#!/bin/bash # # letsencrypt-renew.sh # # Copyright 2019 Jonathan Golder # # Derived from: # https://wiki.uberspace.de/webserver:https#automatisieren_von_let_s_encrypt # Which is itself originaly based on: # https://github.com/nerdoc/uberspace-tools/blob/master/letsencrypt-renew # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, # MA 02110-1301, USA. # # PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin # Detect first iteration to prevent useless sleep FIRSTITER=1 # PATH to inifiles / letsencrypt dir if [ -z "${LECONFIGDIR}" ]; then LECONFIGDIR=~/.config/letsencrypt fi # Catch missing LECONFIGDIR if [ ! -d "${LECONFIGDIR}" ]; then echo "$0: ${LECONFIGDIR} does not exists! Maybe letsencrypt is not yet initialised!" >&2 exit 1 fi # import_certificate # # Try to import certificate in webserver config using uberspace-add-certificate # # If something fails, leave a file as marker so we can try it again with next # script run. Failures occur occasionally due to problems with connection to # letsencrypt while import. import_certificate() { # import certificate uberspace-add-certificate -k "${LECONFIGDIR}/live/${domain}/privkey.pem" -c "${LECONFIGDIR}/live/${domain}/cert.pem" # Not successfull? if [ $? -ne 0 ]; then # Set error marker touch "${LECONFIGDIR}/live/${domain}/importerror" elif [ -f "${LECONFIGDIR}/live/${domain}/importerror" ]; then # Remove error marker rm "${LECONFIGDIR}/live/${domain}/importerror" fi } while getopts f opt do case $opt in f): force=1;; esac done # Get all existing inifiles matching namescheme cli-${domain}.ini for inifile in "${LECONFIGDIR}"/cli-*.ini; do # Get domain out of file (first value in property "domains") domain=$(grep -e "[ \t]*domains.*" "${inifile}" | sed "s/ //g" |cut -d "=" -f2 | cut -d "," -f1) # If there was an import error before, try again to import certificate if [ -f "${LECONFIGDIR}/live/${domain}/importerror" ]; then import_certificate fi # sleep for a random time so not all certificates get renewed at the same time if [ $FIRSTITER -ne 1 ]; then sleep $(expr $RANDOM % 600) fi if [[ -z $force ]]; then # Check validity of cert for domain openssl x509 -checkend $(( 21 * 86400 )) -in "${LECONFIGDIR}/live/${domain}/cert.pem" > /dev/null && continue fi # run let's encrypt FIRSTITER=0 letsencrypt certonly -c "${inifile}" || continue import_certificate done