Scripts:
*** asceds
status/info and general description
(interactive only), runs as root/sudo, ${ASCEDSBINDIR}/
asceds [-h] [-d] [-l] [-c] [-m <string>] [-t <type>] [-u <username>]
Shows a summary of current status of certificate files and managed services
-h --> display usage and exit
-d --> describes in detail asceds utilities and usage
-l --> shows summary of warnings/errors from log files
-c --> show details about clients
-m <string> --> name or SANs of the client matches <string> (no regexp)
-t <type> -> type of the client matches type (unman*, pman*, fman*)
-u <username> --> lists unmanaged clients requested by web <username>;
              works only with "-t unman"
-m and -t work only with -c, otherwise they are ignored

*** asceds-authorized-domains
manages domains which are authorized by the CA to get certificates
using this server's EABKID/EABHMACKEY
asceds-authorized-domains [-h] [-a <domainname>,...] [-d <domainname>,...]
-a <domainname>[,<domainname>,...] adds comma separated domain names
-d <domainname>[,<domainname>,...] deletes comma separated domain names
If no argument, displays current configuration and goes into interactive mode;
Deletes domain names from ${ASCEDSETCDIR}/asceds-certbot.conf
   ${ASCEDSWEBDIR}/etc/users.php and ${ASCEDSWEBDIR}/html/public/.htaccess.
   Deletes clients containing the removed domains from certbot and from 
   asceds on the cert manager; do not revoke the existing certificates.
Adds domain names to ${ASCEDSETCDIR}/asceds-certbot.conf
   ${ASCEDSWEBDIR}/etc/users.php and ${ASCEDSWEBDIR}/html/public/.htaccess. 

*** asceds-certmanager-setup
setup the certificate manager
(interactive only), runs as root/sudo, ${ASCEDSCBDIR}/
asceds-certmanager-setup [-h] [-s <certmanager>]
-h --> display usage and exit
-s <certmanager> --> FQDN of the certificate manager (if different from hostname)
Checks/fixes network configuration including hosts, postfix, openssl.cnf.
Checks for certbot; if not found, offer self signed certbot (for test sites)
   or requests certbot install.
Checks for mailer; if not found, requests mailer install.
Collects certbot credentials and authorized domains in asceds-certbot.conf.
Creates asceds user ssh keys and the local authorized_keys.
Creates/updates the site config file asceds-site.conf.
Creates symlinks to certobot-related ASCEDS scripts.
Sets cron asceds-cert-propagate for driving asceds-propagate-certbot 
   to push renewed cert files to ~asceds/<client> and propagate
   them to managed clients through asceds-send-cert.
Web interface setup:
   Gets info: organization name, website url, request execution methods;
   Customizes config.php and asceds.php;
   Copies and reconfigs asceds-site-apache2.conf;
   Initializes request log file;
   Builds directory structure for the website;
   Creates symlink to make site config file available by wget to clients;
   Creates ssh keys for root requests by ssh;
   Sets asceds-web-actions crontab for running the request queues generated 
      by the web interface.

*** asceds-clean 
Cleans asceds certificate data on the client
asceds-clean [-h]
-h --> display usage and exit
Removes the certificate request ${ASCEDSHOMEDIR}/cert.conf
Removes any existing certificates from ${ASCEDSHOMEDIR}/certs/

*** asceds-client-remove
Removes existing client: cert files from /etc/letsencrypt and from 
${ASCEDSHOMEDIR} (create backup copy);
to be run on the cert manager as root/sudo, directly or through 
asceds-propagate-certbot in /etc/cron.d/asceds-cert-propagate 
if the client is offline for more than 30 days;
asceds-client-remove [-h] [-q] -c <client_name>
-h --> display usage and exit
-c <client_name> --> client to be setup; print usage if missing
-q --> no question asked; sends output to the logs
Removes letsencrypt certificate files
Moves ${ASCEDSHOMEDIR} certificate files to .bak copy 
Removes host down flag

*** asceds-client-setup
gets client parameters, generates new certificate, copies files to the client;
to be run on the cert manager as root/sudo through asceds-init on the client;
(interactive only), runs as root/sudo, ${ASCEDSBINDIR}/
asceds-client-setup [-h] [-s] [-q] -c <client_name>
-h --> display usage and exit
-c <client_name> --> client to be setup; print usage if missing
-q --> no question asked; sends output to the logs
-s --> clean old keys of the client in ~asceds/.ssh/known_hosts
Scp client's cert.conf to ${ASCEDSHOMEDIR}/${DOMAIN_NAME}_cert.conf
Validity checks
   DOMAIN_NAME --> CLIENT_DOMAIN_NAME
   SANS_LIST --> CLIENT_SANS_LIST
Generates new certificate: asceds-certbot-gencert
Creates flag for transferring the certificates .newcerts
Transfers cert back: asceds-send-cert -c <client_name>

