#!/bin/bash -e
# Regenerate SSL keys and certificates

[ -n "$_TURNKEY_INIT" ] && exit 0

fatal() {
    echo "fatal: $@" 1>&2
    exit 1
}

which openssl >/dev/null || fatal "openssl is not installed"
echo "Regenerating SSL keys and certificates..."

# A DH group of 2048 bits is recommended to combat FREAK and Logjam, but
# Java 7 clients only support a group size of 1024 bits. A compromise is
# to generate a unique 1024 bit group for each server. This should be 
# changed to 2048 when Java 7 support is not needed.
openssl dhparam -out /etc/ssl/private/dhparams.pem 1024 > /dev/null 2>&1
chmod 400 /etc/ssl/private/dhparams.pem

# Use turnkey-make-ssl-cert to generate default server cert
/usr/local/bin/turnkey-make-ssl-cert --default --force-overwrite

# Restart relevant installed services
which nginx >/dev/null && service nginx restart
which tomcat7 >/dev/null && service tomcat7 restart 
which apache2 >/dev/null && service apache2 restart
which lighttpd >/dev/null && service lighttpd restart
which stunnel4 >/dev/null && service stunnel4 restart

# final tidy up
update-ca-certificates

