This script generates or regenerates SSL certificates using acme-tiny to sign the certificate signing requests found in /etc/letsencrypt/
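#!/bin/sh
#
# Guillaume Subiron, Sysnove, 2016
# Inspired by Benjamin Sonntag's https://github.com/octopuce/octopuce-goodies/blob/master/letsencrypt-renew/letsencrypt-auto-renew.sh
#
# Description :
#
# This script generates or regenerates SSL certificates using acme-tiny
# to sign the certificate signing requests found in /etc/letsencrypt/
# For more : look at https://www.sysnove.fr/blog/2016/03/utilisation-pratique-letsencrypt-acme-tiny.html
#
# Expected layout under $CONFIG_DIR: one directory per domain holding
# <domain>/<domain>.csr. The script writes <domain>/<domain>.crt and
# <domain>/<domain>.crt+chain, and keeps <domain>/<domain>.crt.old on renewal.
# Failures are reported by mail to $ADMIN_EMAIL; the previous certificate is
# never removed when signing fails.
#
# Copyright 2016 Guillaume Subiron <[email protected]>
# This work is free. You can redistribute it and/or modify it under the
# terms of the Do What The Fuck You Want To Public License, Version 2,
# as published by Sam Hocevar. See the http://www.wtfpl.net/ file for more details.
#
# Every variable used below is assigned before use, so an unset one is a bug.
set -u

ADMIN_EMAIL=root
ACME_BIN=/usr/local/bin/acme_tiny.py
CONFIG_DIR=/etc/letsencrypt
ACCOUNT_KEY=$CONFIG_DIR/letsencrypt.key
INTERMEDIATE=$CONFIG_DIR/intermediate.pem
# Intermediate appended to each certificate to build the +chain file.
# NOTE(review): this is the 2016 X1 cross-signed intermediate; confirm it still
# matches the issuer of the certificates acme-tiny returns before trusting the
# chain file it produces.
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
# Directory the web server exposes as /.well-known/acme-challenge/.
ACME_DIR=/srv/www/acme-challenges
# Renew once this many days (or fewer) remain before the certificate expires.
RENEW_DAYS=30
# Space-separated list; only services that exist on this host are reloaded.
SERVICES="dovecot nginx apache2"
reload_services=0

# Print a diagnostic on stderr.
err() {
  printf '%s\n' "$*" >&2
}

# Sign one CSR with acme-tiny.
# Arguments: $1 - CSR path, $2 - output path for the signed certificate
# Returns:   acme-tiny's exit status; on failure $2 is removed so that a
#            partial or empty output file is never mistaken for a certificate.
sign_csr() {
  python "$ACME_BIN" --account-key "$ACCOUNT_KEY" --csr "$1" --acme-dir "$ACME_DIR" > "$2"
  sign_rv=$?
  if [ "$sign_rv" -ne 0 ] ; then
    rm -f -- "$2"
  fi
  return "$sign_rv"
}

# Mail the administrator about a failed signing run.
# Arguments: $1 - domain, $2 - operation name used in the subject,
#            $3 - message body
notify_failure() {
  printf '%s\n' "$3" | mail -s "ERROR on certificate $2 for $1 on $(hostname)" "$ADMIN_EMAIL"
}

# Write <crt>+chain (certificate followed by the intermediate). The file is
# built under a temporary name and renamed so a service reload never reads a
# half-written chain.
# Arguments: $1 - certificate path
install_chain() {
  cat -- "$1" "$INTERMEDIATE" > "$1+chain.new" && mv -- "$1+chain.new" "$1+chain"
}

# Download intermediate if doesn't exist.
# The download goes to a temporary name and must parse as an X.509 certificate
# before it is installed: writing wget's output straight to $INTERMEDIATE would
# leave a truncated file or an HTML error page in place, which would then be
# concatenated into every chain file and never re-fetched because the file exists.
if [ ! -f "$INTERMEDIATE" ] ; then
  if wget -q -O "$INTERMEDIATE.tmp" "$INTERMEDIATE_URL" \
     && openssl x509 -in "$INTERMEDIATE.tmp" -noout >/dev/null 2>&1 ; then
    mv -- "$INTERMEDIATE.tmp" "$INTERMEDIATE"
  else
    rm -f -- "$INTERMEDIATE.tmp"
    err "Could not download a valid intermediate certificate from $INTERMEDIATE_URL"
    exit 1
  fi
fi

# Abort if the config dir cannot be entered: otherwise the glob below would
# enumerate whatever directory the script happened to be started from.
cd "$CONFIG_DIR" || { err "Cannot cd to $CONFIG_DIR"; exit 1; }

# The challenge directory is the same for every domain; create it once.
if [ ! -d "$ACME_DIR" ] ; then
  mkdir -p -- "$ACME_DIR" || { err "Cannot create $ACME_DIR"; exit 1; }
fi

for domain in * ; do
  csr=$domain/$domain.csr
  crt=$domain/$domain.crt
  # Only directories that hold a <domain>.csr are managed; skip anything else.
  [ -f "$csr" ] || continue

  if [ ! -f "$crt" ] ; then
    ## If crt doesn't exist, generate crt
    echo "Trying to generate certificate for domain $domain…"
    if sign_csr "$csr" "$crt.new" ; then
      mv -- "$crt.new" "$crt"
      install_chain "$crt"
      echo "Certificate for $domain generated !"
      # A first-time certificate does not trigger a reload: the services are
      # not expected to reference it until the administrator configures them.
    else
      notify_failure "$domain" generation "Certificate for $domain has NOT been successfully generated, please check."
    fi
  else
    # If crt is too close to expiration, regen crt
    crt_end_date=$(openssl x509 -in "$crt" -noout -enddate | sed -e "s/.*=//")
    # date -ud is GNU date; the notAfter string is interpreted as UTC.
    # A certificate whose end date cannot be read is treated as already
    # expired so that it gets replaced rather than silently kept.
    date_crt=$(date -ud "$crt_end_date" +"%s" 2>/dev/null) || date_crt=0
    date_today=$(date +'%s')
    date_jour_diff=$(( ( date_crt - date_today ) / (60*60*24) ))
    if [ "$date_jour_diff" -le "$RENEW_DAYS" ] ; then
      echo "Trying to renew certificate for domain $domain expiring in $date_jour_diff days…"
      if sign_csr "$csr" "$crt.new" ; then
        # Keep the previous certificate so a bad renewal can be rolled back by hand.
        cp -- "$crt" "$crt.old"
        mv -- "$crt.new" "$crt"
        install_chain "$crt"
        echo "Certificate for $domain renewed !"
        reload_services=1
      else
        notify_failure "$domain" renew "Certificate for $domain has NOT been successfully renewed, please check."
      fi
    else
      echo "Certificate for $domain doesn't need to be renewed (expires in $date_jour_diff days)."
    fi
  fi
done

# Reload services so the renewed certificates are picked up.
if [ "$reload_services" -ne 0 ] ; then
  # $SERVICES is deliberately unquoted: it is a space-separated list.
  for service in $SERVICES ; do
    if [ -f "/etc/init.d/$service" ] || [ -f "/lib/systemd/system/$service.service" ] ; then
      echo "Reload $service."
      # A failed reload means the service is still serving the old certificate;
      # say so instead of ending the run silently.
      /usr/sbin/service "$service" reload || err "Reload of $service failed, it may still use the old certificate."
    fi
  done
else
  echo "No need to restart the services."
fi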