mkcerts upgrades

mkcerts.sh

@@ -30,10 +30,10 @@ fi
 
 # GENERIC UTILS
 
-function ifsrev { __temp=$(tr "$2" '\n' <<< "$1" | tac | tr '\n' "$2"); echo -n ${__temp:0:-1}; }
+function ifsrev { __temp=`tr "$2" '\n' <<< "$1" | tac | tr '\n' "$2"`; echo -n ${__temp:0:-1}; }
 function b64u { cat | base64 -w 0 | tr '/+' '_-' | tr -d '= '; } # u for url-safe
 function ub64u { tr '_-' '/+' | base64 -d | hexdump -v -e '/1 ""' -e '/1 "%02x" ""'; } # u for un-
-function short256 { __temp=$(cat | sha256sum); echo -n ${__temp:0:-3}; }
+function short256 { __temp=`cat | sha256sum`; echo -n ${__temp:0:-3}; }
 function hex2bin { cat | sed 's/\([0-9a-f]\{2\}\)/\\\\\\x\1/g' | xargs printf; }
 
 # UTILS
@@ -51,7 +51,7 @@ function get_CA_URLs
 	CAs[jewgle]=https://dv.acme-v02.api.pki.goog/directory
 	CAs[jewgletest]=https://dv.acme-v02.test-api.pki.goog/directory
 	CA=$1
-	endpoints=$(carl -s ${CAs[$CA]})
+	endpoints=`carl -s ${CAs[$CA]}`
 	export CA
 	export endpoints # I don't know if this works, or if it matters
 } # $1=LE
@@ -59,14 +59,14 @@ function get_CA_URLs
 function read_ACME
 {
 	# Extract signature info from key:
-	read hex exp <<< $(openssl rsa -in account.key -noout -text | tr -d ': \r\n' | sed -E 's/^.*modulus00([a-f0-9]+)publicExponent[0-9]+\(0x([0-9a-f]+)\).*$/\1 \2/')
+	read hex exp <<< `openssl rsa -in account.key -noout -text | tr -d ': \r\n' | sed -E 's/^.*modulus00([a-f0-9]+)publicExponent[0-9]+\(0x([0-9a-f]+)\).*$/\1 \2/'`
 	# And prepare it for sending to ACME server:
-	hex=$(hex2bin <<< "$hex" | b64u)
-	exp=$([ $((${#exp}%2)) = 0 ] || echo -n 0; echo $exp) # There's probably an easier way than this, but it works and makes sense so whatever.
-	exp=$(hex2bin <<< "$exp" | b64u) # Apparently this one goes in URLs. OR NOT, THE OTHER ONE DOES.
+	hex=`hex2bin <<< "$hex" | b64u`
+	exp=`[ $((${#exp}%2)) = 0 ] || echo -n 0; echo $exp` # There's probably an easier way than this, but it works and makes sense so whatever.
+	exp=`hex2bin <<< "$exp" | b64u` # Apparently this one goes in URLs. OR NOT, THE OTHER ONE DOES.
 	jerk='{"e": "'$exp'", "kty": "RSA", "n": "'$hex'"}'
 	sig='{"alg":"RS256", "jwk": '$jerk'}' # Keys must be sorted.
-	thumb=$(echo -n "$jerk" | tr -d ' ' | short256 | hex2bin | b64u) # How many times can you b64 a bowl of ramen before it begins questioning its existence
+	thumb=`echo -n "$jerk" | tr -d ' ' | short256 | hex2bin | b64u` # How many times can you b64 a bowl of ramen before it begins questioning its existence
 }
 
 function load_kid
@@ -83,7 +83,7 @@ function get_nonce
 	# Get a nonce (nigger):
 	nonce_resp=$1
 	if [ -z "$nonce_resp" ]; then
-		nonce_resp=$(carl -si $(echo $endpoints | jq -r .newNonce))
+		nonce_resp=`carl -si $(echo $endpoints | jq -r .newNonce)`
 	fi
 	grep -i 'replay-nonce' <<< "$nonce_resp" | tr -d "\r" | grep -Eo '[0-9a-zA-Z_\-]+$' # Fucking Windows line endings
 }
@@ -95,12 +95,12 @@ function szf # setup zone file
 	file=$1
 	shift
 	for tok in $@; do
-		echo _ACME-CHALLENGE	300	TXT	$(echo -n "$tok.$thumb" | short256 | hex2bin | b64u) >> $file
+		echo _ACME-CHALLENGE	300	TXT	`echo -n "$tok.$thumb" | short256 | hex2bin | b64u` >> $file
 	done
 }
 function usoa # update SOA
 {
-	inc=$(grep -Eo 'SOA	[^	]+	[^	]+	[0-9]+' $1 | grep -Eo '[0-9]+$')
+	inc=`grep -Eo 'SOA	[^	]+	[^	]+	[0-9]+' $1 | grep -Eo '[0-9]+$'`
 	sed -i 's/SOA\t\([^\t]*\)\t\([^\t]*\)\t[0-9]*/SOA	\1	\2	'$((inc+1))'/' $1
 }
 
