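#!/usr/bin/env bash
#
# Generate a self-signed RSA-2048 server certificate and private key whose
# subject and SAN list are defined in the [dn] and [alt] sections below,
# store them under /root, and place a copy owned by the "snake" account
# under that user's home directory.
#
# Usage:   sudo ./<this-script>
# Outputs: $ROOT_DIR/mitm_cert.pem   (0644, root)
#          $ROOT_DIR/mitm_key.pem    (0600, root)
#          $SNAKE_DIR/mitm_cert.pem  (0644, snake:snake)
#          $SNAKE_DIR/mitm_key.pem   (0600, snake:snake)
# Exits 1 when not run as root; any failing command aborts (set -e).

set -euo pipefail

if [[ $EUID -ne 0 ]]; then
  echo "must run as root (use sudo)" >&2
  exit 1
fi

readonly ROOT_DIR=/root/dumps/mitm_logs
readonly SNAKE_DIR=/home/snake/dumps/mitm_logs

# Directories are created with the caller's umask so the modes of any newly
# created path components stay as before.
# NOTE(review): $SNAKE_DIR sits under a home directory that the snake user
# presumably controls, and this script writes there as root. Confirm that no
# path component can be a symlink planted by that user, or create the copy as
# that user instead.
mkdir -p "$ROOT_DIR" "$SNAKE_DIR"

readonly CERT="$ROOT_DIR/mitm_cert.pem"
readonly KEY="$ROOT_DIR/mitm_key.pem"

# mktemp gives an unpredictable, owner-only file; it is removed on every exit
# path, including a failure under set -e.
CFG=$(mktemp)
readonly CFG
trap 'rm -f "$CFG"' EXIT

# Quoted delimiter: the openssl config is written literally, with no shell
# expansion. The certificate is a leaf (CA:FALSE) restricted to serverAuth.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

[dn]
CN = portal.ubianet.com
O = Ubia
C = US

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt

[alt]
DNS.1 = portal.ubianet.com
DNS.2 = api.us.ubianet.com
DNS.3 = api.cn.ubianet.com
DNS.4 = *.ubianet.com
DNS.5 = *.aliyuncs.com
DNS.6 = *.oss-cn-shenzhen.aliyuncs.com
DNS.7 = *.myqcloud.com
IP.1 = 192.168.1.172
EOF

# Whoever holds this key can present the certificate for every name in [alt],
# so the key must never exist with group/other read bits. Tightening the umask
# before generation closes the gap between openssl creating the file and the
# chmod below (older openssl builds may create the key with the default
# umask). -nodes leaves the key unencrypted on disk, which makes the file mode
# the only protection.
umask 077
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$KEY" -out "$CERT" -config "$CFG" -extensions v3_req

chmod 644 "$CERT"
chmod 600 "$KEY"

# install sets owner, group and mode as part of the copy, so the key copy is
# never left root-owned or with a pre-existing file's looser mode the way a
# cp + chown + chmod sequence can. GNU install also replaces an existing
# destination entry instead of writing through it.
install -o snake -g snake -m 644 -- "$CERT" "$SNAKE_DIR/mitm_cert.pem"
install -o snake -g snake -m 600 -- "$KEY" "$SNAKE_DIR/mitm_key.pem"

echo
echo "=== wrote ==="
ls -l "$CERT" "$KEY" "$SNAKE_DIR/mitm_cert.pem" "$SNAKE_DIR/mitm_key.pem"

echo
echo "=== subject + SANs ==="
# Under pipefail a failure of either openssl or grep fails the script.
openssl x509 -in "$CERT" -noout -text | grep -E "Subject:|DNS:|IP Address:"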