Initial commit
116
UpdateCRL.sh
Executable file
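--- a/UpdateCRL.sh
+++ b/UpdateCRL.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+##############################################################
+#
+# This script updates all CRL files of the PKI used by the
+# URZ. These are:
+#
+# UniHGW (own CA)
+# Sectigo
+# DFN
+#
+##############################################################
+
+set -ou pipefail
+
+###########################################################
+# Global systemd/journald Functions
+###########################################################
+
+function INFO {
+echo "$1"
+echo "$1" | systemd-cat -p info -t "$(basename "$0" .sh)"
+}
+
+function WARNING {
+echo "WARNING: $1" >&2
+echo "$1" | systemd-cat -p warning -t "$(basename "$0" .sh)"
+}
+
+function ERROR {
+echo "ERROR: $1" >&2
+echo "$1" | systemd-cat -p err -t "$(basename "$0" .sh)"
+}
+
+###########################################################
+
+PATHCRL=/etc/CertsAndKeys
+CRL=(DFN-CRL.pem UniHGW-CRL.pem GEANT-RSA-CRL.pem GEANT-ECC-CRL.pem)
+PATHSSL=/etc/ssl/certs
+LASTRUN=/var/lib/runtime/$(basename "$0" .sh).lastrun
+ERR=0
+
+# Create directory if not exists
+if [[ ! -d $PATHCRL ]]; then
+if ! mkdir -p $PATHCRL; then
+ERROR "Could not create $PATHCRL!"
+exit 2
+fi
+fi
+
+for CRL in "${CRL[@]}"
+do
+URLCRL=https://cacher.rz.uni-greifswald.de/$CRL
+
+# Download CRL
+if ! /usr/bin/timeout 5s wget -q -O /tmp/"$CRL" "$URLCRL"; then
+ERROR "Could not download $CRL!"
+ERR=1
+continue
+fi
+
+# Verify CRL
+if ! /usr/bin/openssl crl -CApath "$PATHSSL" -in /tmp/"$CRL" -noout > /dev/null 2>&1; then
+ERROR "Could not verify $CRL against $PATHSSL!"
+ERR=1
+rm -f /tmp/"$CRL"
+continue
+fi
+
+# Check CRL validity
+CRLDATETIME=$(openssl crl -in /tmp/"$CRL" -nextupdate -noout | sed 's/nextUpdate=//g')
+VALIDUNTIL=$(date -d "$CRLDATETIME" +%s)
+
+if [[ "$VALIDUNTIL" -lt $(date +%s) ]]; then
+ERROR "$CRL is invalid!"
+ERR=1
+rm -f /tmp/"$CRL"
+continue
+fi
+
+# Move CRL to final destination path
+if ! mv -f /tmp/"$CRL" "$PATHCRL"/"$CRL"; then
+ERROR "Could not move CRL to $PATHCRL!"
+ERR=1
+rm -f /tmp/"$CRL"
+continue
+fi
+
+# Link CRL
+if [[ ! -L "$PATHSSL"/"$CRL" ]]; then
+if ! ln -s "$PATHCRL"/"$CRL" "$PATHSSL"/"$CRL"; then
+ERROR "Could not create CRL link to $PATHSSL!"
+ERR=1
+rm -f "$PATHCRL"/"$CRL" "$PATHSSL"/"$CRL"
+continue
+fi
+fi
+
+INFO "$CRL successfully updated"
+
+done
+
+# Rehash
+if /usr/bin/c_rehash > /dev/null 2>&1; then
+INFO "Rehash successful"
+else
+ERROR "Could not rehash $PATHSSL!"
+exit 2
+fi
+
+# Set runtime information
+if [[ "$ERR" -eq 0 ]]; then
+date +%s > "$LASTRUN"
+fi
+
+exit 0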
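Review bot: The download target `/tmp/"$CRL"` in the wget call is a fixed, predictable name in a world-writable directory, and the same path is then checked with openssl and moved into `$PATHCRL`, so a local user who pre-creates that name (as a file or symlink) can redirect the write or alter the content between the verify step and the mv. Create the temporary file with mktemp inside the destination directory instead, e.g. `TMPCRL=$(mktemp "$PATHCRL/.$CRL.XXXXXX") || { ERROR "mktemp failed for $CRL"; ERR=1; continue; }`, and use `"$TMPCRL"` in place of `/tmp/"$CRL"` in the wget, openssl, rm and mv lines; because mv then stays on one filesystem, the live CRL is also replaced atomically rather than being briefly absent or partially written. Separately, the `rm -f "$PATHCRL"/"$CRL" "$PATHSSL"/"$CRL"` in the link-failure branch deletes whatever non-symlink already sits at `$PATHSSL/$CRL` (the most likely reason `ln -s` failed) together with the freshly verified CRL, leaving no CRL installed at all; removing only the temporary file there would be safer. Reusing `CRL` as both the array name and the loop variable works only because the list is expanded once before the loop, but it clobbers the array afterwards and reads as a bug, so a distinct name such as `for crl in "${CRL[@]}"` is preferable.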