From a184866de3fcf928120749a12c230666ebf02c5b Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Fri, 23 Jul 2021 17:53:42 -0600
Subject: [PATCH] refactor(entrypoint): remove export function

- never a need to export keypair, cert is always enough
---
 build/entrypoint.sh | 87 ++++++++++++++++++++++----------------------
 1 file changed, 42 insertions(+), 45 deletions(-)

diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index 7b60508..5ca934f 100644
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@@ -5,8 +5,27 @@
 #
 # functions
 
+certificateCheckEnabled() {
+    if [ "$httpsEnabled" != "TRUE" ]; then
+        printf "\nSSL/TLS not enabled. Please set LR_HTTPS=TRUE if you want to enable SSL/TLS.\n"
+        exit 1
+    fi
+}
+
+certificateCheckExist() {
+    if [ -n "$(find /certs/ -type d -empty -print)" ]; then
+        printf "noexist"
+    elif ! [ -r "/certs/fullchain.pem" ]; then
+        printf "noread_certificate"
+    elif ! [ -r "/certs/privkey.pem" ]; then
+        printf "noread_key"
+    else
+        printf "ok"
+    fi
+}
+
 certificateGenerateNew() {
-    # generate self-signed certificate
+    # generate self-signed certificate and export as PFX
     printf "\nGenerating new self-signed certificate:\n"
     # shellcheck disable=SC3028
     if [ -z "$CERT_HOSTNAME" ]; then export CERT_HOSTNAME="$HOSTNAME"; fi
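Review bot: The comment rewritten on the new side of certificateGenerateNew, `# generate self-signed certificate and export as PFX`, contradicts this commit: the PFX export (and its fixed `pass:cert1234` password) is removed in the following hunk, so the comment now describes behaviour that no longer exists; suggest `# generate self-signed certificate (PEM: fullchain.pem + privkey.pem)`. certificateCheckExist reports its result as one of four stdout tokens that the server pre-flight later switches on, so a header comment naming them, e.g. `# prints one of: noexist | noread_certificate | noread_key | ok`, would keep producer and consumer in sync when either is edited. certificateGenerateNew's body continues past the end of the hunk.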
@@ -14,18 +33,11 @@ certificateGenerateNew() {
         printf "\nUnable to generate certificate. Is your 'certs' directory writable by this container?\n\n"
         exit 55
     fi
-    printf "Exporting pfx certificate..."
-    if ! openssl pkcs12 -export -in /certs/fullchain.pem -inkey /certs/privkey.pem -out "/certs/${CERT_HOSTNAME}.pfx" -name "LiveReload" -passout pass:cert1234; then
-        printf "\nUnable to export generated certificate as PFX.\n\n"
-        exit 56
-    fi
 
     # print message to user
     printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
     printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
-    printf "If you need to import them to a Windows machine, please use the '%s.pfx' file with password 'cert1234'.\n\n" "$CERT_HOSTNAME"
-
-    if [ "$1" != "noexit" ]; then exit 0; fi
+    printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
 }
 
 certificateShow() {
@@ -34,25 +46,11 @@ certificateShow() {
     exit 0
 }
 
-certificateExport() {
-    certificateCheckEnabled
-    printf "\nExporting currently loaded certificate:\n"
-    exit 0
-}
-
-certificateCheckEnabled() {
-    if [ "$httpsEnabled" != "TRUE" ]; then
-        printf "\nSSL/TLS not enabled. Please set LR_HTTPS=TRUE if you want to enable SSL/TLS.\n"
-        exit 1
-    fi
-}
-
 convertCaseUpper() {
     printf "%s" "$1" | tr "[:lower:]" "[:upper:]"
 }
 
 # default variable values
-doCertExport=0
 doCertNew=0
 doCertShow=0
 doServer=0
@@ -73,13 +71,10 @@ new-cert)
 show-cert)
     doCertShow=1
     ;;
-export-cert)
-    doCertExport=1
-    ;;
 *)
     # invalid or unknown option
     printf "\nUnknown action requested: %s\n" "$1"
-    printf "Valid actions: [listen | server | run | start] | shell | new-cert | show-cert | export-cert\n\n"
+    printf "Valid actions: [listen | server | run | start] | shell | new-cert | show-cert\n\n"
     exit 1
     ;;
 esac
@@ -91,23 +86,26 @@ if [ "$doServer" -eq 1 ]; then
     # https pre-flight check
     if [ "$httpsEnabled" = "TRUE" ]; then
         printf "[SSL/TLS mode enabled]\n"
-        if [ -n "$(find /certs/ -type d -empty -print)" ]; then
-            printf "[Generating certificate]\n"
-            # certs directory is empty --> auto-generate certificates
-            certificateGenerateNew 'noexit'
-        else
-            # certs directory contains certificates --> check if they can read
-            printf "[Checking mounted certificate]\n"
-            if ! [ -r "/certs/fullchain.pem" ]; then
+        certStatus="$(certificateCheckExist)"
+        case "$certStatus" in
+        noexist)
+            printf "[Generating certificate]\n"
+            certificateGenerateNew
+            ;;
+        noread_certificate)
+            printf "[Checking mounted certificate]"
                 printf "\nERROR: SSL/TLS mode selected but unable to read certificate!\n\n"
                 exit 51
-            fi
-            if ! [ -r "/certs/privkey.pem" ]; then
+            ;;
+        noread_key)
+            printf "[Checking mounted certificate]"
                 printf "\nERROR: SSL/TLS mode selected but unable to read private key!\n\n"
                 exit 52
-            fi
-        fi
-        printf "[Certificate OK]\n"
+            ;;
+        ok)
+            printf "[Certificate OK]\n"
+            ;;
+        esac
     fi
     exec node livereload.js
     exit "$?"
@@ -127,14 +125,14 @@ if [ "$doShell" -eq 1 ]; then
 fi
 
 # action: generate new self-signed certificate
-if [ "$doCertNew" -eq 1 ]; then certificateGenerateNew; fi
+if [ "$doCertNew" -eq 1 ]; then
+    certificateGenerateNew
+    exit 0
+fi
 
 # action: show loaded certificate
 if [ "$doCertShow" -eq 1 ]; then certificateShow; fi
 
-# action: export loaded certificate
-if [ "$doCertExport" -eq 1 ]; then certificateExport; fi
-
 # failsafe exit - terminate with code 99: this code should never be executed!
 exit 99
 
@@ -146,7 +144,6 @@ exit 99
 # 51: unable to read certificate/chain
 # 52: unable to read private key
 # 55: unable to generate new certificate
-# 56: unable to export certificate, likely write error
 # 99: code error
 
 #EOF
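Review bot: The new `case "$certStatus" in` in the server pre-flight has no default arm, so any value other than the four known tokens (for instance an empty string if certificateCheckExist's output were ever changed or its stdout captured differently) matches nothing and control falls through to `exec node livereload.js` with the certificate unchecked; adding `*) printf "\nERROR: unexpected certificate status '%s'\n\n" "$certStatus"; exit 99 ;;` before `esac` closes that gap and reuses the file's existing code 99 for "should never happen" paths. The `printf "\nERROR: ..."` and `exit 51`/`exit 52` context lines inside the noread_* arms keep their old 16-space indentation from the removed nested ifs and now sit deeper than the arms' own lines; re-indenting them to 12 spaces would make the case block read consistently. The enclosing `if [ "$doServer" -eq 1 ]` block starts before the hunk.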