levid0s · July 14, 2024 11:56
diff --git a/download_cert.sh b/download_cert.sh
 #!/bin/sh
 # https://gist.github.com/levid0s/xxxxxx/

 # Usage:
 # download_cert.sh [-h] [-n] [-f]
 # -h: Show help
 # -n: Skip script update check
 # -f: Force cert download, skip comparison

 # Version: v20240714

 # Recommended crontab:
 # 0 4 * * *  $script_path >> /tmp/download_cert.log

 # Recommended install path:
 # OpenWRT: /root/download_cert/
 # Other:   /opt/download_cert/

 # Only use ANSI colors when the output is not redirected
 [ -t 1 ] && NC='\e[0m' && RD='\e[1;31m' && YL='\e[1;33m' && WH='\e[1;37m' && LC='\e[1;36m' && LN='\e[1;32m'
 [ ! -t 1 ] && NC='' && RD='' && YL='' && WH='' && LC='' && LN=''

 script_dir=$(cd "$(dirname "$0")" && pwd)
 script_filename="$(basename "$0")"
 script_path="$script_dir/$script_filename"
 temp_dir='/tmp/dlcert' && mkdir -p "$temp_dir"

 if [ "$1" = '-h' ]; then
    echo "Recommended crontab:"
    echo "0 4 * * *  $script_path >> /tmp/download_cert.log"
    exit 0
 fi

 echo "Starting download_cert: $(date +"%Y-%m-%d %H:%M:%S")"

 if [ -f /etc/download_cert.ini ]; then
    ini_file='/etc/download_cert.ini'
 elif [ -f "$script_dir/config.ini" ]; then
    ini_file="$script_dir/config.ini"
 else
    echo -e "${RD}Config not found: ${WH}$ini_file${NC}"
    exit 1
 fi

 read_keys="lego_server cert_name crt_apikey key_apikey crt_path key_path reload_cmd lego_server_lookup name_server update_url"

 for key in $read_keys; do
    value="$(grep '^'$key'=' "$ini_file" | cut -d'=' -f2)"
    eval "$key=\"$value\""
    [ -n "$debug" ] && echo "read: $key = $value"
 done

 ts=$(date +%Y%m%d-%H%M%S)

 if [ -n "update_url" ] && [ "$1" != "-n" ]; then
    temp_file="$temp_dir/dl.sh"
    [ -n "$debug" ] && echo -e "${DY}Checking \`download_cert.sh\` for updates..${NC}"
    http_statuscode=$(curl --connect-timeout 10 -s $update_url --output "$temp_file" --write-out "%{http_code}")
    if [ $http_statuscode -ne 200 ]; then
        echo -e "${RD}Script download failed: $http_statuscode${NC}"
    else
        if cmp $temp_file $script_path; then
            echo -e ">> \`download_cert.sh\` script up to date."
        else
            [ -n "$debug" ] && echo "Downloaded update: $temp_file"
            echo -e "${GN}>> Found newer downloader script, updating..${NC}"
            mv $script_path "$temp_dir/$script_filename.$ts.backup"
            echo "Backing up: $script_path -> $temp_dir/$script_filename.$ts.backup"
            cp $temp_file $script_path
            echo "Updated: $temp_file -> $script_path"
            chmod +x $script_path
            echo "Starting updated script.."
            $script_path
            exit 0
        fi
    fi
 fi

 if [ "$lego_server_lookup" = "true" ]; then
    tmp="${lego_server#*://}" # Remove the protocol (everything up to '://')
    legohost="${tmp%%/*}"     # Remove everything after the hostname (path, query string, fragment identifier)
    legohost="${legohost%%:*}"

    ip_address="$(nslookup $legohost $name_server | grep -E 'Address: [0-9]' | awk '{print $2}')"
    lego_server=$(echo "$lego_server" | sed "s/$legohost/$ip_address/")

