Skip to content

Instantly share code, notes, and snippets.

@mat813

mat813/LICENSE

Last active June 8, 2021 15:05
Show Gist options
  • Save mat813/b837358785441f488312 to your computer and use it in GitHub Desktop.
Save mat813/b837358785441f488312 to your computer and use it in GitHub Desktop.
Download ZIP
Scripts around acme_tiny to manage keys, requests, certificates...
Raw
README.md

acme-tiny-scripts

This is a suite of tiny, auditable scripts that you can throw on your server to manage keys, certificate requests and Let's Encrypt certificates using acme-tiny.

installation

git clone https://github.com/mat813/acme-tiny-scripts.git
cd acme-tiny-scripts
cp config.sh.sample config.sh

Edit the values in config.sh according to your installation. All three path should be owned by the user running the scripts, the mode of the private path should be 0711. The durations are in days.

scripts

gen_key.sh name

This script is used to generate keys for 1) the account, 2) the certificate and requests. It takes only one argument, the name associated with the key. The same name will be used for the certificate request, and the certificate. In the end, you will get a <name>.crt

When you first run everything, you must generate an account key, it is not used by any certificate, only for communication between the scripts and letsencrypt. Start by:

$ ./gen_key.sh account
Generating RSA private key, 4096 bit long modulus
...................................++
..............++
e is 65537 (0x10001)
$

Now, you can create the key to your first certificate request:

$ ./gen_key.sh example
Generating RSA private key, 4096 bit long modulus
............................++
...........................................++
e is 65537 (0x10001)
$

gen_csr.sh name domain [domain...]

This script generates a Certificate Signing Request in the private directory. It takes two, or more, arguments, the first is the name, the same as the one used for the key generation, and the other are the domains you need your certificate to have:

$ ./gen_csr.sh example examples.com www.examples.com examples.net www.examples.net
$

You can check that it does contain the right domains with:

$ openssl req -noout -text < /etc/ssl/private/letsencrypt/example.csr |grep DNS
                DNS:examples.com, DNS:www.examples.com, DNS:examples.net, DNS:www.examples.net

DANE/TLSA

The script will also generate a /etc/ssl/public/letsencrypt/example.tlsa file with HTTPS TLSA (_443._tcp.domain.) records for all the domains passed as arguments. If you are using the certificates for other purpose than HTTPS, you will have to change the port number.

gen_one.sh name

This script uses the key and CSR generated during the previous steps and calls acme-tiny.py to get a valid certificate from Let's Encrypt.

At this point, you need to have setup your web server to point the /.well-known/acme-challenge/ directory to the challenge path of the configuration file. See configuring your web server for more informations.

$ ./gen_one.sh example
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying example.com...
example.com verified!
Verifying www.example.com...
www.example.com verified!
Verifying example.net...
example.net verified!
Verifying www.example.net...
www.example.net verified!
Signing certificate...
Certificate signed!
$

If all went well, you now have a example.crt file in the public directory. You can check that it does contain the requested domains:

$ openssl x509 -noout -text -in /etc/ssl/public/letsencrypt/example.crt |grep DNS
                DNS:examples.com, DNS:www.examples.com, DNS:examples.net, DNS:www.examples.net

You can now configure the SSL bits of your web web server with that certificate and the associated key.

There are actually two files that are generated, the <name>.crt that only contains the certificate, and a <name>.bundle that contains both the certificate, and the intermediate certificate from Let's Encrypt. The intermediate certificate is also stored as intermediate.pem in the public directory.

Configuring your web server for letsencrypt

First, note that Let's Encrypt will look for the challenge over http not https, so either your web server must be able to give the answer over http, or it must redirect to https, and in that case, the certificate must be valid.

In the following examples, I will describe serving the challenges over http. I prefer this method because it still works if your certificates are invalid, for example, if you let the expire.

