#!/bin/sh set -e set -x AUTHORITY=certidude.@authority[0] # TODO: iterate over all authorities GATEWAY=$(uci get $AUTHORITY.gateway) COMMON_NAME=$(uci get system.@system[0].hostname) DIR=/etc/certidude/authority/$(uci get $AUTHORITY.hostname) mkdir -p $DIR AUTHORITY_PATH=$DIR/ca_cert.pem CERTIFICATE_PATH=$DIR/host_cert.pem REQUEST_PATH=$DIR/host_req.pem KEY_PATH=$DIR/host_key.pem KEY_TYPE=$(uci get $AUTHORITY.key_type) KEY_LENGTH=$(uci get $AUTHORITY.key_length) KEY_CURVE=$(uci get $AUTHORITY.key_curve) NTP_SERVERS=$(uci get system.ntp.server) logger -t certidude -s "Fetching time from NTP servers: $NTP_SERVERS" ntpd -q -n -d -p $NTP_SERVERS logger -t certidude -s "Time is now: $(date)" # If certificate file is there assume everything's set up if [ -f $CERTIFICATE_PATH ]; then SERIAL=$(openssl x509 -in $CERTIFICATE_PATH -noout -serial | cut -d "=" -f 2 | tr [A-F] [a-f]) logger -t certidude -s "Certificate with serial $SERIAL already exists in $CERTIFICATE_PATH, attempting to bring up VPN tunnel..." exit 0 fi ######################################### ### Generate private key if necessary ### ######################################### if [ ! -f $KEY_PATH ]; then case $KEY_TYPE in rsa) logger -t certidude -s "Generating $KEY_LENGTH-bit RSA key..." openssl genrsa -out $KEY_PATH.part $KEY_LENGTH openssl rsa -in $KEY_PATH.part -noout ;; ec) logger -t certidude -s "Generating $KEY_CURVE ECDSA key..." openssl ecparam -name $KEY_CURVE -genkey -noout -out $KEY_PATH.part ;; *) logger -t certidude -s "Unsupported key type $KEY_TYPE" exit 255 ;; esac mv $KEY_PATH.part $KEY_PATH fi ############################ ### Fetch CA certificate ### ############################ if [ ! -f $AUTHORITY_PATH ]; then logger -t certidude -s "Fetching CA certificate from $URL/api/certificate/" curl -f -s http://$(uci get $AUTHORITY.hostname)/api/certificate/ -o $AUTHORITY_PATH.part if [ $? -ne 0 ]; then logger -t certidude -s "Failed to receive CA certificate, server responded: $(cat $AUTHORITY_PATH.part)" exit 10 fi openssl x509 -in $AUTHORITY_PATH.part -noout if [ $? -ne 0 ]; then logger -t certidude -s "Received invalid CA certificate" exit 11 fi mv $AUTHORITY_PATH.part $AUTHORITY_PATH fi logger -t certidude -s "CA certificate md5sum: $(md5sum -b $AUTHORITY_PATH)" ##################################### ### Generate request if necessary ### ##################################### if [ ! -f $REQUEST_PATH ]; then openssl req -new -sha256 -key $KEY_PATH -out $REQUEST_PATH.part -subj "/CN=$COMMON_NAME" mv $REQUEST_PATH.part $REQUEST_PATH fi logger -t certidude -s "Request md5sum is $(md5sum -b $REQUEST_PATH)" curl -f -L \ -H "Content-Type: application/pkcs10" \ --cacert $AUTHORITY_PATH \ --data-binary @$REQUEST_PATH \ https://$(uci get $AUTHORITY.hostname):8443/api/request/?autosign=true\&wait=yes -o $CERTIFICATE_PATH.part # TODO: Loop until we get exitcode 0 # TODO: Use backoff time $((2\*X)) if [ $? -ne 0 ]; then echo "Failed to fetch certificate" exit 21 fi # Verify certificate openssl verify -CAfile $AUTHORITY_PATH $CERTIFICATE_PATH.part if [ $? -ne 0 ]; then logger -t certidude -s "Received bogus certificate!" exit 22 fi logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_PATH.part)" uci commit echo $AUTHORITY_PATH >> /etc/sysupgrade.conf echo $CERTIFICATE_PATH >> /etc/sysupgrade.conf echo $KEY_PATH >> /etc/sysupgrade.conf echo $REQUEST_PATH >> /etc/sysupgrade.conf mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH # Start services logger -t certidude -s "Starting IPSec IKEv2 daemon..." /etc/init.d/ipsec enable /etc/init.d/ipsec restart