Commit 62ffe5c6 authored by Xueshan Feng's avatar Xueshan Feng

Updated to rename an existing certificate and upload the new one under the same server name.

parent 398aa062
Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu: ## Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:
``` ```
$ git clone git@code.stanford.edu:devops-tools/star-cert-request.git $ git clone git@code.stanford.edu:devops-tools/star-cert-request.git
...@@ -22,5 +22,12 @@ Normally you can use [cert request form](https://tools.stanford.edu/cgi-bin/cert ...@@ -22,5 +22,12 @@ Normally you can use [cert request form](https://tools.stanford.edu/cgi-bin/cert
your request, however, if the subdomain is delegated to a cloud vendor, you will need to send the csr to your request, however, if the subdomain is delegated to a cloud vendor, you will need to send the csr to
**its-ssl-service@lists.stanford.edu** because the form cannot verify the ownership of a domain from NetDB. **its-ssl-service@lists.stanford.edu** because the form cannot verify the ownership of a domain from NetDB.
## Upload cert to AWS IAM service
```
./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu
```
If the SSL certificate already exists, the script will rename it and upload the new server server with the same server name.
If you use the cert in ELB, the ELB still uses the old certificate until you update the ELB cert to points to the new SSL cert.
...@@ -3,39 +3,108 @@ ...@@ -3,39 +3,108 @@
# Usage: ./upload_cert_to_aws.sh foo.stanford.edu awsprofile # Usage: ./upload_cert_to_aws.sh foo.stanford.edu awsprofile
# #
# To get arn: aws --profile awsprofile iam get-server-certificate --server-certificate-name=<fqdn> # To get arn: aws --profile awsprofile iam get-server-certificate --server-certificate-name=<fqdn>
#
# Author: Xueshan Feng <sfeng@stanford.edu>
#
domain='stanford.edu' function init(){
server=$1 domain=${domain:-'stanford.edu'}
awsprofile=$2 server="${server%%.*}"
if [ "X$server" = "X" ]; echo "=== $server"
then domaincert=${body:-'stanford_edu_cert.cer'}
echo "SSL cert CN name is required. e.g. ./upload-cert-to-aws.sh foo.stanford.edu" intermcert=${chain:='stanford_edu_interm.cer'}
exit 1 server_name=$server.$domain
fi dryrun=0
if [ "X$awsprofile" = "X" ]; }
function upload_cert(){
if aws --profile $profile iam get-server-certificate --server-certificate-name $server_name >/dev/null 2>&1 ;
then
expirationdate=$(aws --profile $profile iam get-server-certificate --server-certificate-name $server.stanford.edu | \
jq -r '.ServerCertificate.ServerCertificateMetadata.Expiration' | sed 's/T.*//' )
echo "Renaming old server $server_name to $server_name.$expirationdate"
answer='N'
echo -n "Do you want to continue? [Y/N]"
read answer
echo ""
[ "X$answer" != "XY" ] && echo "Do nothing. Quit." && exit 0
aws --profile $profile iam update-server-certificate --server-certificate-name $server_name \
--new-server-certificate-name $server_name.$expirationdate
fi
aws --profile $profile iam upload-server-certificate --server-certificate-name $server_name \
--certificate-body file://${server}_${domaincert} \
--private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
}
help(){
echo "upload_cert_to_aws.sh -p <profile> -s <server> [-d <domain>] -c <chain file> -b <body> [-n] [-y]"
echo ""
echo " -p <aws profile>: authenticate as this profile."
echo " -s <server>: server name. e.g. foo.stanford.edu"
echo " -d <domain>: default to stanford.edu."
echo " -b <cert file>: default to <server>_stanford_edu_cert.cer"
echo " -c <chain file>: default to <server>_stanford_edu_interm.cer"
echo " -y : non-interative mode. Answer to yes to all default values."
echo " -n : dryrun. print out the commands"
echo " -h : Help"
}
# Main
while getopts "b:c:d:p:s:hny" OPTION
do
case $OPTION in
b)
body=$OPTARG
;;
c)
chain=$OPTARG
;;
d)
domain=$OPTARG
;;
p)
profile=$OPTARG
;;
s)
server=$OPTARG
;;
n)
dryrun=1
;;
y)
interactive=0
;;
[h?])
help
exit
;;
esac
done
if [[ -z $profile || -z $server ]];
then then
echo "AWS profile for authentication is required." help
exit 1 exit 1
else
init
fi fi
aws --profile $awsprofile support help 2>/dev/null 1>&2
if [ $? = "255" ]; echo "Getting AWS account number ..."
then accountId=$(aws --profile $profile iam get-user | jq '.User.Arn' | grep -Eo '[[:digit:]]{12}')
echo "Account $awsprofile doesn't exit." if [ -z "$accountId" ]; then
echo "Cannot find AWS account number."
exit 1 exit 1
fi fi
server="${server%%.*}"
domaincert="stanford_edu_cert.cer"
intermcert="stanford_edu_interm.cer"
server_name="$server.$domain"
if [[ -f ${server}_${domaincert} ]] && [[ -f ${server}_$intermcert ]] && [[ -f $server_name.key ]]; if [[ -f ${server}_${domaincert} ]] && [[ -f ${server}_$intermcert ]] && [[ -f $server_name.key ]];
then then
aws --profile $awsprofile iam upload-server-certificate --server-certificate-name $server_name \ upload_cert
--certificate-body file://${server}_${domaincert} \
--private-key file://$server_name.key --certificate-chain file://${server}_$intermcert
else else
echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server_name.key" echo "one of the files are missing: ${server}_${domaincert}, ${server}_$intermcert, or $server.key"
exit 1 exit 1
fi fi
[ $dryrun -eq 1 ] && echo "Dryrun mode. Nothing is changed."
exit 0 exit 0
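Review bot: The new `-n` flag never prevents changes: `init()` at the top of the hunk sets `dryrun=0` and is only called after the getopts loop has already set `dryrun=1`, and `upload_cert` runs `update-server-certificate` (renaming the live cert) and `upload-server-certificate` (shipping the private key) unconditionally, so the closing "Dryrun mode. Nothing is changed." message cannot be accurate and, as written, never prints. `-y` has the same problem: `interactive` is assigned but never read, so the rename prompt still blocks on `read answer`. Separately, the expiration lookup inside `upload_cert` queries `$server.stanford.edu` instead of `$server_name`, so with `-d` pointing at another domain `expirationdate` would come back empty and the old certificate would be renamed to `$server_name.` with a trailing dot. I would set the `dryrun`/`interactive` defaults before the getopts loop rather than in `init`, route both IAM mutations through a small `run` helper that honours `-n`, guard on an empty expiration date, and use `$server_name` in the lookup, as sketched below.
```shell
# Print the command when -n was given; otherwise execute it.
run() {
  if [[ "$dryrun" -eq 1 ]]; then
    printf '%q ' "$@"; printf '\n'
  else
    "$@"
  fi
}

function upload_cert(){
  if aws --profile "$profile" iam get-server-certificate --server-certificate-name "$server_name" >/dev/null 2>&1 ;
  then
    expirationdate=$(aws --profile "$profile" iam get-server-certificate --server-certificate-name "$server_name" | \
        jq -r '.ServerCertificate.ServerCertificateMetadata.Expiration' | sed 's/T.*//' )
    if [[ -z "$expirationdate" ]]; then
      echo "Cannot read expiration date of existing cert $server_name; refusing to rename it." >&2
      exit 1
    fi
    echo "Renaming old server $server_name to $server_name.$expirationdate"
    if [[ "$interactive" -eq 1 ]]; then
      answer='N'
      echo -n "Do you want to continue? [Y/N]"
      read -r answer
      echo ""
      [ "X$answer" != "XY" ] && echo "Do nothing. Quit." && exit 0
    fi
    run aws --profile "$profile" iam update-server-certificate --server-certificate-name "$server_name" \
        --new-server-certificate-name "$server_name.$expirationdate"
  fi
  run aws --profile "$profile" iam upload-server-certificate --server-certificate-name "$server_name" \
    --certificate-body "file://${server}_${domaincert}" \
    --private-key "file://$server_name.key" --certificate-chain "file://${server}_$intermcert"
}

# Main
dryrun=0
interactive=1
# … unchanged: getopts loop (sets dryrun=1 / interactive=0), profile/server check, init without its dryrun=0, account lookup, file checks …
```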