Apache

To be able to serve the challenge over http, you only need to add an Alias directive

<VirtualHost *:80>
        ServerName www.example.net
        Alias /.well-known/acme-challenge/ /usr/local/www/challenges/
	<Directory /usr/local/www/challenges/>
		Require all granted
	</Directory>
	[rest of your VirtualHost configuration]
</VirtualHost>

If your VirtualHost contains a RedirectPermanent / https://www.examples.net/ then you will need to be a bit more subtle with how you configure things so that the challenges work:

<VirtualHost *:80>
        ServerName www.example.net
        Alias /.well-known/acme-challenge/ /usr/local/www/challenges/
	<Directory /usr/local/www/challenges/>
		Require all granted
	</Directory>
        RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://www.example.net$0
</VirtualHost>

Nginx

    server {
        listen       *:80;
        listen       [::]:80;
        server_name  www.example.net;

        location /.well-known/acme-challenge/ {
            alias /usr/local/www/challenges/;
            try_files $uri =404;
        }

	[rest of your server configuration]
    }

If your server configuration contains a return 301 https://www.example.net$request_uri; then you will need to bit a bit more subtle with how you configure things so that the challenges work:

    server {
        listen       *:80;
        listen       [::]:80;
        server_name  www.example.net;

        location /.well-known/acme-challenge/ {
            alias /usr/local/www/challenges/;
            try_files $uri =404;
        }

        location / {
                return 301 https://www.example.net$request_uri;
        }
    }

Configuring HTTPS on your web server

There are dozens of howtos on how to configure HTTPS, I'm keeping this mostly for my own use :-)

The /etc/ssl/private/dhparam_4096.pem file is generated with openssl dhparam -out dhparam_4096.pem 4096.

Apache

In the main apache configuration

You must enable ssl_module and socache_shmcb_module.

Listen 443
<IfVersion >= 2.4>
        <IfModule socache_shmcb_module>
  	      SSLSessionCache        "shmcb:/tmp/ssl_scache(512000)"
  	      SSLSessionCacheTimeout  300
  	      SSLStaplingCache        "shmcb:/tmp/stapling_cache(2097152)"
        </IfModule>
</IfVersion>
<IfVersion < 2.4>
        SSLSessionCache        "shmcb:/tmp/ssl_scache(512000)"
        SSLSessionCacheTimeout  300
</IfVersion>

In each VirtualHost

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLEngine on
<IfVersion >= 2.4>
        SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam_4096.pem"
        SSLUseStapling on
</IfVersion>

SSLCertificateFile "/etc/ssl/public/letsencrypt/example.crt"
SSLCertificateKeyFile "/etc/ssl/private/letsencrypt/example.key"
SSLCertificateChainFile "/etc/ssl/public/letsencrypt/intermediate.pem"

Nginx

In each server section

Remember to enable ssl and http2:

listen       *:443 ssl http2;
listen       [::]:443 ssl http2;

ssl_certificate       /etc/ssl/public/letsencrypt/example.bundle;
ssl_certificate_key   /etc/ssl/private/letsencrypt/example.key;

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128";
ssl_dhparam "/etc/ssl/private/dhparam_4096.pem";
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 5m;

regen.sh service [service...]

This script should be run, via cron, every day, to regenerate outdated certificates. Certificates are considered outdated when their expiration date is less than $renew days from now, the default is 20 days.

Before you add a cron entry with 0 0 * * * /some/path/regen.sh. I said once a day, not "at midnight". If everybody does that, the Let's Encrypt servers will be hammered at the top of every hour.

So, add a cron entry, with, say, 15 22 * * * /some/path/regen.sh, but not that one either, choose your own.

It also take as arguments the services to reload. (With the service command, that may, or may not, exist, on your OS.) It also uses sudo to run the commands, but you may tinker with the end of that script to fit your needs.

check_expire.sh

This is a nagios plugin that will check that all the certificates in the public directory have an expiration date of at least $warning days in the future, default 15, give a warning if they have less, and become critical if it goes below $critical days, default 10.

notes

I am a FreeBSD user, so, all this works just fine on FreeBSD, YMMV.

/!\ caveats /!\

The regen.sh script is ran from cron, and it runs acme-tiny. The acme-tiny script's shebang contains /usr/bin/env python so python must either be in cron's PATH, or you must change acme-tiny's shebang to point to the correct python PATH. Also, it runs sudo, so, sudo must be in the PATH.

