#!/bin/bash # # RaspAP SSL certificate installation functions # author: @billz # license: GNU General Public License v3.0 certname=$HOSTNAME."local" lighttpd_ssl="/etc/lighttpd/ssl" webroot_dir="/var/www/html" ### NOTE: all the below functions are overloadable for system-specific installs function config_installation() { install_log "Configure a new SSL certificate" echo "Current system hostname is ${certname}" echo -n "Create an SSL certificate for ${certname}? (Recommended) [y/N]" if [ $assume_yes == 0 ]; then read answer if [[ $answer != "y" ]]; then read -e -p "Enter an alternate certificate name: " -i "${certname}" certname fi else echo -e fi echo -n "Install to Lighttpd SSL directory: ${lighttpd_ssl}? [y/N]: " if [ $assume_yes == 0 ]; then read answer if [[ $answer != "y" ]]; then read -e -p "Enter alternate Lighttpd SSL directory: " -i "${lighttpd_ssl}" lighttpd_ssl fi else echo -e fi install_divider echo "A new SSL certificate for: ${certname}" echo "will be installed to lighttpd SSL directory: ${lighttpd_ssl}" install_divider echo -n "Complete installation with these values? [y/N]: " if [ $assume_yes == 0 ]; then read answer if [[ $answer != "y" ]]; then echo "Installation aborted." exit 0 fi else echo -e fi } # Installs pre-built mkcert binary for Arch Linux ARM function install_mkcert() { install_log "Fetching mkcert binary" sudo wget -q https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O /usr/local/bin/mkcert || install_error "Unable to download mkcert" sudo chmod +x /usr/local/bin/mkcert install_log "Installing mkcert" mkcert -install || install_error "Failed to install mkcert" } # Generate a certificate for host function generate_certificate() { install_log "Generating a new certificate for $certname" cd /home/pi mkcert $certname "*.${certname}.local" $certname || install_error "Failed to generate certificate for $certname" install_log "Combining private key and certificate" cat $certname+2-key.pem $certname+2.pem > $certname.pem || install_error "Failed to combine key and certificate"a echo "OK" } # Create a directory for the combined .pem file in lighttpd function create_lighttpd_dir() { #todo: check for existence install_log "Create SLL directory for lighttpd" sudo mkdir -p "$lighttpd_ssl" || install_error "Failed to create lighttpd directory" echo "OK" install_log "Setting permissions and moving .pem file" chmod 400 /home/pi/"$certname".pem || install_error "Unable to set permissions for .pem file" sudo mv /home/pi/"$certname".pem /etc/lighttpd/ssl echo "OK" } # Edit the lighttpd configuration function configure_lighttpd() { install_log "Configuring lighttpd for SSL" echo "OK" } # Copy rootCA.pem to RaspAP web root function copy_rootca() { install_log "Copying rootCA.pem to RaspAP web root" || install_error "Unable to copy rootCA.pem to ${webroot_dir}" sudo cp /home/pi/.local/share/mkcert/rootCA.pem ${webroot_dir} echo "OK" } # Restart lighttpd service function restart_lighttpd() { install_log "Restarting lighttpd service" sudo systemctl restart lighttpd.service || install_error "Unable to restart lighttpd service" sudo systemctl status lighttpd.service } function install_complete() { install_log "SSL certificate install completed!" install_divider echo "Open a browser and enter the address: http://${certname}/rootCA.pem" echo "Download the root certificate to your client and add it to your system keychain." echo "Note: Be sure to set this certificate to "Always trust" to avoid browser warnings." echo "Finally, enter the address https://${certname} in your browser." echo "Enjoy an encrypted SSL connection to RaspAP 🔒" install_divider } function install_certificate() { display_welcome config_installation install_mkcert generate_certificate create_lighttpd_dir configure_lighttpd copy_rootca restart_lighttpd install_complete }