Helper script to validate certificates

:small_orange_diamond: Problem :small_orange_diamond:

One of the most common problems is having the correct certificates at the right location. As a possible consequence, the Boxine connection can’t be established or the Toniebox won’t connect to teddyCloud.

I built a small shell script that validates if

  • all necessary certificates are present at the right location
  • the server ca.der is from TeddyCloud
  • all client ca.der of each box are from Boxine

The script parses every single box from all client subfolders automatically.

Output might look like this:

:small_orange_diamond: Bash Script :small_orange_diamond:

check-certs.sh

#!/bin/bash
# check-certs.sh: verify that every teddyCloud certificate file is present and
# that the CA files (ca.der) come from the expected party.
certs_path="/teddycloud/certs"
echo "-----------------------------------"
echo "Checking teddyCloud certificates..."
echo "-----------------------------------"

# check server certificates
files=( "ca.der" "ca-key.pem" "ca-root.pem" "ca-root.srl" "teddy-cert.pem" "teddy-key.csr" "teddy-key.pem" )
echo -e "\nServer:"
echo "-------"
for file in "${files[@]}"
do
  filename="$file: "
  status=$([ -f "$certs_path/server/$file" ] && echo -e "\e[32mOK\e[0m" || echo -e "\e[31mFile not found!\e[0m")
  # TeddyCloud CA validation: server/ca.der must carry a "Teddy... CA" name
  # (same file as the existence test above; the DER file is binary, but the
  # name is stored as plain ASCII, so grep -c still counts a match)
  if [[ $file == "ca.der" ]]; then
    if [ -f "$certs_path/server/$file" ] && [ "$(grep -c "Teddy.* CA" "$certs_path/server/$file")" -eq 0 ]; then
      status=$(echo -e "\e[31mWrong server CA, not from Teddycloud!\e[0m")
    fi
  fi
  printf "%-26s %-10s\n" "$filename" "$status"
done

# check default client certificates
files=( "ca.der" "client.der" "private.der" )
echo -e "\nClient (default):"
echo "-----------------"
for file in "${files[@]}"
do
  filename="$file: "
  status=$([ -f "$certs_path/client/$file" ] && echo -e "\e[32mOK\e[0m" || echo -e "\e[31mFile not found!\e[0m")
  # Boxine CA validation: client/ca.der must carry the "Boxine CA" name
  if [[ $file == "ca.der" ]]; then
    if [ -f "$certs_path/client/$file" ] && [ "$(grep -c "Boxine CA" "$certs_path/client/$file")" -eq 0 ]; then
      status=$(echo -e "\e[31mWrong client CA, not from Boxine!\e[0m")
    fi
  fi
  printf "%-26s %-10s\n" "$filename" "$status"
done

# check client certificates for each box id (one subfolder per box under client/)
echo -e "\nClient per box:"
echo "---------------"
for dir in "$certs_path"/client/*/
do
  # skip the literal glob when there are no box subfolders at all
  [ -d "$dir" ] || continue
  box_path=${dir%/}
  box_id=${box_path##*/}
  for file in "${files[@]}"
  do
    filename="$box_id/$file: "
    status=$([ -f "$box_path/$file" ] && echo -e "\e[32mOK\e[0m" || echo -e "\e[31mFile not found!\e[0m")
    # Boxine CA validation: <box_id>/ca.der must carry the "Boxine CA" name
    if [[ $file == "ca.der" ]]; then
      if [ -f "$box_path/$file" ] && [ "$(grep -c "Boxine CA" "$box_path/$file")" -eq 0 ]; then
        status=$(echo -e "\e[31mWrong client CA, not from Boxine!\e[0m")
      fi
    fi
    printf "%-26s %-10s\n" "$filename" "$status"
  done
done

:small_orange_diamond: Installation :small_orange_diamond:

On your teddyCloud host machine:

  • copy the script above and save it as check-certs.sh
  • make it executable: chmod +x check-certs.sh
  • execute it with a one-liner:
docker exec -i teddycloud bash < check-certs.sh

This way, the script is executed inside the teddyCloud container, which makes sure that the certificate path is always correct and that it works on every Docker host (Windows, macOS or Linux).
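The script above recognises a CA by grepping the DER file for a name string. As an added example that is not part of the original post or of teddyCloud, the bash functions below perform the same identification with openssl, which actually parses the certificate, and add two checks a mismatched client folder commonly fails: that private.der belongs to client.der (same public key) and that client.der has not expired. It assumes openssl is present in the container and reuses the directory layout and expected names ("Boxine CA", "Teddy.* CA") from the script; the function names and the example directory argument are mine.

```bash
#!/bin/bash
# Added example, not part of the original post or of teddyCloud.
# Assumes: openssl is installed; ca.der / client.der are DER certificates and
# private.der is a DER private key, as laid out by the script above.

# Print the subject line of a DER-encoded certificate (empty if unreadable).
cert_subject() {
  openssl x509 -inform der -in "$1" -noout -subject 2>/dev/null
}

# Return 0 when the certificate subject matches the extended regex in $2,
# e.g. 'Boxine CA' for client/ca.der or 'Teddy.* CA' for server/ca.der.
cert_subject_matches() {
  cert_subject "$1" | grep -Eq -- "$2"
}

# Return 0 when the certificate stays valid for at least $2 more seconds
# (default 0, i.e. "not expired right now").
cert_not_expired() {
  openssl x509 -inform der -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Return 0 when the DER private key in $2 belongs to the DER certificate in $1.
# Compares the PEM-encoded public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -inform der -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one client directory (client/ or client/<box_id>/): CA origin as in the
# script above, plus expiry and key/certificate pairing. Returns 0 only if all pass.
check_client_dir() {
  local dir="$1" rc=0
  if cert_subject_matches "$dir/ca.der" 'Boxine CA'; then
    echo "ca.der: OK ($(cert_subject "$dir/ca.der"))"
  else
    echo "ca.der: wrong or unreadable CA"; rc=1
  fi
  if cert_not_expired "$dir/client.der"; then
    echo "client.der: not expired"
  else
    echo "client.der: expired or unreadable"; rc=1
  fi
  if key_matches_cert "$dir/client.der" "$dir/private.der"; then
    echo "private.der: matches client.der"
  else
    echo "private.der: does NOT match client.der"; rc=1
  fi
  return $rc
}

# Stand-alone use: pass the client directory to check, e.g.
#   ./check-client-certs.sh /teddycloud/certs/client/<box_id>
if [ "$#" -gt 0 ]; then
  check_client_dir "$1"
else
  echo "usage: $0 <client-cert-directory>" >&2
fi
```

Run it inside the container the same way as the script above (docker exec), once per box folder; a non-zero exit status means at least one of the three checks failed, which makes it easy to wire into a loop over client/*/.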

Hi!

Really nice, I think this will help the beginners.
Thanks for sharing!

I just updated the script above. It will also be included in the next teddycloud release.

Until then, you can also run it with one single command inside your teddycloud container:

  1. on your Docker host machine, connect to teddycloud container:
    docker exec -it teddycloud bash

  2. download and run the script (one line!):

curl -s "https://gist.githubusercontent.com/marco79cgn/9709b218fec5608a3ed6b2892d600aed/raw/dc059ce3ab0f728994f43ada5c4f033d743c21ec/check-tc-certificates.sh" -o /tmp/check-certs.sh && chmod +x /tmp/check-certs.sh && /tmp/check-certs.sh