Last active
June 7, 2017 09:09
-
-
Save hidekuro/1801e711367b47a7e519 to your computer and use it in GitHub Desktop.
Let's Encryptで証明書を取得してIAMにアップロードし、ELBに設定するスクリプト。
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| cd $(dirname $0) | |
| # 現在日付のYYYYMMDD | |
| DATE_CURRENT_YMD=$(date '+%Y%m%d') | |
| # AWS Profile 名 | |
| AWS_PROFILE=elb_update_cert | |
| # 独自ドメイン | |
| DOMAINS=( | |
| "yourdomain.com" | |
| "www1.yourdomain.com" | |
| "www2.yourdomain.com" | |
| ) | |
| # IAM 上のサーバー証明書名。後ろに "-" + $DATE_CURRENT_YMD が付く。 | |
| CERT_NAME="letsencrypt-cert" | |
| # 対象 ELB のロードバランサー名 | |
| ELB_NAME="my-site-balancer01" | |
| # aws-cli 実行コマンド | |
| EXEC_AWS="aws --profile elb_update_cert" | |
| # Let's Encrypt の連絡用メールアドレス | |
| [email protected] | |
| # Let's Encrypt Client を clone したパス | |
| LE_HOME=/home/ec2-user/letsencrypt | |
| # letsencrypt-auto 実行コマンド | |
| EXEC_LE_AUTO="${LE_HOME}/letsencrypt-auto --email $LE_EMAIL --agree-tos" | |
| # 取得した証明書ファイルのリンク群が配置されるディレクトリ | |
| # letsencrypt-auto に与えた最初のドメイン名が採用される | |
| LE_FILES_ROOT=/etc/letsencrypt/live/${DOMAINS[0]} | |
| # 証明書ファイル群のシンボリックリンクのパス | |
| CERT_PATH=$LE_FILES_ROOT/cert.pem | |
| CHAIN_PATH=$LE_FILES_ROOT/chain.pem | |
| FULLCHAIN_PATH=$LE_FILES_ROOT/fullchain.pem | |
| PRIVKEY_PATH=$LE_FILES_ROOT/privkey.pem | |
| # DOMAINS を "-d" とペアで繋げたパラメータ (-d "yourdomain.com" -d "www1.yourdomain.com" ... ) | |
| LE_PARAM_DOMAINS=() | |
| for domain in "${DOMAINS[@]}"; do | |
| LE_PARAM_DOMAINS+=("-d" "$domain") | |
| done | |
| LE_PARAM_DOMAINS="${LE_PARAM_DOMAINS[@]}" | |
| # 証明書を(再)発行。 | |
| $EXEC_LE_AUTO certonly --webroot \ | |
| --renew-by-default \ | |
| -w /var/www/letsencrypt \ | |
| $LE_PARAM_DOMAINS | |
| # 現時点のサーバー証明書名リストを取得 | |
| OLD_SERVER_CERT_NAMES=$($EXEC_AWS iam list-server-certificates | jq -r ".ServerCertificateMetadataList[] | select(.ServerCertificateName | contains(\"${CERT_NAME}\")).ServerCertificateName") | |
| # 新しい証明書のサーバー証明書名 | |
| NEW_SERVER_CERT_NAME="${CERT_NAME}-${DATE_CURRENT_YMD}" | |
| # 新しい証明書を IAM にアップロード | |
| $EXEC_AWS iam upload-server-certificate --server-certificate-name $NEW_SERVER_CERT_NAME \ | |
| --certificate-body file://$CERT_PATH \ | |
| --private-key file://$PRIVKEY_PATH \ | |
| --certificate-chain file://$CHAIN_PATH | |
| # 反映を待つ | |
| sleep 15 | |
| # 新しい証明書の ARN を取得 | |
| SERVER_CERT_ARN=$($EXEC_AWS iam list-server-certificates | jq -r ".ServerCertificateMetadataList[] | select(.ServerCertificateName == \"${NEW_SERVER_CERT_NAME}\").Arn") | |
| # ELB に新しいサーバー証明書を設定 | |
| $EXEC_AWS elb set-load-balancer-listener-ssl-certificate \ | |
| --load-balancer-name $ELB_NAME \ | |
| --load-balancer-port 443 \ | |
| --ssl-certificate-id $SERVER_CERT_ARN | |
| # 反映を待つ | |
| sleep 15 | |
| # 古い証明書を削除 | |
| for cert_name in $OLD_SERVER_CERT_NAMES; do | |
| $EXEC_AWS iam delete-server-certificate --server-certificate-name $cert_name | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment