mb-admin/scripts/generate-self-signed-cert.sh

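#!/bin/bash
# Generate a temporary self-signed TLS certificate for a domain.
# Intended for staging environments on AlmaLinux/RHEL/CentOS.
#
# Usage: generate-self-signed-cert.sh <domain> [days] [keys_dir]
#   domain    FQDN, e.g. example.staging.local
#   days      Validity in days (default: 30)
#   keys_dir  Directory to write keys/certs (default: /var/lib/jelastic/keys)
#
# Outputs (all inside keys_dir): <domain>.key (0600), <domain>.cer,
# <domain>.fullchain.pem, plus the generic cert.pem / fullchain.pem / ca.cer
# copies that other tooling expects (0644).
#
# Exit status: 0 on success, 1 on a usage/validation error, 2 when openssl is
# not installed, otherwise the status of the openssl command that failed.
set -euo pipefail

DOMAIN="${1:-}"
DAYS="${2:-30}"
KEYS_DIR="${3:-/var/lib/jelastic/keys}"

#######################################
# Print one or more message lines to stderr and exit.
# Arguments: $1 - exit status, $2.. - message lines
#######################################
die() {
  local status=$1
  shift
  printf '%s\n' "$@" >&2
  exit "$status"
}

#######################################
# Run a command with stdout discarded. Its stderr is hidden while it succeeds
# (openssl is chatty) but printed when it fails, so an error is never silent.
# Arguments: the command and its arguments
# Returns:   does not return on failure; exits with the command's own status
#######################################
run_quiet() {
  local rc=0 err
  # 2>&1 before >/dev/null: stderr goes into the captured output, stdout is dropped.
  err=$("$@" 2>&1 >/dev/null) || rc=$?
  if (( rc != 0 )); then
    printf '[ERROR] %s failed (exit %d):\n' "$1" "$rc" >&2
    printf '%s\n' "$err" >&2
    exit "$rc"
  fi
}

if [[ -z "$DOMAIN" ]]; then
  die 1 "Usage: $0 <domain> [days] [keys_dir]"
fi

# DOMAIN becomes part of output filenames and is interpolated into the openssl
# request config below, so it must be a plain hostname: no path separators,
# no "..", no whitespace or newlines that could add config directives.
readonly DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if [[ ! "$DOMAIN" =~ $DOMAIN_RE ]]; then
  die 1 "[ERROR] Invalid domain name: ${DOMAIN}"
fi

# Validity must be a positive integer; otherwise openssl rejects -days, and
# with its output discarded that failure used to be invisible.
if [[ ! "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  die 1 "[ERROR] days must be a positive integer, got: ${DAYS}"
fi

if ! command -v openssl >/dev/null 2>&1; then
  die 2 "[ERROR] openssl not found. Please install openssl."
fi

mkdir -p -- "$KEYS_DIR" || die 1 "[ERROR] Cannot create directory: ${KEYS_DIR}"
cd -- "$KEYS_DIR" || die 1 "[ERROR] Cannot enter directory: ${KEYS_DIR}"

KEY_FILE="${DOMAIN}.key"
CRT_FILE="${DOMAIN}.cer"
CHAIN_FILE="${DOMAIN}.fullchain.pem"

# The request config lives in a temp file that is removed on every exit path;
# previously the rm ran only after a successful openssl req, so a failure
# under set -e left the file behind.
TMP_CONF=$(mktemp) || die 1 "[ERROR] mktemp failed"
cleanup() { rm -f -- "$TMP_CONF"; }
trap cleanup EXIT

# Create the private key under a restrictive umask instead of relying solely
# on the chmod at the end: with the default umask the key was world-readable
# from genrsa until chmod 0600, and stayed so if the script aborted in between.
umask 077
printf '[INFO] Generating RSA key (%s)…\n' "$KEY_FILE"
run_quiet openssl genrsa -out "$KEY_FILE" 2048

cat >"$TMP_CONF" <<CONF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = ${DOMAIN}
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}
CONF

printf '[INFO] Creating self-signed certificate valid for %s days (%s)…\n' "$DAYS" "$CRT_FILE"
run_quiet openssl req -x509 -new -nodes -key "$KEY_FILE" -sha256 -days "$DAYS" \
  -out "$CRT_FILE" -config "$TMP_CONF"

# Build a fullchain (for a self-signed cert this is just the leaf itself,
# kept under the usual name for compatibility)
cp -f -- "$CRT_FILE" "$CHAIN_FILE"
# Maintain generic filenames used by other tooling. Note that ca.cer is the
# self-signed leaf itself, not a separate CA certificate.
cp -f -- "$CRT_FILE" cert.pem
cp -f -- "$CHAIN_FILE" fullchain.pem
cp -f -- "$CRT_FILE" ca.cer

# Certificates are public; the key stays owner-only (umask 077 already made a
# fresh key 0600, the chmod keeps that true when genrsa overwrote an existing
# key file whose mode was preserved).
chmod 0644 "$CRT_FILE" "$CHAIN_FILE" cert.pem fullchain.pem ca.cer
chmod 0600 "$KEY_FILE"

printf '[SUCCESS] Self-signed certificate created:\n'
printf ' Key: %s\n' "$KEYS_DIR/$KEY_FILE"
printf ' Cert: %s\n' "$KEYS_DIR/$CRT_FILE"
printf ' Fullchain: %s\n' "$KEYS_DIR/$CHAIN_FILE"
printf '[NOTE] Apply/reload your web server to use the new certificate.\n'
exit 0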