@abuxton
Forked from idokd/scrap-ca-to-bundle.sh
Last active May 4, 2023 12:49
Scrape site for its certificates, validate and create a ca bundle, for the use in downloading a local copy of Certificate Authorities (CAs)

Scrape CA to Bundle


Script to scrape a named URL for the certificate chain it serves and write it out as ca_bundle files (PEM format reference: https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm)

usage

> git clone https://gist.github.com/abuxton/e76dfcc3c60215a200336e4262cff42a scrape-ca_bundle && cd scrape-ca_bundle
bash ./scrape-ca_bundle.sh $URL

todo

ALL the things

  • make it loop through more than one URL to create a bundle?
#!/usr/bin/env bash
# Script to scrape a target URL for its certificate chain and export it as a custom ca_bundle.
# usage:
#   If you need to erase old crts first (not necessary):
#   rm -Rf $CERT_DIR
#   > bash ./scrape-ca_bundle.sh \
#       DN=$FQDN \
#       CERT_DIR=$CERT_DIR
# Exit if any errors are encountered
set -e
# Named KEY=VALUE arguments, after https://unix.stackexchange.com/questions/129391/passing-named-arguments-to-shell-scripts
# getopts (https://wiki.bash-hackers.org/howto/getopts_tutorial) would be the idiomatic choice, but -<singlechar> options are too limited here
for ARGUMENT in "$@"
do
  KEY=$(echo "$ARGUMENT" | cut -f1 -d=)
  VALUE=$(echo "$ARGUMENT" | cut -f2- -d=)
  case "$KEY" in
    DN) DN=${VALUE} ;;
    CERT_DIR) CERT_DIR=${VALUE} ;;
    *) echo "Ignoring unknown argument: $ARGUMENT" ;;
  esac
done
if [ -n "$DN" ]; then
  echo "Fetching bundle from FQDN: $DN"
  FQDN=${DN}
else
  echo 'FQDN not set, see usage: ./scrape-ca_bundle.sh DN=$DN CERT_DIR=$CERT_DIR'
  exit 1
fi
if [ -n "$CERT_DIR" ]; then
  echo "CERT_DIR set as $CERT_DIR"
else
  echo "CERT_DIR not set, using $FQDN as CERT_DIR; see usage: ./scrape-ca_bundle.sh DN=<FQDN> CERT_DIR=<CERT_DIR>"
  CERT_DIR=${FQDN}
fi
FQDN=$DN
SSL_CERT_DIR=$CERT_DIR
CA_BUNDLE=$SSL_CERT_DIR/ca-chain-bundle.pem
# Prepare directories
mkdir -p "$SSL_CERT_DIR/crts"
# Fetch all crts from a specific web location
# taken from https://unix.stackexchange.com/a/487546/160695
# -servername sends SNI so a name-based virtual host returns the chain for this FQDN.
# Note: a server normally sends only its leaf (cert1.pem) and the intermediates, not the
# root CA, so the resulting bundle is what that endpoint presented, not an independent trust store.
openssl s_client -showcerts -verify 5 -servername "$FQDN" -connect "$FQDN:443" < /dev/null \
  | awk -v dir="$SSL_CERT_DIR/crts" '/BEGIN/,/END/{ if(/BEGIN/){a++}; out=dir "/cert" a ".pem"; print >out}'
cat "$SSL_CERT_DIR"/crts/*.pem > "$CA_BUNDLE"
# Verify the leaf certificate (cert1.pem) against the local bundle, e.g.:
# openssl verify -verbose -x509_strict -CAfile "$CA_BUNDLE" "$SSL_CERT_DIR/crts/cert1.pem"
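The todo above asks for a loop over more than one URL. The following is an added example (not the gist's own script) that splits each host's chain into numbered PEM files, then merges every host's certificates into one de-duplicated bundle; it assumes openssl is on PATH for the fetch step, and the host names and sample PEM text in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example: scrape several hosts into one bundle. Assumes openssl on PATH.
set -eu

# Split "openssl s_client -showcerts" output (stdin) into $1/cert1.pem, cert2.pem, ...
# cert1.pem is the server's own (leaf) certificate, later files are the intermediates
# the server chose to send; the root CA is usually not among them. Prints the count.
split_chain() {
  local dir="$1"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > out }
    END { print n + 0 }'
}

# Fetch the chain a TLS server presents for $1 (SNI via -servername) and split it into $2.
fetch_chain() {
  local host="$1" dir="$2"
  openssl s_client -showcerts -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | split_chain "$dir"
}

# Concatenate every <host>/certN.pem below $1 into bundle $2, skipping byte-identical
# certificates already bundled (cksum is POSIX, so no openssl needed). Prints the PEM count.
build_bundle() {
  local root="$1" bundle="$2" f sum seen=" "
  : > "$bundle"
  for f in "$root"/*/cert*.pem; do
    [ -e "$f" ] || continue
    sum=$(cksum < "$f" | cut -d' ' -f1)
    case "$seen" in *" $sum "*) continue ;; esac   # same certificate seen from another host
    seen="$seen$sum "
    cat "$f" >> "$bundle"
  done
  grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true
}

# usage: scrape_hosts <out_dir> <fqdn>...   (e.g. scrape_hosts ./certs a.example b.example)
scrape_hosts() {
  local out="$1"; shift
  local host
  for host in "$@"; do
    echo "Fetching chain from $host" >&2
    fetch_chain "$host" "$out/$host" >/dev/null
  done
  build_bundle "$out" "$out/ca-chain-bundle.pem"
}
```

The bundle only ever contains what each endpoint presented, so it is suited to inspecting or pinning those servers' chains rather than replacing the system trust store.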