#!/bin/bash

echo generating CA key
openssl genrsa -out /etc/letsencrypt/rootCA.key 4096

echo generating CA certificate
openssl req -x509 -new -nodes -sha256 -days 7300 \
    -key /etc/letsencrypt/rootCA.key \
    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
    -out /etc/letsencrypt/rootCA.crt

echo generating server key
openssl genrsa -out /etc/letsencrypt/{{ domain }}.key 2048

echo generating signing request
openssl req -new -sha256 \
    -key /etc/letsencrypt/{{ domain }}.key \
    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:{{ server_fqdn }}")) \
    -out /etc/letsencrypt/{{ domain }}.csr

echo generating server certificate
openssl x509 -req -CAcreateserial -days 7300 -sha256 \
    -extfile <(printf "subjectAltName=DNS:{{ server_fqdn }}") \
    -in /etc/letsencrypt/{{ domain }}.csr \
    -CA /etc/letsencrypt/rootCA.crt \
    -CAkey /etc/letsencrypt/rootCA.key \
    -out /etc/letsencrypt/{{ domain }}.crt

echo copy to proper locations
cp /etc/letsencrypt/{{ domain }}.key /etc/letsencrypt/live/{{ domain }}/privkey.pem
cp /etc/letsencrypt/rootCA.crt /etc/letsencrypt/live/{{ domain }}/chain.pem
cp /etc/letsencrypt/{{ domain }}.crt /etc/letsencrypt/live/{{ domain }}/cert.pem

echo generate full chain certificate
cat /etc/letsencrypt/live/{{ domain }}/cert.pem > /etc/letsencrypt/live/{{ domain }}/fullchain.pem
cat /etc/letsencrypt/live/{{ domain }}/chain.pem >> /etc/letsencrypt/live/{{ domain }}/fullchain.pem