sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c2e4ed9862eb9d9e2026a5a493f823d2741c71b
dashcaddy/ca/scripts/install.sh
Sami f61e85d9a7 Initial commit: DashCaddy v1.0 
Full codebase including API server (32 modules + routes), dashboard frontend,
DashCA certificate distribution, installer script, and deployment skills.
2026-03-05 02:26:12 -08:00

221 lines
7.3 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
#
# DashCA Installer - Sami Home Network Root CA
# Installs the root CA certificate system-wide on Linux and macOS
#
# Usage: curl -fsSL https://ca.sami/install.sh | sudo bash
#
set -e
# Configuration
CERT_URL="https://ca.sami/root.crt"
EXPECTED_FP="08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:9F:9B:5D:B0:53:62:20:7F:AF:96:21:29:0E"
CERT_NAME="Sami_Home_Network_Root_CA"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
echo ""
echo -e "${CYAN}========================================${NC}"
echo -e "${CYAN} DashCA Installer${NC}"
echo -e "${CYAN} Sami Home Network Root CA${NC}"
echo -e "${CYAN}========================================${NC}"
echo ""
# Check for root/sudo
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}✗ This script requires root privileges${NC}"
echo ""
echo "Please run with sudo:"
echo -e " ${YELLOW}curl -fsSL https://ca.sami/install.sh | sudo bash${NC}"
echo ""
echo "Or download first, then run:"
echo -e " ${YELLOW}curl -o install.sh https://ca.sami/install.sh${NC}"
echo -e " ${YELLOW}sudo bash install.sh${NC}"
echo ""
exit 1
fi
# Detect OS
echo -e "${CYAN}[1/6] Detecting operating system...${NC}"
if [[ "$OSTYPE" == "darwin"* ]]; then
OS="macos"
OS_NAME="macOS"
elif [[ -f /etc/os-release ]]; then
. /etc/os-release
if [[ "$ID" == "debian" ]] || [[ "$ID" == "ubuntu" ]] || [[ "$ID_LIKE" == *"debian"* ]]; then
OS="debian"
OS_NAME="Debian/Ubuntu"
elif [[ "$ID" == "fedora" ]] || [[ "$ID" == "rhel" ]] || [[ "$ID" == "centos" ]] || [[ "$ID_LIKE" == *"fedora"* ]] || [[ "$ID_LIKE" == *"rhel"* ]]; then
OS="redhat"
OS_NAME="RedHat/CentOS/Fedora"
elif [[ "$ID" == "arch" ]] || [[ "$ID_LIKE" == *"arch"* ]]; then
OS="arch"
OS_NAME="Arch Linux"
else
OS="unknown"
OS_NAME="Unknown Linux"
fi
elif [[ -f /etc/redhat-release ]]; then
OS="redhat"
OS_NAME="RedHat/CentOS"
elif [[ -f /etc/arch-release ]]; then
OS="arch"
OS_NAME="Arch Linux"
else
OS="unknown"
OS_NAME="Unknown"
fi
if [[ "$OS" == "unknown" ]]; then
echo -e "${RED} ✗ Unsupported operating system${NC}"
echo ""
echo "This script supports:"
echo " - Debian/Ubuntu"
echo " - RedHat/CentOS/Fedora"
echo " - Arch Linux"
echo " - macOS"
echo ""
echo "For manual installation, download the certificate:"
echo -e " ${YELLOW}curl -O $CERT_URL${NC}"
echo ""
exit 1
fi
echo -e "${GREEN} ✓ Detected: $OS_NAME${NC}"
# Download certificate
echo -e "${CYAN}[2/6] Downloading certificate from $CERT_URL...${NC}"
TEMP_CERT=$(mktemp)
if ! curl -fsSL "$CERT_URL" -o "$TEMP_CERT"; then
echo -e "${RED} ✗ Failed to download certificate${NC}"
echo ""
echo -e "${YELLOW}Troubleshooting:${NC}"
echo " - Ensure you are on the Tailnet/network where ca.sami is accessible"
echo " - Try accessing https://ca.sami in your browser first"
echo " - Check your network connection"
rm -f "$TEMP_CERT"
exit 1
fi
echo -e "${GREEN} ✓ Certificate downloaded${NC}"
# Verify fingerprint
echo -e "${CYAN}[3/6] Verifying certificate fingerprint...${NC}"
if ! command -v openssl &> /dev/null; then
echo -e "${RED} ✗ OpenSSL not found${NC}"
echo "Please install OpenSSL to verify certificate fingerprint"