    echo "Resolved lego server: $lego_server"
 fi

 api_crt_path="certwarden/api/v1/download/certificates/$cert_name"
 api_key_path="certwarden/api/v1/download/privatekeys/$cert_name"

 temp_crt="$temp_dir/cert.pem"
 temp_key="$temp_dir/key.pem"
 temp_key_pkcs8="$temp_dir/key.pkcs8.pem"
 backup_crt="${crt_path}.$ts.backup"
 backup_key="${key_path}.$ts.backup"

 if :; then
    [ -n "$debug" ] && echo "Calling: $lego_server/$api_crt_path"
    http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_crt_path -H "apiKey: $crt_apikey" --output "$temp_crt" --write-out "%{http_code}")
    if test $http_statuscode -ne 200; then
        echo -e "${RD}Cert download failed: $http_statuscode${NC}"
        exit "$http_statuscode"
    fi
    [ "$1" != "-f" ] && {
        cmp -s $temp_crt $crt_path && echo -e "${WH}>> Certificate already up to date; nothing to do, exiting.${NC}" && exit 0
        echo -e "${GN}>> Found newer certificate!${NC}"
    }
 fi

 if [ -n "$key_apikey" ]; then
    [ -n "$debug" ] && echo "Calling: $lego_server/$api_key_path"
    http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_key_path -H "apiKey: $key_apikey" --output "$temp_key" --write-out "%{http_code}")
    if test $http_statuscode -ne 200; then
        echo -e "${RD}Key download failed: $http_statuscode${NC}"
        exit "$http_statuscode"
    fi

    [ "$1" != "-f" ] && { cmp -s $temp_key $key_path && echo -e "${WH}>> Keys have not changed.${NC}" && key_apikey=''; }
 fi

 ## Downloads successful, proceed to copy

 [ -f "$crt_path" ] && echo "Backing up: $crt_path -> $backup_crt" && cp "$crt_path" "$backup_crt"
 echo "Updating: $crt_path"
 cp $temp_crt $crt_path

 if [ -n "$key_apikey" ]; then
    [ -f "$key_path" ] && echo "Backing up: $key_path -> $backup_key" && cp "$key_path" "$backup_key"
    echo "Updating: $key_path"
    cp $temp_key $key_path
 fi

 if [ -n "$reload_cmd" ]; then
    echo "Reloading service with: $reload_cmd"
    eval "$reload_cmd"
 fi
diff --git a/xdownload_cert.ini.example b/xdownload_cert.ini.example
 # Recommended path: /etc/download_cert.ini

 # Generic
 cert_name=xxxx
 crt_apikey=....
 key_apikey=....
 lego_server=http://xxxx:4050
 lego_server_lookup=true
 name_server=192.168.1.1
 update_url=https://gist.githubusercontent.com/levid0s/48bb9d1b2daa4092496a3591381abb20/raw/

 # Adguard Home
 crt_path=/opt/AdGuardHome/cert/tls.crt
 key_path=/opt/AdGuardHome/cert/tls.key
 reload_cmd=service AdGuardHome restart

 # OpenWRT
 crt_path=/etc/uhttpd.crt
 key_path=/etc/uhttpd.key
 reload_cmd=service uhttpd restart

 # Proxmox
 crt_path=/etc/pve/local/pve-ssl.pem
 key_path=/etc/pve/local/pve-ssl.key
 reload_cmd=service pveproxy restart

 # Plex
 crt_path=/usr/lib/plexmediaserver/tls/tls.crt
 key_path=/usr/lib/plexmediaserver/tls/tls.key
 reload_cmd=openssl pkcs12 -export -in /usr/lib/plexmediaserver/tls/tls.crt -inkey /usr/lib/plexmediaserver/tls/tls.key -out /usr/lib/plexmediaserver/tls/tls.pfx  -passout pass: && service plexmediaserver restart

