better cert

hiddify · Oct 24, 2023 · 61cd95c · 61cd95c
1 parent d54e2d5
commit 61cd95c
Show file tree

Hide file tree

Showing 9 changed files with 102 additions and 91 deletions.
diff --git a/acme.sh/cert_utils.sh b/acme.sh/cert_utils.sh
@@ -0,0 +1,83 @@
+function get_cert() {
+    cd /opt/hiddify-manager
+    source ./lib/acme.sh.env
+    DOMAIN=$1
+    ssl_cert_path=../ssl
+    mkdir -p /opt/hiddify-manager/acme.sh/www/.well-known/acme-challenge
+    echo "location /.well-known/acme-challenge {root /opt/hiddify-manager/acme.sh/www/;}" >/opt/hiddify-manager/nginx/parts/acme.conf
+    # systemctl reload --now hiddify-nginx
+
+    rm -f $ssl_cert_path/$DOMAIN.key
+    DOMAIN_IP=$(dig +short -t a $DOMAIN.)
+    echo "resolving domain $DOMAIN -> IP= $DOMAIN_IP ServerIP-> $SERVER_IP"
+    if [[ $SERVER_IP != $DOMAIN_IP ]]; then
+        echo "maybe it is an error! make sure that it is correct"
+        #sleep 10
+    fi
+
+    flags=
+    if [ "$SERVER_IPv6" != "" ]; then
+        flags="--listen-v6"
+    fi
+
+    ./lib/acme.sh --issue -w /opt/hiddify-manager/acme.sh/www/ -d $DOMAIN --log $(pwd)/../log/system/acme.log --pre-hook "systemctl restart hiddify-nginx"
+    # ./lib/acme.sh --issue -w /opt/hiddify-manager/acme.sh/www/ -d $DOMAIN --log $(pwd)/../log/system/acme.log --server letsencrypt
+
+    ./lib/acme.sh --installcert -d $DOMAIN \
+        --fullchainpath $ssl_cert_path/$DOMAIN.crt \
+        --keypath $ssl_cert_path/$DOMAIN.crt.key \
+        --reloadcmd "echo success"
+
+    if [[ $? != 0 ]]; then
+        bash generate_self_signed_cert.sh $DOMAIN
+    fi
+
+    chmod 644 $ssl_cert_path/$DOMAIN.crt.key
+    echo "" >/opt/hiddify-manager/nginx/parts/acme.conf
+    systemctl reload --now hiddify-nginx
+
+    systemctl reload hiddify-haproxy
+}
+
+function get_self_signed_cert() {
+    cd /opt/hiddify-manager
+    d=$1
+    mkdir -p ../ssl
+    certificate="../ssl/$d.crt"
+    private_key="../ssl/$d.crt.key"
+    current_date=$(date +%s)
+    generate_new_cert=0
+    # Check if the certificate file exists
+    if [ ! -f "$certificate" ]; then
+        echo "Certificate file not found. Generating a new certificate."
+        generate_new_cert=1
+    else
+        expire_date=$(openssl x509 -enddate -noout -in "$certificate" | cut -d= -f2-)
+        # Convert the expire date to seconds since epoch
+        expire_date_seconds=$(date -d "$expire_date" +%s)
+
+        if [ "$current_date" -ge "$expire_date_seconds" ]; then
+            echo "Certificate is expired. Generating a new certificate."
+            generate_new_cert=1
+        fi
+    fi
+
+    # Check if the private key file exists
+    if [ ! -f "$private_key" ]; then
+        echo "Private key file not found. Generating a new certificate."
+        generate_new_cert=1
+    else
+        # Check if the private key is valid
+        if ! openssl rsa -check -in "$private_key"; then
+            echo "Private key is invalid. Generating a new certificate."
+            generate_new_cert=1
+        fi
+    fi
+
+    # Generate a new certificate if necessary
+    if [ "$generate_new_cert" -eq 1 ]; then
+        openssl req -x509 -newkey rsa:2048 -keyout "$private_key" -out "$certificate" -days 3650 -nodes -subj "/C=GB/ST=London/L=London/O=Google Trust Services LLC/CN=$d"
