@gartnera
Last active February 3, 2016 16:43
A bash script to generate and sign TLS certificates with Let's Encrypt for nginx on FreeBSD
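#!/usr/bin/env bash
#
# Initial provisioning of one nginx reverse-proxy vhost with a Let's Encrypt
# certificate (signed through acme-tiny) on FreeBSD.
#
# Steps, in order:
#   1. ask for a domain and check that one of its A records is ROUTER_IP
#   2. ask for the proxy destination and check it answers over HTTP(S)
#   3. create keys/<domain>/ under NGINX_ROOT with a fresh 4096-bit RSA key and CSR
#   4. render sites/<domain>.conf from BASE_CONF_NAME and reload nginx so the
#      http-01 challenge location is live
#   5. sign the CSR with acme-tiny, append the intermediate, enable the https
#      server block in the vhost and reload nginx again
#   6. append a renewal stanza to RENEW_SCRIPT_PATH
#
# Requirements: run as a user that may write NGINX_ROOT and reload nginx;
# /etc/ssl/openssl.cnf must contain the literal COMMONNAME_REPLACE marker
# (FreeBSD workaround, see make_key_and_csr); the template keeps its https
# server block commented out with exactly one leading "#" per line.
# There is no rollback: if a step fails after the domain directory was created,
# remove keys/<domain>/ and sites/<domain>.conf before running again.
set -euo pipefail

readonly NGINX_ROOT='/usr/local/etc/nginx/'
readonly BASE_CONF_NAME='proxy_template.conf'
readonly CERT_DIR='keys/'
readonly CHALLENGE_DIR='/var/letsenc-challenge/.well-known/acme-challenge/'
readonly ACME_TINY_DIR='/opt/acme-tiny/'
readonly ROUTER_IP='138.247.115.10'
readonly RENEW_SCRIPT_PATH='/opt/acme-tiny/renewCerts.sh'
# Intermediate appended below the leaf; it has to be the CA that actually
# issued the certificate, so update this when Let's Encrypt rotates it.
readonly INTERMEDIATE_URL='https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem'

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort early if a tool used later is missing.
#######################################
require_tools() {
  local tool
  for tool in host awk curl openssl nginx python wget sed; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
}

#######################################
# In-place sed for both BSD sed (-i needs an explicit empty backup suffix)
# and GNU sed (-i takes none). Replaces the old eval'd SED_CMD variable.
# Arguments: sed script and file(s), as for sed(1)
#######################################
sed_inplace() {
  if sed --version >/dev/null 2>&1; then
    sed -i "$@"
  else
    sed -i '' "$@"
  fi
}

#######################################
# Prompt for the domain and verify that an A record points at ROUTER_IP.
# Only hostname characters are accepted because the value is later used in a
# sed replacement, in file names and inside the nginx config.
# Outputs:   the validated domain on stdout (the prompt goes to stderr)
# Returns:   0 on success; exits via die otherwise
#######################################
ask_domain() {
  local name
  local re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
  read -r -p "Enter the domain name: " name
  [[ "$name" =~ $re ]] || die "invalid domain name: $name"
  # Accept the domain if ANY A record matches (the old cut/tr pipeline glued
  # several addresses together and could never match). pipefail makes an
  # NXDOMAIN from host fail the pipeline as well.
  host -t A "$name" \
    | awk -v ip="$ROUTER_IP" '/has address/ && $NF == ip { found = 1 } END { exit !found }' \
    || die "Provided domain name doesn't point at the router"
  printf '%s\n' "$name"
}

#######################################
# Prompt for the proxy destination and check that it is reachable.
# The URL is spliced into a proxy_pass directive, so it must be http(s) and
# must not contain whitespace or nginx syntax characters.
# Outputs:   the validated URL on stdout
#######################################
ask_proxy_target() {
  local url
  local re='^https?://[^[:space:];{}#"]+$'
  read -r -p "Enter the full url of the proxy destination: " url
  [[ "$url" =~ $re ]] || die "invalid proxy target: $url"
  # Any HTTP status counts as "up"; only a transport failure is fatal.
  curl --silent --output /dev/null --max-time 15 "$url" \
    || die "Unable to connect to proxy target"
  printf '%s\n' "$url"
}

#######################################
# Create key.pem (mode 0600) and domain.csr in the given directory.
# Arguments: $1 - domain (already validated), $2 - certificate directory
#######################################
make_key_and_csr() {
  local domain=$1 dir=$2
  # Private key must not be world-readable whatever the caller's umask is.
  (umask 077 && openssl genrsa 4096 > "${dir}/key.pem")
  # `openssl req -subj "/CN=..."` does not work on this FreeBSD build, so the
  # CN is patched into a copy of the system openssl.cnf instead. $domain is
  # restricted to [A-Za-z0-9.-], so it is safe inside the sed replacement.
  grep -q 'COMMONNAME_REPLACE' /etc/ssl/openssl.cnf \
    || die "/etc/ssl/openssl.cnf lacks the COMMONNAME_REPLACE marker"
  openssl req -new -sha256 -key "${dir}/key.pem" -nodes \
    -config <(sed "s/COMMONNAME_REPLACE/$domain/" /etc/ssl/openssl.cnf) \
    > "${dir}/domain.csr"
}

#######################################
# Render the vhost template into NGINX_ROOT/sites/<domain>.conf.
# Placeholders are replaced with bash parameter expansion instead of an
# eval'd sed command, so the operator-supplied values are never interpreted.
# Arguments: $1 - domain, $2 - proxy target URL, $3 - 1 to force https
#######################################
write_vhost() {
  local domain=$1 target=$2 force_https=$3
  local conf
  conf=$(<"${NGINX_ROOT}/${BASE_CONF_NAME}")
  # Quoting the replacement keeps "&" literal (bash patsub_replacement).
  conf=${conf//DOMAIN/"$domain"}
  conf=${conf//TARGET/"$target"}
  if [[ "$force_https" == 1 ]]; then
    conf=${conf//'#return 301'/'return 301'}
  fi
  printf '%s\n' "$conf" > "${NGINX_ROOT}/sites/${domain}.conf"
}

#######################################
# Test the configuration before reloading; a plain `nginx -s reload` returns
# 0 even when the new config is rejected and the old one stays active.
#######################################
reload_nginx() {
  nginx -t || die "nginx configuration test failed"
  nginx -s reload
}

#######################################
# Sign domain.csr with acme-tiny and assemble cert.pem (leaf + intermediate).
# Globals:   ACME_TINY_DIR, CHALLENGE_DIR, INTERMEDIATE_URL
# Arguments: $1 - certificate directory holding domain.csr
#######################################
sign_cert() {
  local dir=$1
  local account_key="${ACME_TINY_DIR}/account.key"
  # acme-tiny writes challenge tokens here; nginx must already serve it.
  mkdir -p -- "$CHALLENGE_DIR"
  if [[ ! -f "$account_key" ]]; then
    (umask 077 && openssl genrsa 4096 > "$account_key")
  fi
  python "${ACME_TINY_DIR}/acme_tiny.py" \
    --account-key "$account_key" \
    --csr "${dir}/domain.csr" \
    --acme-dir "$CHALLENGE_DIR" > "${dir}/my_cert.pem" \
    || die "Failed to sign cert"
  wget -q -O "${dir}/intermediate.pem" "$INTERMEDIATE_URL" \
    || die "Failed to download intermediate certificate"
  # Guard against an HTML error page being concatenated into the chain.
  openssl x509 -noout -in "${dir}/intermediate.pem" >/dev/null 2>&1 \
    || die "downloaded intermediate is not a PEM certificate"
  cat -- "${dir}/my_cert.pem" "${dir}/intermediate.pem" > "${dir}/cert.pem"
}

#######################################
# Append a renewal stanza for the domain to RENEW_SCRIPT_PATH.
# The stanza writes the new leaf to a temp name first so a failed signing
# does not truncate my_cert.pem and break cert.pem on the next run.
# Arguments: $1 - domain
#######################################
append_renew_stanza() {
  local domain=$1
  local cert_path="${NGINX_ROOT}/${CERT_DIR}/${domain}"
  if [[ ! -e "$RENEW_SCRIPT_PATH" ]]; then
    printf '#!/usr/bin/env bash\n' > "$RENEW_SCRIPT_PATH"
    chmod 755 "$RENEW_SCRIPT_PATH"
  fi
  cat >> "$RENEW_SCRIPT_PATH" <<EOF
#### Renew $domain ####
cd "$cert_path" \\
  && python "${ACME_TINY_DIR}/acme_tiny.py" --account-key "${ACME_TINY_DIR}/account.key" --csr ./domain.csr --acme-dir "$CHALLENGE_DIR" > my_cert.pem.new \\
  && mv my_cert.pem.new my_cert.pem \\
  && cat my_cert.pem intermediate.pem > cert.pem \\
  && nginx -s reload

EOF
}

main() {
  local domain target reply force_https=1
  printf '%s\n' "Warning: this script is for initial provisioning only"
  require_tools
  domain=$(ask_domain) || exit 1
  target=$(ask_proxy_target) || exit 1

  local cert_path="${NGINX_ROOT}/${CERT_DIR}/${domain}"
  local vhost="${NGINX_ROOT}/sites/${domain}.conf"
  [[ ! -e "$cert_path" ]] || die "Domain directory already exists"
  mkdir -- "$cert_path"
  make_key_and_csr "$domain" "$cert_path"

  read -r -n 1 -p "Do you want to force https? [Y/n] " reply
  printf '\n'
  if [[ "$reply" =~ ^[Nn]$ ]]; then
    force_https=0
  fi
  write_vhost "$domain" "$target" "$force_https"
  # First reload publishes the port-80 challenge location.
  reload_nginx

  sign_cert "$cert_path"
  # Enable the https server block: strip one leading "#" from every line of
  # the rendered vhost (the template contract, see header comment).
  sed_inplace 's/^#//' "$vhost"
  reload_nginx

  append_renew_stanza "$domain"
}

main "$@"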
## proxy_template.conf: per-vhost template rendered by the provisioning script.
## DOMAIN and TARGET are replaced with the operator-supplied domain and proxy
## destination. The https server below stays commented out until a certificate
## exists; the script then strips ONE leading "#" from every line of the
## rendered file, which is why notes in this template are written with "##".
#server{
# listen 443;
## "ssl on;" is the legacy form; current nginx expects "listen 443 ssl;".
# ssl on;
# server_name DOMAIN;
#
## Relative to the nginx prefix, i.e. NGINX_ROOT/keys/DOMAIN/ as created by the script.
# ssl_certificate keys/DOMAIN/cert.pem;
# ssl_certificate_key keys/DOMAIN/key.pem;
#
# ssl_prefer_server_ciphers On;
## TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is the safer floor today.
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## The 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) only serve legacy clients.
# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
# keepalive_timeout 60;
# ssl_session_cache shared:SSL:10m;
# ssl_session_timeout 10m;
#
# location / {
## Overwrites (does not append to) X-Forwarded-For with the direct client address.
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_pass TARGET;
# }
#}
## Plain-http server: serves the ACME http-01 challenge and proxies everything else.
server{
listen 80;
server_name DOMAIN;
## Tokens are written to /var/letsenc-challenge/.well-known/acme-challenge/
## (the script's CHALLENGE_DIR), so root must stay the directory above .well-known.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/letsenc-challenge/;
}
location / {
## The script turns "#return 301" into "return 301" when the operator opts to
## force https, so the directive must keep exactly this form.
## NOTE(review): if the next line really sits at column 0 in the file, the
## script's uncomment step turns it into a bare "uncomment ..." directive and
## nginx -t will reject the vhost; keep it indented or write it as "##".
#uncomment for force tls
#return 301 https://$server_name$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass TARGET;
}
}