#!/bin/bash
# Make a key and certificate for a server.
#
# Arguments:
#   hostname (if absent, will use contents of /etc/hostname as certificate
#     common name)
#
# © 2012, Multapplied Networks, Inc.
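set -e
# ca-vars supplies PRIVATE_DIR, CSRS_DIR, BONDINGADMIN_DIR, CA_CERT, CONFIG,
# OPENSSL, HTTPD_USER and HTTPD_GROUP for everything below.
. /usr/share/bondingadmin/default/ca-vars

# Refuse to run with empty path settings: an empty PRIVATE_DIR would put the
# key at "/<host>.key.pem" and an empty BONDINGADMIN_DIR makes "cd" a no-op.
: "${BONDINGADMIN_DIR:?must be set by ca-vars}"
: "${PRIVATE_DIR:?must be set by ca-vars}"
: "${CSRS_DIR:?must be set by ca-vars}"
: "${CA_CERT:?must be set by ca-vars}"
: "${HTTPD_USER:?must be set by ca-vars}"

# Certificate common name: the first argument, else the system hostname.
# $(...) drops the trailing newline that /etc/hostname carries.
if [ $# -lt 1 ]; then
    HOSTNAME=$(cat /etc/hostname)
else
    HOSTNAME="$1"
fi

# The name is spliced into file paths and into the X.509 subject, so an
# empty name or one containing "/" cannot be used safely.
case "$HOSTNAME" in
    ''|*/*)
        echo "Invalid hostname: '$HOSTNAME'" >&2
        exit 1
        ;;
esac

LOCAL_KEY="$PRIVATE_DIR/$HOSTNAME.key.pem"
LOCAL_CSR="$CSRS_DIR/$HOSTNAME-server.csr.pem"
# Use the same binary for the x509 and req invocations below.
OPENSSL_BIN=${OPENSSL:-openssl}

# NOTE(review): presumably $CONFIG refers to paths relative to this
# directory — confirm before moving this "cd".
cd "$BONDINGADMIN_DIR"

# Make local host key and CSR
if [ ! -f "$LOCAL_KEY" ]; then
    echo "Writing local key and CSR..."

    # Reuse the CA's subject with the CN replaced by this host.  With
    # -nameopt compat the output looks like "subject=/C=../O=../CN=.."
    # (older releases put a space after the "="), so strip the label, a
    # leading blank if present, and everything from the first "/CN=" on.
    # Parameter expansion replaces the former sed call so that "/" or "&"
    # in the name cannot alter the substitution.
    CA_SUBJECT=$("$OPENSSL_BIN" x509 -in "$CA_CERT" -nameopt compat -noout -subject)
    SUBJECT=${CA_SUBJECT#subject=}
    SUBJECT=${SUBJECT# }
    SUBJECT="${SUBJECT%%/CN=*}/CN=$HOSTNAME"

    # Create the key unreadable by group and others, then restore the
    # caller's umask instead of assuming it was 022.
    OLD_UMASK=$(umask)
    umask 077
    "$OPENSSL_BIN" req -config "$CONFIG" -new -nodes \
        -out "$LOCAL_CSR" -keyout "$LOCAL_KEY" -subj "$SUBJECT"
    chown "$HTTPD_USER:$HTTPD_GROUP" "$LOCAL_KEY" "$LOCAL_CSR"
    chmod 644 "$LOCAL_CSR"   # the CSR holds no secret; the key stays 0600
    umask "$OLD_UMASK"

    # Run sign-bonding-cert as the httpd user so the lock file it creates
    # is not owned by root.
    CURRENT_USER=$(id -un)
    if [ "$CURRENT_USER" != "$HTTPD_USER" ]; then
        sudo -u "$HTTPD_USER" /usr/sbin/sign-bonding-cert "$HOSTNAME" "$LOCAL_CSR" "server"
    else
        /usr/sbin/sign-bonding-cert "$HOSTNAME" "$LOCAL_CSR" "server"
    fi

    rm -f -- "$LOCAL_CSR"
else
    echo "Local key already exists at $LOCAL_KEY, not generating key or CSR."
fi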
