@@ -1,79 +1,142 @@
#! /bin/bash
# registrar dns must have cname entry pointing host to @ for your public IP.
# gateway must be upnp capable and device subnet running this script must be able to create upnp mappings
# tested using ubuntu server 16.04 client and esxi 6.5 target
echo -e " \n...\e[32mImporting Variables\e[m...\n"
# Import domain
read -p $'
\e [32mEnter the domain name for the certificate in host.domain.tld format\e [m: ' DomainName
# Import email
read -p $'
\e [32mEnter the email for confirmation & renew notifications\e [m: ' Email
# Import esxi admin user
read -p $'
\e [32mEnter ESXi admin username\e [m: ' ESXiUser
# Import esxi host or IP
read -p $'
\e [32mEnter host or IP for the ESXi target\e [m: ' ESXiHost
echo -e " \n...\e[32mUpdating system and installing miniupnpc and letsencrypt\e[m...\n"
# update, upgrade, and install requirements
sudo apt update && sudo apt upgrade -y
sudo apt install miniupnpc letsencrypt -y
# prompt user to enable SSH on ESXi target
read -n 1 -s -r -p '
\e[32mConfirm that SSH access is enabled on $DomainName. Press any key to continue.\e[m'
echo -e " \n...\e[32mSSH key transfer from client to $ESXiHost \e[m...\n"
# check if rsa keypair exists. if true, copy to ESXi host authorized keys. else, create 4096 bit rsa key with no pass and export to ESXi host.
if [[ -e ~ /.ssh/id_rsa ]]; then
echo -e " \n...\e[32mClient RSA key exists. Copying to $ESXiHost and restarting SSH\e[m...\n"
cat ~ /.ssh/id_rsa.pub | ssh $ESXiUser @$ESXiHost " mkdir -p /etc/ssh/keys-$ESXiUser / && cat >> /etc/ssh/keys-$ESXiUser /authorized_keys && /etc/init.d/SSH restart"
else
echo -e " \n...\e[32mClient RSA key not found. Generating 4096 bit key\e[m...\n"
ssh-keygen -b 4096 -t rsa -f ~ /.ssh/id_rsa -q -N " "
echo -e " \n...\e[32mCopying client RSA key to $ESXiHost and restarting SSH\e[m...\n"
cat ~ /.ssh/id_rsa.pub | ssh $ESXiUser @$ESXiHost " mkdir -p /etc/ssh/keys-$ESXiUser / && cat >> /etc/ssh/keys-$ESXiUser /authorized_keys && /etc/init.d/SSH restart"
#
# # -------------------------------=[ Info ]=--------------------------------- ##
#
# Generate letsencrypt cert on local server and scp to esxi target.
# Designed and tested on Ubuntu 16.04LTS.
# Assumes you have upnp control over local network. Tested with Ubiquiti USG.
#
# Dependencies:
# miniupnpc (sudo apt install miniupnpc)
# certbot (sudo apt install certbot)
#
# # -=[ Author ]=------------------------------------------------------------- ##
#
# shr00mie
# 9.21.2018
# v0.4
#
# # -=[ Use Case ]=----------------------------------------------------------- ##
#
# Allows for the generation of certificates on a separate host which can then
# be securely copied to target esxi host.
#
# # -=[ Breakdown ]=---------------------------------------------------------- ##
#
# 1. Prompt for esxi target FQDN, reminder email, and esxi admin username
# 2. Check if ssh keys exist for target.
# - If keys exist, continue.
# - If keys don't exist:
# - Silently generate 4096 RSA key, no passphrase, user@target as comment.
# - Add key to ssh-agent
# - Create target folder/file structure for scp automation
# - Restart SSH service on target.
# 3. Enable port forwarding.
# 4. Generate 4096 bit letsencrypt cert
# 5. Backup existing cert with datetime suffix
# 6. Copy cert to target
# 7. Restart target services
# 8. Remove port forwarding
#
# # -=[ To-Do ]=-------------------------------------------------------------- ##
#
# change: PermitRootLogin yes -> PermitRootLogin no
# add: ChallengeResponseAuthentication no
# add: PasswordAuthentication no
#
# # -=[ Functions ]=---------------------------------------------------------- ##
# Usage: status "Status Text"
function status() {
GREEN=' \033[00;32m'
RESTORE=' \033[0m'
echo -e " \n...${GREEN} $1 ${RESTORE} ...\n"
}
# Usage: input "Prompt Text" "Variable Name"
function input() {
GREEN=' \033[00;32m'
RESTORE=' \033[0m'
echo -en " \n...${GREEN} $1 ${RESTORE} : "
read $2
echo -e " "
}
function pressanykey(){
GREEN=' \033[00;32m'
RESTORE=' \033[0m'
echo -en " \n...${GREEN} $1 and press any key to continue${RESTORE} ..."
read -r -p " " -n 1
}
# Importing Variables
status " Importing Variables"
# Read ESXiHost
input " Enter the FQDN for the certificate/host in host.domain.tld format" " ESXiHost"
# Read Email
input " Enter the email for confirmation & renewal notifications" " Email"
# Read ESXiUser
input " Enter ESXi target admin username" " ESXiUser"
# Prompt user to confirm/enable SSH on ESXi target
pressanykey " Confirm that SSH access is enabled on the esxi target: $ESXiHost "
# Check for existing ssh keys for esxi host
status " Checking for existing ssh keys for $ESXiHost "
if [[ -e ~ /.ssh/$ESXiHost ' _rsa' ]]
then
status " Keys for $ESXiHost exist. Continuing"
else
status " Keys for $ESXiHost not found. Generating 4096 bit keys"
# Generate 4096 bit key for user@target
ssh-keygen -b 4096 -t rsa -f ~ /.ssh/$ESXiHost ' _rsa' -q -N " " -C " $ESXiUser @$HOSTNAME LetsEncrypt"
status " Adding new key to ssh-agent"
# Add key to agent
eval ` ssh-agent` && ssh-add ~ /.ssh/$ESXiHost ' _rsa'
status " Configuring $ESXiHost for ssh access"
# Store key as variable
pubkey=` cat ~ /.ssh/$ESXiHost ' _rsa.pub' `
# Create directory for authorized user, copy key to target, set permissions,
# and restart ssh service on target.
ssh $ESXiUser @$ESXiHost " mkdir -p /etc/ssh/keys-$ESXiUser &&
echo $pubkey > /etc/ssh/keys-$ESXiUser /authorized_keys &&
chmod 700 -R /etc/ssh/keys-$ESXiUser &&
chmod 600 /etc/ssh/keys-$ESXiUser /authorized_keys &&
chown -R $ESXiUser /etc/ssh/keys-$ESXiUser &&
/etc/init.d/SSH restart"
fi
echo -e " \n...\e[32mEnabling https port forwarding to client for letsencrypt verification\e[m...\n"
# Enable UPnP https port forward for requesting device
upnpc -e " Let's Encrypt Temp SSL" -r 443 tcp
echo -e " \n...\e[32mRequesting 4096 bit certificate for $ESXiHost \e[m...\n"
# pull let's encrypt cert
sudo letsencrypt certonly --standalone --agree-tos -m $Email -d $DomainName --rsa-key-size 4096
echo -e " \n...\e[32mBacking up existing certificates on $ESXiHost \e[m...\n"
# backup existing SSL components on ESXi target
ssh $ESXiUser @$ESXiHost " mv /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.back"
ssh $ESXiUser @$ESXiHost " mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.back"
ssh $ESXiUser @$ESXiHost " mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.back"
echo -e " \n...\e[32mCoping letsencrypt certificates to $ESXiHost \e[m...\n"
# copy Let's Encrypt SSL componenets to ESXi target
sudo scp /etc/letsencrypt/live/$DomainName /fullchain.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/castore.pem
sudo scp /etc/letsencrypt/live/$DomainName /cert.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/rui.crt
sudo scp /etc/letsencrypt/live/$DomainName /privkey.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/rui.key
echo -e " \n...\e[32mRestarting services on $ESXiHost \e[m...\n"
# restart services on ESXi target
status " Enabling http(s) port forwarding to client for letsencrypt verification"
upnpc -e " letsencrypt http" -r 80 tcp
upnpc -e " letsencrypt https" -r 443 tcp
# Acquire letsencrypt cert
status " Requesting 4096 bit certificate for $ESXiHost "
sudo certbot certonly --standalone --preferred-challenges tls-sni --agree-tos -m $Email -d $ESXiHost --rsa-key-size 4096
# Backup existing SSL components on ESXi target
status " Backing up existing certificates on $ESXiHost "
time=$( date +%Y.%m.%d_%H:%M:%S)
ssh $ESXiUser @$ESXiHost " cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.back.$time "
ssh $ESXiUser @$ESXiHost " cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.back.$time "
ssh $ESXiUser @$ESXiHost " cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.back.$time "
# Copy letsencrypt cert to ESXi target
status " Coping letsencrypt cert to $ESXiHost "
sudo scp /etc/letsencrypt/live/$ESXiHost /fullchain.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/castore.pem
sudo scp /etc/letsencrypt/live/$ESXiHost /cert.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/rui.crt
sudo scp /etc/letsencrypt/live/$ESXiHost /privkey.pem $ESXiUser @$ESXiHost :/etc/vmware/ssl/rui.key
# Restart services on ESXi target
status " Restarting services on $ESXiHost "
ssh $ESXiUser @$ESXiHost " services.sh restart"
echo -e " \n...\e[32mRemoving https port forwarding\e[m...\n"
# Disable UPnP https port forward
upnpc -d 443 tcp
status " Removing http(s) port forwarding"
upnpc -d 80 tcp
upnpc -d 443 tcp
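Review bot: The UPnP mappings opened at `upnpc -e " letsencrypt http" -r 80 tcp` and `-r 443 tcp` are only torn down by the two final `upnpc -d` lines, and the script has neither `set -e` nor a `trap`, so an interrupt or an earlier failing step (certbot, an ssh password prompt) leaves inbound 80/443 forwarded from the gateway to this client. Register the cleanup before opening them, `trap 'upnpc -d 80 tcp; upnpc -d 443 tcp' EXIT`, so the mappings are removed on every exit path. In the key-install block the remote command `echo $pubkey > /etc/ssh/keys-$ESXiUser/authorized_keys` replaces whatever keys the target already has, where the previous `cat >>` appended; `>>` keeps existing access intact. The `sudo scp` lines run as root and so do not use the `~/.ssh/${ESXiHost}_rsa` key that was generated and `ssh-add`ed under the invoking user (unless sudoers keeps SSH_AUTH_SOCK), which likely makes those copies fall back to password authentication; passing the key explicitly with `-i` on the scp lines would close that gap.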