add a very simple scp deployment

2025-05-09 09:12:44 +00:00 · 2017-08-21 19:41:57 +02:00 · 2017-08-21 19:41:57 +02:00 · 4388c93386
commit 4388c93386
parent 6a524bff9d
1 changed files with 145 additions and 0 deletions
--- a/deploy/scp.sh
+++ b/deploy/scp.sh
@ -0,0 +1,145 @@
+#!/usr/bin/env sh
+
+##########################################################################
+# This is a very simple deployment script to move certificates to a remote
+# server. The deployment uses scp (the remote cp method of ssh) and simply
+# drops certs into a target directory. Targets have the original scp format
+# e.g. like:
+#
+#   server.com:/var/spool/acme.sh/certs/
+#   user@server.com:/var/spool/acme.sh/certs/
+#   configuredserver:/var/spool/acme.sh/certs/
+#
+# You may use something like "configuredserver" which is the name of a host
+# configuration in the ~/.ssh/config file. If you have a more complex setup
+# like different ports, identity files, users or hostnames you are strongly
+# encouraged to use an entry in your ~/.ssh/config file. This saves this
+# little script from reimplementing every possible scp switch.
+#
+# You might wanto to configure ssh on the target server to use a special
+# account with key based authentication and allow scp only. Have a further
+# look at the rssh shell to allow scp only. You might as well put the user
+# into a chroot.
+#
+# The main reason for this form of deployment is, that the acme.sh script
+# can run in a safe and controlled environment. The acme.sh script needs
+# detailed and sensitive information e.g. like your acme private keys or
+# your dns providers credentials. Information like this you certainly don't
+# want to have lying around on your public webserver.
+#
+# Further deployment of the certificates should be handled by a cron job on
+# the remote server. That remote script could then move the new cert's to
+# their proper position, set file owner and permissions and restart the
+# belonging service.
+#
+# An example script for apache (on debian systems) might be:
+#
+#    #!/usr/bin/env sh
+#    chown root:root /var/spool/acme.sh/certs/*
+#    mv /var/spool/acme.sh/certs/* /etc/apache2/ssl.crt/
+#    systemctl restart apache2
+#
+# To avoid misunderstandings, this script is NOT like other deployment
+# scripts that target a specific type of server (apache/cyrus/exim/...)
+# and do all ssl configuration for you. With this script YOU do all your
+# ssl configuration on your target server yourself. Then, and only after
+# the target server is properly configured, you use this script to deploy
+# the forthcoming LE certificates.
+
+# When called for the first time use the following env vars to setup the
+# configuration. The vars will be stored on a per domain basis.
+#DEPLOY_SCP_CA_TARGET="user@server.com:/etc/apache2/ssl.crt"
+#DEPLOY_SCP_KEY_TARGET="user@server.com:/etc/apache2/ssl.key"
+#DEPLOY_SCP_CERT_TARGET="user@server.com:/etc/apache2/ssl.crt"
+#DEPLOY_SCP_FULLCHAIN_TARGET="user@server.com:/etc/apache2/ssl.crt"
+
+########  public functions #####################
+
+#domain keyfile certfile cafile fullchain
+scp_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _SCP_check_params
+  if [ "$?" -ne 0 ]; then
+    _err "Please specify at least one scp target. For instance:"
+    _info "DEPLOY_SCP_CERT_TARGET=\"user@server.com:/etc/apache2/ssl.crt\""
+    _info "The target directory has to be writable by the user."
+    _info "See the header of this script for more information."
+    return 1
+  fi
+
+  _debug _cdomain "$_cdomain"
+  _debug _cca "$_cca"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ ! -z "$DEPLOY_SCP_CA_TARGET" ]; then
+    scp "$_cca" "$DEPLOY_SCP_CA_TARGET"
+    if [ "$?" -ne 0 ]; then
+      _err "scp copy to server failed"
+      return 1
+    fi
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_KEY_TARGET" ]; then
+    scp "$_ckey" "$DEPLOY_SCP_KEY_TARGET"
+    if [ "$?" -ne 0 ]; then
+      _err "scp copy to server failed"
+      return 1
+    fi
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_CERT_TARGET" ]; then
+    scp "$_ccert" "$DEPLOY_SCP_CERT_TARGET"
+    if [ "$?" -ne 0 ]; then
+      _err "scp copy to server failed"
+      return 1
+    fi
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_FULLCHAIN_TARGET" ]; then
+    scp "$_cfullchain" "$DEPLOY_SCP_FULLCHAIN_TARGET"
+    if [ "$?" -ne 0 ]; then
+      _err "scp copy to server failed"
+      return 1
+    fi
+  fi
+
+  return 0
+}
+
+####################  private functions below ##################################
+
+_SCP_check_params() {
+  # at least one of key, cert or fullchain must be set
+  if [ -z "$DEPLOY_SCP_KEY_TARGET" ] && [ -z "$DEPLOY_SCP_CERT_TARGET" ] && [ -z "$DEPLOY_SCP_FULLCHAIN_TARGET " ]; then
+    DEPLOY_SCP_CA_TARGET=""
+    DEPLOY_SCP_KEY_TARGET=""
+    DEPLOY_SCP_CERT_TARGET=""
+    DEPLOY_SCP_FULLCHAIN_TARGET=""
+    return 1
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_CA_TARGET" ]; then
+    _savedomainconf DEPLOY_SCP_CA_TARGET "${DEPLOY_SCP_CA_TARGET}"
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_KEY_TARGET" ]; then
+    _savedomainconf DEPLOY_SCP_KEY_TARGET "${DEPLOY_SCP_KEY_TARGET}"
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_CERT_TARGET" ]; then
+    _savedomainconf DEPLOY_SCP_CERT_TARGET "${DEPLOY_SCP_CERT_TARGET}"
+  fi
+
+  if [ ! -z "$DEPLOY_SCP_FULLCHAIN_TARGET" ]; then
+    _savedomainconf DEPLOY_SCP_FULLCHAIN_TARGET "${DEPLOY_SCP_FULLCHAIN_TARGET}"
+  fi
+
+  return 0
+}