Commit 62ffe5c6 authored by Xueshan Feng's avatar Xueshan Feng

updated to allow renaming the existing cert and uploading a new cert.

parent 398aa062
Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:
## Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:
```
$ git clone git@code.stanford.edu:devops-tools/star-cert-request.git
......@@ -22,5 +22,12 @@ Normally you can use [cert request form](https://tools.stanford.edu/cgi-bin/cert
your request, however, if the subdomain is delegated to a cloud vendor, you will need to send the csr to
**its-ssl-service@lists.stanford.edu** because the form cannot verify the ownership of a domain from NetDB.
## Upload cert to AWS IAM service
```
./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu
```
If the SSL certificate already exists, the script will rename it and upload the new server server with the same server name.
If you use the cert in ELB, the ELB still uses the old certificate until you update the ELB cert to points to the new SSL cert.
......@@ -3,39 +3,108 @@
# Usage: ./upload_cert_to_aws.sh foo.stanford.edu awsprofile
#
# To get arn: aws --profile awsprofile iam get-server-certificate --server-certificate-name=<fqdn>
#
# Author: Xueshan Feng <sfeng@stanford.edu>
#
domain='stanford.edu'
server=$1
awsprofile=$2
if [ "X$server" = "X" ];
then
echo "SSL cert CN name is required. e.g. ./upload-cert-to-aws.sh foo.stanford.edu"
exit 1
fi
if [ "X$awsprofile" = "X" ];
function init(){
domain=${domain:-'stanford.edu'}
server="${server%%.*}"
echo "=== $server"
domaincert=${body:-'stanford_edu_cert.cer'}
intermcert=${chain:='stanford_edu_interm.cer'}
server_name=$server.$domain
dryrun=0
}
function upload_cert(){
if aws --profile $profile iam get-server-certificate --server-certificate-name $server_name >/dev/null 2>&1 ;
then
expirationdate=$(aws --profile $profile iam get-server-certificate --server-certificate-name $server.stanford.edu | \
jq -r '.ServerCertificate.ServerCertificateMetadata.Expiration' | sed 's/T.*//' )
echo "Renaming old server $server_name to $server_name.$expirationdate"
answer='N'
echo -n "Do you want to continue? [Y/N]"
read answer
echo ""
[ "X$answer" != "XY" ] && echo "Do nothing. Quit." && exit 0
aws --profile $profile iam update-server-certificate --server-certificate-name $server_name \
--new-server-certificate-name $server_name.$expirationdate
fi
aws --profile $profile iam upload-server-certificate --server-certificate-name $server_name \
--certificate-body file://${server}_${domaincert} \
--private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
}
help(){
echo "upload_cert_to_aws.sh -p <profile> -s <server> [-d <domain>] -c <chain file> -b <body> [-n] [-y]"
echo ""
echo " -p <aws profile>: authenticate as this profile."
echo " -s <server>: server name. e.g. foo.stanford.edu"
echo " -d <domain>: default to stanford.edu."
echo " -b <cert file>: default to <server>_stanford_edu_cert.cer"
echo " -c <chain file>: default to <server>_stanford_edu_interm.cer"
echo " -y : non-interative mode. Answer to yes to all default values."
echo " -n : dryrun. print out the commands"
echo " -h : Help"
}
# Main
while getopts "b:c:d:p:s:hny" OPTION
do
case $OPTION in
b)
body=$OPTARG
;;
c)
chain=$OPTARG
;;
d)
domain=$OPTARG
;;
p)
profile=$OPTARG
;;
s)
server=$OPTARG
;;
n)
dryrun=1
;;
y)
interactive=0
;;
[h?])
help
exit
;;
esac
done
if [[ -z $profile || -z $server ]];
then
echo "AWS profile for authentication is required."
help
exit 1
else
init
fi
aws --profile $awsprofile support help 2>/dev/null 1>&2
if [ $? = "255" ];
then
echo "Account $awsprofile doesn't exit."
echo "Getting AWS account number ..."
accountId=$(aws --profile $profile iam get-user | jq '.User.Arn' | grep -Eo '[[:digit:]]{12}')
if [ -z "$accountId" ]; then
echo "Cannot find AWS account number."
exit 1
fi
server="${server%%.*}"
domaincert="stanford_edu_cert.cer"
intermcert="stanford_edu_interm.cer"
server_name="$server.$domain"
if [[ -f ${server}_${domaincert} ]] && [[ -f ${server}_$intermcert ]] && [[ -f $server_name.key ]];
then
aws --profile $awsprofile iam upload-server-certificate --server-certificate-name $server_name \
--certificate-body file://${server}_${domaincert} \
--private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
upload_cert
else
echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server_name.key"
echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server.key"
exit 1
fi
[ $dryrun -eq 1 ] && echo "Dryrun mode. Nothing is changed."
exit 0