fix cert bundle renewal & empty cert list (#158).

HappyBasher · HappyBasher · commit 79924bf07b00 · 2025-04-25T12:26:23.000+02:00
diff --git a/sbin/linuxmuster-renew-certs b/sbin/linuxmuster-renew-certs
@@ -2,7 +2,7 @@
 #
 # renew self-signed server certs
 # thomas@linuxmuster.net
-# 20250409
+# 20250425
 #
 
 import datetime
@@ -21,7 +21,7 @@ def usage():
     print('Usage: linuxmuster-renew-certs [options]')
     print(' [options] may be:')
     print(' -c <list>, --certs=<list> : Comma separated list of certificates to be renewed')
-    print('                             ("ca", "server" and/or "firewall" or "all").')
+    print('                             ("ca", "server" and/or "firewall" or "all"). Mandatory.')
     print(' -d <#>,    --days=<#>     : Set number of days (default: 7305).')
     print(' -f,        --force        : Skip security prompt.')
     print(' -n,        --dry-run      : Test only if the firewall certs can be renewed.')
@@ -45,6 +45,7 @@ force = False
 reboot = False
 days = '7305'
 all_list = ['ca', 'server', 'firewall']
+cert_list = []
 
 
 # open logfile
@@ -86,6 +87,10 @@ for o, a in opts:
         assert False, "unhandled option"
         usage()
         sys.exit(1)
+if len(cert_list) == 0:
+    printScript('No certs to renew given (-c)!')
+    usage()
+    sys.exit(1)
 
 
 # get setup values
@@ -214,10 +219,12 @@ def renewCert(item):
     if item == 'ca':
         pem = cacert
     else:
+        key = ssldir + '/' + name + '.key.pem'
         pem = ssldir + '/' + name + '.cert.pem'
         csr = ssldir + '/' + name + '.csr'
         cnf = ssldir + '/' + name + '_cert_ext.cnf'
         chn = ssldir + '/' + name + '.fullchain.pem'
+        bdl = ssldir + '/' + name + '.cert.bundle.pem'
     b64 = pem + '.b64'
     b64_old = b64 + '_old'
     if name == 'firewall' or name == 'ca':
@@ -235,6 +242,7 @@ def renewCert(item):
             subProc('openssl x509 -req -in ' + csr + ' -CA ' + cacert + ' ' + cakey_passin + ' -CAkey '
                 + cakey + ' -CAcreateserial -out ' + pem + ' -days ' + days + ' -sha256 -extfile ' + cnf, logfile)
             catFiles([pem, cacert], chn)
+            catFiles([key, pem], bdl)
         if name == 'firewall' or name == 'ca':
             shutil.copyfile(b64, b64_old)
             subProc('base64 -w0 ' + pem + ' > ' + b64, logfile)