rm -f "$TEMP_CERT"
exit 1
fi
ACTUAL_FP=$(openssl x509 -in "$TEMP_CERT" -noout -fingerprint -sha256 | cut -d= -f2)
if [[ "$ACTUAL_FP" != "$EXPECTED_FP" ]]; then
echo -e "${RED} ✗ Fingerprint mismatch!${NC}"
echo -e "${YELLOW} Expected: $EXPECTED_FP${NC}"
echo -e "${RED} Got: $ACTUAL_FP${NC}"
rm -f "$TEMP_CERT"
echo ""
echo -e "${RED}SECURITY WARNING: The downloaded certificate does not match the expected fingerprint.${NC}"
echo -e "${RED}This could indicate a man-in-the-middle attack or certificate renewal.${NC}"
echo -e "${RED}Please verify with your network administrator before proceeding.${NC}"
echo ""
exit 1
fi
echo -e "${GREEN} ✓ Fingerprint verified${NC}"
# Extract certificate details
echo -e "${CYAN}[4/6] Extracting certificate information...${NC}"
CERT_SUBJECT=$(openssl x509 -in "$TEMP_CERT" -noout -subject | sed 's/subject=//')
CERT_NOT_AFTER=$(openssl x509 -in "$TEMP_CERT" -noout -enddate | sed 's/notAfter=//')
echo -e "${GREEN} ✓ Subject: $CERT_SUBJECT${NC}"
echo -e "${GREEN} ✓ Valid until: $CERT_NOT_AFTER${NC}"
# Check if already installed
echo -e "${CYAN}[5/6] Checking for existing installation...${NC}"
ALREADY_INSTALLED=false
case "$OS" in
debian)
if [[ -f "/usr/local/share/ca-certificates/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
redhat)
if [[ -f "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
arch)
if [[ -f "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt" ]]; then
ALREADY_INSTALLED=true
fi
;;
macos)
if security find-certificate -a -c "$CERT_SUBJECT" /Library/Keychains/System.keychain &>/dev/null; then
ALREADY_INSTALLED=true
fi
;;
esac
if [[ "$ALREADY_INSTALLED" == "true" ]]; then
echo -e "${YELLOW} Certificate already installed${NC}"
rm -f "$TEMP_CERT"
echo ""
echo -e "${GREEN}The Sami Home Network Root CA is already trusted on this system.${NC}"
echo -e "${GREEN}No further action needed!${NC}"
echo ""
exit 0
fi
echo -e "${GREEN} ✓ Certificate not yet installed, proceeding...${NC}"
# Install based on OS
echo -e "${CYAN}[6/6] Installing certificate...${NC}"
case "$OS" in
debian)
cp "$TEMP_CERT" "/usr/local/share/ca-certificates/${CERT_NAME}.crt"
update-ca-certificates
echo -e "${GREEN} ✓ Certificate installed via update-ca-certificates${NC}"
;;
redhat)
cp "$TEMP_CERT" "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt"
update-ca-trust
echo -e "${GREEN} ✓ Certificate installed via update-ca-trust${NC}"
;;
arch)
cp "$TEMP_CERT" "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt"
trust extract-compat
echo -e "${GREEN} ✓ Certificate installed via trust extract-compat${NC}"
;;
macos)
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$TEMP_CERT"
echo -e "${GREEN} ✓ Certificate installed to System Keychain${NC}"
;;
esac
# Cleanup
rm -f "$TEMP_CERT"
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN} SUCCESS!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo -e "${GREEN}The Sami Home Network Root CA has been installed system-wide.${NC}"
echo ""
echo -e "${CYAN}What's next:${NC}"
echo -e " ${GREEN}${NC} All *.sami domains will now be trusted"
echo -e " ${GREEN}${NC} Browsers will no longer show security warnings"
echo -e " ${GREEN}${NC} Applications will trust HTTPS connections to your local services"
echo ""
echo -e "${CYAN}Test it out:${NC}"
echo -e " ${YELLOW}Visit https://status.sami or any other *.sami service${NC}"
echo -e " ${YELLOW}The connection should show as secure with no warnings${NC}"
echo ""
Reference in New Issue View Git Blame Copy Permalink