 # Grafana
 crt_path=/etc/grafana/grafana.crt
 key_path=/etc/grafana/grafana.key
 reload_cmd=systemctl restart grafana-server.service
	#!/bin/sh
	# https://gist.github.com/levid0s/xxxxxx/

	# Usage:
	# download_cert.sh [-h] [-n] [-f]
	# -h: Show help
	# -n: Skip script update check
	# -f: Force cert download, skip comparison

	# Version: v20240714

	# Recommended crontab:
	# 0 4 * * * $script_path >> /tmp/download_cert.log

	# Recommended install path:
	# OpenWRT: /root/download_cert/
	# Other: /opt/download_cert/

	# Only use ANSI colors when the output is not redirected
	[ -t 1 ] && NC='\e[0m' && RD='\e[1;31m' && YL='\e[1;33m' && WH='\e[1;37m' && LC='\e[1;36m' && LN='\e[1;32m'
	[ ! -t 1 ] && NC='' && RD='' && YL='' && WH='' && LC='' && LN=''

	script_dir=$(cd "$(dirname "$0")" && pwd)
	script_filename="$(basename "$0")"
	script_path="$script_dir/$script_filename"
	temp_dir='/tmp/dlcert' && mkdir -p "$temp_dir"

	if [ "$1" = '-h' ]; then
	echo "Recommended crontab:"
	echo "0 4 * * * $script_path >> /tmp/download_cert.log"
	exit 0
	fi

	echo "Starting download_cert: $(date +"%Y-%m-%d %H:%M:%S")"

	if [ -f /etc/download_cert.ini ]; then
	ini_file='/etc/download_cert.ini'
	elif [ -f "$script_dir/config.ini" ]; then
	ini_file="$script_dir/config.ini"
	else
	echo -e "${RD}Config not found: ${WH}$ini_file${NC}"
	exit 1
	fi

	read_keys="lego_server cert_name crt_apikey key_apikey crt_path key_path reload_cmd lego_server_lookup name_server update_url"

	for key in $read_keys; do
	value="$(grep '^'$key'=' "$ini_file" \| cut -d'=' -f2)"
	eval "$key=\"$value\""
	[ -n "$debug" ] && echo "read: $key = $value"
	done

	ts=$(date +%Y%m%d-%H%M%S)

	if [ -n "update_url" ] && [ "$1" != "-n" ]; then
	temp_file="$temp_dir/dl.sh"
	[ -n "$debug" ] && echo -e "${DY}Checking \`download_cert.sh\` for updates..${NC}"
	http_statuscode=$(curl --connect-timeout 10 -s $update_url --output "$temp_file" --write-out "%{http_code}")
	if [ $http_statuscode -ne 200 ]; then
	echo -e "${RD}Script download failed: $http_statuscode${NC}"
	else
	if cmp $temp_file $script_path; then
	echo -e ">> \`download_cert.sh\` script up to date."
	else
	[ -n "$debug" ] && echo "Downloaded update: $temp_file"
	echo -e "${GN}>> Found newer downloader script, updating..${NC}"
	mv $script_path "$temp_dir/$script_filename.$ts.backup"
	echo "Backing up: $script_path -> $temp_dir/$script_filename.$ts.backup"
	cp $temp_file $script_path
	echo "Updated: $temp_file -> $script_path"
	chmod +x $script_path
	echo "Starting updated script.."
	$script_path
	exit 0
	fi
	fi
	fi

	if [ "$lego_server_lookup" = "true" ]; then
	tmp="${lego_server#*://}" # Remove the protocol (everything up to '://')
	legohost="${tmp%%/*}" # Remove everything after the hostname (path, query string, fragment identifier)
	legohost="${legohost%%:*}"

	ip_address="$(nslookup $legohost $name_server \| grep -E 'Address: [0-9]' \| awk '{print $2}')"
	lego_server=$(echo "$lego_server" \| sed "s/$legohost/$ip_address/")

