updated to match tls refresh script

2025-12-13 18:02:32 +00:00 · 2023-09-07 20:38:17 +10:00 · 2023-09-07 20:38:17 +10:00 · e3cedd1a88
commit e3cedd1a88
parent 0368e5d498
1 changed files with 40 additions and 41 deletions
--- a/4a-install-tls-self-signed-nginx.sh
+++ b/4a-install-tls-self-signed-nginx.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 #######################################################################################################################
 # Add self signed TLS certificates to Guacamole with Nginx reverse proxy
-# For Ubuntu / Debian / Rasbpian
+# For Ubuntu / Debian / Raspbian
 # 4a of 4
 # David Harrop
 # April 2023
@ -22,8 +22,21 @@ echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
 echo

 # Setup script cmd line arguments for proxy site and certificate days
-SSLNAME=$1
-SSLDAYS=$2
+TLSNAME=$1
+TLSDAYS=$2
+
+# Set default certificate file destinations.
+DIR_SSL_CERT="/etc/nginx/ssl/cert"
+DIR_SSL_KEY="/etc/nginx/ssl/private"
+
+# Make directories to place TLS Certificate if they don't exist
+if [[ ! -d $DIR_SSL_KEY ]]; then
+    sudo mkdir -p $DIR_SSL_KEY
+fi
+
+if [[ ! -d $DIR_SSL_CERT ]]; then
+    sudo mkdir -p $DIR_SSL_CERT
+fi

 # Discover IPv4 interface
 DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
@ -43,7 +56,7 @@ ST                  = $CERT_STATE
 L                   = $CERT_LOCATION
 O                   = $CERT_ORG
 OU                  = $CERT_OU
-CN                  = $PROXY_SITE
+CN                  = $TLSNAME

 [v3_req]
 keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
@ -51,30 +64,13 @@ extendedKeyUsage    = serverAuth, clientAuth, codeSigning, emailProtection
 subjectAltName      = @alt_names

 [alt_names]
-DNS.1               = $PROXY_SITE
+DNS.1               = $TLSNAME
 IP.1                = $DEFAULT_IP
 EOF

-# Set default certificate file destinations. These can be adapted for any other TLS application.
-DIR_SSL_CERT="/etc/nginx/ssl/cert"
-DIR_SSL_KEY="/etc/nginx/ssl/private"
-
-# Make directories to place TLS Certificate if they don't exist
-if [[ ! -d $DIR_SSL_KEY ]]; then
-    sudo mkdir -p $DIR_SSL_KEY
-fi
-
-if [[ ! -d $DIR_SSL_CERT ]]; then
-    sudo mkdir -p $DIR_SSL_CERT
-fi
-
-if [[ $SSLDAYS == "" ]]; then
-    $SSLDAYS = 3650
-fi
-
 echo
 echo "{$GREY}Creating a new Nginx TLS Certificate..."
-openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
+openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config $TMP_DIR/cert_attributes.txt
 if [ $? -ne 0 ]; then
    echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
    exit 1
@ -83,14 +79,13 @@ else
    echo
 fi

-# Place TLS Certificate within defined path
-sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key
-sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt
+# Place TLS Certificate into the defined application path
+sudo cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key
+sudo cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt

 # Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere
-echo -e "${GREY}Creating client certificates for Windows & Linux...${GREY}"
-sudo openssl pkcs12 -export -out $SSLNAME.pfx -inkey $SSLNAME.key -in $SSLNAME.crt -password pass:1234
-sudo chmod 0774 $SSLNAME.pfx
+echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}"
+sudo openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234
 if [ $? -ne 0 ]; then
    echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
    exit 1
@ -99,9 +94,14 @@ else
    echo
 fi

+# Change of permissions so certs can be copied via WinSCP.
+sudo chown $SUDO_USER:root $TLSNAME.pfx 
+sudo chown $SUDO_USER:root $TLSNAME.crt
+sudo chown $SUDO_USER:root $TLSNAME.key
+
 # Backup the current Nginx config before update
-echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$PROXY_SITE-nginx.bak"
-cp /etc/nginx/sites-enabled/${PROXY_SITE} $DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak
+echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$TLSNAME-nginx.bak"
+cp /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak
 if [ $? -ne 0 ]; then
    echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
    exit 1
@ -112,13 +112,12 @@ fi

 # Update Nginx config to accept the new certificates
 echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}"
-#cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
-cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
+cat <<EOF | tee /etc/nginx/sites-available/$TLSNAME
 server {
    #listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
-    server_name $PROXY_SITE;
+    server_name $TLSNAME;
    location / {
        proxy_pass $GUAC_URL;
        proxy_buffering off;
@ -129,8 +128,8 @@ server {
        access_log off;
    }
    listen 443 ssl;
-    ssl_certificate      /etc/nginx/ssl/cert/$SSLNAME.crt;
-    ssl_certificate_key  /etc/nginx/ssl/private/$SSLNAME.key;
+    ssl_certificate      /etc/nginx/ssl/cert/$TLSNAME.crt;
+    ssl_certificate_key  /etc/nginx/ssl/private/$TLSNAME.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;
 }
@ -139,7 +138,7 @@ server {
    listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
-    server_name $PROXY_SITE;
+    server_name $TLSNAME;
    location / {
        proxy_pass $GUAC_URL;
        proxy_buffering off;
@ -195,20 +194,20 @@ SHOWASTEXT2='"Cert:\LocalMachine\Root"'
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
 ${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
-+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY}
 + 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator):
 \n"
 echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
-echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
+echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
 ${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
-+ 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
+ 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$TLSNAME.crt${GREY}
 + 2. Import the CRT file into your Linux client certificate store with the below command:
 \n"
 echo -e "(If certutil is not installed, run apt-get install libnss3-tools)"
 echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N"
-echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $SSLNAME -i $SSLNAME.crt"
+echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $TLSNAME -i $TLSNAME.crt"
 printf "+-------------------------------------------------------------------------------------------------------------\n"
 echo -e "${LYELLOW}The above TLS browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"