ssl improvements
- SSL for WP Multisite subdomain subsites removed; a wildcard certificate is enough. - ssl-root-path fixed. - Some minor code improvements.
This commit is contained in:
parent
cec4995891
commit
eb28ac2828
@ -1,6 +1,8 @@
#!/bin/bash
#!/bin/bash
# Let's Encrypt manual mode (for Reverse Proxy sites)
# Let's Encrypt manual mode (for Reverse Proxy sites)
sudo mkdir -p $value/.well-known/acme-challenge
source /opt/webinoly/lib/general
sudo touch $value/.well-known/acme-challenge/$CERTBOT_TOKEN
sslpath=$(conf_read temp-path)
sudo echo $CERTBOT_VALIDATION > $value/.well-known/acme-challenge/$CERTBOT_TOKEN
sudo mkdir -p $sslpath/.well-known/acme-challenge
sudo touch $sslpath/.well-known/acme-challenge/$CERTBOT_TOKEN
sudo echo $CERTBOT_VALIDATION > $sslpath/.well-known/acme-challenge/$CERTBOT_TOKEN
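Review bot: `sslpath=$(conf_read temp-path)` on the new side is used unchecked: if the key is absent or empty (for example because the cleanup hook or `conf_delete temp-path` in site-ssl already ran, or the hook is invoked outside that flow), the next line runs `sudo mkdir -p /.well-known/acme-challenge` at the filesystem root and writes the validation there. Add a guard before the mkdir, `[[ -n $sslpath && -d $sslpath ]] || { echo "[ERROR] temp-path not set or not a directory" >&2; exit 1; }`, and quote the expansions (`"$sslpath/.well-known/acme-challenge/$CERTBOT_TOKEN"`) so a web root containing spaces survives. Also note that `sudo echo ... > file` only elevates `echo`; the redirection is opened by the calling shell, so if this hook is ever run by a non-root certbot the write fails on a root-owned directory — `printf '%s\n' "$CERTBOT_VALIDATION" | sudo tee "$sslpath/.well-known/acme-challenge/$CERTBOT_TOKEN" >/dev/null` is the form that works in both cases (this appears to be the auth hook that site-ssl invokes under `sudo certbot`, where it is moot).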
@ -1,4 +1,6 @@
#!/bin/bash
#!/bin/bash
# Let's Encrypt manual mode (for Reverse Proxy sites)
# Let's Encrypt manual mode (for Reverse Proxy sites)
rm -rf $value/.well-known
source /opt/webinoly/lib/general
sslpath=$(conf_read temp-path)
sudo rm -rf $sslpath/.well-known
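Review bot: `sudo rm -rf $sslpath/.well-known` deletes the entire `.well-known` tree of the operator-supplied web root, not just the challenge file the auth hook created, so anything else served from there (security.txt, assetlinks.json, MTA-STS, app-site-association files) disappears after every certificate request; and if `conf_read temp-path` returns empty the target silently becomes `/.well-known`. Remove only what was written, with the path asserted non-empty: `[[ -n $sslpath ]] || exit 1`, `sudo rm -f -- "$sslpath/.well-known/acme-challenge/$CERTBOT_TOKEN"`, `sudo rmdir "$sslpath/.well-known/acme-challenge" "$sslpath/.well-known" 2>/dev/null || true`. The `rmdir` only succeeds when the directories are otherwise empty, which is the case this hook should clean up.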
@ -3,7 +3,7 @@ source /opt/webinoly/lib/general
app_version() {
app_version() {
local app_ver="1.6.0-beta"
local app_ver="1.6.0"
echo $app_ver
echo $app_ver
}
}
svr_version() {
svr_version() {
43
lib/site-ssl
43
lib/site-ssl
@ -7,7 +7,9 @@ source /opt/webinoly/lib/general
site_ssl_on() {
site_ssl_on() {
local cermail=$(conf_read mail)
local cermail=$(conf_read mail)
local root="$domain"
local root=$domain
# Some validations to prevent errors when creating certs.
if [[ $cache == "-root" && -n $value && -a /etc/nginx/sites-available/$value ]]; then
if [[ $cache == "-root" && -n $value && -a /etc/nginx/sites-available/$value ]]; then
root="$value"
root="$value"
elif [[ $cache == "-root" && -n $value && ! -a /etc/nginx/sites-available/$value ]]; then
elif [[ $cache == "-root" && -n $value && ! -a /etc/nginx/sites-available/$value ]]; then
@ -19,8 +21,12 @@ site_ssl_on() {
fi
fi
if [[ ! -d /var/www/$root/htdocs && $cache != "-root-path" ]]; then
if [[ ! -d /var/www/$root/htdocs && $cache != "-root-path" ]]; then
echo "${red}Seems like you are trying to request an SSL Certificate for a Parked/Mapped Domain.!${end}"
echo "${red}Seems like you are trying to request an SSL Certificate for a Parked/Mapped Domain.${end}"
echo "${red}Please, use the '-root=domain.com' parameter to include the main domain path.${end}"
echo "${red}Please, use the '-root=domain.com' parameter to specify the main domain.${end}"
exit 1
fi
if [[ $cache == "-root-path" && ! -d $value ]]; then
echo "${red}[ERROR] Invalid root path!${end}"
exit 1
exit 1
fi
fi
@ -48,38 +54,37 @@ site_ssl_on() {
read -p "Please, enter an email to register your new certificate: ${end}" cermail
read -p "Please, enter an email to register your new certificate: ${end}" cermail
if [[ "$cermail" =~ ^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$ ]]; then
if [[ "$cermail" =~ ^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$ ]]; then
conf_write mail $cermail
conf_write mail $cermail
echo "${gre} Email address has been successfuly validated and saved! ${end}"
echo "${gre}Email address has been successfuly validated and saved! ${end}"
else
else
cermail=""
cermail=""
echo "${red} Please enter a valid email address!"
echo "${red}Please enter a valid email address!"
fi
fi
echo "${end}"
echo "${end}"
done
done
# Create new certificate
# Create new certificate
[[ $(conf_read debug) == "true" ]] && param="--test-cert" || param=""
local param="--email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple"
[[ $subdomflag == 1 ]] && domset="-d $domain" || domset="-d $domain -d www.$domain"
[[ $(conf_read debug) == "true" ]] && param="$param --test-cert"
[[ $subdomflag == 1 ]] && local domset="-d $domain" || local domset="-d $domain -d www.$domain"
# Wildcard
# Wildcard
if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-wildcard" ]]; then
if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-wildcard" ]]; then
sudo certbot certonly --manual --preferred-challenges=dns --no-eff-email --manual-public-ip-logging-ok --agree-tos --staple-ocsp --must-staple --email $cermail -d $domain -d *.$domain $param
sudo certbot certonly --manual --preferred-challenges=dns --manual-public-ip-logging-ok -d $domain -d *.$domain $param
# Manual mode for Reverse Proxy sites
# Manual mode for Reverse Proxy sites
elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-root-path" ]]; then
elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-root-path" ]]; then
if [[ ! -d $value ]]; then
conf_write temp-path $value
echo "${red}[ERROR] Invalid root path!${end}"
sudo certbot certonly --manual --preferred-challenges=http --manual-auth-hook /opt/webinoly/lib/ex-ssl-authentication --manual-cleanup-hook /opt/webinoly/lib/ex-ssl-cleanup --manual-public-ip-logging-ok $domset $param
exit 1
conf_delete temp-path
fi
sudo certbot certonly --manual --preferred-challenges=http --manual-auth-hook /opt/webinoly/lib/ex-ssl-authentication --manual-cleanup-hook /opt/webinoly/lib/ex-ssl-cleanup $domset --no-eff-email --manual-public-ip-logging-ok --agree-tos --staple-ocsp --must-staple --email $cermail $param
# Single cert
# Single cert
elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
sudo certbot certonly --webroot -w /var/www/$root/htdocs/ $domset --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
sudo certbot certonly --webroot -w /var/www/$root/htdocs/ $domset $param
fi
fi
# SSL Nginx Conf
# SSL Nginx Conf
if [[ -a /etc/letsencrypt/live/$root/fullchain.pem ]]; then
if [[ -a /etc/letsencrypt/live/$domain/fullchain.pem ]]; then
sudo sed -i '/listen 80/c \ listen 443 ssl http2;' /etc/nginx/sites-available/$domain
sudo sed -i '/listen 80/c \ listen 443 ssl http2;' /etc/nginx/sites-available/$domain
sudo sed -i '/listen \[::\]:80/c \ listen [::]:443 ssl http2;' /etc/nginx/sites-available/$domain
sudo sed -i '/listen \[::\]:80/c \ listen [::]:443 ssl http2;' /etc/nginx/sites-available/$domain
sudo sed -i '/headers-http.conf/a \ include common/headers-https.conf;' /etc/nginx/sites-available/$domain
sudo sed -i '/headers-http.conf/a \ include common/headers-https.conf;' /etc/nginx/sites-available/$domain
@ -87,8 +92,8 @@ site_ssl_on() {
sudo sed -i "/WebinolySSLstart/,/WebinolySSLend/{s/domain.com/$domain/}" /etc/nginx/sites-available/$domain
sudo sed -i "/WebinolySSLstart/,/WebinolySSLend/{s/domain.com/$domain/}" /etc/nginx/sites-available/$domain
# HTTP to HTTPS Redirection
# HTTP to HTTPS Redirection
local sername="server_name $domain www.$domain;"
[[ $subdomflag == 1 ]] && local sername="server_name $domain;" || local sername="server_name $domain www.$domain;"
[[ $subdomflag == 1 ]] && sername="server_name $domain;"
[[ $cache == "-wildcard" ]] && sername="server_name $domain *.$domain;"
sudo sed -i '1r /opt/webinoly/templates/template-site-sslredirect' /etc/nginx/sites-available/$domain
sudo sed -i '1r /opt/webinoly/templates/template-site-sslredirect' /etc/nginx/sites-available/$domain
sudo sed -i "/#server_name;/c \ $sername" /etc/nginx/sites-available/$domain
sudo sed -i "/#server_name;/c \ $sername" /etc/nginx/sites-available/$domain
@ -106,7 +111,7 @@ site_ssl_on() {
echo "${gre}SSL have been successfully enabled for site $domain!${end}"
echo "${gre}SSL have been successfully enabled for site $domain!${end}"
else
else
echo "${red}"
echo "${red}"
echo " [ERROR] Certified not created!"
echo "[ERROR] Unable to create the new certificate!"
echo "${end}"
echo "${end}"
fi
fi
}
}
@ -131,7 +136,7 @@ site_ssl_off() {
echo "${end}"
echo "${end}"
fi
fi
if [[ $answer == [Yy] ]]; then
if [[ $answer == [Yy] ]]; then
[[ $(conf_read debug) == "true" ]] && param="--test-cert" || param=""
[[ $(conf_read debug) == "true" ]] && local param="--test-cert" || local param=""
sudo certbot revoke --cert-path /etc/letsencrypt/live/$domain/cert.pem --delete-after-revoke $param
sudo certbot revoke --cert-path /etc/letsencrypt/live/$domain/cert.pem --delete-after-revoke $param
echo "${gre}"
echo "${gre}"
echo "Certificate for your site $domain has been completely removed!"
echo "Certificate for your site $domain has been completely removed!"
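Review bot: In the `-root-path` branch (the hunk starting at `@ -48,38 +54,37 @@`), `conf_write temp-path $value` hands the operator-supplied web root to the root-run auth/cleanup hooks through the shared Webinoly config, but `$value` is unquoted, so a path containing spaces or glob characters is mangled before it reaches the hooks, and the only validation it has had is the earlier `! -d $value` check, which accepts a relative path that the hooks (running from certbot's working directory) would resolve elsewhere. Tighten the precondition where the check lives, `if [[ $cache == "-root-path" && ( $value != /* || ! -d $value ) ]]; then`, and write it quoted, `conf_write temp-path "$value"`. `conf_delete temp-path` does run after certbot returns regardless of its exit status, but a Ctrl-C during the interactive manual session leaves the key behind for the next hook invocation; a `trap 'conf_delete temp-path' INT TERM` before the certbot call and `trap - INT TERM` after it closes that gap. This hunk starts in the middle of `site_ssl_on()`, whose header and remaining body are in the neighbouring hunks.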
18
plugins/site
18
plugins/site
@ -311,24 +311,6 @@ elif [[ "$type" == "-delete" && -a /etc/nginx/sites-available/$domain ]]; then
elif [[ "$type" == "-ssl-on" && -a /etc/nginx/sites-available/$domain ]]; then
elif [[ "$type" == "-ssl-on" && -a /etc/nginx/sites-available/$domain ]]; then
isssl=$( grep -F "ssl on;" /etc/nginx/sites-available/$domain )
isssl=$( grep -F "ssl on;" /etc/nginx/sites-available/$domain )
[[ -z $isssl ]] && site_ssl_on || echo "${red}SSL is already enabled for site $domain!${end}"
[[ -z $isssl ]] && site_ssl_on || echo "${red}SSL is already enabled for site $domain!${end}"
# SSL for WP-subdom subsites
elif [[ "$type" == "-ssl-on" && ! -a /etc/nginx/sites-available/$domain && $subdomflag == 1 && $cache == "-root" && ! -d /var/www/$domain/htdocs && $tld == $value && -d /var/www/$tld/htdocs/wp-admin && -a /etc/nginx/sites-available/$value ]]; then
if [[ -a /var/www/$value/wp-config.php ]]; then
wpconfpath="/var/www/$value/wp-config.php"
elif [[ -a /var/www/$value/htdocs/wp-config.php ]]; then
wpconfpath="/var/www/$value/htdocs/wp-config.php"
else
echo "${red}[ERROR] wp-config.php file not found!${end}"
exit 1
fi
wpsubdom=$( grep -F "'SUBDOMAIN_INSTALL'" $wpconfpath | cut -f 2 -d "," )
if [[ $wpsubdom == *"true"* ]]; then
echo "${blu}* SSL for WP Multisite with subdomain configuration.${end}"
site_ssl_on
else
echo "${red}[ERROR] $value is not a WP Multisite with subdomain configuration.${end}"
fi
# SSL disabled (Letsencrypt)
# SSL disabled (Letsencrypt)