#!/usr/bin/env bash
# UniSOC Honeypot — renouvellement cert TLS pour Veeam-fake (port 443).
#
# 2 modes :
#   1. Self-signed (par défaut)  : régénère un cert auto-signé tous les 11 mois
#                                   (Veeam d'entreprise utilise souvent du PKI interne,
#                                    donc un cert auto-signé est crédible).
#   2. Let's Encrypt (opt-in)    : si /etc/unisoc-honeypot-agent/letsencrypt.env existe
#                                   et contient LETSENCRYPT_DOMAIN=…, on tente certbot
#                                   en mode standalone (port 80 utilisé temporairement
#                                   par certbot, http-honeytrap arrêté pour 60s).
#
# Cron suggéré : `7 3 * * 0 /opt/unisoc-honeypot-agent/cert-renew.sh`  (dim 3h07)
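set -euo pipefail

# Everything the script prints (stdout and stderr) is appended to this log; cron never
# sees any output directly.
LOG=/var/log/unisoc-honeypot-cert-renew.log
exec >> "$LOG" 2>&1

# Location of the served key/cert pair. Both renewal paths (Let's Encrypt and
# self-signed) install into these two files; veeam-fake is pointed at them via symlinks.
CERT_DIR="/etc/ssl/honeypot"
mkdir -p "$CERT_DIR"
CERT="$CERT_DIR/cert.pem"
KEY="$CERT_DIR/key.pem"

echo "[$(date -u +%FT%TZ)] === cert-renew start ==="

# Optional Let's Encrypt settings (LETSENCRYPT_DOMAIN, LETSENCRYPT_EMAIL). The file is
# executed as shell code by this (root) cron job, so it must not be writable by anyone
# but its owner; otherwise it is ignored and the script stays in self-signed mode.
LE_ENV=/etc/unisoc-honeypot-agent/letsencrypt.env
if [ -f "$LE_ENV" ]; then
    if [ -n "$(find "$LE_ENV" -maxdepth 0 -perm /g+w,o+w 2>/dev/null)" ]; then
        echo "  refusing to source $LE_ENV: group/other-writable — staying in self-signed mode"
    else
        # shellcheck disable=SC1090
        . "$LE_ENV"
    fi
fi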

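#######################################
# Obtain (or keep, via --keep-until-expiring) a Let's Encrypt certificate for a
# domain with certbot in standalone mode and install it as $CERT/$KEY.
# http-honeytrap holds port 80, which the HTTP-01 challenge needs, so it is
# stopped for the duration and started again on every exit path of this
# function. Any failure (certbot missing and not installable, challenge failed,
# copy of the issued files failed) falls back to renew_selfsigned so the TLS
# listener never ends up without a key pair.
# Globals:   CERT, KEY (written), LETSENCRYPT_EMAIL (read, optional)
# Arguments: $1 - domain name to request the certificate for
# Outputs:   progress lines to stdout (the log)
# Returns:   status of the last step taken (renew_selfsigned's on fallback)
#######################################
renew_le() {
    local domain="$1"
    local live_dir="/etc/letsencrypt/live/$domain"
    local installed=0

    if ! command -v certbot >/dev/null 2>&1; then
        apt-get install -y --no-install-recommends certbot >/dev/null 2>&1 || {
            echo "  certbot install KO — fallback self-signed"
            renew_selfsigned
            return
        }
    fi

    echo "  attempting Let's Encrypt for $domain (standalone, port 80 freed temporarily)..."
    systemctl stop http-honeytrap 2>/dev/null || true

    # pipefail makes the condition reflect certbot's status, not tail's.
    if certbot certonly --standalone --non-interactive --agree-tos \
        --email "${LETSENCRYPT_EMAIL:-noc@unisoc.fr}" -d "$domain" \
        --preferred-challenges http --keep-until-expiring 2>&1 | tail -5; then
        # The copy runs inside a condition so a failure here cannot trip set -e
        # before http-honeytrap is started again. umask 077 keeps a freshly
        # created $KEY private from the first byte; the chmod covers the case
        # where $KEY already existed with a wider mode.
        if cp -f "$live_dir/fullchain.pem" "$CERT" \
            && (umask 077 && cp -f "$live_dir/privkey.pem" "$KEY") \
            && chmod 600 "$KEY"; then
            installed=1
        else
            echo "  copy from $live_dir KO"
        fi
    fi

    # Always bring the port-80 honeypot back, whatever happened above.
    systemctl start http-honeytrap 2>/dev/null || true

    if [ "$installed" -eq 1 ]; then
        echo "  Let's Encrypt cert installed for $domain"
    else
        echo "  Let's Encrypt KO — fallback self-signed"
        renew_selfsigned
    fi
}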

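#######################################
# Generate a fresh 2048-bit RSA key and a 395-day self-signed certificate
# carrying the fake internal backup-server identity, and install them as
# $KEY/$CERT. The pair is written to temporary files inside $CERT_DIR and only
# renamed into place once openssl has succeeded, so a failed run never leaves a
# half-written or mismatched key/cert pair behind — the previous pair stays in
# service.
# Globals:   CERT_DIR (read), CERT, KEY (written)
# Arguments: none
# Outputs:   progress lines and the new expiry date to stdout (the log)
# Returns:   0 on success, 1 if mktemp or openssl failed (files untouched)
#######################################
renew_selfsigned() {
    local tmp_key tmp_cert
    echo "  generating self-signed cert (CN=srvdomaine, valid 395 days)..."

    # mktemp creates both files 0600, so the private key is never readable by others.
    tmp_key=$(mktemp "$CERT_DIR/.key.XXXXXX") || { echo "  mktemp KO"; return 1; }
    tmp_cert=$(mktemp "$CERT_DIR/.cert.XXXXXX") || { rm -f -- "$tmp_key"; echo "  mktemp KO"; return 1; }

    # pipefail makes the condition reflect openssl's status, not tail's.
    if openssl req -x509 -nodes -newkey rsa:2048 \
        -days 395 \
        -keyout "$tmp_key" -out "$tmp_cert" \
        -subj "/C=FR/ST=Ile-de-France/L=Paris/O=Corp Backup IT/OU=Backup Infrastructure/CN=srvdomaine.corp.local" \
        -addext "subjectAltName=DNS:srvdomaine.corp.local,DNS:srv-backup-001.corp.local,DNS:backup,IP:127.0.0.1" \
        2>&1 | tail -2; then
        chmod 600 "$tmp_key"
        # The certificate is public; 0644 matches what openssl -out produces under the
        # usual 022 umask, so consumers that read it as a non-root user keep working.
        chmod 644 "$tmp_cert"
        mv -f -- "$tmp_key" "$KEY"
        mv -f -- "$tmp_cert" "$CERT"
        echo "  self-signed renewed: expires $(openssl x509 -enddate -noout -in "$CERT" | cut -d= -f2)"
    else
        rm -f -- "$tmp_key" "$tmp_cert"
        echo "  openssl req KO — previous key/cert left untouched"
        return 1
    fi
}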

# Mode selection: LETSENCRYPT_DOMAIN (set by the sourced env file) switches to certbot.
# Without it, the self-signed pair is only regenerated once fewer than 30 days of
# validity remain (with 395-day certs that is roughly one regeneration a year).
if [ -n "${LETSENCRYPT_DOMAIN:-}" ]; then
    renew_le "$LETSENCRYPT_DOMAIN"
else
    if [ -f "$CERT" ]; then
        # An unreadable or unparseable notAfter yields epoch 0, hence a negative
        # days_left, hence a forced regeneration.
        not_after=$(openssl x509 -enddate -noout -in "$CERT" | cut -d= -f2 || true)
        expires_at=$(date -d "$not_after" +%s 2>/dev/null || echo 0)
        days_left=$(( (expires_at - $(date +%s)) / 86400 ))
        echo "  self-signed cert valid for $days_left more days"
        if (( days_left > 30 )); then
            echo "  no renewal needed (>30 days remaining)"
            exit 0
        fi
    fi
    renew_selfsigned
fi

# veeam-fake still reads the pair from its legacy location; keep the symlinks pointing
# at the files maintained above.
mkdir -p /etc/ssl/veeam-fake
ln -sf "$CERT" /etc/ssl/veeam-fake/veeam.crt
ln -sf "$KEY"  /etc/ssl/veeam-fake/veeam.key

# Restart the consumer so it loads the new pair; a missing unit is not an error here.
systemctl restart veeam-fake 2>/dev/null || true

echo "[$(date -u +%FT%TZ)] === cert-renew done ==="
