Add support for automatically getting an ACME certificate

geteduroam · Nov 20, 2024 · b8f59a1 · b8f59a1
1 parent d3b2c57
commit b8f59a1
Showing 1 changed file with 42 additions and 24 deletions.
diff --git a/contrib/install/install-letswifi-portal.sh b/contrib/install/install-letswifi-portal.sh
@@ -11,9 +11,9 @@ WORKING_DIR=/var/lib/letswifi
 SETTINGS_DIR=/etc/letswifi
 SETTINGS_FILE="$SETTINGS_DIR/install-answers.sh"
 
-test -f "$SETTINGS_FILE" && . "$SETTINGS_FILE"
 fqdn="${fqdn:-$(hostname -f)}"
 acme_server=https://api.buypass.com/acme/directory
+test -f "$SETTINGS_FILE" && . "$SETTINGS_FILE"
 
 if ! command -v dialog >/dev/null
 then
@@ -76,7 +76,7 @@ fi
 
 printf '\033[0;44;37m\033[2J' >&2
 
-apt-get install -qq ca-certificates git php-fpm php-dom php-sqlite3 php-curl sqlite3 simplesamlphp apache2 composer
+apt-get install -qq cron ca-certificates git php-fpm php-dom php-sqlite3 php-curl sqlite3 simplesamlphp apache2 composer
 a2enconf simplesamlphp "$(basename /etc/apache2/conf-available/php*-fpm.conf)"
 a2dismod status
 
@@ -91,7 +91,7 @@ then
 		sed -i -e "/^ *'module\\.enable' =>/a\\"	\
 			-e "         'cron' => true,\\"	\
 			/etc/simplesamlphp/config.php
-	crontab -u www-data -l || EDITOR=tee crontab -u www-data -e <<EOF
+	crontab -u www-data -l || crontab -u www-data - <<EOF
 4 51 * * * php /usr/share/simplesamlphp/modules/cron/bin/cron.php -t hourly
 EOF
 else
@@ -169,35 +169,53 @@ tee /etc/apache2/sites-available/letswifi-portal.conf << EOF >/dev/null
 </VirtualHost>
 EOF
 
-mkdir -p "/var/lib/acme/certs/$fqdn"
-test -f "/var/lib/acme/certs/$fqdn/$fqdn.key" || test -f "/var/lib/acme/certs/$fqdn/$fqdn.cer"	\
-	|| openssl req -x509 -newkey rsa:2048	\
-		-keyout "/var/lib/acme/certs/$fqdn/$fqdn.key"	\
-		-out "/var/lib/acme/certs/$fqdn/$fqdn.cer"	\
-		-sha256 -days 3650 -nodes	\
-		-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
-cp "/var/lib/acme/certs/$fqdn/$fqdn.cer" "/var/lib/acme/certs/$fqdn/fullchain.cer"
 a2dissite 000-default default-ssl
 a2ensite letswifi-portal
 a2enmod ssl proxy_fcgi setenvif
-service apache2 restart
 >/var/www/html/index.html
 
-# First fix own account for ACME
-#acme_email="$(dialog --backtitle "Let's Wi-Fi installation" --title 'ACME configuration' --ok-label Yes --cancel-label No --inputbox 'A self signed certificate has been created.\n\nDo you want to obtain a certificate for $fqdn using ACME now?\n\nThen enter e-mail address for registering an ACME account' 0 0 3>&1 1>&2 2>&3 3>&- || true)"
-#printf 'acme_email=%s\n' "$acme_email" >>"$SETTINGS_FILE"
-
-if [ -n "$acme_email" ]
+if [ -n "$acme_email" -a -n "$acme_server" ]
 then
-	wget --output-document /usr/sbin/acme.sh https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
-	chmod +x /usr/sbin/acme.sh
+	acme_hostname="$(printf %s "$acme_server" | sed -es_^https://__ -es_/.*\$__)"
+	[ -f /usr/bin/acme.sh ] || wget --output-document /usr/bin/acme.sh https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
+	chmod +x /usr/bin/acme.sh
 	mkdir -p /var/www/html/.well-known/acme-challenge
-	# todo own account for ACME
-	test -f /var/lib/acme/.acme.sh/ca/api.buypass.com/acme/directory/account.json \
-		|| /usr/sbin/acme.sh --server "$acme_server" --register-account --accountemail "$acme_email"
-	/usr/sbin/acme.sh --server "$acme_server" --issue -d "$fqdn" --webroot /var/www/html
-	# todo ACME cron
+	getent passwd acme >/dev/null || useradd	\
+		--comment 'ACME protocol client'	\
+		--home-dir /var/lib/acme	\
+		--shell /bin/sh	\
+		--system acme
+	mkdir -p /var/lib/acme/certs
+	touch /var/log/acme.sh.log
+	[ -L /var/lib/acme/.acme.sh -a -d /var/lib/acme/.acme.sh ] || ln -s ./ /var/lib/acme/.acme.sh
+	chown -Rh acme:acme /var/lib/acme /var/log/acme.sh.log /var/www/html/.well-known/acme-challenge
+	test -f /var/lib/acme/account.conf || tee /var/lib/acme/account.conf <<EOF
+CERT_HOME="/var/lib/acme/certs"
+LOG_FILE='/var/log/acme.sh.log'
+ECC_SUFFIX=
+EOF
+	test -d "/var/lib/acme/.acme.sh/ca/$acme_hostname"	\
+		|| su acme -c "/usr/bin/acme.sh --no-color --server '$acme_server' --register-account --accountemail '$acme_email'"
+	if ! service apache2 status >/dev/null
+	then
+		a2dissite letswifi-portal
+		service apache2 start
+	fi
+	su acme -c "/usr/bin/acme.sh --no-color --server '$acme_server' --issue -d '$fqdn' --webroot /var/www/html"
+	a2ensite letswifi-portal
+	crontab -u acme -l || crontab -u acme - <<EOF
+4 17 * * * /usr/bin/acme.sh/acme.sh --cron --home /var/lib/acme > /dev/null
+EOF
 fi
+mkdir -p "/var/lib/acme/certs/$fqdn"
+test -f "/var/lib/acme/certs/$fqdn/$fqdn.key" || test -f "/var/lib/acme/certs/$fqdn/$fqdn.cer"	\
+	|| openssl req -x509 -newkey rsa:2048	\
+		-keyout "/var/lib/acme/certs/$fqdn/$fqdn.key"	\
+		-out "/var/lib/acme/certs/$fqdn/$fqdn.cer"	\
+		-sha256 -days 3650 -nodes	\
+		-subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
+cp -n "/var/lib/acme/certs/$fqdn/$fqdn.cer" "/var/lib/acme/certs/$fqdn/fullchain.cer" || true
+service apache2 restart
 
 printf '\033[0m' >&2
 dialog --backtitle "Let's Wi-Fi installation" --msgbox "Installation completed, Let's Wi-Fi should now be set up on port 443\n\n$extra_info\n\nConfiguration files for Let's Wi-Fi and SimpleSAMLphp are respectively\nlocated in /etc/letswifi and /etc/simplesaml" 0 0 >&2