@@ -110,9 +110,9 @@ function complete_challenges
 {
 	read_ACME # get thumb. It fucks up sig but I don't care, send_req fixes it.
 	declare -A toks
-	urls=$(jq -r '.[]' <<< "$1")
+	urls=`jq -r '.[]' <<< "$1"`
 	while read url; do
-		read dom chalurl tok <<< "$(send_req $url | jq -r '.identifier.value+" "+(.challenges | .[] | select(.type == "dns-01") | .url+" "+.token)')"
+		read dom chalurl tok <<< "`send_req $url | jq -r '.identifier.value+" "+(.challenges | .[] | select(.type == "dns-01") | .url+" "+.token)'`"
 		chals="$chals $chalurl"
 		toks[$dom]="${toks[$dom]} $tok"
 	done <<< "$urls"
@@ -123,7 +123,7 @@ function complete_challenges
 	try_challenges $chals
 	# now we wait for validations
 	echo "beginning validation" >&2
-	echo "pending list contains: $chals" >&2
+	echo "pending list contains: ${pending[@]}" >&2
 	dirty=1
 	tick=0
 	while [ $dirty -gt 0 ]; do
@@ -147,7 +147,7 @@ function apply_challenge
 	dom=$1
 	shift
 	echo "applying challenge for $dom: $@" >&2
-	dnsname="/var/named/$(ifsrev $dom .).zone"
+	dnsname="/var/named/`ifsrev $dom .`.zone"
 	czf $dnsname
 	szf $dnsname $@ # Actually update the DNS
 	usoa $dnsname # And don't forget to update the SOA number
@@ -157,7 +157,6 @@ function try_challenges
 {
 	for url in $@; do
 		sleep $sleepval # Spam a bit less
-		echo "trying $url" >&2
 		send_req $url '{}' > /dev/null # need empty dict to tell server to validate challenge, empty body only checks status. Just another certified ACME moment.
 	done
 }
@@ -168,9 +167,9 @@ function status_challenges
 	for url in $@; do
 		sleep $sleepval
 		echo "checking $url" >&2
-		oof=$(send_req $url)
-		oof2=$(jq -r .status <<< "$oof")
-		nonce=$(get_nonce) # For some reason checking status doesn't come back with a nonce, or comes back with same nonce.
+		oof="`send_req $url`"
+		oof2=`jq -r .status <<< "$oof"`
+		nonce=`get_nonce` # For some reason checking status doesn't come back with a nonce, or comes back with same nonce.
 		if [ $oof2 != valid ]; then dirt=1; echo -n "in" >&2; fi
 		echo "valid" >&2
 	done
@@ -186,15 +185,15 @@ function send_req
 	data=$(jq '.+{"nonce":"'$nonce'","url":"'$url'"}' <<< "$sig" | tr -d '\r\n' | tr -s ' ' ' ' | sed -e 's/{ /{/g' -e 's/ }/}/g') # Keys don't need to be sorted here, but they still are.
 	# I don't know why the URL has to be in the body that is sent to the URL.
 	# ACME is a terrible protocol.
-	body=$(b64u <<< "$data")
-	sig2=$(echo -n "$body.$req" | openssl dgst -sha256 -sign account.key | b64u)
+	body=`b64u <<< "$data"`
+	sig2=`echo -n "$body.$req" | openssl dgst -sha256 -sign account.key | b64u`
 	mexican='{"protected": "'$body'", "payload": "'$req'", "signature": "'$sig2'"}' # Because it's a jose
-	req_resp=$(carl -isH "Content-type:application/jose+json" $url --data "$mexican" | tr -d "\r") # Here is the line that does the work
-	req_heads=$(sed -n 1,/^$/p <<< "$req_resp")
-	req_resp=$(sed 1,/^$/d <<< "$req_resp")
-	nonce=$(get_nonce "$req_heads")
+	req_resp=`carl -isH "Content-type:application/jose+json" $url --data "$mexican" | tr -d "\r"` # Here is the line that does the work
+	req_heads=`sed -n 1,/^$/p <<< "$req_resp"`
+	req_resp=`sed 1,/^$/d <<< "$req_resp"`
+	nonce=`get_nonce "$req_heads"`
 	if [ -n "$3" ]; then printf "$req_heads"; echo; echo; fi
-	echo $req_resp
+	echo "$req_resp"
 }
 