	echo "Resolved lego server: $lego_server"
	fi

	api_crt_path="certwarden/api/v1/download/certificates/$cert_name"
	api_key_path="certwarden/api/v1/download/privatekeys/$cert_name"

	temp_crt="$temp_dir/cert.pem"
	temp_key="$temp_dir/key.pem"
	temp_key_pkcs8="$temp_dir/key.pkcs8.pem"
	backup_crt="${crt_path}.$ts.backup"
	backup_key="${key_path}.$ts.backup"

	if :; then
	[ -n "$debug" ] && echo "Calling: $lego_server/$api_crt_path"
	http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_crt_path -H "apiKey: $crt_apikey" --output "$temp_crt" --write-out "%{http_code}")
	if test $http_statuscode -ne 200; then
	echo -e "${RD}Cert download failed: $http_statuscode${NC}"
	exit "$http_statuscode"
	fi
	[ "$1" != "-f" ] && {
	cmp -s $temp_crt $crt_path && echo -e "${WH}>> Certificate already up to date; nothing to do, exiting.${NC}" && exit 0
	echo -e "${GN}>> Found newer certificate!${NC}"
	}
	fi

	if [ -n "$key_apikey" ]; then
	[ -n "$debug" ] && echo "Calling: $lego_server/$api_key_path"
	http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_key_path -H "apiKey: $key_apikey" --output "$temp_key" --write-out "%{http_code}")
	if test $http_statuscode -ne 200; then
	echo -e "${RD}Key download failed: $http_statuscode${NC}"
	exit "$http_statuscode"
	fi

	[ "$1" != "-f" ] && { cmp -s $temp_key $key_path && echo -e "${WH}>> Keys have not changed.${NC}" && key_apikey=''; }
	fi

	## Downloads successful, proceed to copy

	[ -f "$crt_path" ] && echo "Backing up: $crt_path -> $backup_crt" && cp "$crt_path" "$backup_crt"
	echo "Updating: $crt_path"
	cp $temp_crt $crt_path

	if [ -n "$key_apikey" ]; then
	[ -f "$key_path" ] && echo "Backing up: $key_path -> $backup_key" && cp "$key_path" "$backup_key"
	echo "Updating: $key_path"
	cp $temp_key $key_path
	fi

	if [ -n "$reload_cmd" ]; then
	echo "Reloading service with: $reload_cmd"
	eval "$reload_cmd"
	fi
	# Recommended path: /etc/download_cert.ini

	# Generic
	cert_name=xxxx
	crt_apikey=....
	key_apikey=....
	lego_server=http://xxxx:4050
	lego_server_lookup=true
	name_server=192.168.1.1
	update_url=https://gist.githubusercontent.com/levid0s/48bb9d1b2daa4092496a3591381abb20/raw/

	# Adguard Home
	crt_path=/opt/AdGuardHome/cert/tls.crt
	key_path=/opt/AdGuardHome/cert/tls.key
	reload_cmd=service AdGuardHome restart

	# OpenWRT
	crt_path=/etc/uhttpd.crt
	key_path=/etc/uhttpd.key
	reload_cmd=service uhttpd restart

	# Proxmox
	crt_path=/etc/pve/local/pve-ssl.pem
	key_path=/etc/pve/local/pve-ssl.key
	reload_cmd=service pveproxy restart

	# Plex
	crt_path=/usr/lib/plexmediaserver/tls/tls.crt
	key_path=/usr/lib/plexmediaserver/tls/tls.key
	reload_cmd=openssl pkcs12 -export -in /usr/lib/plexmediaserver/tls/tls.crt -inkey /usr/lib/plexmediaserver/tls/tls.key -out /usr/lib/plexmediaserver/tls/tls.pfx -passout pass: && service plexmediaserver restart

	# Grafana
	crt_path=/etc/grafana/grafana.crt
	key_path=/etc/grafana/grafana.key
	reload_cmd=systemctl restart grafana-server.service