d3m0k1d/HellreigN
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity
Files
ad9d567d2ce3544d153af514c335899878f3d63c
HellreigN/backend/scripts/generate-certs.sh
T
d3m0k1d a2c71da3a0
ci-agent / build (push) Failing after 1m19s
Details
chore: grpc + mtls working
2026-04-04 03:55:37 +03:00

99 lines
3.4 KiB
Bash
Raw Blame History

#!/bin/bash
# Скрипт генерации SSL сертификатов для mTLS gRPC
set -e
CERT_DIR="${1:-/etc/HellreigN/ssl}"
DAYS_VALID=365
echo "Generating CA and server certificates in ${CERT_DIR}..."
# Создаём директорию
mkdir -p "${CERT_DIR}"
# Если сертификаты уже есть и не пустые - не перегенерируем
if [ -s "${CERT_DIR}/ca.crt" ] && [ -s "${CERT_DIR}/server.crt" ] && [ -s "${CERT_DIR}/server.key" ]; then
echo "Certificates already exist, skipping generation."
exit 0
fi
# Если файлы существуют но пустые - удаляем их для перегенерации
rm -f "${CERT_DIR}/ca.crt" "${CERT_DIR}/ca.key" "${CERT_DIR}/server.crt" "${CERT_DIR}/server.key" "${CERT_DIR}/server.csr"
# Генерация CA
echo "Generating CA..."
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/ca.key"
openssl req -x509 -new -nodes -sha256 -days ${DAYS_VALID} \
-key "${CERT_DIR}/ca.key" \
-out "${CERT_DIR}/ca.crt" \
-subj "/CN=HellreigN Root CA"
# Генерация серверного сертификата
echo "Generating server certificate..."
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/server.key"
openssl req -new -sha256 \
-key "${CERT_DIR}/server.key" \
-out "${CERT_DIR}/server.csr" \
-subj "/CN=${SERVER_CN:-localhost}"
# Создаём конфиг для server SAN
# Поддержка переменных окружения:
# SERVER_SAN_DNS - список DNS имен через запятую (например: localhost,backend,myserver.example.com)
# SERVER_SAN_IP - список IP адресов через запятую (например: 127.0.0.1,192.168.1.100)
cat > "${CERT_DIR}/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
# Добавляем DNS SAN
dns_idx=1
IFS=',' read -ra DNS_NAMES <<< "${SERVER_SAN_DNS:-localhost,backend}"
for dns_name in "${DNS_NAMES[@]}"; do
dns_name=$(echo "$dns_name" | xargs) # trim whitespace
if [ -n "$dns_name" ]; then
echo "DNS.${dns_idx} = ${dns_name}" >> "${CERT_DIR}/server.ext"
((dns_idx++))
fi
done
# Добавляем wildcard для localhost если есть
echo "DNS.${dns_idx} = *.localhost" >> "${CERT_DIR}/server.ext"
((dns_idx++))
# Добавляем IP SAN
ip_idx=1
IFS=',' read -ra IP_ADDRS <<< "${SERVER_SAN_IP:-127.0.0.1}"
for ip_addr in "${IP_ADDRS[@]}"; do
ip_addr=$(echo "$ip_addr" | xargs) # trim whitespace
if [ -n "$ip_addr" ]; then
echo "IP.${ip_idx} = ${ip_addr}" >> "${CERT_DIR}/server.ext"
((ip_idx++))
fi
done
openssl x509 -req -sha256 -days ${DAYS_VALID} \
-in "${CERT_DIR}/server.csr" \
-CA "${CERT_DIR}/ca.crt" \
-CAkey "${CERT_DIR}/ca.key" \
-CAcreateserial \
-out "${CERT_DIR}/server.crt" \
-extfile "${CERT_DIR}/server.ext"
# Очистка лишних файлов
rm -f "${CERT_DIR}/server.ext"
# Установка прав
chmod 600 "${CERT_DIR}"/*.key
chmod 644 "${CERT_DIR}"/*.crt
echo "Certificates generated successfully!"
echo " CA: ${CERT_DIR}/ca.crt"
echo " Server: ${CERT_DIR}/server.crt + ${CERT_DIR}/server.key"
echo " SAN DNS: ${SERVER_SAN_DNS:-localhost,backend}"
echo " SAN IP: ${SERVER_SAN_IP:-127.0.0.1}"
Reference in New Issue View Git Blame Copy Permalink