*** asceds-init
initializes certificate client
(interactive only), runs as root/sudo, ${ASCEDSBINDIR}/
asceds-init [-h] [-r] [-f] [-s <certmanager>]
-h --> display usage and exit
-r --> set noreturn policy, client is read-only
-f --> site using self signed certificates 
-s <certmanager> --> the site certificate manager
Checks/fixes network configuration including hosts, postfix, openssl.cnf.
Builds certificate manager URL:
  if no cert manager is mentioned in the command line, ask for it;
Retrieves the site config file from the certificate manager,
  parse and create {ASCEDSETCDIR}/asceds-site.conf.
Sets the certificate encoding in {ASCEDSETCDIR}/asceds-hostconf.conf.
Generates certificate configuration in cert.conf.
Copies logrotate asceds config file.
Creates renewal crontab: asceds-cert-refresh
Work done on root/sudo@certmanager if access available, 
      otherwise prints instructions and exits:
  Runs setup script: asceds-client-setup -s -c ${CLIENT_DOMAIN_NAME}
Selects and configures services which depend on certificates and 
      have reconfig scripts: asceds-services

*** asceds-sans-update
change SAN values, recreate certificate, reconfigure services
(interactive only), runs as root/sudo, ${ASCEDSBINDIR}/
asceds-sans-update [-h] [-l] [-r] [-a <hostname>,...] [-d <hostname>,...]
-h --> display usage and exit
-r --> set noreturn policy if client is read-only
-l --> local mode (appropriate for asceds-init)
-a <hostname>[,<hostname>,...] adds comma separated SAN values
-d <hostname>[,<hostname>,...] deletes comma separated SAN values
Refresh cert.conf according to the current version of asceds;
If no -a/-d, displays current configuration and goes into interactive mode;
Deletes SAN values from /etc/hosts, /etc/postfix/main.cf, openssl.cnf
Checks DNS records of SANs to be added; configures with the host IP address
Adds SAN values to /etc/hosts, /etc/postfix/main.cf, openssl.cnf
Refreshes ~asceds/cert.conf
Provides instructions to manually complete the action.

*** asceds-send-cert
copies new site config and certificate files to the clients;
it does not check for the type of client, attepts transfer anyway.
(interactive + script), runs as asceds, ${ASCEDSBINDIR}/
used by asceds-init, also when certificates are generated
(renewal, add-sans, del-sans)
asceds-send-cert [-h] [-q] -c <client_name>
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-c <client_name> --> transfer the certificate files to client_name
Checks for a new site config file (flagged by <client_name>:.newsiteconf).
SCP the new site config file to asceds@<client_name>:.
Removes the trigger for uploading the site config file.
Sets the trigger for site config file update <client_name>:.site-reconf.
Checks if new certificate files exist (flagged by <client_name>:.newcerts).
SCP the new certificate files to asceds@<client_name>:certs/.
Removes the trigger for uploading new certificate files.
Sets the trigger for service reconfiguration <client_name>:.asceds-reconf.
If the client is unreachable, sets a flag ~asceds/down/<client_name> and
   emails to ALARM; if client is reachable and the flag exists, removes it.

*** asceds-service-reconfig
updates the site config file if needed,
copies cert filess to the right locations and restarts services using them
(interactive + script), runs as root/sudo, ${ASCEDSBINDIR}/
needs to be run by trigger every time the cert files are changing
    cron job <-- ~asceds/.asceds-reconf
(init, renewal, add-sans, del-sans)
asceds-service-reconfig [-q] [-t] [-h] [-s <service>]
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-t --> reconfigure services only if trigger file .asceds-reconf exists
-s service --> reconfigures the <service> only (one service);
               in cron mode, -s options are ignored
-h --> display usage and exit
Updates the site config file using the trigger ${ASCEDSHOMEDIR}/.site-reconf;
Checks if the available certificate is not stale 
   (expired or expiring in the next 5 days);
   if the certificate is stale, refreshes the site configuration file 
   to allow pushing new certificate files which are blocked when 
   the asceds ssh keys change on the certificate manager;
   if it is almost expired, send message to ALARM;
Reads parameters (CLIENT_DOMAIN_NAME, CLIENT_SANS_LIST) <-- ~asceds/cert.conf;
Copies cert/key from ~asceds/certs/ --> /etc/ssl ; fix permissions;
Reconfigures/restarts services through ${ASCEDSSERVCONF}/*.sh ;
     to avoid sourcing: rename so it doesn't match *.sh;
     available service templates: ${ASCEDSSERVDIR}/*.sh.proto;
Removes the reconfig trigger file ${ASCEDSHOMEDIR}/.asceds-reconf