Raw
check_expire.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
crts=0
for cert in $(find "${lets_public}" -name '*.crt')
do
if [ ! -f "${cert}" ]
then
echo "No certificate to check"
exit ${STATE_UNKNOWN}
fi
crts=$((crts+1))
if ! openssl x509 -in "${cert}" -noout -checkend $((86400*warning)) > /dev/null
then
base=$(basename "${cert}" .crt)
if ! openssl x509 -in "${cert}" -noout -checkend $((86400*critical)) > /dev/null
then
crit="${crit} ${base}"
else
warn="${warn} ${base}"
fi
fi
done
if [ -n "${crit}" ]
then
echo "Certificates for${crit} expire in less than ${critical} days"
exit ${STATE_CRITICAL}
fi
if [ -n "${warn}" ]
then
echo "Certificates for${warn} expire in less than ${warning} days"
exit ${STATE_WARNING}
fi
echo "${crts} certificates expire in more than ${warning} days."
exit ${STATE_OK}
Raw
config.sh.sample
#!/bin/sh
# Where to put private files (keys)
lets_private=/etc/ssl/private/letsencrypt
# Where to put public files (certificates, requests)
lets_public=/etc/ssl/public/letsencrypt
# Challenges directory
challenges=/usr/local/www/challenges
# SSL config
ssl_config=/etc/ssl/openssl.cnf
# certbot dns hooks, see certbot's help
dns_auth_hook=/some/script
dns_cleanup_hook=/some/script
# Only set those if on a slave
dns_url=https://dnssec.absolight.fr/
dns_login=
dns_password=
# Values when the check will get critical, and warning, in days
critical=10
warning=15
# When to renew, in days. Keep it > warning ;-)
renew=20
Raw
gen_csr.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
if [ $# -lt 2 ]
then
echo "Usage: $0 [filename] [domains...]"
exit 1
fi
name=$1
shift
key_name=${lets_private}/${name}.key
csr_name=${lets_private}/${name}.csr
if [ ! -e "${key_name}" ]
then
echo "Key file does not exist : ${key_name}, generate it with"
echo "${dir}/gen_key.sh ${name}"
exit 1
fi
dirname=$(dirname "${lets_public}/${name}")
if ! mkdir -p "${dirname}"
then
echo "Directory ${dirname} cannot be created, run:"
echo "install -d -o acme ${dirname}"
exit 1
fi
if [ -e "${csr_name}" ]
then
echo "CSR already exists : ${csr_name}"
exit 1
fi
tlsa_hash=$(openssl rsa -in "${key_name}" -outform DER -pubout 2>/dev/null | openssl dgst -sha256 -binary | hexdump -ve '1/1 "%02x"')
: > "${lets_public}/${name}.tlsa"
tlsa_line() {
printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "${1}" "${tlsa_hash}" >> "${lets_public}/${name}.tlsa"
}
config=$(mktemp)
trap 'rm -f ${config}' EXIT
cat "$ssl_config" > "${config}"
echo "[SAN]" >> "${config}"
output="subjectAltName=DNS:$1"
tlsa_line "$1"
shift
for d in "$@"
do
output="${output},DNS:${d}"
tlsa_line "${d}"
done
echo "${output}" >> "${config}"
openssl req -new -sha256 -key "${key_name}" -subj "/" -reqexts SAN -config "${config}" > "${csr_name}"
chmod 444 "${csr_name}"
Raw
gen_key.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
if [ $# -ne 1 ]
then
echo "Usage: $0 [filename]"
exit 1
fi
name=$1
shift
key_name=${lets_private}/${name}.key
dirname=$(dirname "${key_name}")
if [ ! -e "${lets_private}/account.key" -a "$name" != "account" ]
then
echo "The account key does not exist, start by creating it, with:"
echo "${dir}/${0} account"
exit 1
fi
if ! mkdir -p "${dirname}"
then
echo "Directory ${dirname} cannot be created, run:"
echo "install -d -o acme ${dirname}"
exit 1
fi
