#!/bin/bash ####################################################################################################################### # Create or refresh self signed TLS certificates for Nginx (or others) # For Ubuntu / Debian / Rasbpian # David Harrop # September 2023 ####################################################################################################################### # If run with with no command arguments, the ${PROXY_SITE}, ${CERT_DAYS} & ${Default_IP) values used during the # the original install are applied. To keep these run: sudo ./refresh-tls-self-signed-nginx.sh # # This script can also be run with custom command line arguments for use with any TLS application: # Command arguments are formatted as: [command] [FQDN] [cert-lifetime] [IP] # e.g. sudo ./refresh-tls-self-signed-nginx.sh webserver.domain.local 365 192.168.1.1 # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' GREYB='\033[1;37m' LRED='\033[0;91m' LGREEN='\033[0;92m' LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo if ! [[ $(id -u) = 0 ]]; then echo echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 echo exit 1 fi echo echo echo -e "${LGREEN}Cresting self signed TLS certificates for Nginx...${GREY}" echo # Create a place to save the certs so we don't overwrite any earlier versions USER_HOME_DIR=$(eval echo ~${SUDO_USER}) CERT_DIR_NAME=tls-certs-$(date +%y.%m.%d) CERT_DIR=$USER_HOME_DIR/guac-setup/$CERT_DIR_NAME mkdir -p $CERT_DIR cd $CERT_DIR # Set default certificate file destinations. Change these for other TLS applications. DIR_SSL_KEY="/etc/nginx/ssl/private" DIR_SSL_CERT="/etc/nginx/ssl/cert" # Cmd line arguments for dns name, certificate days and IP address TLSNAME=$1 TLSDAYS=$2 TLSIP=$3 # Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) CERT_COUNTRY= CERT_STATE= CERT_LOCATION= CERT_ORG= CERT_OU= PROXY_SITE= CERT_DAYS= DEFAULT_IP= RSA_KEYLENGTH= # Assume the values set by the main installer if the script is run without any command line options if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then TLSNAME=$PROXY_SITE TLSDAYS=$CERT_DAYS TLSIP=$DEFAULT_IP fi # Make directories to place TLS Certificate if they don't exist if [[ ! -d $DIR_SSL_KEY ]]; then mkdir -p $DIR_SSL_KEY fi if [[ ! -d $DIR_SSL_CERT ]]; then mkdir -p $DIR_SSL_CERT fi echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" # Display the new TLS cert parameters. cat <&2 exit 1 else echo -e "${LGREEN}OK${GREY}" echo fi # Place TLS Certificate into the defined application path cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt # Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed.${GREY}" 1>&2 exit 1 else echo -e "${LGREEN}OK${GREY}" echo fi # Change of permissions so certs can be copied via WinSCP. chown -R $SUDO_USER:root $CERT_DIR # Reload everything echo -e "${GREY}New certificate created, restating Guacamole & Ngnix..." TOMCAT=$(ls /etc/ | grep tomcat) systemctl restart $TOMCAT systemctl restart guacd systemctl restart nginx if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed.${GREY}" 1>&2 exit 1 else echo -e "${LGREEN}OK${GREY}" echo fi # Hack to assist with displaying "$" symbols and " ' quotes in a (cut/paste-able) bash screen output format SHOWASTEXT1='$mypwd' SHOWASTEXT2='"Cert:\LocalMachine\Root"' printf "${GREY}+------------------------------------------------------------------------------------------------------------- ${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} + + 1. In ${CERT_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY} + 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator): \n" echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText" echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}"" printf "${GREY}+------------------------------------------------------------------------------------------------------------- ${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} + + 1. In ${CERT_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$TLSNAME.crt${GREY} + 2. Import the CRT file into your Linux client certificate store with the below command: \n" echo -e "(If certutil is not installed, run apt-get install libnss3-tools)" echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N" echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $TLSNAME -i $TLSNAME.crt" printf "+-------------------------------------------------------------------------------------------------------------\n" rm -f cert_attributes.txt # Done echo -e ${NC}