updated to allow renaming and upload new cert.

62ffe5c6 · Xueshan Feng · 398aa062 · 62ffe5c6 · 62ffe5c6
Commit 62ffe5c6 authored Sep 04, 2016 by Xueshan Feng
Hide whitespace changes
Inline Side-by-side

Showing with 100 additions and 24 deletions

README.md README.md +8 -1

upload_cert_to_aws.sh upload_cert_to_aws.sh +92 -23

No files found.
--- a/README.md
+++ b/README.md
-Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:
+## Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:

 ```
 $ git clone git@code.stanford.edu:devops-tools/star-cert-request.git
@@ -22,5 +22,12 @@ Normally you can use [cert request form](https://tools.stanford.edu/cgi-bin/cert
 your request, however, if the subdomain is delegated to a cloud vendor, you will need to send the csr to 
 **its-ssl-service@lists.stanford.edu** because the form cannot verify the ownership of a domain from NetDB.

+## Upload cert to AWS IAM service

+```
+./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu
+```
+
+If the SSL certificate already exists, the script will rename it and upload the new server server with the same server name.
+If you use the cert in ELB, the ELB still uses the old certificate until you update the ELB cert to points to the new SSL cert.

--- a/upload_cert_to_aws.sh
+++ b/upload_cert_to_aws.sh
@@ -3,39 +3,108 @@
 # Usage: ./upload_cert_to_aws.sh foo.stanford.edu awsprofile
 #
 # To get arn: aws --profile awsprofile iam get-server-certificate --server-certificate-name=<fqdn>
+#
+# Author: Xueshan Feng <sfeng@stanford.edu>
+# 

-domain='stanford.edu'
-server=$1
-awsprofile=$2
-if [ "X$server" = "X" ];
-then
-  echo "SSL cert CN name is required. e.g. ./upload-cert-to-aws.sh foo.stanford.edu"
-  exit 1
-fi
-if [ "X$awsprofile" = "X" ];
+function init(){
+    domain=${domain:-'stanford.edu'}
+    server="${server%%.*}"
+    echo "=== $server"
+    domaincert=${body:-'stanford_edu_cert.cer'}
+    intermcert=${chain:='stanford_edu_interm.cer'}
+    server_name=$server.$domain
+    dryrun=0
+}
+
+function upload_cert(){
+  if aws --profile $profile iam get-server-certificate --server-certificate-name $server_name >/dev/null 2>&1 ;
+  then
+    expirationdate=$(aws --profile $profile iam get-server-certificate --server-certificate-name $server.stanford.edu | \
+        jq -r '.ServerCertificate.ServerCertificateMetadata.Expiration' | sed 's/T.*//' )
+    echo "Renaming old server $server_name to $server_name.$expirationdate"
+    answer='N'
+    echo -n "Do you want to continue? [Y/N]"
+    read answer
+    echo ""
+    [ "X$answer" != "XY" ] && echo "Do nothing. Quit." &&  exit 0
+    aws --profile $profile iam update-server-certificate --server-certificate-name $server_name \
+	--new-server-certificate-name $server_name.$expirationdate
+  fi
+  aws --profile $profile iam upload-server-certificate --server-certificate-name $server_name \
+    --certificate-body file://${server}_${domaincert} \
+    --private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
+}
+
+help(){
+  echo "upload_cert_to_aws.sh -p <profile> -s <server> [-d <domain>] -c <chain file> -b <body> [-n] [-y]"
+  echo ""
+  echo " -p <aws profile>: authenticate as this profile."
+  echo " -s <server>: server name. e.g. foo.stanford.edu"
+  echo " -d <domain>: default to stanford.edu."
+  echo " -b <cert file>: default to <server>_stanford_edu_cert.cer"
+  echo " -c <chain file>: default to <server>_stanford_edu_interm.cer"
+  echo " -y     : non-interative mode. Answer to yes to all default values."
+  echo " -n     : dryrun. print out the commands"
+  echo " -h     : Help"
+}
+
+# Main
+
+while getopts "b:c:d:p:s:hny" OPTION
+do
+  case $OPTION in
+    b)
+      body=$OPTARG
+      ;;
+    c)
+      chain=$OPTARG
+      ;;
+    d)
+      domain=$OPTARG
+      ;;
+    p)
+      profile=$OPTARG
+      ;;
+    s)
+      server=$OPTARG
+      ;;
+    n)
+      dryrun=1
+      ;;
+    y)
+      interactive=0
+      ;;
+    [h?])
+      help
+      exit
+      ;;
+  esac
+done
+
+if [[ -z $profile || -z $server ]]; 
 then
-  echo "AWS profile for authentication is required."
+  help
  exit 1
+else
+  init
 fi
-aws --profile $awsprofile support help 2>/dev/null 1>&2
-if [ $? = "255" ];
-then
-  echo "Account $awsprofile doesn't exit."
+
+echo "Getting AWS account number ..."
+accountId=$(aws --profile $profile iam get-user | jq '.User.Arn' | grep -Eo '[[:digit:]]{12}')
+if [ -z "$accountId" ]; then
+  echo "Cannot find AWS account number."
  exit 1
 fi

-server="${server%%.*}"
-domaincert="stanford_edu_cert.cer"
-intermcert="stanford_edu_interm.cer"
-server_name="$server.$domain"
-
 if [[ -f ${server}_${domaincert} ]] && [[ -f ${server}_$intermcert ]] && [[ -f $server_name.key ]];
 then
-  aws --profile $awsprofile iam upload-server-certificate --server-certificate-name $server_name \
-    --certificate-body file://${server}_${domaincert} \
-    --private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
+  upload_cert
 else
-  echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server_name.key" 
+  echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server.key" 
  exit 1
 fi
+
+[ $dryrun -eq 1 ] && echo "Dryrun mode. Nothing is changed."
+
 exit 0