forked from URZ/admin-tools
117 lines
2.4 KiB
Bash
Executable File
117 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
##############################################################
|
|
#
|
|
# This script updates all CRL files of the PKI used by the
|
|
# URZ. These are:
|
|
#
|
|
# UniHGW (own CA)
|
|
# Sectigo
|
|
# DFN
|
|
#
|
|
##############################################################
|
|
|
|
set -ou pipefail
|
|
|
|
###########################################################
|
|
# Global systemd/journald Functions
|
|
###########################################################
|
|
|
|
function INFO {
|
|
echo "$1"
|
|
echo "$1" | systemd-cat -p info -t "$(basename "$0" .sh)"
|
|
}
|
|
|
|
function WARNING {
|
|
echo "WARNING: $1" >&2
|
|
echo "$1" | systemd-cat -p warning -t "$(basename "$0" .sh)"
|
|
}
|
|
|
|
function ERROR {
|
|
echo "ERROR: $1" >&2
|
|
echo "$1" | systemd-cat -p err -t "$(basename "$0" .sh)"
|
|
}
|
|
|
|
###########################################################
|
|
|
|
PATHCRL=/etc/CertsAndKeys
|
|
CRL=(DFN-CRL.pem UniHGW-CRL.pem GEANT-RSA-CRL.pem GEANT-ECC-CRL.pem)
|
|
PATHSSL=/etc/ssl/certs
|
|
LASTRUN=/var/lib/runtime/$(basename "$0" .sh).lastrun
|
|
ERR=0
|
|
|
|
# Create directory if not exists
|
|
if [[ ! -d $PATHCRL ]]; then
|
|
if ! mkdir -p $PATHCRL; then
|
|
ERROR "Could not create $PATHCRL!"
|
|
exit 2
|
|
fi
|
|
fi
|
|
|
|
for CRL in "${CRL[@]}"
|
|
do
|
|
URLCRL=https://cacher.rz.uni-greifswald.de/$CRL
|
|
|
|
# Download CRL
|
|
if ! /usr/bin/timeout 5s wget -q -O /tmp/"$CRL" "$URLCRL"; then
|
|
ERROR "Could not download $CRL!"
|
|
ERR=1
|
|
continue
|
|
fi
|
|
|
|
# Verify CRL
|
|
if ! /usr/bin/openssl crl -CApath "$PATHSSL" -in /tmp/"$CRL" -noout > /dev/null 2>&1; then
|
|
ERROR "Could not verify $CRL against $PATHSSL!"
|
|
ERR=1
|
|
rm -f /tmp/"$CRL"
|
|
continue
|
|
fi
|
|
|
|
# Check CRL validity
|
|
CRLDATETIME=$(openssl crl -in /tmp/"$CRL" -nextupdate -noout | sed 's/nextUpdate=//g')
|
|
VALIDUNTIL=$(date -d "$CRLDATETIME" +%s)
|
|
|
|
if [[ "$VALIDUNTIL" -lt $(date +%s) ]]; then
|
|
ERROR "$CRL is invalid!"
|
|
ERR=1
|
|
rm -f /tmp/"$CRL"
|
|
continue
|
|
fi
|
|
|
|
# Move CRL to final destination path
|
|
if ! mv -f /tmp/"$CRL" "$PATHCRL"/"$CRL"; then
|
|
ERROR "Could not move CRL to $PATHCRL!"
|
|
ERR=1
|
|
rm -f /tmp/"$CRL"
|
|
continue
|
|
fi
|
|
|
|
# Link CRL
|
|
if [[ ! -L "$PATHSSL"/"$CRL" ]]; then
|
|
if ! ln -s "$PATHCRL"/"$CRL" "$PATHSSL"/"$CRL"; then
|
|
ERROR "Could not create CRL link to $PATHSSL!"
|
|
ERR=1
|
|
rm -f "$PATHCRL"/"$CRL" "$PATHSSL"/"$CRL"
|
|
continue
|
|
fi
|
|
fi
|
|
|
|
INFO "$CRL successfully updated"
|
|
|
|
done
|
|
|
|
# Rehash
|
|
if /usr/bin/c_rehash > /dev/null 2>&1; then
|
|
INFO "Rehash successful"
|
|
else
|
|
ERROR "Could not rehash $PATHSSL!"
|
|
exit 2
|
|
fi
|
|
|
|
# Set runtime information
|
|
if [[ "$ERR" -eq 0 ]]; then
|
|
date +%s > "$LASTRUN"
|
|
fi
|
|
|
|
exit 0
|