Commit b9b7956d authored by Benoît's avatar Benoît

Script simplifié, valable pour CentOS6 et CentOS7

parent 88dd2309
export LANG=en_US.UTF-8
export _JAVA_OPTIONS=-Duser.home=/usr/sbin/r1soft/conf
echo -e "\\n### Updating nessary packages..."
yum -y update nss nss-util nss-sysinit nss-tools wget curl ca-certificates openssl
echo -e "\\n### Installing Certbot..."
yum -y install certbot python2-certbot-apache --enablerepo=epel
cd /usr/sbin/r1soft/conf/
echo " -- Cleaning -- "
rm -f request.csr
rm -f *.pem
echo " -- Delete Keystore -- "
rm -f keystore
echo " -- Recreate Keystore -- "
keytool -genkey -noprompt -alias cdp -dname "CN=$(hostname), OU=HaiSoft, O=HaiSoft, L=Orléans, S=Centre, C=FR" -keystore ./keystore -storepass "password" -KeySize 2048 -keypass "password" -keyalg RSA
keytool -list -keystore ./keystore -v -storepass "password" > key.check
echo " -- Build CSR -- "
keytool -certreq -alias cdp -file request.csr -keystore ./keystore -storepass "password"
echo " -- Request Certificate -- "
certbot certonly --csr ./request.csr --standalone --non-interactive --agree-tos -m
echo " -- import Certificate -- "
keytool -import -trustcacerts -alias cdp -file 0001_chain.pem -keystore ./keystore -storepass "password"
echo " -- Cleaning -- "
rm -f request.csr
mkdir -p /usr/sbin/r1soft/conf/LetsEncrypt
/bin/mv *.pem ./LetsEncrypt/
/usr/bin/yum -y update nss nss-util nss-sysinit nss-tools wget curl ca-certificates openssl
if [ $(rpm --eval '%{centos_ver}') = 6 ]; then
# On a besoin de récupérer un certificat Let's Encrypt généré ailleurs (wildcard), car certbot ne supporte plus CentOS 6
# Dans notre cas, le certificat Let's Encrypt est copié le 5 de chaque mois dans /opt/ssl/
/usr/bin/openssl pkcs12 -export -out /root/keystore.pkcs12 -in /opt/ssl/fullchain.pem -inkey /opt/ssl/privkey.pem -password pass:password
elif [ $(rpm --eval '%{centos_ver}') = 7 ]; then
# Sous CentOS 7, on peut utiliser certbot (disponible depuis epel)
echo -e "\\n### Installing Certbot..."
/usr/bin/yum -y install certbot python2-certbot-apache --enablerepo=epel
if [ -f "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then
/usr/sbin/service httpd start ; /usr/bin/certbot renew ; /usr/sbin/service httpd stop
/usr/sbin/service httpd start ; /usr/bin/certbot certonly --webroot --webroot-path /var/www/html/ -d ; /usr/sbin/service httpd stop
/usr/bin/openssl pkcs12 -export -out /root/keystore.pkcs12 -in /etc/letsencrypt/live/$(hostname)/fullchain.pem -inkey /etc/letsencrypt/live/$(hostname)/privkey.pem -password pass:password
echo "Unsupported system ?"
/usr/bin/keytool -importkeystore -srckeystore /root/keystore.pkcs12 -srcstoretype PKCS12 -destkeystore /root/keystore.jks -deststorepass password -srcstorepass password
/bin/mv /root/keystore.jks /usr/sbin/r1soft/conf/keystore
rm -f /root/keystore.pkcs12
cp /etc/pki/java/cacerts /usr/sbin/r1soft/jre/lib/security/cacerts
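Review bot: The PKCS#12 exports on lines 36 and 44 and the keytool import on line 46 pass the keystore password as a literal on the command line, where any local user can read it via `ps` or `/proc` while the command runs, and `/root/keystore.pkcs12` (line 36/44) and the keystore moved into place on line 47 are created under the default umask, so the TLS private key may be group- or world-readable unless something outside this script tightens it. If the R1Soft server genuinely requires the literal `password` (it reads the keystore with its configured password, which is not visible here), at least protect the files: add `umask 077` at the top of the script and `chmod 600 /usr/sbin/r1soft/conf/keystore` after the `mv` on line 47; to keep the secret out of argv, `openssl pkcs12 -password file:/root/.kspass` and keytool's `-srcstorepass:file` / `-deststorepass:file` forms work. Separately, `certbot certonly ... -d ;` on line 43 has no domain after `-d` (as the old `-m` on line 25 had no address) — if that is not a rendering artefact of this page, certbot exits with an error and the `openssl pkcs12` step on line 44 then silently runs against whatever `/etc/letsencrypt/live/$(hostname)/` already holds, since nothing checks exit statuses. The `if` opened on line 41 has no visible `else`/`fi` in this section, so the branch structure around the "Unsupported system ?" message on line 45 cannot be verified from here.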