 # CORE ACTIONS
@@ -204,7 +203,7 @@ function gen_ACME_key { openssl genrsa -traditional 2048 > account.key; }
 function register_acc
 {
 	# These things have to occur before we process anything else because their values get used in EAB sneablies
-	url=$(echo $endpoints | jq -r .newAccount)
+	url=`echo $endpoints | jq -r .newAccount`
 	read_ACME
 	
 	email=$1; shift
@@ -223,9 +222,9 @@ function register_acc
 	fi
 	# Create account:
 	req='{"termsOfServiceAgreed": true, '"$eab"'"contact": ["mailto:'"$email"'"]}'
-	out=$(send_req "$url" "$req" yes)
+	out="`send_req "$url" "$req" yes`"
 	echo "$out" >&2
-	loc=$(grep -i 'location' <<< "$out" | grep -io http.*$)
+	loc=`grep -i 'location' <<< "$out" | grep -io http.*$`
 	load_kid $loc
 	echo $loc
 }
@@ -234,31 +233,32 @@ function get_cert
 {
 	conf=$1
 	shift
-	url=$(echo $endpoints | jq -r .newOrder)
+	url=`echo $endpoints | jq -r .newOrder`
 	req='{"identifiers": ['
 	for n in $@; do
 		req=$req'{"type": "dns", "value": "'$n'"}, {"type": "dns", "value": "*.'$n'"}, ' # Do not put wildcard domains in; this will do it automatically. You still need to put them in the nuconf.
 	done
 	req=${req:0:-2}']}'
-	order=$(send_req $url "$req" yes)
+	order="`send_req $url "$req" yes`"
 	echo "$order" >&2
-	headers=$(sed -n 1,/^$/p <<< "$order")
-	order=$(sed 1,/^$/d <<< "$order")
+	headers=`sed -n 1,/^$/p <<< "$order"`
+	order=`sed 1,/^$/d <<< "$order"`
 	# I can just access the headers lol
 	# No I can't, assfucked by subshells again
-	orderurl=$(grep -i location <<< "$headers" | grep -io http.*$)
+	orderurl=`grep -i location <<< "$headers" | grep -io http.*$`
 	echo "order URL is: $orderurl" >&2
-	auths=$(jq '.authorizations' <<< "$order")
-	finalise=$(jq -r '.finalize' <<< "$order")
+	auths=`jq '.authorizations' <<< "$order"`
+	finalise=`jq -r '.finalize' <<< "$order"`
 	complete_challenges "$auths"
 	openssl req -new -key live.key -out live.csr -sha256 -noenc -config $conf -outform DER
 	# I guess I should just include the conf file
-	send_req $finalise '{"csr":"'$(cat live.csr | b64u)'"}'
+	send_req $finalise '{"csr":"'$(cat live.csr | b64u)'"}' > /dev/null
 	sleep 10
-	order2=`send_req $orderurl`
+	order2="`send_req $orderurl`"
 	echo $order2 >&2
 	certurl=`jq -r .certificate <<< "$order2"`
-	carl $certurl > out.crt
+	nonce=`get_nonce`
+	send_req "$certurl" > out.crt
 }
 
 # MAIN

updateLE.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-function ch { chown $1 $3; chmod $2 $3; }
-
-./mkcerts.sh LE get_cert nuconf rakka.au harpy.faith botegirl.parts
-cp -f out.crt /srv/http/certs/fag.crt
-ch http:http 644 /srv/http/certs/fag.crt
-cp -f out.crt /etc/prosody/certs/harpy.faith/fullchain.pem
-ch prosody:jabber 600 /etc/prosody/certs/harpy.faith/fullchain.pem
-cp -f out.crt /srv/email/certs/fag.crt
-ch root:smtpd 640 /srv/email/certs/fag.crt
-
-./mkcerts.sh LE get_cert nerdconf nerdshope.au
-cp -f out.crt /srv/http/certs/nerd.crt
-ch http:http 644 /srv/http/certs/nerd.crt
-cp -f out.crt /srv/email/certs/nerd.crt
-ch root:smtpd 640 /srv/email/certs/nerd.crt
-
-systemctl reload nginx
-systemctl reload prosody
-systemctl restart smtpd
-systemctl reload dovecot

update_fag_certs.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+cd /root/certshit
+
+function ch { chown $1 $3; chmod $2 $3; }
+
+/root/certshit/mkcerts.sh ZSSL get_cert nuconf rakka.au harpy.faith botegirl.parts xn--kek.dev
+
+if ! certtool -i --load-certificate out.crt > /dev/null; then
+	echo an error occurred
+	cat out.crt
+else
+	cp -f out.crt /srv/http/certs/fag.crt
+	ch http:http 644 /srv/http/certs/fag.crt
+	cp -f out.crt /etc/prosody/certs/harpy.faith/fullchain.pem
+	ch prosody:jabber 600 /etc/prosody/certs/harpy.faith/fullchain.pem
+	cp -f out.crt /srv/email/certs/fag.crt
+	ch root:smtpd 640 /srv/email/certs/fag.crt
+	
+	#/root/certshit/mkcerts.sh LE get_cert nerdconf nerdshope.au
+	#cp -f out.crt /srv/http/certs/nerd.crt
+	#ch http:http 644 /srv/http/certs/nerd.crt
+	#cp -f out.crt /srv/email/certs/nerd.crt
+	#ch root:smtpd 640 /srv/email/certs/nerd.crt
+	
+	systemctl reload nginx
+	systemctl reload prosody
+	systemctl restart smtpd
+	systemctl restart imap4d
+fi