+        echo "New certificate and private key generated."
+    fi
+
+}
diff --git a/acme.sh/generate_self_signed_cert.sh b/acme.sh/generate_self_signed_cert.sh
@@ -1,40 +1,3 @@
-#!/bin/bash
 cd $(dirname -- "$0")
-d=$1
-mkdir -p ../ssl
-certificate="../ssl/$d.crt"
-private_key="../ssl/$d.crt.key"
-current_date=$(date +%s)
-generate_new_cert=0
-# Check if the certificate file exists
-if [ ! -f "$certificate" ]; then
-    echo "Certificate file not found. Generating a new certificate."
-    generate_new_cert=1
-else
-    expire_date=$(openssl x509 -enddate -noout -in "$certificate" | cut -d= -f2-)
-    # Convert the expire date to seconds since epoch
-    expire_date_seconds=$(date -d "$expire_date" +%s)
-
-    if [ "$current_date" -ge "$expire_date_seconds" ]; then
-        echo "Certificate is expired. Generating a new certificate."
-        generate_new_cert=1
-    fi
-fi
-
-# Check if the private key file exists
-if [ ! -f "$private_key" ]; then
-    echo "Private key file not found. Generating a new certificate."
-    generate_new_cert=1
-else
-    # Check if the private key is valid
-    if ! openssl rsa -check -in "$private_key"; then
-        echo "Private key is invalid. Generating a new certificate."
-        generate_new_cert=1
-    fi
-fi
-
-# Generate a new certificate if necessary
-if [ "$generate_new_cert" -eq 1 ]; then
-    openssl req -x509 -newkey rsa:2048 -keyout "$private_key" -out "$certificate" -days 3650 -nodes -subj "/C=GB/ST=London/L=London/O=Google Trust Services LLC/CN=$d"
-    echo "New certificate and private key generated."
-fi
+source cert_utils.sh
+get_self_signed_cert $1
diff --git a/acme.sh/get_cert.sh b/acme.sh/get_cert.sh
@@ -1,39 +1,4 @@
 cd $(dirname -- "$0")
-source ./lib/acme.sh.env
-
-DOMAIN=$1
-ssl_cert_path=../ssl
-mkdir -p /opt/hiddify-manager/acme.sh/www/.well-known/acme-challenge
-echo "location /.well-known/acme-challenge {root /opt/hiddify-manager/acme.sh/www/;}" >/opt/hiddify-manager/nginx/parts/acme.conf
-# systemctl reload --now hiddify-nginx
-
-rm -f $ssl_cert_path/$DOMAIN.key
-DOMAIN_IP=$(dig +short -t a $DOMAIN.)
-echo "resolving domain $DOMAIN -> IP= $DOMAIN_IP ServerIP-> $SERVER_IP"
-if [[ $SERVER_IP != $DOMAIN_IP ]]; then
-    echo "maybe it is an error! make sure that it is correct"
-    #sleep 10
-fi
-
-flags=
-if [ "$SERVER_IPv6" != "" ]; then
-    flags="--listen-v6"
-fi
-
-./lib/acme.sh --issue -w /opt/hiddify-manager/acme.sh/www/ -d $DOMAIN --log $(pwd)/../log/system/acme.log --pre-hook "systemctl restart hiddify-nginx"
-# ./lib/acme.sh --issue -w /opt/hiddify-manager/acme.sh/www/ -d $DOMAIN --log $(pwd)/../log/system/acme.log --server letsencrypt
-
-./lib/acme.sh --installcert -d $DOMAIN \
-    --fullchainpath $ssl_cert_path/$DOMAIN.crt \
-    --keypath $ssl_cert_path/$DOMAIN.crt.key \
-    --reloadcmd "echo success"
-
-if [[ $? != 0 ]]; then
-    bash generate_self_signed_cert.sh $DOMAIN
-fi
-
-chmod 644 $ssl_cert_path/$DOMAIN.crt.key
-echo "" >/opt/hiddify-manager/nginx/parts/acme.conf
-systemctl reload --now hiddify-nginx
-
-systemctl reload hiddify-haproxy
+source cert_utils.sh
+./lib/acme.sh --register-account -m my@example.com
+get_cert $1
diff --git a/acme.sh/install.sh b/acme.sh/install.sh
@@ -1,5 +1,5 @@
 source ../common/utils.sh
-
+source ./lib/acme.sh.env
 install_package socat
 remove_package certbot
 

