schleedej/admin-tools
0
0
Fork 0
forked from URZ/admin-tools
Code Pull Requests Activity
Files
3747fa1375d4305d4cdd27ab7035448c3e37a30b
admin-tools/UpdateCRL.sh

120 lines
3.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
##############################################################
#
# This script updates all CRL files of the PKI used by the
# URZ. These are:
#
# UniHGW (own CA)
# Harica
# Sectigo
#
##############################################################
set -ou pipefail
###########################################################
# Global systemd/journald Functions
###########################################################
function INFO {
echo "$1"
echo "$1" | systemd-cat -p info -t "$(basename "$0" .sh)"
}
function WARNING {
echo "WARNING: $1" >&2
echo "$1" | systemd-cat -p warning -t "$(basename "$0" .sh)"
}
function ERROR {
echo "ERROR: $1" >&2
echo "$1" | systemd-cat -p err -t "$(basename "$0" .sh)"
}
###########################################################
PATHCRL=/etc/ssl/crl
CRL=(UniHGW-CRL-2032 GEANT-RSA-CRL GEANT-ECC-CRL HARICA-RSA-CA-CRL HARICA-ECC-CA-CRL HARICA-RSA-CRL-2021 HARICA-ECC-CRL-2021 HARICA-RSA-CRL-2025 HARICA-ECC-CRL-2025)
if [[ $(lsb_release -c | awk '{ print $2 }') == "trixie" ]]; then
CRL=(UniHGW-CRL-2032 HARICA-RSA-CA-CRL HARICA-ECC-CA-CRL HARICA-RSA-CRL-2021 HARICA-ECC-CRL-2021 HARICA-RSA-CRL-2025 HARICA-ECC-CRL-2025)
fi
PATHSSL=/etc/ssl/certs
LASTRUN=/var/lib/runtime/$(basename "$0" .sh).lastrun
ERR=0
# Create directory if not exists
if [[ ! -d $PATHCRL ]]; then
if ! mkdir -p $PATHCRL; then
ERROR "Could not create $PATHCRL!"
exit 2
fi
fi
for CRL in "${CRL[@]}"
do
URLCRL=https://cacher.rz.uni-greifswald.de/$CRL.pem
# Download CRL
if ! /usr/bin/timeout 5s wget -q -O "/tmp/$CRL.pem" "$URLCRL"; then
ERROR "Could not download $CRL!"
ERR=1
continue
fi
# Verify CRL
if ! /usr/bin/openssl crl -CApath "$PATHSSL" -in "/tmp/$CRL.pem" -noout > /dev/null 2>&1; then
ERROR "Could not verify $CRL against $PATHSSL!"
ERR=1
rm -f "/tmp/$CRL.pem"
continue
fi
# Check CRL validity
CRLDATETIME=$(openssl crl -in "/tmp/$CRL.pem" -nextupdate -noout | sed 's/nextUpdate=//g')
VALIDUNTIL=$(date -d "$CRLDATETIME" +%s)
if [[ "$VALIDUNTIL" -lt $(date +%s) ]]; then
ERROR "$CRL is invalid!"
ERR=1
rm -f "/tmp/$CRL.pem"
continue
fi
# Move CRL to final destination path
if ! mv -f "/tmp/$CRL.pem" "$PATHCRL/$CRL.pem"; then
ERROR "Could not move CRL to $PATHCRL!"
ERR=1
rm -f "/tmp/$CRL.pem"
continue
fi
# Link CRL
if [[ ! -L "$PATHSSL"/"$CRL.pem" ]]; then
if ! ln -s "$PATHCRL"/"$CRL.pem" "$PATHSSL"/"$CRL.pem"; then
ERROR "Could not create CRL link to $PATHSSL!"
ERR=1
rm -f "$PATHCRL"/"$CRL.pem" "$PATHSSL"/"$CRL.pem"
continue
fi
fi
INFO "$CRL successfully updated"
done
# Rehash
if /usr/bin/c_rehash -n > /dev/null 2>&1; then
INFO "Rehash successful"
else
ERROR "Could not rehash $PATHSSL!"
exit 2
fi
# Set runtime information
if [[ "$ERR" -eq 0 ]]; then
date +%s > "$LASTRUN"
fi
exit 0
View Git Blame Copy Permalink