Hi guys,
I am stuck with post-processing scripts; it seems that CW has some limits/restrictions which I don't understand.
1st, what I want to do:
My idea is that CW does everything - meaning, collecting the certs with ACME and rolling them out, without any configured clients. I'm using pdsh for that.
So I took the template script cw-apache2.sh and adapted it to my needs. I added this script in the post-processing section of the cert, without any vars - just the script. All the collecting and checking and cp/chmod/rm/xxx stuff works fine - except the point where the script should pdsh/pdcp this stuff to the target machine and restart the services.
Here is the script code:
#!/bin/bash
# Cert Warden post-processing script, adapted from the cw-apache2.sh template.
# It runs with the user, HOME and PATH of the Cert Warden service, not of an
# interactive login shell.
server=cert.mydomain.com:4055
client_name=netservice
cert_apikey=111111111111111111111111111111
key_apikey=111111111111111111111111111111
cert_name=netservice.mydomain.com
local_certs=/opt/certwarden/data/certs
time_stamp=/opt/certwarden/data/certs/$client_name/cert_timestamp.txt
temp_certs=/opt/certwarden/data/certs/$client_name/temp
api_cert_path=certwarden/api/v1/download/certificates/$cert_name
api_key_path=certwarden/api/v1/download/privatekeys/$cert_name
cert_owner=root
set -e
# the downloaded private key must never be readable by others, not even briefly
umask 077

# check if you already have the client dirs
if [ ! -d "$local_certs/$client_name" ] || [ ! -d "$temp_certs" ]; then
    # -p creates the client dir as well and does not fail if one of them already exists
    mkdir -p "$temp_certs"
fi

# Fetch certs, if curl returns anything other than 200 success, abort
# (exit codes above 255 are truncated by the shell, so report the HTTP status and exit 1)
http_statuscode=$(curl -sS -L "https://$server/$api_cert_path" -H "apiKey: $cert_apikey" --output "$temp_certs/$cert_name.pem" --write-out "%{http_code}")
if [ "$http_statuscode" -ne 200 ]; then echo "cert download failed: HTTP $http_statuscode" >&2; exit 1; fi
http_statuscode=$(curl -sS -L "https://$server/$api_key_path" -H "apiKey: $key_apikey" --output "$temp_certs/$client_name-key.pem" --write-out "%{http_code}")
if [ "$http_statuscode" -ne 200 ]; then echo "key download failed: HTTP $http_statuscode" >&2; exit 1; fi

# check if you already have a cert+key (first install: copy locally only)
if [ ! -e "$local_certs/$cert_name.pem" ] || [ ! -e "$local_certs/$client_name-key.pem" ]; then
    cp "$temp_certs"/* "$local_certs"/
    chown "$cert_owner:$cert_owner" "$local_certs/$cert_name.pem"
    chown "$cert_owner:$cert_owner" "$local_certs/$client_name-key.pem"
    chmod 600 "$local_certs/$client_name-key.pem"
    chmod 644 "$local_certs/$cert_name.pem"
fi

# check for cert and key changes
# (note: after the first-install copy above, temp and local are identical, so this branch
# and the remote push only run on a later renewal)
if ! cmp -s "$temp_certs/$cert_name.pem" "$local_certs/$cert_name.pem" || ! cmp -s "$temp_certs/$client_name-key.pem" "$local_certs/$client_name-key.pem"; then
    cp -rf "$temp_certs"/* "$local_certs"/
    chown "$cert_owner:$cert_owner" "$local_certs/$cert_name.pem"
    chown "$cert_owner:$cert_owner" "$local_certs/$client_name-key.pem"
    chmod 600 "$local_certs/$client_name-key.pem"
    chmod 644 "$local_certs/$cert_name.pem"
    # pdcp/pdsh connect through their rcmd module (usually ssh) as the user this script
    # executes as; that user needs pdsh and pdcp on its PATH, a private key, and the
    # target's host key in its known_hosts
    pdcp -w "$client_name" "$local_certs/$cert_name.pem" /etc/ssl/unica/
    pdcp -w "$client_name" "$local_certs/$client_name-key.pem" /etc/ssl/unica/
    pdsh -w "$client_name" systemctl restart apache2
fi

rm -f "$temp_certs/$cert_name.pem"
rm -f "$temp_certs/$client_name-key.pem"
echo "Last Run: $(date)" > "$time_stamp"
Why is this not working? Any ideas/help?
Manual shell exec works fine.
Best regards, Marc
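An added example for diagnosing this kind of "works in my shell, fails from the hook" problem; it is not from Marc's post and not part of Cert Warden. The script below is a pre-flight check that can be run as the post-processing script itself (or sourced at the top of the adapted cw-apache2.sh): it logs which user, HOME and PATH the hook actually executes with and reports every precondition the pdsh/pdcp step depends on that is missing in that context. The host name, identity-file path and known_hosts path in the usage line are placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example, not from the original post or from Cert Warden. Run it where
# the post-processing hook runs to see what that environment lacks compared
# to the interactive shell in which pdsh/pdcp "work fine".

# check_deploy_env TARGET_HOST IDENTITY_FILE KNOWN_HOSTS_FILE CMD...
# Prints the identity the hook runs under, one FAIL line per unmet
# precondition, and returns the number of failures (0 = ready to deploy).
check_deploy_env() {
    target=$1
    identity=$2
    known_hosts=$3
    shift 3
    failures=0

    # A service normally runs with a different user and HOME than your login
    # shell, so ~/.ssh resolves somewhere else (or nowhere).
    echo "running as $(id -un) (uid $(id -u)), HOME=${HOME:-<unset>}"
    echo "PATH=$PATH"

    # Every tool the deploy step calls must resolve on the hook's own PATH.
    for cmd in "$@"; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "FAIL: '$cmd' is not on PATH"
            failures=$((failures + 1))
        fi
    done

    # Non-interactive ssh (which pdsh/pdcp run for you) needs a readable key...
    if [ ! -r "$identity" ]; then
        echo "FAIL: identity file '$identity' is missing or unreadable for $(id -un)"
        failures=$((failures + 1))
    fi

    # ...and an already-trusted host key: with no tty there is nobody to answer
    # the "Are you sure you want to continue connecting" prompt. This is a plain
    # grep on the host name; with HashKnownHosts=yes use
    # `ssh-keygen -F "$target" -f "$known_hosts"` instead.
    if ! grep -q "^$target[ ,]" "$known_hosts" 2>/dev/null; then
        echo "FAIL: no host key for '$target' in '$known_hosts'"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Assumed values (host name, key and known_hosts paths): replace with your own.
# check_deploy_env netservice "$HOME/.ssh/id_ed25519" "$HOME/.ssh/known_hosts" pdsh pdcp ssh
```

Point the Cert Warden post-processing entry at this file once, trigger a run, and read its output from the Cert Warden log: each FAIL line names one thing the service user is missing that your login shell has (a tool outside the service's PATH, a key in a HOME the service does not use, or an untrusted host key).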