diff --git a/acme.sh/run.sh b/acme.sh/run.sh
@@ -1,11 +1,14 @@
+source ../common/utils.sh
+source cert_utils.sh
+./lib/acme.sh --register-account -m my@example.com
 domains=$(cat ../current.json | jq -r '.domains[] | select(.mode | IN("direct", "cdn", "worker", "relay", "auto_cdn_ip", "old_xtls_direct", "sub_link_only")) | .domain')
 
 for d in $domains; do
-	bash get_cert.sh $d
+	get_cert $d
 done
 
 domains=$(cat ../current.json | jq -r '.domains[] | select(.mode | IN("fake")) | .domain')
 
 for d in $domains; do
-	bash generate_self_signed_cert.sh $d
-done
+	get_self_signed_cert $d
+done
diff --git a/common/download.sh b/common/download.sh
@@ -28,6 +28,7 @@ function install_panel() {
     apt update
     #apt upgrade -y
     apt -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --only-upgrade upgrade
+    apt dist-upgrade -y
 
     if ! is_installed hiddifypanel; then
         sed -i "s|/opt/hiddify-manager/menu.sh||g" ~/.bashrc
@@ -194,9 +195,6 @@ function update_from_github() {
         echo "$override_version" >VERSION
     fi
     rm "$file_name"
-    apt upgrade -y
-    apt dist-upgrade -y
-    apt autoremove -y
     bash install.sh --no-gui
 }
 

diff --git a/common/utils.sh b/common/utils.sh
@@ -151,7 +151,6 @@ function hiddify_api() {
     return 0
 }
 
-
 function install_python() {
 
     if ! python3.10 --version &>/dev/null; then
@@ -180,7 +179,7 @@ function check() {
         success "Finished! Thank you for helping to skip filternet."
 
         install_package qrencode
-        qrencode -t utf8 -m 1 $(cat /opt/hiddify-manager/current.json | jq -r '.panel_links[]' | tail -n 1)
+        center_text "$(qrencode -t utf8 -m 2 $(cat /opt/hiddify-manager/current.json | jq -r '.panel_links[]' | tail -n 1))"
 
         echo "Please open the following link in the browser for client setup"
         cat /opt/hiddify-manager/current.json | jq -r '.panel_links[]' | while read -r link; do

diff --git a/hiddify-panel/src b/hiddify-panel/src
diff --git a/menu.sh b/menu.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+cd $(dirname -- "$0")
 source common/utils.sh
 
 sed -i "s|/opt/hiddify-config/menu.sh|/opt/hiddify-manager/menu.sh|g" ~/.bashrc
@@ -13,9 +13,9 @@ if [[ $(grep "/opt/hiddify-manager/menu.sh" ~/.bashrc | wc -l) > 0 ]]; then
 fi
 
 if ! grep -Fxq "PasswordAuthentication no" /etc/ssh/sshd_config; then
-  # @hiddify/@iam54r1n4 make a better message with a link to why should disable pass-auth
-  WARNING_MSG="Your server is vulnerable to abuses because PasswordAuthentication is enabled. To secure your server, please switch to key authentication mechanism and turn off PasswordAuthentication in your ssh config file."
-  whiptail --title "WARNING" --msgbox "$WARNING_MSG" 10 78
+    # @hiddify/@iam54r1n4 make a better message with a link to why should disable pass-auth
+    WARNING_MSG="Your server is vulnerable to abuses because PasswordAuthentication is enabled. To secure your server, please switch to key authentication mechanism and turn off PasswordAuthentication in your ssh config file."
+    whiptail --title "WARNING" --msgbox "$WARNING_MSG" 10 78
 fi
 #PACKAGE_MODE=$(get_package_mode)
 #LATEST_CONFIG_VERSION=$(get_release_version hiddify-manager)