echr
3/13/2019 - 1:06 AM

Update openfire keystore with Letsencrypt stuff

Update openfire keystore with Letsencrypt stuff

#!/bin/bash

#
# @author https://github.com/guusdk
#

# Checks a known location where Let's Encrypt keys/certificates will spontaneously appear.
# When the files are detected, they are used to generate a new keystore, which then
# replaces the Openfire keystore.
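set -euo pipefail

# Input/output locations. Each may be overridden from the environment; the
# defaults are the original deployment values.
PRIVKEY=${PRIVKEY:-/etc/letsencrypt/live/ourdomain/privkey.pem}
CHAIN=${CHAIN:-/etc/letsencrypt/live/ourdomain/fullchain.pem}
OPENFIRESTORE=${OPENFIRESTORE:-/opt/openfire/resources/security/keystore}
PASSWORD=${PASSWORD:-changeit}

# No changes needed below.

if [[ -f "$PRIVKEY" && -f "$CHAIN" ]]; then

  # Both intermediate files contain the private key. Build them in a fresh
  # mktemp directory (mode 0700, unpredictable name) instead of the fixed
  # /tmp/keystore{,.p12} names, which were world-visible and could be
  # pre-created by another local user; the directory is removed on every exit
  # path so the PKCS12 archive never lingers after the run.
  workdir=$(mktemp -d) || exit 1
  trap 'rm -rf -- "${workdir:?}"' EXIT
  PKCS12ARCHIVE=$workdir/keystore.p12
  TMPKEYSTORE=$workdir/keystore

  # Hand the store password to openssl/keytool through the environment rather
  # than argv, so it does not show up in `ps` output for other users.
  export STOREPASS=$PASSWORD

  # Import Let's Encrypt data in PKCS12 archive.
  openssl pkcs12 \
    -export \
    -out "$PKCS12ARCHIVE" \
    -inkey "$PRIVKEY" \
    -in "$CHAIN" \
    -password env:STOREPASS

  # Create new Java keystore based on PKCS12 archive.
  keytool -importkeystore \
    -destkeystore "$TMPKEYSTORE" \
    -deststorepass:env STOREPASS \
    -srcstoretype PKCS12 \
    -srcstorepass:env STOREPASS \
    -srckeystore "$PKCS12ARCHIVE"

  # Set owner for new file; the store holds the private key, so restrict it to
  # the Openfire user (keytool otherwise leaves it at the umask default).
  chown daemon:daemon "$TMPKEYSTORE"
  chmod 0600 "$TMPKEYSTORE"

  # Backup old Openfire keystore (nothing to back up on a first run).
  if [[ -f "$OPENFIRESTORE" ]]; then
    cp -p -- "$OPENFIRESTORE" "$OPENFIRESTORE-backup-$(date +%s)"
  fi

  # Move new store in place.
  mv -- "$TMPKEYSTORE" "$OPENFIRESTORE"

  # Remove Let's Encrypt source data to prevent another execution. Done last,
  # so a failing openssl/keytool step does not delete the inputs before the
  # new store has actually been installed.
  rm -- "$PRIVKEY" "$CHAIN"
fi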