#!/bin/bash
#
# letsencrypt-renew.sh
#
# Copyright 2019 Jonathan Golder <jonathan@golderweb.de>
#
# Derived from:
# https://wiki.uberspace.de/webserver:https#automatisieren_von_let_s_encrypt
# Which is itself originally based on:
# https://github.com/nerdoc/uberspace-tools/blob/master/letsencrypt-renew
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
#
#
# Pin PATH to the system directories so a cron run behaves exactly like an
# interactive one and nothing from an inherited or user-writable PATH is picked
# up ahead of the real openssl / letsencrypt / uberspace-add-certificate.
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin

# Stays 1 until the first renewal has actually been run; the main loop uses it
# to skip the random back-off sleep on the first iteration.
FIRSTITER=1

# Directory holding the cli-*.ini files and letsencrypt's live/ tree. An
# explicit LECONFIGDIR from the environment wins; otherwise the per-user
# default is used (the ~ in the default word is tilde-expanded by bash).
LECONFIGDIR=${LECONFIGDIR:-~/.config/letsencrypt}

# Nothing can be done without an initialised letsencrypt directory: say why on
# stderr (so cron mails it) and stop instead of silently doing nothing.
if [[ ! -d "${LECONFIGDIR}" ]]; then
  printf '%s\n' "$0: ${LECONFIGDIR} does not exists! Maybe letsencrypt is not yet initialised!" >&2
  exit 1
fi
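#######################################
# import_certificate
#
# Hand the current certificate and private key of one lineage to the web
# server configuration via uberspace-add-certificate.
#
# If the import fails, an "importerror" marker file is left next to the
# certificate so the next script run retries the import (failures occur
# occasionally because of connection problems to letsencrypt during the
# import). A successful import removes any marker left by an earlier attempt.
#
# Globals:   LECONFIGDIR (read), domain (read; default for $1)
# Arguments: $1 - lineage/domain whose live/ directory holds cert.pem and
#                 privkey.pem (optional; defaults to the global ${domain}
#                 set by the main loop, so existing callers are unchanged)
# Outputs:   whatever uberspace-add-certificate prints; an error on stderr
#            when no domain is known
# Returns:   exit status of uberspace-add-certificate (0 on success),
#            1 when neither $1 nor ${domain} names a lineage
#######################################
import_certificate() {
  local dom=${1:-${domain}}
  local live marker rc=0

  # Without a lineage name the paths below would degrade to live//...;
  # refuse instead of touching the wrong place.
  if [[ -z "${dom}" ]]; then
    printf '%s: import_certificate: no domain given\n' "$0" >&2
    return 1
  fi
  live="${LECONFIGDIR}/live/${dom}"
  marker="${live}/importerror"

  # The key is handed over by path only: its contents never appear on a
  # command line or in the environment, so nothing leaks via ps or logs.
  uberspace-add-certificate -k "${live}/privkey.pem" -c "${live}/cert.pem" || rc=$?

  if (( rc != 0 )); then
    # Leave a marker so the next run retries the import even when the
    # certificate itself is still valid and no renewal is due.
    touch -- "${marker}"
  elif [[ -f "${marker}" ]]; then
    # Import worked: clear the marker of an earlier failed attempt.
    rm -f -- "${marker}"
  fi
  return "${rc}"
}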
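# ---------------------------------------------------------------------------
# Command line: -f forces a renewal even when the certificate is still valid.
# NB: no ':' between ')' and the assignment -- "f): force=1" would hand the
# assignment to the null command ':' and -f would silently never take effect.
# ---------------------------------------------------------------------------
force=
while getopts ':f' opt; do
  case "${opt}" in
    f) force=1 ;;
    *)
      printf 'Usage: %s [-f]\n' "${0##*/}" >&2
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

# Renew once fewer than this many days of validity remain, and spread renewals
# by a random delay below this many seconds so the many instances of this
# script on a shared host do not all contact letsencrypt at the same moment.
# Both may be overridden from the environment (jitter must be > 0 to apply).
renew_before_days=${RENEW_BEFORE_DAYS:-21}
max_jitter_seconds=${RENEW_MAX_JITTER:-600}

# One cli-${domain}.ini per certificate lineage in ${LECONFIGDIR}.
for inifile in "${LECONFIGDIR}"/cli-*.ini; do
  # An unmatched glob leaves the literal pattern behind; skip it.
  [[ -f "${inifile}" ]] || continue

  # The lineage name is the first entry of the "domains" property. Anchor on
  # the key (first match only) so comments or other keys that merely contain
  # the word "domains" cannot supply the value; strip all whitespace, not
  # only spaces.
  domain=$(grep -m1 -e '^[[:space:]]*domains[[:space:]]*=' -- "${inifile}" \
    | cut -d '=' -f2 | cut -d ',' -f1 | tr -d '[:space:]')

  # ${domain} becomes a path component under live/: never operate on an empty
  # name (live//cert.pem) or on one that could leave the tree. Hostnames never
  # contain '/' or start with '.', so this rejects nothing legitimate.
  if [[ -z "${domain}" || "${domain}" == */* || "${domain}" == .* ]]; then
    printf '%s: %s: no usable "domains" entry, skipping\n' "$0" "${inifile}" >&2
    continue
  fi
  live="${LECONFIGDIR}/live/${domain}"

  # A previous import failed (marker left by import_certificate): retry it
  # first, the certificate itself may still be perfectly valid.
  if [[ -f "${live}/importerror" ]]; then
    import_certificate
  fi

  # Still valid long enough? Then there is nothing to renew (unless -f).
  # openssl also fails when cert.pem does not exist yet, which correctly
  # falls through to a first issuance.
  if [[ -z "${force}" ]] \
    && openssl x509 -checkend "$(( renew_before_days * 86400 ))" -in "${live}/cert.pem" > /dev/null; then
    continue
  fi

  # Random back-off before every renewal except the very first one. It sits
  # after the validity check so lineages that are skipped do not cost a sleep.
  if (( FIRSTITER != 1 && max_jitter_seconds > 0 )); then
    sleep "$(( RANDOM % max_jitter_seconds ))"
  fi
  FIRSTITER=0

  # Obtain the new certificate. On failure move on so one broken lineage
  # cannot block the others; the client has already printed its own reason.
  # NOTE(review): the client is distributed as "certbot" nowadays; the
  # "letsencrypt" name is kept as in the original -- confirm it exists on the host.
  if ! letsencrypt certonly -c "${inifile}"; then
    printf '%s: renewal of %s failed (%s), not importing\n' "$0" "${domain}" "${inifile}" >&2
    continue
  fi

  import_certificate
done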