if [ -e "${key_name}" ]
then
echo "Key already exists : ${key_name}"
exit 1
fi
openssl genrsa 4096 > "${key_name}"
if [ "$name" != "account" ]
then
chmod 444 "${key_name}"
else
chmod 400 "${key_name}"
fi
Raw
gen_one.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
if [ $# -ne 1 ]
then
echo "Usage: $0 [filename]"
exit 1
fi
name=$1
shift
key_name=${lets_private}/${name}.key
csr_name=${lets_private}/${name}.csr
if [ ! -e "${lets_private}/account.key" ]
then
echo "Account key does not exist : ${lets_private}/account.key"
echo "Maybe run ./gen_key.sh account"
exit 1
fi
if [ ! -e "${key_name}" ]
then
echo "Key does not exist : ${key_name}"
echo "Maybe run ./gen_key.sh ${name}"
exit 1
fi
if [ ! -e "${csr_name}" ]
then
echo "CSR does not exist : ${csr_name}"
echo "Maybe run ./gen_csr.sh ${name} domains..."
exit 1
fi
fetch -qo "${lets_public}/intermediate.pem" https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
cert=$(mktemp)
trap 'rm -f ${cert}' EXIT
/usr/local/bin/acme_tiny --account-key "${lets_private}/account.key" --csr "${csr_name}" --acme-dir "${challenges}" > "${cert}"
cat "${cert}" > "${lets_public}/${name}.crt"
cat "${cert}" "${lets_public}/intermediate.pem" > "${lets_public}/${name}.bundle"
openssl x509 -noout -text -in "${cert}" > "${lets_public}/${name}.txt"
Raw
gen_one_dns.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
if [ $# -ne 1 ]
then
echo "Usage: $0 [filename]"
exit 1
fi
name=$1
shift
key_name=${lets_private}/${name}.key
csr_name=${lets_private}/${name}.csr
if [ -x "${dns_auth_hook}" ] && [ -x "${dns_cleanup_hook}" ]
then
crt_name=${lets_public}/dns/${name}.crt
chain_name=${lets_public}/dns/${name}.chain
bundle_name=${lets_public}/dns/${name}.bundle
txt_name=${lets_public}/dns/${name}.txt
if [ ! -e "${lets_private}/account.key" ]
then
echo "Account key does not exist : ${lets_private}/account.key"
echo "Maybe run ./gen_key.sh account"
exit 1
fi
if [ ! -e "${key_name}" ]
then
echo "Key does not exist : ${key_name}"
echo "Maybe run ./gen_key.sh ${name}"
exit 1
fi
if [ ! -e "${csr_name}" ]
then
echo "CSR does not exist : ${csr_name}"
echo "Maybe run ./gen_csr.sh ${name} domains..."
exit 1
fi
dirname=$(dirname "${lets_public}/dns/${name}")
if ! mkdir -p "${dirname}"
then
echo "Directory ${dirname} cannot be created, run:"
echo "install -d -o acme ${dirname}"
exit 1
fi
cert=$(mktemp -u)
trap 'rm -f ${cert} ${cert}.chain ${cert}.bundle' EXIT
/usr/local/bin/certbot certonly \
--manual \
--non-interactive \
--quiet \
--agree-tos \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges=dns \
--config-dir "${lets_private}/dns" \
--work-dir /var/db/letsencrypt/dns \
--logs-dir /var/log/letsencrypt/dns \
--manual-auth-hook "${dns_auth_hook}" \
--manual-cleanup-hook "${dns_cleanup_hook}" \
--csr "${csr_name}" \
--cert-path "${cert}" \
--chain-path "${cert}.chain" \
--fullchain-path "${cert}.bundle"
cat "${cert}" > "${crt_name}"
cat "${cert}.chain" > "${chain_name}"
cat "${cert}.bundle" > "${bundle_name}"
openssl x509 -noout -text -in "${cert}" > "${txt_name}"
elif [ -n "${dns_url}" ] && [ -n "${dns_login}" ] && [ -n "${dns_password}" ]
then
crt_name=${lets_public}/dns/${name}.crt
chain_name=${lets_public}/dns/${name}.chain
bundle_name=${lets_public}/dns/${name}.bundle
txt_name=${lets_public}/dns/${name}.txt
