From f496539203fa74c2d98214a6cb33c13fd232e2e5 Mon Sep 17 00:00:00 2001
From: Frogg
Date: Sun, 17 May 2026 10:12:55 +0200
Subject: [PATCH] - ajout du script de renew auto du server CA
---
 config/config_install.sh | 3 ++-
 func/deb_sys.sh | 32 +++++++++++++++++++++++++++++---
 script/ca_server_renew.sh | 4 ++++
 3 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 script/ca_server_renew.sh
diff --git a/config/config_install.sh b/config/config_install.sh
index f8bc4c5..50b2397 100644
--- a/config/config_install.sh
+++ b/config/config_install.sh
@@ -11,7 +11,7 @@ CONFIG_DEB_INSTALL_SERVER_SMTP_LOGIN="admin@frogg.fr"
 # ZABBIX CLIENT INSTALLATION
 CONFIG_DEB_INSTALL_ZABBIX_SERVER_IP="zabbix.server.home"
 # CA INSTALLATION
-CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER="192.168.0.110"
+CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER="ca.server.home"
 CONFIG_DEB_INSTALL_DEFAULT_CA_WILDCARD="*.server.home"
 CONFIG_DEB_INSTALL_DEFAULT_CA_SERVICES="gitea nginx apache2 mysql postgresql jellyfin"
 CONFIG_DEB_INSTALL_DEFAULT_CA_STEP="step-cli_0.24.4_amd64.deb"
@@ -20,6 +20,7 @@ CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_PFX="server.pfx"
 CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_CRT="server.crt"
 CONFIG_DEB_INSTALL_DEFAULT_CA_FILE_KEY="server.key"
 CONFIG_DEB_INSTALL_DEFAULT_CA_CRON="STEP-CA-RENEWAL"
+CONFIG_DEB_INSTALL_DEFAULT_CA_FINGERPRINT="4873b9eaeb8a7643475939b4035221bd1bc3acd0db00e94df5a76d771459f439"
 # SCRIPT UPDATE INSTALLATION
 CONFIG_DEB_INSTALL_CRON_UPDATE="CONFIG_DEB_INSTALL_CRON_UPDATE"
diff --git a/func/deb_sys.sh b/func/deb_sys.sh
index 975bb97..3b5a7b1 100644
--- a/func/deb_sys.sh
+++ b/func/deb_sys.sh
@@ -52,7 +52,7 @@ check_deb_sys_ipv6(){
 check_deb_sys_locale_install() {
- # On cherche spécifiquement les lignes décommentées pour fr_FR ET en_US
+ # On cherche spécifiquement les lignes dé commentées pour fr_FR ET en_US
 if grep -q "^fr_FR.UTF-8" /etc/locale.gen && grep -q "^en_US.UTF-8" /etc/locale.gen; then
 return 0
 else
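Review bot: This value is now also an identity check, not just a connection target: the same commit makes do_deb_sys_cert_install compare `hostname` and `hostname -f` against it, so it must equal the name the CA host reports for itself, and putting an IP back here would silently send the CA server down the client installation path. Documenting that above the line would prevent a future regression: `# Must match the CA host's own hostname or FQDN: do_deb_sys_cert_install uses it to detect the CA server`.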
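Review bot: The new comment text splits `décommentées` into `dé commentées`, turning a correct word into a typo, while the removed line was right. Unless this hunk is accidental, keep `# On cherche spécifiquement les lignes décommentées pour fr_FR ET en_US`. check_deb_sys_locale_install continues outside the hunk.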
@@ -331,7 +331,14 @@ do_deb_sys_ufw() {
 fi
 msg_info "Liste des ports tcp sortant ouvert"
- ss -tlnw | grep -v -E '(127\.0\.0\.1|::1)' | column -t
+ sudo ss -tlnwp | grep -v -E '(127\.0\.0\.1|::1)' | awk '
+ BEGIN {print "State", "Local_Address:Port", "Process"}
+ NR==1 {next}
+ {
+ split($4, a, ":");
+ port=a[length(a)]
+ }
+ !seen[port]++ {print $1, $2, $5}' | column -t
 # 2. Boucle de saisie (on remplit uniquement le tableau en mémoire)
 while true; do
@@ -356,7 +363,7 @@ do_deb_sys_ufw() {
 current_ssh_port=${current_ssh_port:-22}
 if [[ ! " ${ports_to_allow[@]} " =~ " ${current_ssh_port} " ]]; then
 msg_warning "ATTENTION : Votre port SSH ($current_ssh_port) n'est pas inclus !"
- read -p "L'ajouter ? (O/n) : " add_ssh
+ read -rp "L'ajouter ? (O/n) : " add_ssh
 [[ "$add_ssh" != "n" ]] && ports_to_allow+=("$current_ssh_port")
 fi
@@ -634,8 +641,27 @@ EOF"
 msg_success "MSMTP configuré. Test d'envoi recommandé : echo 'Test' | mail -s 'Test sujet' ton@mail.com"
 }
+do_deb_sys_cert_install_ca_server(){
+ local full_command="${WELCOME_SCRIPT_PATH}/ca_server_renew.sh"
+
+ msg_info "Renouvellement du certificat"
+ eval "$full_command"
+
+ msg_info "Ajout du renouvellement automatique du certificat"
+ update_cron_marker "$CONFIG_DEB_INSTALL_DEFAULT_CA_CRON" "0 0 1 * * $full_command >> /var/log/cert-renew.log 2>&1"
+
+ msg_success "Opération terminée"
+}
+
 do_deb_sys_cert_install(){
+ # cas du server CA
+ if [ "$(hostname)" = "$CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER" ] || [ "$(hostname -f)" = "$CONFIG_DEB_INSTALL_DEFAULT_CA_SERVER" ]; then
+ msg_warning "server CA détecté, mise en place d'un renew spécifique..."
+ do_deb_sys_cert_install_ca_server
+ return 0
+ fi
+
 local ca_ip wildcard_domain ca_url ca_fingerprint base_domain marker root_crt input_ip step_path \
 system_target inter_target cert_group load_state unit svc_user current_group \
 cert_dir cert_crt cert_key cert_key cert_pfx pfx_cmd pfx_input step_bin renew_cmd restart_cmd="" \
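Review bot: The awk program prints `$1, $2, $5` under a header announcing `State`, `Local_Address:Port`, `Process`; in the default ss column layout those fields are State, Recv-Q and Peer Address:Port, so the table does not show what its header promises, while the local address the port was just extracted from is `$4` and the process column enabled by `-p` is `$6`. The last action should be `!seen[port]++ {print $1, $4, $6}`. The `!seen[port]++` guard also collapses the IPv4 and IPv6 listeners of one port into a single row, which looks intended but deserves a one-line comment above the awk call so the deduplication is not mistaken for a bug. do_deb_sys_ufw continues outside the hunk.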
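Review bot: `eval "$full_command"` is the wrong way to run the renewal script: eval re-parses the path as shell code, so a WELCOME_SCRIPT_PATH containing spaces or metacharacters breaks or is interpreted instead of executed, and since the commit adds script/ca_server_renew.sh with mode 100644 and no shebang, both this call and the monthly cron entry fail when the file is executed directly. Run it through the interpreter and stop when it fails, e.g. `bash "$full_command" || { msg_warning "Renouvellement du certificat échoué"; return 1; }`, and register `"0 0 1 * * bash $full_command >> /var/log/cert-renew.log 2>&1"` with update_cron_marker. As written the cron marker is installed and `msg_success` printed even when the renewal failed. do_deb_sys_cert_install continues outside the hunk.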
diff --git a/script/ca_server_renew.sh b/script/ca_server_renew.sh
new file mode 100644
index 0000000..0a956bf
--- /dev/null
+++ b/script/ca_server_renew.sh
@@ -0,0 +1,4 @@
+systemctl stop step-ca
+step certificate create "Frogg.home CA Intermediate CA" /var/lib/step-ca/.step/certs/intermediate_ca.crt /var/lib/step-ca/.step/secrets/intermediate_ca_key --profile intermediate-ca --ca /var/lib/step-ca/.step/certs/root_ca.crt --ca-key /var/lib/step-ca/.step/secrets/root_ca_key --not-after 87600h --ca-password-file /var/lib/step-ca/.step/password.txt --password-file /var/lib/step-ca/.step/password.txt --force
+chown -R step:step /var/lib/step-ca/
+systemctl start step-ca
\ No newline at end of file
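Review bot: There is no shebang and no error handling, so if `step certificate create` fails (unreadable password file, missing root key) the script still runs `chown` and restarts step-ca, and because `--force` replaces intermediate_ca.crt and intermediate_ca_key in place, a partial failure leaves the CA with no copy of the previous intermediate to fall back to. A shebang plus `set -euo pipefail` and a trap that starts the service on every exit path keep the CA from staying down after a failed run; copying the current intermediate cert and key aside before the `--force` call would make a rollback possible. A header comment should also state why a ten-year (`--not-after 87600h`) intermediate is re-issued on a monthly schedule and that, since no existing key is passed, each run appears to generate a fresh intermediate key pair, which may affect renewal of leaf certificates issued under the previous one — confirm against step-ca's behaviour before relying on the cron job.
```shell
#!/usr/bin/env bash
# Re-issue the step-ca intermediate from the on-host root CA.
set -euo pipefail

systemctl stop step-ca
# Bring the CA back on every exit path, including a failed re-issue.
trap 'systemctl start step-ca' EXIT

# … unchanged: step certificate create … --force …
chown -R step:step /var/lib/step-ca/
```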