*** asceds-services
configure services handled by ASCEDS
(interactive only), runs as root/sudo, ${ASCEDSBINDIR}/
asceds-services [-h] [-a <service>] [-d <service>]
-h --> display usage and exit
-d <service> --> deactivate one service (before activating)
                 multiple [-d <service>] are allowed
-a <service> --> activate or refresh one service, 
                 multiple [-a <service>] are allowed,
                 each activated service is reconfigured through 
                      asceds-service-reconfig -q -s <service>   
Shows available services to be updated by
      scripts in ${ASCEDSSERVDIR}/*.sh.proto;
Shows activated service update scripts;
Shows which local scripts (if any) are different from templates;
Shows which local scripts (if any) have no template;
Deactives local .sh scripts in ${ASCEDSSERVCONF}/, keeping a backup;
Activates local .sh scripts in ${ASCEDSSERVCONF}/ starting from templates; 
With no argument, offers a simple interface to activate/deactivate services
      by typing in a space separated list.
To refresh a local script from template, both deactivate and activate it.

*** asceds-update-siteconfig
Configures/updates site config file ${ASCEDSETCDIR}/asceds-site.conf
(interactive + script(on client only)), runs as root/sudo, ${ASCEDSBINDIR}/
asceds-update-siteconfig [-h] [-q] [-s] [-c]
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-s --> create/update the site config file on the certificate manager
-c --> reconfigure client (-s and -c are mutually exclusive)
On the certificate manager:
  Creates/updates the site config file ${ASCEDSETCDIR}/asceds-site.conf.
    Allows ASCEDSCRTMGR change only if ran from asceds-certmanager-setup.
    If certificate manager name is a CNAME (not fqdn of localhost): 
      checks if it resolves to the same IP address;
      adds it to hosts, postfix, openssl.cnf.
  Refreshes symlink to make site config file available by wget to clients.
  Copies the new site config file into ${ASCEDSHOMEDIR}/<managed_client>/ and
     adds .newsiteconf trigger to all managed clients except cert manager itself.
  On the cert manager, copies the new site config file into ${ASCEDSHOMEDIR}/.
On the client (no prompts in quiet mode):
  Certificate manager URL priority: ${ASCEDSALTCRTMGR}, ${ASCEDSCRTMGR}, input.
  Retrieves the site config file from the certificate manager URL
     to ${ASCEDSHOMEDIR}/asceds-site.conf.
  Parses and creates ${ASCEDSETCDIR}/asceds-site.conf.
  Uses the site ssh public key to create/update authorized_keys.

*** asceds-web-user
Adds/removes/reconfigures web users
asceds-web-user [-h] [-l] 
                [-p] [-a <username>] [-d <username>] 
                [-e] [-c] [-x] [-m <username>]
-h --> display usage and exit
l --> list current users and their domains, then exit 
-p --> use simple auth password file ${ASCEDSWEBDIR}/html/cert/.htpasswd
-a <username> --> adds username to the website;
-d <username> --> deletes user from the website;
-m <username> --> modifies (if -e, -c, or -x present) or deletes/re-adds user;
-e --> modifies email address (works with -m);
-c --> modifies authorized domains (works with -m);
-x --> modifies simple auth password (works with -m if .htpasswd exists); 
Options -a/-d/-m are mutually exclusive.
Wildcard ALL gives user authority over all available domains.
Sets/removes list of authorized domains in ${ASCEDSWEBDIR}/etc/users.php
Sets/removes user password for simple auth in ${ASCEDSWEBDIR}/html/cert/.htpasswd
   (if it exists or -p)
If file ${ASCEDSWEBDIR}/html/cert/.htpasswd exists, -p is forced.
<Username> must be valid email address used for sending notifications,
   or a mail alias is set.
User deletion is allowed only if no unmanaged clients are recorded to the user.


*** asceds-certbot-gencert
generates new cert files using certbot
(interactive + script), runs as root/sudo, ${ASCEDSCBDIR}/
asceds-certbot-gencert [-h] [-e] [-d] [-q] -c <client_name> [-s <SAN1>,<SAN2>,...]
Generates new cert files using certbot. Options:
-h --> display usage and exit
-e --> execute the certbot command (just echo the command by default)
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-d --> dry-run (off by default)
-c <client_name> --> name of the computer requesting a certificate
-s <SAN1>,... --> comma-separated alternate names of the computer requesting 
                   a certificate not including domain_name
Figures out certbot's options based on the command line input.
Checks if cert manager is authorized to generate requested certificates
   by matching hostname and SANs with the authorized domains.
Generates new certificates using certbot if -e or if CERTBOTEXEC is not empty:
   Certs/key are generated by certbot and go in /etc/letsencrypt/live/<cert_name>/;
   Checks if a fresh certificate was generated;
   Certs/key are copied to ${ASCEDSHOMEDIR}/<client_name>/ and chown asceds:asceds;
   If client is unmanaged, copies the cert files in the web dir and chown ${ASCEDSWEBUSER}.

