@jirutka
Last active December 4, 2018 01:42
Simple scripts to manage Let's Encrypt certificates using acme-client.

File structure (octal permission modes in parentheses):

/
|-- etc
|   |-- acme (700)
|   |   |-- privkey.pem (400)
|   |   |-- request-cert (750)
|   |   `-- update-certs (750)
|   |-- periodic/weekly/acme-update (750)
|   `-- ssl/acme (755)
|       |-- private (700)
|       |   `-- <domain>/privkey.pem (400)
|       `-- <domain> (755)
|           |-- cert.pem (444)
|           |-- chain.pem (444)
|           `-- fullchain.pem (444)
`-- var/www/acme (755)
    :-- ...
    `-- xyz (444)
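The permission modes in the tree above are what keep the account key and the per-domain private keys readable only by root while the certificates and the challenge directory stay world-readable. The following shell script is an added example, not part of the gist: `check_acme_perms` audits a root directory against that layout, and `make_acme_layout` builds a throwaway fixture with dummy file contents (constructed, no real key material) so the audit can be tried offline. It assumes a GNU or BusyBox `stat` that understands `-c '%a'` (Linux, Alpine); `example.org` in the demo is a made-up domain.

```shell
#!/bin/sh
# Added example (not from the gist): audit a tree against the permission layout
# listed above. Assumes GNU/BusyBox stat (-c '%a').
set -eu

# Fixed paths and their expected octal modes, relative to the root, from the tree.
ACME_LAYOUT='etc/acme 700
etc/acme/privkey.pem 400
etc/acme/request-cert 750
etc/acme/update-certs 750
etc/periodic/weekly/acme-update 750
etc/ssl/acme 755
etc/ssl/acme/private 700
var/www/acme 755'

# check_one ROOT REL MODE: print a finding and return 1 if REL is missing or its mode differs.
check_one() {
    actual=$(stat -c '%a' "$1/$2" 2>/dev/null) || { echo "missing: $2"; return 1; }
    [ "$actual" = "$3" ] || { echo "$2: mode $actual, expected $3"; return 1; }
}

# check_acme_perms ROOT: check the fixed paths plus every per-domain key and cert file.
# Returns 0 when everything matches, 1 otherwise (findings are printed to stdout).
check_acme_perms() {
    root="$1"; rc=0
    while read -r rel mode; do
        check_one "$root" "$rel" "$mode" || rc=1
    done <<EOF
$ACME_LAYOUT
EOF
    # Per-domain private keys must be 400, the public certificate files 444.
    for keydir in "$root"/etc/ssl/acme/private/*/; do
        [ -d "$keydir" ] || continue
        domain=$(basename "$keydir")
        check_one "$root" "etc/ssl/acme/private/$domain/privkey.pem" 400 || rc=1
        check_one "$root" "etc/ssl/acme/$domain" 755 || rc=1
        for f in cert.pem chain.pem fullchain.pem; do
            check_one "$root" "etc/ssl/acme/$domain/$f" 444 || rc=1
        done
    done
    return $rc
}

# make_acme_layout ROOT DOMAIN: constructed test fixture with dummy contents and the
# modes from the tree (not real key material).
make_acme_layout() {
    root="$1"; domain="$2"
    mkdir -p "$root/etc/acme" "$root/etc/periodic/weekly" \
             "$root/etc/ssl/acme/private/$domain" "$root/etc/ssl/acme/$domain" \
             "$root/var/www/acme"
    for f in etc/acme/privkey.pem etc/acme/request-cert etc/acme/update-certs \
             etc/periodic/weekly/acme-update \
             "etc/ssl/acme/private/$domain/privkey.pem" \
             "etc/ssl/acme/$domain/cert.pem" "etc/ssl/acme/$domain/chain.pem" \
             "etc/ssl/acme/$domain/fullchain.pem"; do
        echo "dummy" > "$root/$f"
    done
    chmod 700 "$root/etc/acme" "$root/etc/ssl/acme/private"
    chmod 400 "$root/etc/acme/privkey.pem" "$root/etc/ssl/acme/private/$domain/privkey.pem"
    chmod 750 "$root/etc/acme/request-cert" "$root/etc/acme/update-certs" \
              "$root/etc/periodic/weekly/acme-update"
    chmod 755 "$root/etc/ssl/acme" "$root/etc/ssl/acme/$domain" "$root/var/www/acme"
    chmod 444 "$root/etc/ssl/acme/$domain"/*.pem
}

# Stand-alone demo: build a fixture, audit it, loosen one key file, audit again.
demo_root=$(mktemp -d)
make_acme_layout "$demo_root" example.org
check_acme_perms "$demo_root" && echo "layout OK"
chmod 644 "$demo_root/etc/acme/privkey.pem"
check_acme_perms "$demo_root" || echo "findings above are expected"
rm -rf "$demo_root"
```

Run it against a real host with `check_acme_perms /` after the scripts have been installed; the per-domain loop picks up every directory under `/etc/ssl/acme/private`, so new domains added with `request-cert` are covered without editing the list.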
#
# Serve the challenge directory for Let's Encrypt (acme-client writes the
# challenge responses into /var/www/acme).
#
location /.well-known/acme-challenge/ {
    alias /var/www/acme/;
}
#!/bin/ash
# /etc/periodic/weekly/acme-update: run update-certs from the weekly periodic
# job and append its timestamped output to the log file.
set -eu -o pipefail

LOGFILE='/var/log/acme.log'
DATE_FORMAT='%Y-%m-%d %H:%M:%S'

# An awk program that prefixes every logged line with a timestamp.
AWK_LOG_PREFIX="{ print strftime(\"$DATE_FORMAT:\"), \$0; fflush(); }"

# With pipefail, a failing update-certs makes this job exit non-zero as well.
{ /etc/acme/update-certs 2>&1; } | awk "$AWK_LOG_PREFIX" | tee -a "$LOGFILE"
#!/bin/sh
# /etc/acme/request-cert: generate a private key for a domain (if missing) and
# request a new certificate for it via acme-client.
set -eu

ACME_KEY='/etc/acme/privkey.pem'

if [ $# -eq 0 ] || [ "$1" = -h ] || [ "$1" = --help ]; then
    echo "Usage: $0 FQDN [ ALTNAME... ]" >&2; exit 1
fi

domain="$1"; shift
altnames="$*"  # remaining arguments, space separated; deliberately unquoted below
certdir="/etc/ssl/acme/$domain"
keyfile="/etc/ssl/acme/private/$domain/privkey.pem"

# acme-client can create only 4096-bit keys, but that's quite
# an overkill, so generate a 3072-bit key ourselves.
if [ ! -e "$keyfile" ]; then
    mkdir -p "${keyfile%/*}"
    # umask 0377 makes the key file mode 400 from the moment it is created.
    ( umask 0377 && openssl genrsa -out "$keyfile" 3072 )
fi

# Remember the alternative names so update-certs can renew with the same set.
if [ -n "$altnames" ]; then
    mkdir -p "$certdir"
    printf '%s\n' $altnames > "$certdir"/alt-names
fi

# -F: force (re)issuing even if the current certificate is not due yet,
# -m: per-domain directories under /etc/ssl/acme, -v: verbose, -f: account key.
acme-client -Fmv -f "$ACME_KEY" "$domain" $altnames
#!/bin/sh
# /etc/acme/update-certs: renew every certificate that has a key under KEYS_DIR
# and reload nginx if any of them changed. No `set -e` here on purpose: one
# failing domain must not stop the others from being renewed.
set -u

ACME_KEY='/etc/acme/privkey.pem'
CERTS_DIR='/etc/ssl/acme'
KEYS_DIR='/etc/ssl/acme/private'

reload=false
status=0

for path in "$KEYS_DIR"/*; do
    [ -d "$path" ] || continue  # skip the unexpanded glob when there are no keys
    cname="${path##*/}"
    # Alternative names saved by request-cert, if any (deliberately unquoted below).
    altnames=$(cat "$CERTS_DIR/$cname/alt-names" 2>/dev/null || true)

    # -e: allow expanding the alternative names, -m: per-domain directories.
    acme-client -emv -f "$ACME_KEY" "$cname" $altnames
    # acme-client exits 0 when the certificate was changed, 1 on failure and
    # 2 when the certificate was still valid and nothing was done.
    case "$?" in
        0) reload=true;;
        1) status=1;;
    esac
done

if $reload; then
    /etc/init.d/nginx --ifstarted reload || status=2
fi

exit $status