From 39180230b20ba4a106da5f24b77a6a1c916ee72e Mon Sep 17 00:00:00 2001
From: David Tschida
Date: Tue, 15 Nov 2022 17:11:51 -0800
Subject: [PATCH 1/5] Adding initial deploy script for openhabian
---
deploy/openhabian.sh | 97 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 deploy/openhabian.sh
diff --git a/deploy/openhabian.sh b/deploy/openhabian.sh
new file mode 100644
index 00000000..f17c85aa
--- /dev/null
+++ b/deploy/openhabian.sh
@@ -0,0 +1,97 @@
+#!/usr/bin/env sh
+
+# Config variables
+# DEPLOY_OPENHABIAN_KEYPASS : This should be default most of the time since a custom password requires openhab config changes
+# DEPLOY_OPENHABIAN_KEYSTORE : This should generate based on existing openhab env vars.
+
+openhabian_deploy() {
+
+ # Name parameters
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ # TODO: Load from config using _getdeployconf and print with _debug2
+ # Unclear if this is needed in this case.
+
+ # Define configurable options
+ _openhab_keystore=${DEPLOY_OPENHABIAN_KEYSTORE:-${OPENHAB_USERDATA}/etc/keystore}
+ _openhab_keypass="${DEPLOY_OPENHABIAN_KEYPASS:-openhab}"
+
+ # Take a backup of the old keystore
+ cp "${_openhab_keystore}" "${_openhab_keystore}.bak"
+
+ # Verify Dependencies/PreReqs
+ if ! _exists keytool; then
+ _err "keytool not found, please install keytool"
+ return 1
+ fi
+ if [ ! -w "$_openhab_keystore" ]; then
+ _err "The file $_openhab_keystore is not writable, please change the permission."
+ return 1
+ fi
+
+ # Generate PKCS12 keystore
+ _new_pkcs12="$(_mktemp)"
+ # _toPkcs doesn't support -nodes param
+ if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
+ -export \
+ -inkey "$_ckey" \
+ -in "$_ccert" \
+ -certfile "$_cca" \
+ -name mykey \
+ -out "$_new_pkcs12" \
+ -nodes -passout "pass:$_openhab_keypass"; then
+ _debug "Successfully created pkcs keystore"
+ else
+ _err "Error generating pkcs12."
+ _err "Please re-run with --debug and report a bug."
+ rm "$_new_pkcs12"
+ return 1
+ fi
+
+ # Remove old cert from existing keychain
+ if keytool -delete \
+ -alias mykey \
+ -deststorepass "$_openhab_keypass" \
+ -keystore "$_openhab_keystore"; then
+ _debug "Successfully deleted old key"
+ else
+ _err "Error deleting old key"
+ _err "Please re-run with --debug and report a bug."
+ rm "$_new_pkcs12"
+ return 1
+ fi
+
+ # Add new certificate to keychain
+ if keytool -importkeystore \
+ -srckeystore "$_new_pkcs12" \
+ -srcstoretype PKCS12 \
+ -srcstorepass "$_openhab_keypass" \
+ -alias mykey \
+ -destkeystore "$_openhab_keystore" \
+ -deststoretype jks \
+ -deststorepass "$_openhab_keypass" \
+ -destalias mykey; then
+ _debug "Successfully imported key"
+ else
+ _err "Failure when importing key"
+ _err "Please re-run with --debug and report a bug."
+ rm "$_new_pkcs12"
+ return 1
+ fi
+
+ # TODO: Reload/restart openhab to pick up new key
+ # Unifi script passes a reload cmd to handle reloading.
+ # Consider also stopping openhab before touching the keystore
+
+ rm "$_new_pkcs12"
+}
From 72bf38c47ce4f81a1164fdbbdfcdbf25449aa083 Mon Sep 17 00:00:00 2001
From: David Tschida
Date: Tue, 15 Nov 2022 18:00:35 -0800
Subject: [PATCH 2/5] Updating openhab script
General cleanup, better errors, saving config variables, debug statements
---
deploy/openhabian.sh | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/deploy/openhabian.sh b/deploy/openhabian.sh
index f17c85aa..07d1d827 100644
--- a/deploy/openhabian.sh
+++ b/deploy/openhabian.sh
@@ -6,7 +6,7 @@
openhabian_deploy() {
- # Name parameters
+ # Name parameters, load configs
_cdomain="$1"
_ckey="$2"
_ccert="$3"
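Review bot: In the new-file hunk, once `keytool -delete` has removed `mykey`, a failure of the following `keytool -importkeystore` returns 1 with the keystore already stripped of its key, and the `.bak` copy taken earlier is never put back, so openHAB is left with no serving certificate until someone restores it by hand. The import's `else` branch should restore the backup first, e.g. `cp "${_openhab_keystore}.bak" "${_openhab_keystore}"` before its `return 1`. Separately, the keystore password is handed to both openssl (`-passout "pass:$_openhab_keypass"`) and keytool (`-srcstorepass`/`-deststorepass`) as argv, where any local user can read it from the process list; openssl accepts `-passout env:VAR` and keytool's password options take a `:env` modifier (`-deststorepass:env VAR`), which would keep it off the command line. Also, `-nodes` is a parsing-side option of `openssl pkcs12` and has no effect together with `-export`, so the stated reason for bypassing `_toPkcs` (`# _toPkcs doesn't support -nodes param`) does not hold.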
@@ -19,14 +19,26 @@ openhabian_deploy() {
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
- # TODO: Load from config using _getdeployconf and print with _debug2
- # Unclear if this is needed in this case.
+ _getdeployconf DEPLOY_UNIFI_KEYSTORE
+ _getdeployconf DEPLOY_OPENHABIAN_KEYPASS
+ _getdeployconf DEPLOY_OPENHABIAN_RESTART
+
+ _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _debug2 DEPLOY_OPENHABIAN_KEYPASS "$DEPLOY_OPENHABIAN_KEYPASS"
+ _debug2 DEPLOY_OPENHABIAN_RESTART "$DEPLOY_OPENHABIAN_RESTART"
# Define configurable options
- _openhab_keystore=${DEPLOY_OPENHABIAN_KEYSTORE:-${OPENHAB_USERDATA}/etc/keystore}
+ _openhab_keystore="${DEPLOY_OPENHABIAN_KEYSTORE:-${OPENHAB_USERDATA}/etc/keystore}"
_openhab_keypass="${DEPLOY_OPENHABIAN_KEYPASS:-openhab}"
+ _default_restart="sudo service openhab resart"
+ _openhab_restart="${DEPLOY_OPENHABIAN_RESTART:-$_default_restart}"
+
+ _debug _openhab_keystore "$_openhab_keystore"
+ _debug _openhab_keypass "$_openhab_keypass"
+ _debug _openhab_restart "$_openhab_restart"
# Take a backup of the old keystore
+ _debug "Storing a backup of the existing keystore at ${_openhab_keystore}.bak"
cp "${_openhab_keystore}" "${_openhab_keystore}.bak"
# Verify Dependencies/PreReqs
@@ -63,7 +75,7 @@ openhabian_deploy() { -alias mykey \ -deststorepass "$_openhab_keypass" \ -keystore "$_openhab_keystore"; then
- _debug "Successfully deleted old key"
+ _info "Successfully deleted old key"
else
_err "Error deleting old key"
_err "Please re-run with --debug and report a bug."
@@ -81,7 +93,7 @@ openhabian_deploy() { -deststoretype jks \ -deststorepass "$_openhab_keypass" \ -destalias mykey; then
- _debug "Successfully imported key"
+ _info "Successfully imported new key"
else
_err "Failure when importing key"
_err "Please re-run with --debug and report a bug."
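Review bot: In the `@@ -19,14 +19,26 @@` hunk, `_debug2 DEPLOY_OPENHABIAN_KEYPASS "$DEPLOY_OPENHABIAN_KEYPASS"` and `_debug _openhab_keypass "$_openhab_keypass"` write the keystore password in clear to the debug log, which is exactly the output the script's own error messages ask users to collect and attach to bug reports (`Please re-run with --debug and report a bug.`). acme.sh provides `_secure_debug`/`_secure_debug2` for this; they print a placeholder unless the run is started with `--output-insecure`. Change the two lines to `_secure_debug2 DEPLOY_OPENHABIAN_KEYPASS "$DEPLOY_OPENHABIAN_KEYPASS"` and `_secure_debug _openhab_keypass "$_openhab_keypass"`. The enclosing function openhabian_deploy starts and ends outside this hunk.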
@@ -89,9 +101,19 @@ openhabian_deploy() {
return 1
fi
- # TODO: Reload/restart openhab to pick up new key
- # Unifi script passes a reload cmd to handle reloading.
- # Consider also stopping openhab before touching the keystore
+ # Reload openhab service
+ if eval "$_openhab_restart"; then
+ _info "Restarted opehnab"
+ else
+ _err "Failed to restart openhab, please restart openhab manually."
+ _err "The new key has been installed, but openhab may not use it until restarted"
+ _err "To prevent this error, override the restart command with DEPLOY_OPENHABIAN_RESTART \ and ensure it can be called by the acme.sh user"
+ fi
+
+ _savedeployconf DEPLOY_OPENHABIAN_KEYSTORE "$DEPLOY_OPENHABIAN_KEYSTORE"
+ _savedeployconf DEPLOY_OPENHABIAN_KEYPASS "$DEPLOY_OPENHABIAN_KEYPASS"
+ _savedeployconf DEPLOY_OPENHABIAN_RESTART "$DEPLOY_OPENHABIAN_RESTART"
rm "$_new_pkcs12"
}
From 5477af425619039d10f8e1d0ab757fb1927faf0d Mon Sep 17 00:00:00 2001
From: David Tschida
Date: Tue, 15 Nov 2022 21:51:33 -0800
Subject: [PATCH 3/5] Cleanup and commenting
---
deploy/openhabian.sh | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/deploy/openhabian.sh b/deploy/openhabian.sh
index 07d1d827..9c705350 100644
--- a/deploy/openhabian.sh
+++ b/deploy/openhabian.sh
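Review bot: In the `@@ -89,9 +101,19 @@` hunk the third `_err` argument is a double-quoted string carried over a backslash-newline; the shell drops the backslash and the newline but keeps the next line's leading indentation inside the string, so the message is printed with a run of spaces between `DEPLOY_OPENHABIAN_RESTART` and `and ensure`. Split it into two calls, `_err "To prevent this error, override the restart command with DEPLOY_OPENHABIAN_RESTART"` and `_err "and ensure it can be called by the acme.sh user"`. On `eval "$_openhab_restart"`: the value comes from the environment or, after `_savedeployconf`, is read back by `_getdeployconf` on later runs (presumably from the domain conf) and is executed verbatim on every renewal, with the default `sudo service openhab restart` under a passwordless sudo rule, so a comment such as `# Executed verbatim on every renewal: whoever can write the saved conf controls this command` above the `eval` would make the trust boundary explicit. openhabian_deploy starts outside this hunk.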
@@ -1,8 +1,21 @@
#!/usr/bin/env sh
-# Config variables
-# DEPLOY_OPENHABIAN_KEYPASS : This should be default most of the time since a custom password requires openhab config changes
-# DEPLOY_OPENHABIAN_KEYSTORE : This should generate based on existing openhab env vars.
+# Deploy script to install keys to the openhab keystore
+
+# This script attempts to restart the openhab service upon completion.
+# In order for this to work, the user running acme.sh needs to be able
+# to execute the DEPLOY_OPENHABIAN_RESTART command
+# (default: sudo service openhab restart) without needing a password prompt.
+# To ensure this deployment runs properly ensure permissions are configured
+# correctly, or change the command variable as needed.
+
+# Configutation options:
+# DEPLOY_OPENHABIAN_KEYPASS : The default should be appropriate here for most cases,
+# but change this to change the password used for the keystore.
+# DEPLOY_OPENHABIAN_KEYSTORE : The full path of the openhab keystore file. This will
+# default to a path based on the $OPENHAB_USERDATA directory.
+# This should generate based on existing openhab env vars.
+# DEPLOY_OPENHABIAN_RESTART : The command used to restart openhab
openhabian_deploy() {
@@ -30,7 +43,7 @@ openhabian_deploy() {
# Define configurable options
_openhab_keystore="${DEPLOY_OPENHABIAN_KEYSTORE:-${OPENHAB_USERDATA}/etc/keystore}"
_openhab_keypass="${DEPLOY_OPENHABIAN_KEYPASS:-openhab}"
- _default_restart="sudo service openhab resart"
+ _default_restart="sudo service openhab restart"
_openhab_restart="${DEPLOY_OPENHABIAN_RESTART:-$_default_restart}"
_debug _openhab_keystore "$_openhab_keystore"
@@ -109,6 +122,7 @@ openhabian_deploy() {
_err "The new key has been installed, but openhab may not use it until restarted"
_err "To prevent this error, override the restart command with DEPLOY_OPENHABIAN_RESTART \ and ensure it can be called by the acme.sh user"
+ return 1
fi
_savedeployconf DEPLOY_OPENHABIAN_KEYSTORE "$DEPLOY_OPENHABIAN_KEYSTORE"
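Review bot: The new header in the `@@ -1,8 +1,21 @@` hunk tells operators that the acme.sh user must be able to run `sudo service openhab restart` without a password prompt, but gives no guidance on how narrowly to grant that; a blanket NOPASSWD entry would hand unrestricted root to the same account that handles the certificate private keys (`_ckey`). I would extend the comment with: `# Grant this with a sudoers rule limited to the exact command, e.g.` / `#   <acme user> ALL=(root) NOPASSWD: /usr/sbin/service openhab restart` / `# (adjust user and path to the target system) rather than a blanket NOPASSWD entry.`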
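Review bot: The `return 1` added in the `@@ -109,6 +122,7 @@` hunk exits before the `rm "$_new_pkcs12"` at the end of the function, so a failed restart now leaves the PKCS12 file — containing the freshly issued private key, protected only by `_openhab_keypass`, which defaults to the well-known `openhab` — behind in the `_mktemp` location; every other error branch in the function removes it. Add `rm "$_new_pkcs12"` immediately before the new `return 1`. The three `_savedeployconf` calls are skipped on this path too, so a DEPLOY_OPENHABIAN_RESTART override given via the environment is not persisted for the next renewal; that may be intended but deserves a comment. openhabian_deploy starts outside this hunk.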
From 54035a304e7dfc0cb0dceb46dbaab3e9ac50d551 Mon Sep 17 00:00:00 2001
From: David Tschida
Date: Wed, 16 Nov 2022 11:03:26 -0800
Subject: [PATCH 4/5] Correcting typos, adjusting comments, etc.
---
deploy/openhabian.sh | 48 +++++++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/deploy/openhabian.sh b/deploy/openhabian.sh
index 9c705350..9ea2572b 100644
--- a/deploy/openhabian.sh
+++ b/deploy/openhabian.sh
@@ -1,21 +1,21 @@
#!/usr/bin/env sh
-# Deploy script to install keys to the openhab keystore
+# Deploy script to install keys to the openHAB keystore
-# This script attempts to restart the openhab service upon completion.
+# This script attempts to restart the openHAB service upon completion.
# In order for this to work, the user running acme.sh needs to be able
# to execute the DEPLOY_OPENHABIAN_RESTART command
# (default: sudo service openhab restart) without needing a password prompt.
# To ensure this deployment runs properly ensure permissions are configured
# correctly, or change the command variable as needed.
-# Configutation options:
-# DEPLOY_OPENHABIAN_KEYPASS : The default should be appropriate here for most cases,
-# but change this to change the password used for the keystore.
-# DEPLOY_OPENHABIAN_KEYSTORE : The full path of the openhab keystore file. This will
+# Configuration options:
+# DEPLOY_OPENHABIAN_KEYPASS : The default should be appropriate here for most cases,
+# but change this to change the password used for the keystore.
+# DEPLOY_OPENHABIAN_KEYSTORE : The full path of the openHAB keystore file. This will
# default to a path based on the $OPENHAB_USERDATA directory.
-# This should generate based on existing openhab env vars.
-# DEPLOY_OPENHABIAN_RESTART : The command used to restart openhab
+# This should generate based on existing openHAB env vars.
+# DEPLOY_OPENHABIAN_RESTART : The command used to restart openHAB
openhabian_deploy() {
@@ -32,11 +32,11 @@ openhabian_deploy() {
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
- _getdeployconf DEPLOY_UNIFI_KEYSTORE
+ _getdeployconf DEPLOY_OPENHABIAN_KEYSTORE
_getdeployconf DEPLOY_OPENHABIAN_KEYPASS
_getdeployconf DEPLOY_OPENHABIAN_RESTART
- _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+ _debug2 DEPLOY_OPENHABIAN_KEYSTORE "$DEPLOY_OPENHABIAN_KEYSTORE"
_debug2 DEPLOY_OPENHABIAN_KEYPASS "$DEPLOY_OPENHABIAN_KEYPASS"
_debug2 DEPLOY_OPENHABIAN_RESTART "$DEPLOY_OPENHABIAN_RESTART"
@@ -50,11 +50,7 @@ openhabian_deploy() {
_debug _openhab_keypass "$_openhab_keypass"
_debug _openhab_restart "$_openhab_restart"
- # Take a backup of the old keystore
- _debug "Storing a backup of the existing keystore at ${_openhab_keystore}.bak"
- cp "${_openhab_keystore}" "${_openhab_keystore}.bak"
-
- # Verify Dependencies/PreReqs
+ # Verify Dependencies
if ! _exists keytool; then
_err "keytool not found, please install keytool"
return 1
@@ -64,6 +60,10 @@ openhabian_deploy() {
return 1
fi
+ # Take a backup of the old keystore
+ _debug "Storing a backup of the existing keystore at ${_openhab_keystore}.bak"
+ cp "${_openhab_keystore}" "${_openhab_keystore}.bak"
+
# Generate PKCS12 keystore
_new_pkcs12="$(_mktemp)"
# _toPkcs doesn't support -nodes param
@@ -83,7 +83,7 @@ openhabian_deploy() {
return 1
fi
- # Remove old cert from existing keychain
+ # Remove old cert from existing store
if keytool -delete \ -alias mykey \ -deststorepass "$_openhab_keypass" \
@@ -96,7 +96,7 @@ openhabian_deploy() {
return 1
fi
- # Add new certificate to keychain
+ # Add new certificate to store
if keytool -importkeystore \ -srckeystore "$_new_pkcs12" \ -srcstoretype PKCS12 \
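Review bot: The backup copy re-added in the `@@ -64,6 +60,10 @@` hunk is still unchecked: if `cp` fails (for instance because the keystore's directory is not writable by the acme.sh user, which the preceding `[ ! -w "$_openhab_keystore" ]` test does not cover), the function carries on to `keytool -delete` and destroys the only copy of the current key. Guard it with `cp "${_openhab_keystore}" "${_openhab_keystore}.bak" || { _err "Could not back up ${_openhab_keystore}"; return 1; }`. openhabian_deploy starts and ends outside this hunk.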
@@ -114,12 +114,12 @@ openhabian_deploy() {
return 1
fi
- # Reload openhab service
+ # Reload openHAB service
if eval "$_openhab_restart"; then
- _info "Restarted opehnab"
+ _info "Restarted openhab"
else
- _err "Failed to restart openhab, please restart openhab manually."
- _err "The new key has been installed, but openhab may not use it until restarted"
+ _err "Failed to restart openHAB, please restart openHAB manually."
+ _err "The new key has been installed, but openHAB may not use it until restarted"
_err "To prevent this error, override the restart command with DEPLOY_OPENHABIAN_RESTART \ and ensure it can be called by the acme.sh user"
return 1
@@ -131,3 +131,9 @@ openhabian_deploy() {
rm "$_new_pkcs12"
}
+
+# Credits:
+# This solution was heavily informed by a few existing scripts:
+# - https://gist.github.com/jpmens/8029383
+# - https://github.com/matsahm/openhab_change_ssl/blob/bd46986581631319606ae4c594d4ed774a67cd39/openhab_change_ssl
+# Thank you!
From c9854870de42652795e0204a28859cd9560e2c3b Mon Sep 17 00:00:00 2001
From: David Tschida
Date: Thu, 17 Nov 2022 02:06:26 -0800
Subject: [PATCH 5/5] Formatting
---
deploy/openhabian.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deploy/openhabian.sh b/deploy/openhabian.sh
index 9ea2572b..74df1226 100644
--- a/deploy/openhabian.sh
+++ b/deploy/openhabian.sh
@@ -3,8 +3,8 @@
# Deploy script to install keys to the openHAB keystore
# This script attempts to restart the openHAB service upon completion.
-# In order for this to work, the user running acme.sh needs to be able
-# to execute the DEPLOY_OPENHABIAN_RESTART command
+# In order for this to work, the user running acme.sh needs to be able
+# to execute the DEPLOY_OPENHABIAN_RESTART command
# (default: sudo service openhab restart) without needing a password prompt.
# To ensure this deployment runs properly ensure permissions are configured
# correctly, or change the command variable as needed.
@@ -12,8 +12,8 @@
# Configuration options:
# DEPLOY_OPENHABIAN_KEYPASS : The default should be appropriate here for most cases,
# but change this to change the password used for the keystore.
-# DEPLOY_OPENHABIAN_KEYSTORE : The full path of the openHAB keystore file. This will
-# default to a path based on the $OPENHAB_USERDATA directory.
+# DEPLOY_OPENHABIAN_KEYSTORE : The full path of the openHAB keystore file. This will
+# default to a path based on the $OPENHAB_USERDATA directory.
# This should generate based on existing openHAB env vars.
# DEPLOY_OPENHABIAN_RESTART : The command used to restart openHAB