*** asceds-certbot-revoke
revoke certs
(interactive + script), runs as root/sudo, ${ASCEDSCBDIR}/
asceds-certbot-revoke [-h] [-e] [-q] [-d] -c <client_name>
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-c <client_name> --> cert for <client_name> will be revoked (one per use)
-e --> execute certbot revoke (just echo the command by default)
-d --> delete the client from asceds and certbot; do not revoke certificate
Checks if certbot is installed and certificate files exist.
Displays status of the client and of the certificate files.
Checks if cert manager is authorized to revoke requested certificate.
Displays (by default) or executes (if -e or if CERTBOTEXEC is not empty)
the certbot command to revoke the certificate.
If -e or -d or CERTBOTEXEC is not empty:
   Removes any certificate files from ~asceds/<client_name>/
      and /etc/letsencrypt/*/client_name>/*
   If client is unmanaged, removes the cert files from the web dir.

*** asceds-propagate-certbot
detect and propagate new certificates based on automatic renewals by certbot
(script by cron, interactive), runs as root/sudo, ${ASCEDSCBDIR}/
asceds-propagate-certbot [-h] [-q] [-l] [-r] [-c <client>]
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-l --> keep the certificate local, don't trigger asceds-send-cert
-r --> ignore noreturn policy and try to send the certificate
       (mutually exclusive with -l; needs -c)
-c <client> --> propagate only for <client> 
Looks for renewed certs;
Copies renewd certs to ~asceds/<client>/; chown asceds:asceds
If client is unmanaged:
   Copies the cert files in the web dir for download.
   Sends email to requestor for downloading the renewed cert files.
If client is managed:
   Creates transfer cert flag ~asceds/<client>/.newcerts.
   If fully managed client and no -l option, 
      or if privately managed client with -r option:
         Sends cert files to the client through asceds-send-cert.
   If privately managed client, sends email to ALARM announcing new cert.
Tries to re-send cert files to fully managed clients if .newcerts is present.
Removes clients which were offline for more than 30 days.

*** asceds-test-return
Tests read/write scp access to asceds@client
(called by asceds_cert.php), ${ASCEDSHOME}/website/
asceds-test-return [-h] -c <client_name>
-h --> display usage and exit
-c <client_name> --> client name to test 
Outputs: success = read/write successful 
         readonly = read-only access 
         noaccess = no ssh access at all


*** asceds-web-unmanaged 
Performs actions requested through the web interface for unmanaged clients
(request_cert.php, revoke_cert.php, cron script asceds-web-actions), 
${ASCEDSHOME}/website/ 
asceds-web-unmanaged [-h] [-q] [-n] [-r] [-c <client_name>]
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-n --> new certificate actions only
-r --> revoke actions only
-c <client_name> --> act only for <client_name>
If both types of requests (new certificate and revoke) are found,
revoke requests are performed first.
Revoke: requests in ${ASCEDSWEBDIR}/cert_queue/*.rev:
   read .rev file;
   log: date Web user <username> revoked certificate for <hostname>;
   asceds-certbot-revoke -q -e -c <hostname>;
   remove .rev file;
Newcert: requests in ${ASCEDSWEBDIR}/cert_queue/*.cert:
   read .cert file;
   create/adjust ~asceds/<hostname>_cert.conf;
        populate populate ASCEDS_CERT_ID if empty;
   log: date Web user <username> requested certificate for <hostname>
        with SANs <sans>, client type changed to: <ack>;
   asceds-certbot-gencert -e -q -c <hostname> -s <sans>;
   remove .cert file.

*** asceds-web-propagate
Propagates ASCEDS data requested through the web interface for managed clients
(asceds_cert.php, cron script asceds-web-actions), ${ASCEDSHOME}/website/
asceds-web-propagate [-h] [-q] [-c <client>]
-h --> display usage and exit
-q --> no question asked; sends output to the logs in ${ASCEDSLOGDIR}/
-c <client> --> propagate only <client> 
Propagate: requests in ${ASCEDSWEBDIR}/cert_queue/*.asceds
If run the queue (by cron), sends notification by email to requestors.
If cert.conf exists and ASCEDS_CERT_ID not empty, 
   removes web certificate files.
If ~asceds/<hostname>/.newcerts is present, just sends the certificate files
   through asceds-send-cert -c <client> (for atomic operation); 
Else, performs a full setup (generates new certificate and sends it)
   through asceds-client-setup -c  <client>.
Removes request file.

*** *-head
Header stub for scripts in the directory:
* save the arguments
* set default locations for config files
* load default config files as requested: local site hostconfig certbot
* load customized config files as requested: local site hostconfig certbot
* load libraries as requested
* echo greetings
* check if logging is possible
* normalize format of the arguments
