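#!/bin/bash
# Abort on any reference to an unset variable. `-e` is deliberately NOT set,
# so every command below whose failure matters checks its own exit status.
set -u
# A pipeline fails if any stage fails, not only the last one.
set -o pipefail
# setup
# -----------------------------------------------------
# Load KEY=VALUE settings from the conf file and export them.
# The conf file is assumed to sit in the same folder as this script.
#
# SECURITY: every exported value becomes part of the environment that the
# `sudo -E` calls further down pass on to certbot and fmsadmin, and the file
# is where the Admin Console password (FAC_PASSWORD) is expected to live.
# Keep it readable by the invoking user only; treat its contents as trusted.
parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P )
# Without `-e`, a failed cd would silently continue in the wrong directory.
cd "$parent_path" || { echo "cannot change directory to ${parent_path}" >&2; exit 1; }
filePath="01-fms-certbot.conf"
if [ ! -f "$filePath" ]; then
  echo "missing ${filePath}"
  exit 1
fi
lineno=0
# `|| [[ -n "$LINE" ]]` keeps a final line that has no trailing newline
# (read returns non-zero on it and the line would otherwise be dropped).
while IFS= read -r LINE || [[ -n "$LINE" ]]; do
  lineno=$((lineno + 1))
  # Remove leading and trailing whitespaces, and carriage return
  CLEANED_LINE=$(printf '%s\n' "$LINE" | awk '{$1=$1};1' | tr -d '\r')
  # Only hand well-formed assignments (shell identifier followed by '=') to
  # export. Comments and lines without '=' are skipped silently as before;
  # lines with '=' but a bad name are reported by number only, so a value
  # that may be a secret is never echoed.
  if [[ $CLEANED_LINE =~ ^[A-Za-z_][A-Za-z0-9_]*= ]]; then
    export "$CLEANED_LINE"
  elif [[ $CLEANED_LINE != '#'* && $CLEANED_LINE == *'='* ]]; then
    echo "${filePath}: line ${lineno} is not a KEY=VALUE assignment; skipped" >&2
  fi
done < "$filePath"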
# -----------------------------------------------------
# This script runs the certbot renewal and imports the certificate into FileMaker Server.
# Usage:
# ./fms-renew-cert-dns-route53.sh
# the relevant commands that need to run as sudo have the -E flag to preserve the environment variables
# Detects if FileMaker Server is still running
# Returns 0 when `ps axc` lists no process matching "fmserver" and 1 when it
# does. NOTE: this is the inverse of the usual shell convention; callers test
# `$? -eq 1` for "running". The match is a plain substring grep over the
# process table, so any process whose name contains "fmserver" counts.
isServerRunning()
{
  local listing
  listing=$(ps axc | sed "s/.*:..... /\"/" | sed s/$/\"/ | grep fmserver)
  if [[ -n "$listing" ]] ; then
    return 1 # fmserver is running
  fi
  return 0 # fmserver is not running
}
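# Used to redirect errors to stderr
# Prints all arguments, joined by single spaces, as one line on stderr.
# printf is used instead of echo so that a message starting with "-n" or
# "-e" is printed literally instead of being consumed as an echo option.
err()
{
  printf '%s\n' "$*" >&2
}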
# Test to see if Certbot is installed
# Only two install locations are recognised: the snap on Linux (Ubuntu) and
# the Homebrew prefix /opt/homebrew on macOS. Any other OSTYPE is not checked
# at all. Note that the `sudo -E certbot` calls later resolve certbot via
# PATH, so an install elsewhere (e.g. a distro package) is rejected here
# even though it might have run. Requires err().
if [[ "$OSTYPE" == "linux-gnu"* && ! -e "/snap/bin/certbot" ]] || [[ "$OSTYPE" == "darwin"* && ! -e "/opt/homebrew/bin/certbot" ]] ; then
  err "[ERROR] Certbot not installed. Please install Certbot and run fm_request_cert.sh prior to running this script. Exiting..."
  exit 1
fi
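# Gather the run's inputs.
# PROMPT == 0 (from the conf file) means non-interactive: DOMAIN,
# RESTART_SERVER, TEST_CERTIFICATE, MAX_WAIT_AMOUNT and the FAC_* credentials
# must already be in the environment (conf file, or exported and preserved
# with `sudo -E`). Any other PROMPT value asks for them on the terminal.
# PROMPT itself must be set; under `set -u` an unset PROMPT aborts the script.
# Requires err().
if [[ "$PROMPT" == 0 ]] ; then
  # FileMaker Admin Console Login Information
  # `${VAR:-}` lets a missing variable reach the friendly message below
  # instead of tripping `set -u` with a bare "unbound variable" error.
  if [[ -n "${FAC_USERNAME:-}" ]]; then
    FAC_USER="${FAC_USERNAME}"
  else
    err "[ERROR]: The FileMaker Server Admin Console Credentials was not set. Set FAC_USERNAME as an environment variable using export FAC_USERNAME="
    err " If FAC_USERNAME and FAC_PASSWORD have been set, make sure to run the script using sudo -E ./fm_request_cert.sh"
    err " Additionally, make sure that to set FAC_PASSWORD as an environment variable using export FAC_PASSWORD="
    exit 1
  fi
  if [[ -n "${FAC_PASSWORD:-}" ]]; then
    FAC_PASS="${FAC_PASSWORD}"
  else
    err "[ERROR]: The FileMaker Server Admin Console Credentials was not set. Set FAC_PASSWORD as an environment variable using export FAC_PASSWORD="
    exit 1
  fi
else
  # Prompt user for values
  # `read -r` keeps backslashes literal so a password containing one is not mangled.
  echo " Enter the domain used to generate the certificate. If multiple domains were used, enter the name of the folder that the certificates should be found in."
  read -r -p " > Domain: " DOMAIN
  echo " To import the certificates and restart FileMaker Server, enter the FileMaker Admin Console credentials:"
  read -r -s -p " > Username: " FAC_USER
  echo ""
  read -r -s -p " > Password: " FAC_PASS
  echo ""
  echo " Do you want to restart FileMaker Server after the certificate is generated?"
  read -r -p " > Restart (0 for no, 1 for yes): " RESTART_SERVER
  echo " Do you want to generate a test certificate?"
  read -r -p " > Test Validation (0 for no, 1 for yes): " TEST_CERTIFICATE
  echo " Enter the AWS Access Key for AWS user account."
  read -r -p " > AWS key: " AWS_KEY
  echo " Enter the AWS Access Secret for AWS user account."
  # -s: do not echo the secret back to the terminal (it was echoed before).
  read -r -s -p " > AWS secret: " AWS_SECRET
  echo ""
  # NOTE(review): AWS_KEY and AWS_SECRET are not referenced anywhere else in
  # this script, so in prompt mode they never reach certbot. Presumably the
  # dns-route53 plugin obtains its AWS credentials some other way (its own
  # environment or AWS config) — confirm with the maintainers whether these
  # were meant to be exported under the names the AWS SDK reads.
  # Default FORCE_RENEW so the later `-eq 1` test never sees an unset variable
  # (the question is only asked when no test certificate was requested).
  FORCE_RENEW=0
  if [[ "$TEST_CERTIFICATE" -eq 0 ]] ; then
    echo " Do you want to force renew the certificate?"
    read -r -p " > Force Renew (0 for no, 1 for yes): " FORCE_RENEW
  fi
fi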
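# DO NOT EDIT - FileMaker Directories
# CERTBOTPATH is used as certbot's --config-dir/--work-dir/--logs-dir and as
# the root under which live/<DOMAIN>/ is looked up later. Requires err().
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
  CERTBOTPATH="/opt/FileMaker/FileMaker Server/CStore/Certbot"
elif [[ "$OSTYPE" == "darwin"* ]]; then
  CERTBOTPATH="/Library/FileMaker Server/CStore/Certbot"
else
  # No known install location on other systems; say so explicitly instead of
  # letting `set -u` trip on an unset CERTBOTPATH further down.
  err "[ERROR] Unsupported OS type '${OSTYPE}'. This script supports Linux (Ubuntu) and macOS only."
  exit 1
fi
# Set up paths for necessary directories
if [[ ! -e "$CERTBOTPATH" ]] ; then
  err "[WARNING] $CERTBOTPATH not found. Certificate likely does not exist."
  exit 1
fi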
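echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
# run the certbot command
# DOMAIN is both certbot's --cert-name and the directory name looked up under
# $CERTBOTPATH/live below, so it must be a single, non-empty path component.
# An empty value would also drop the --cert-name argument entirely.
if [[ -z "${DOMAIN:-}" || "$DOMAIN" == */* || "$DOMAIN" == "." || "$DOMAIN" == ".." ]] ; then
  err "[ERROR]: DOMAIN must be a non-empty certificate name without '/' (the folder name under ${CERTBOTPATH}/live)."
  exit 1
fi
# Build the argument list once; the invocations only differ in
# --dry-run (test certificate) and --force-renew.
# FORCE_RENEW defaults to off when the conf file does not set it.
certbot_args=(renew --dns-route53 --cert-name "$DOMAIN")
if [[ "$TEST_CERTIFICATE" -eq 1 ]] ; then
  echo "Generating test certificate request."
  certbot_args+=(--dry-run)
else
  echo "Generating certificate request."
  if [[ "${FORCE_RENEW:-0}" -eq 1 ]] ; then
    certbot_args+=(--force-renew)
  fi
fi
certbot_args+=(--config-dir "$CERTBOTPATH" --work-dir "$CERTBOTPATH" --logs-dir "$CERTBOTPATH")
# -E keeps the exported conf-file variables visible to certbot under sudo.
# capture return code for running certbot command
RETVAL=0
sudo -E certbot "${certbot_args[@]}" || RETVAL=$?
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
if [[ $RETVAL != 0 ]] ; then
  err "[ERROR]: Certbot returned with a nonzero failure code. Check $CERTBOTPATH/letsencrypt.log for more information."
  exit 1
fi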
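# Resolve the live/<DOMAIN>/*.pem entries (typically symlinks) so the
# ownership change and the paths handed to fmsadmin refer to the real files.
CERTFILEPATH=$(sudo -E realpath "$CERTBOTPATH/live/$DOMAIN/fullchain.pem")
PRIVKEYPATH=$(sudo -E realpath "$CERTBOTPATH/live/$DOMAIN/privkey.pem")
# grant fmserver:fmsadmin group ownership
# Each file is checked and chowned in the same branch, and a failed chown is
# fatal instead of being ignored. chown only changes ownership: the key keeps
# whatever mode bits certbot created it with. Requires err().
if sudo -E test -f "$PRIVKEYPATH"; then
  if ! sudo -E chown fmserver:fmsadmin "$PRIVKEYPATH"; then
    err "[ERROR]: Could not change ownership of $PRIVKEYPATH."
    exit 1
  fi
else
  err "[ERROR]: An error occurred with certificate renewal. No private key found."
  exit 1
fi
if sudo -E test -f "$CERTFILEPATH"; then
  if ! sudo -E chown fmserver:fmsadmin "$CERTFILEPATH"; then
    err "[ERROR]: Could not change ownership of $CERTFILEPATH."
    exit 1
  fi
else
  err "[ERROR]: An error occurred with certificate renewal. No certificate found."
  exit 1
fi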
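# if we are testing, we don't need to import/restart
if [[ "$TEST_CERTIFICATE" -eq 1 ]] ; then
  exit 0
fi
# run fmsadmin import certificate
echo "Importing Certificates:"
echo "Certificate: $CERTFILEPATH"
echo "Private key: $PRIVKEYPATH"
# SECURITY: the Admin Console username and password are passed to fmsadmin as
# command-line arguments, so they are visible in the process table (ps) to
# other local users while the import runs, and sudo typically logs the full
# command line. Nothing in this script provides an alternative; run it on a
# host where that exposure is acceptable, or check whether the installed
# fmsadmin can take credentials another way. Values are quoted so a password
# containing spaces or glob characters is passed intact. Requires err().
RETVAL=0
sudo -E fmsadmin certificate import "$CERTFILEPATH" --keyfile "$PRIVKEYPATH" -y -u "$FAC_USER" -p "$FAC_PASS" || RETVAL=$?
# Capture return code for running fmsadmin command
if [ "$RETVAL" != 0 ] ; then
  err "[ERROR]: FileMaker Server was unable to import the generated certificate."
  exit 1
fi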
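# check if user wants to restart server
# Stops FileMaker Server if it is running, polls until the process is gone or
# MAX_WAIT_AMOUNT polls (10 s apart) have elapsed, then starts it again.
# MAX_WAIT_AMOUNT comes from the conf file and counts iterations, not seconds.
# Requires isServerRunning() (returns 1 when running) and err().
if [[ "$RESTART_SERVER" == 1 ]] ; then
  echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
  echo "Restarting FileMaker Server."
  isServerRunning
  serverIsRunning=$?
  if [ "$serverIsRunning" -eq 1 ] ; then
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
      sudo service fmshelper stop
    elif [[ "$OSTYPE" == "darwin"* ]]; then
      sudo launchctl stop com.filemaker.fms
    fi
  fi
  waitCounter=0
  while [[ "$waitCounter" -lt "$MAX_WAIT_AMOUNT" ]] && [[ "$serverIsRunning" -eq 1 ]]
  do
    sleep 10
    isServerRunning
    serverIsRunning=$?
    echo "Waiting for FileMaker Server process to terminate..."
    # `waitCounter=$((waitCounter++))` assigned the old value back, so the
    # counter never advanced and the loop only ended when the process died.
    waitCounter=$((waitCounter + 1))
  done
  # The start is issued regardless, but say so when the wait ran out.
  if [[ "$serverIsRunning" -eq 1 ]] ; then
    err "[WARNING] FileMaker Server process still running after ${waitCounter} wait intervals; issuing start anyway."
  fi
  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
    sudo service fmshelper start
  elif [[ "$OSTYPE" == "darwin"* ]]; then
    sudo launchctl start com.filemaker.fms
  fi
fi
echo "Lets Encrypt certificate renew script completed without any errors."
exit 0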