Create and apply Letsencrypt certificates to Gandi vhosts using certbot
#!/bin/sh | |
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# sslgen-gandihosts.sh | |
# | |
# v04 - 2016-08-10 combine create and update loop
# v03 - 2016-08-10 more cleanups | |
# v02 - 2016-08-04 lots of cleanups, improved loop for updates | |
# v01 - basic functionality | |
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# generate and update letsencrypt certificates for gandi | |
# from a remote host. | |
# this script can be run via cron to check for expirations and
# handle certificate renewals
# certbot recommends running twice a day | |
# plugin connects via sftp to sftp.dc2.gpaas.net | |
# it requires certbot and the gandi letsencrypt plugin | |
# check the requirements: | |
# https://github.com/Gandi/letsencrypt-gandi#requirements-1 | |
# Letsencrypt: https://letsencrypt.org/ | |
# Certbot: https://certbot.eff.org/ | |
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# define the certbot binary and usage options | |
# --------------------------------------------------------------------- | |
# certbot binary | |
# path to the certbot binary
CERTBOT=/usr/local/bin/certbot
# base directory of this script; the pwrc file is read from here as well
LEDIR=/mnt/backup/scripts/sslcert
# certbot keeps its configuration, working files and logs in one directory
CONFIGDIR=${LEDIR}/.letsencrypt
WORKDIR=${LEDIR}/.letsencrypt
LOGSDIR=${LEDIR}/.letsencrypt
# certbot OPTIONS: https://certbot.eff.org/docs/using.html#command-line-options
# Useful option when testing: --dry-run
# options used for the first issuance of a certificate ('create')
GENOPTS='--non-interactive --agree-tos'
# options used for renewals ('update'): certonly, one vhost at a time,
# only re-issuing when the stored certificate is close to expiry
# useful extra options: --quiet --force-renew
# --keep-until-expiring seems to be automatically set even when using certonly
# --force-renew can be used to test if the updating works correctly
UPDATEOPTS='certonly --quiet --non-interactive --keep-until-expiring'
# --------------------------------------------------------------------- | |
# define the certbot binary and usage options | |
# --------------------------------------------------------------------- | |
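# read user specific variables from a pwrc file
# to create this file, simply take the commented lines from this section,
# create the file, uncomment and set the variables correctly
# The pwrc file holds the Gandi API key: keep it readable only by the user
# running this script (e.g. mode 0600). Check for it explicitly so a missing
# or unreadable file gives a clear message instead of sh's terse abort.
if [ ! -r "$LEDIR/sslgen-gandihosts.pwrc" ]; then
  echo "Cannot read $LEDIR/sslgen-gandihosts.pwrc" >&2
  exit 1
fi
. "$LEDIR/sslgen-gandihosts.pwrc"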
# the name of the hosting instance | |
#SHSNAME=my-hosting-instance | |
# the host that you want to generate a certificate for | |
#HOSTLIST="\ | |
# host1.com \ | |
# site2.net \ | |
# blog3.org \ | |
# shop4.com" | |
#HOSTLIST="host1.com site2.net" | |
# Email contact | |
#[email protected] | |
# the API key, available from your Gandi Account Management | |
# Note: the test needs the real API key, not the test API key... | |
#LIVEAPIKEY=MY-API-KEY | |
#TESTAPIKEY=$TESTAPIKEY | |
# --------------------------------------------------------------------- | |
# LIVE create / update / renewal | |
# --------------------------------------------------------------------- | |
# Note: the --domain option cannot be used with 'renew': | |
# Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future. | |
# update all certificates stored | |
# Workaround: do one at a time, use the certonly option with --keep-until-expiring | |
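create_update_cert() {
  # Run certbot once per host in HOSTLIST with the options in CERTOPTS.
  # 'renew' cannot select individual domains, so each vhost is handled
  # by its own certbot invocation.
  # Globals read: CERTBOT CERTOPTS ACTION HOSTLIST CONFIGDIR WORKDIR LOGSDIR
  #               SHSNAME LIVEAPIKEY
  # Outputs: progress on stdout, one line per failed host on stderr
  # Returns: 0 when certbot succeeded for every host, 1 if any host failed
  #          (the original returned only the status of the last host)
  echo Running with options "$CERTOPTS"
  failed=0
  # HOSTLIST and CERTOPTS are deliberately unquoted: both are
  # space-separated lists that must be split into separate words.
  # shellcheck disable=SC2086
  for VHOST in $HOSTLIST
  do
    echo "$ACTION certificate for $VHOST..."
    # The API key is passed as a command-line argument because that is how
    # the plugin takes it; while certbot runs it is visible in the process
    # list, so keep the pwrc file private and avoid running with 'sh -x'.
    # shellcheck disable=SC2086
    if ! $CERTBOT $CERTOPTS \
      --domains "$VHOST" \
      --config-dir "$CONFIGDIR" \
      --work-dir "$WORKDIR" \
      --logs-dir "$LOGSDIR" \
      --authenticator letsencrypt-gandi:gandi-shs \
      --letsencrypt-gandi:gandi-shs-name "$SHSNAME" \
      --letsencrypt-gandi:gandi-shs-vhost "$VHOST" \
      --letsencrypt-gandi:gandi-shs-api-key "$LIVEAPIKEY" \
      --installer letsencrypt-gandi:gandi-shs
    then
      echo "certbot failed for $VHOST" >&2
      failed=1
    fi
  done
  return $failed
}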
# --------------------------------------------------------------------- | |
# for debugging with the test server | |
# --------------------------------------------------------------------- | |
# Note: needs the real API key, not the test API key... | |
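test_cert() {
  # Print (do not run) the certbot 'run' command against the Let's Encrypt
  # staging server, one line per host in HOSTLIST, so the arguments can be
  # inspected before a real attempt. Nothing is executed or sent anywhere.
  # Globals read: EMAIL SHSNAME CERTBOT HOSTLIST CONFIGDIR WORKDIR LOGSDIR
  # Outputs: the email, the instance name and one command line per host
  # Note: the original used $VHOST, which is only set inside the loop of
  # create_update_cert, so the printed --domains value was always empty.
  # note that it needs your real API key, not the TEST API key
  echo "Email $EMAIL"
  echo "Instance: $SHSNAME"
  # HOSTLIST is deliberately unquoted: it is a space-separated list.
  # shellcheck disable=SC2086
  for VHOST in $HOSTLIST
  do
    # The key itself is not printed (the literal text $TESTAPIKEY is shown
    # instead) so it does not end up in terminal scrollback or cron mail.
    echo "$CERTBOT" \
      run --domains "$VHOST" \
      --server https://acme-staging.api.letsencrypt.org/directory --break-my-certs \
      --config-dir "$CONFIGDIR" \
      --work-dir "$WORKDIR" \
      --logs-dir "$LOGSDIR" \
      --authenticator letsencrypt-gandi:gandi-shs \
      --letsencrypt-gandi:gandi-shs-name "$SHSNAME" \
      --letsencrypt-gandi:gandi-shs-vhost "$VHOST" \
      --letsencrypt-gandi:gandi-shs-api-key '$TESTAPIKEY' \
      --installer letsencrypt-gandi:gandi-shs
  done
}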
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# main() | |
# --------------------------------------------------------------------- | |
# --------------------------------------------------------------------- | |
# Check https://www.ssllabs.com/ssltest/analyze.html?d=$VHOST | |
# to see the quality of your ssl enabled site | |
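echo "Starting certbot operations for $HOSTLIST..."
# Dispatch on the single argument. A 'case' is used instead of '[ "$1" == x ]':
# the script runs under /bin/sh, and POSIX test(1) has no '==' operator
# (dash reports "[: test: unexpected operator" on it).
# Usage errors go to stderr and exit 2 so a cron job registers the failure;
# otherwise the exit status of the last certbot call is passed through.
case "$1" in
  test)
    ACTION="TESTING"
    test_cert
    ;;
  create)
    ACTION="GENERATING"
    CERTOPTS=$GENOPTS
    create_update_cert
    ;;
  update)
    ACTION="UPDATING"
    CERTOPTS=$UPDATEOPTS
    create_update_cert
    ;;
  "")
    echo "Usage: sslgen-gandihosts.sh <create|update|test>" >&2
    exit 2
    ;;
  *)
    echo "Unrecognized argument: $1" >&2
    echo "Usage: sslgen-gandihosts.sh <create|update|test>" >&2
    exit 2
    ;;
esac
exit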
And I'm not sure I understand these two lines, I think there's a typo:
#LIVEAPIKEY=MY-API-KEY
#TESTAPIKEY=$TESTAPIKEY
Thanks for sharing that script.
I think the first line should be #!/bin/bash
as running it with sh
throws [: test: unexpected operator
.
You may need to wrap every
$SHSNAME
instance with quotes if your instance name contains spaces.