Created
July 5, 2016 13:37
-
-
Save jweyrich/52f71bd6cd99095dc806de10b368d264 to your computer and use it in GitHub Desktop.
Let's Encrypt Certificates Auto Renew
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # AUTHOR : Jardel Weyrich <[email protected]> | |
| # DESCRIPTION: Renew expiring certificates that were already issued via letsencrypt | |
| # and reside in `/etc/letsencrypt/live/$DOMAIN/`. | |
| # The domain authentication is done via WEBROOT. It starts an instance | |
| # of `lighttpd` that serves files on `/var/www`, do the renew process using | |
| # `letsencrypt-auto`, and then stops the `lighttpd` instance. | |
| # The updated certificates are then moved to `/etc/haproxy/certs/$DOMAIN.pem` | |
| # and the `haproxy` instance is reloaded to apply any certificate that might | |
| # have been updated. | |
| # | |
| # Tested only on Ubuntu 14.04.4 LTS | |
| # | |
| # Trap any errors or commands with non-zero exit status by calling function `catch_errors` | |
| trap catch_errors ERR | |
| set -e # abort if any command exits with error status | |
| set -o pipefail # abort if any command in pipeline exits with error status | |
| WEBROOT_PATH=/var/www | |
| # Executes letsencrypt-auto with --dry-run | |
| function test_renew_all_certificates() { | |
| /opt/letsencrypt/letsencrypt-auto renew \ | |
| --non-interactive \ | |
| --no-self-upgrade \ | |
| --webroot-path=$WEBROOT_PATH \ | |
| --dry-run | |
| } | |
| function renew_all_certificates() { | |
| /opt/letsencrypt/letsencrypt-auto renew \ | |
| --non-interactive \ | |
| --no-self-upgrade \ | |
| --webroot-path=$WEBROOT_PATH >> /var/log/letsencrypt-renew.log 2>&1 | |
| } | |
| # Executes letsencrypt-auto with --dry-run | |
| function test_renew_certificates_for_domain() { | |
| if [ -n "$1" ]; then | |
| DOMAIN="$1" | |
| /opt/letsencrypt/letsencrypt-auto certonly \ | |
| --non-interactive \ | |
| --no-self-upgrade \ | |
| --keep-until-expiring \ | |
| --webroot-path=$WEBROOT_PATH \ | |
| --manual-public-ip-logging-ok \ | |
| --agree-tos \ | |
| -d $DOMAIN \ | |
| --dry-run | |
| fi | |
| } | |
| function renew_certificates_for_domain() { | |
| if [ -n "$1" ]; then | |
| DOMAIN="$1" | |
| /opt/letsencrypt/letsencrypt-auto certonly \ | |
| --non-interactive \ | |
| --no-self-upgrade \ | |
| --keep-until-expiring \ | |
| --webroot-path=$WEBROOT_PATH \ | |
| --manual-public-ip-logging-ok \ | |
| --agree-tos \ | |
| -d $DOMAIN >> /var/log/letsencrypt-renew.log 2>&1 | |
| fi | |
| } | |
| function update_haproxy_certificate_for_domain() { | |
| if [ -n "$1" ]; then | |
| DOMAIN="$1" | |
| PRIV_KEY_PATH="/etc/letsencrypt/live/$DOMAIN/privkey.pem" | |
| PUB_KEY_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem" | |
| test -f "$PRIV_KEY_PATH" && test -f "$PUB_KEY_PATH" | |
| cat "$PRIV_KEY_PATH" > "/etc/haproxy/certs/temp-$DOMAIN.pem" | |
| cat "$PUB_KEY_PATH" >> "/etc/haproxy/certs/temp-$DOMAIN.pem" | |
| mv "/etc/haproxy/certs/temp-$DOMAIN.pem" "/etc/haproxy/certs/$DOMAIN.pem" | |
| chmod 400 "/etc/haproxy/certs/$DOMAIN.pem" | |
| fi | |
| } | |
| function renew_all_haproxy_certificates() { | |
| for DOMAIN in $(find "/etc/letsencrypt/live" -mindepth 1 -maxdepth 1 -type d -printf '%P\n'); do | |
| update_haproxy_certificate_for_domain "$DOMAIN" | |
| done | |
| } | |
| function catch_errors() { | |
| echo "script aborted because of errors" | |
| exit 1 | |
| } | |
| /usr/sbin/service lighttpd start | |
| renew_all_certificates | |
| /usr/sbin/service lighttpd stop | |
| renew_all_haproxy_certificates | |
| /usr/sbin/service haproxy reload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment