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh +sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh +sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh + # Export the relevant variable selections to child install scripts export DOWNLOAD_DIR="${DOWNLOAD_DIR}" export TMP_DIR=$TMP_DIR @@ -749,7 +759,7 @@ fi # Apply self signed TLS certificates to Nginx reverse proxy if option is selected if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then - sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} + sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${LOG_LOCATION} echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi diff --git a/4a-install-tls-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh index 193e65f..d7cc276 100644 --- a/4a-install-tls-self-signed-nginx.sh +++ b/4a-install-tls-self-signed-nginx.sh 
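Review bot: The eight new `sed -i` lines for refresh-tls-self-signed.sh splice installer values into both a sed expression and a single-quoted shell assignment, so a value containing `|` breaks the expression and one containing `'` (an organisation name with an apostrophe, say) breaks the generated assignment; the existing lines for backup-guac.sh, add-tls-guac-daemon.sh and upgrade-guac.sh in the surrounding hunks have the same exposure. Anchoring the match stops accidental hits elsewhere in the target script and makes the `g` flag unnecessary: `sed -i "s|^CERT_ORG=$|CERT_ORG='${CERT_ORG}'|" $DOWNLOAD_DIR/refresh-tls-self-signed.sh`. Escaping `'` in each value as `'\''` before substitution would close the remaining gap. The context line for add-tls-guac-daemon.sh in the previous hunk reads `CERT_LOCATION='${CERT_LOCATION=}'`; the stray `=` is the assign-default operator and expands to the same value, but it is inconsistent with the `${CERT_LOCATION}` used here.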
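Review bot: Piping the child installer through `tee -a` on the changed line of the `@@ -749` hunk replaces its exit status with tee's, so a failing 4a-install-tls-self-signed-nginx.sh is no longer visible in `$?`, and the success banner on the next line already prints unconditionally. Unless `set -o pipefail` is in force earlier in the file (not visible here), test the first stage explicitly: keep the pipeline and follow it with `if (( PIPESTATUS[0] != 0 )); then echo -e "${LRED}Self signed certificate setup failed, see ${LOG_LOCATION}${GREY}" >&2; exit 1; fi`. Quoting `"${PROXY_SITE}"`, `"${CERT_DAYS}"` and `"${LOG_LOCATION}"` on the same line also guards against word splitting.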
@@ -73,7 +73,7 @@ if [[ $SSLDAYS == "" ]]; then fi echo -echo "{$GREY}Creating a new Nginx TLS Certificate ..." +echo "{$GREY}Creating a new Nginx TLS Certificate..." openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt if [ $? -ne 0 ]; then echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 
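Review bot: The rewritten message on the `+` line keeps `{$GREY}`, so it prints a literal `{`, the value of GREY and `}` instead of the colour prefix, and it is the only message in this hunk using plain `echo` rather than `echo -e`. The line should read `echo -e "${GREY}Creating a new Nginx TLS Certificate..."`. Whether `-e` is strictly needed depends on how GREY is defined earlier in the file, outside this hunk.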
@@ -111,7 +111,7 @@ else fi # Update Nginx config to accept the new certificates -echo -e "${GREY}Configuring Nginx proxy to use self signed TLS certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}" +echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}" #cat > /etc/nginx/sites-available/$PROXY_SITE < /dev/null cat <&2 + echo + exit 1 +fi + +echo +echo +echo -e "${LGREEN}Cresting self signed TLS certificates for Nginx...${GREY}" +echo + +USER_HOME_DIR=$(eval echo ~${SUDO_USER}) +CERT_DIR=tls-certs-$(date +%y.%m.%d-%H_%M) +WORKING_DIR=$USER_HOME_DIR/guac-setup/$CERT_DIR +mkdir -p $WORKING_DIR +cd $WORKING_DIR + +# Set default certificate file destinations. Change these for other TLS applications. +DIR_SSL_KEY="/etc/nginx/ssl/private" +DIR_SSL_CERT="/etc/nginx/ssl/cert" + +# Cmd line arguments for dns name, certificate days and IP address +TLSNAME=$1 +TLSDAYS=$2 +TLSIP=$3 + +# Auto updated values from main installer (manually update if blank) +CERT_COUNTRY= +CERT_STATE= +CERT_LOCATION= +CERT_ORG= +CERT_OU= +PROXY_SITE= +CERT_DAYS= +DEFAULT_IP= + +# Assume the values used by the guacamole installer if the script is run without any command line options +if [ -z "$1" ] | [ -z "$2" ] | [ -z "$3" ] ; then +TLSNAME=$PROXY_SITE +TLSDAYS=$CERT_DAYS +TLSIP=$DEFAULT_IP +fi + +# Make directories to place TLS Certificate if they don't exist +if [[ ! -d $DIR_SSL_KEY ]]; then + sudo mkdir -p $DIR_SSL_KEY +fi + +if [[ ! -d $DIR_SSL_CERT ]]; then + sudo mkdir -p $DIR_SSL_CERT +fi + +echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" +# Display the new TLS cert parameters. 
+cat <&2 + exit 1 +else + echo -e "${LGREEN}OK${GREY}" + echo +fi + +# Place TLS Certificate into the defined application path +cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key +cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt + +# Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere +echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" +openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 +if [ $? -ne 0 ]; then + echo -e "${LRED}Failed.${GREY}" 1>&2 + exit 1 +else + echo -e "${LGREEN}OK${GREY}" + echo +fi + +# Change of permissions so certs can be copied via WinSCP. +chown -R $SUDO_USER:root $WORKING_DIR + +# Reload everything +echo -e "${GREY}New certificate created, restating Guacamole & Ngnix..." +TOMCAT=$(ls /etc/ | grep tomcat) +systemctl restart $TOMCAT +systemctl restart guacd +systemctl restart nginx +if [ $? -ne 0 ]; then + echo -e "${LRED}Failed.${GREY}" 1>&2 + exit 1 +else + echo -e "${LGREEN}OK${GREY}" + echo +fi + +# Hack to assist with displaying "$" symbols and " ' quotes in a (cut/paste-able) bash screen output format +SHOWASTEXT1='$mypwd' +SHOWASTEXT2='"Cert:\LocalMachine\Root"' + +printf "${GREY}+------------------------------------------------------------------------------------------------------------- +${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} ++ ++ 1. In ${WORKING_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY} ++ 2. 
Import this PFX file into your Windows client with the below Powershell commands (as Administrator): +\n" +echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText" +echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}"" +printf "${GREY}+------------------------------------------------------------------------------------------------------------- +${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} ++ ++ 1. In ${WORKING_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$TLSNAME.crt${GREY} ++ 2. Import the CRT file into your Linux client certificate store with the below command: +\n" +echo -e "(If certutil is not installed, run apt-get install libnss3-tools)" +echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N" +echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $TLSNAME -i $TLSNAME.crt" +printf "+-------------------------------------------------------------------------------------------------------------\n" + +rm -f cert_attributes.txt + +# Done +echo -e ${NC}
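Review bot: `openssl pkcs12 -export ... -password pass:1234` wraps the server's private key in a PFX protected by a fixed, published password, and `chown -R $SUDO_USER:root $WORKING_DIR` then hands that bundle and the raw `$TLSNAME.key` to the invoking user's home directory, so the password protects nothing; a per-run value from `openssl rand`, printed in the PowerShell instructions where the literal `"1234"` now appears, makes the exported file at least as safe as its password. The argument test `if [ -z "$1" ] | [ -z "$2" ] | [ -z "$3" ] ; then` joins the tests with a pipe, so only `[ -z "$3" ]` decides the branch and a call with one or two arguments silently mixes caller values with installer defaults; `||` gives the behaviour the comment above it describes. Only the `systemctl restart nginx` status feeds the OK/Failed check, so a failed Tomcat or guacd restart reports OK, and `cd $WORKING_DIR` has no guard, so a failed mkdir or cd leaves the key written wherever the shell happens to be. The hunk's `@@` header and opening lines (the root check ending at `+fi`), the heredoc that writes cert_attributes.txt and the `openssl req` call are garbled on this page and were not reviewed.
```shell
mkdir -p "$WORKING_DIR"
cd "$WORKING_DIR" || exit 1
# … unchanged: certificate directories, argument variables, installer defaults …
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
# … unchanged: default assignment, directory creation, openssl req, cp of key and cert …
PFX_PASS=$(openssl rand -base64 12)
openssl pkcs12 -export -out "$TLSNAME.pfx" -inkey "$TLSNAME.key" -in "$TLSNAME.crt" -password "pass:${PFX_PASS}"
# … unchanged: OK/Failed check, chown …
systemctl restart "$TOMCAT" || exit 1
systemctl restart guacd || exit 1
systemctl restart nginx
# … unchanged: final OK/Failed check, Windows banner …
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String \"${PFX_PASS}\" -Force -AsPlainText"
# … unchanged: Import-pfxCertificate line, Linux banner, cleanup …
```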