tlsa_name=${lets_public}/${name}.tlsa
for ext in key crt chain bundle tlsa
do
tmp=$(mktemp)
#--header 'If-Modified-Since: Tue, 27 Mar 2018 14:31:08 GMT'
if curl --fail --silent -o "${tmp}" --user "${dns_login}:${dns_password}" "${dns_url}/${name}.${ext}"
then
eval file='${'${ext}'_name}'
if [ ! -s "${tmp}" ]
then
echo "file ${name}.${ext} empty !"
continue
fi
if ! cmp -s "${tmp}" "${file}"
then
mkdir -p "$(dirname "${file}")"
cat "${tmp}" > "${file}"
if [ "${ext}" = crt ]
then
openssl x509 -noout -text -in "${crt_name}" > "${txt_name}"
fi
fi
rm -f "${tmp}"
else
echo "${name}.${ext} not found"
fi
done
else
echo "Either set the hook to executables or set dns_url/login/password"
exit 1
fi
Raw
lets_path.sh
#!/bin/sh
# vim:sw=8 sts=8
# default values
lets_private=/etc/ssl/private/letsencrypt
lets_public=/etc/ssl/public/letsencrypt
challenges=/usr/local/www/challenges
ssl_config=/etc/ssl/openssl.cnf
critical=10
warning=15
renew=20
. "${dir}"/config.sh
caller=$(basename "$0")
my_id=$(id -u)
if [ "${my_id}" -eq 0 ] && [ -z "${BOW_BEFORE_ME_FOR_I_AM_ROOT}" ]
then
echo "Running as root, which you should not, ever, do."
echo "Please log in as the acme user and try again."
exit 1
fi
if [ ! -d "${lets_private}" ]
then
echo "Private directory does not exist. You need to run, as root:"
echo "install -d -o ${my_id} -g 0 -m 0711 ${lets_private}"
ret=1
elif [ "${caller}" != "check_expire.sh" ] && [ ! -w "${lets_private}" ]
then
echo "The private directory is not writable, as root, run:"
echo "chown ${my_id} ${lets_private}"
echo "chmod 0711 ${lets_private}"
fi
if [ ! -d "${lets_public}" ]
then
echo "Public directory does not exist. You need to run, as root:"
echo "install -d -o ${my_id} -g 0 -m 0755 ${lets_public}"
ret=1
elif [ "${caller}" != "check_expire.sh" ] && [ ! -w "${lets_public}" ]
then
echo "The public directory is not writable, as root, run:"
echo "chown ${my_id} ${lets_public}"
echo "chmod 0755 ${lets_public}"
fi
if [ ! -d "${challenges}" ]
then
echo "Challenge directory does not exist. You need to run, as root:"
echo "install -d -o ${my_id} -g 0 -m 0755 ${challenges}"
ret=1
elif [ "${caller}" != "check_expire.sh" ] && [ ! -w "${challenges}" ]
then
echo "The challenge directory is not writable, as root, run:"
echo "chown ${my_id} ${challenges}"
echo "chmod 0755 ${challenges}"
fi
if [ ! -e "${ssl_config}" ]
then
echo "The openssl.cnf config file does not exist at ${ssl_config}."
echo "Please, edit the lets_path.sh file and point it to an existing one."
ret=1
fi
if [ "${critical}" -ge "${warning}" ]; then
echo "The critical value ${critical} is equal or greater than the warning value ${warning}"
echo "It must be strictly less."
ret=1
fi
if [ "${warning}" -ge "${renew}" ]; then
echo "The warning value ${warning} is equal or greater than the renew value ${renew}"
echo "It must be strictly less."
ret=1
fi
if [ -n "${ret}" ]
then
exit 1
fi
Raw
LICENSE
Copyright (c) 2016 Mathieu Arnold. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Raw
list.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
. "${dir}"/config.sh
if [ -t 1 ]
then
NC='\033[0m'
RED='\033[0;31m'
LRED='\033[1;31m'
GREEN='\033[0;32m'
LGREEN='\033[1;32m'
ORANGE='\033[0;33m'
LORANGE='\033[1;33m'
BLUE='\033[0;34m'
LBLUE='\033[1;34m'
PURPLE='\033[0;35m'
LPURPLE='\033[1;35m'
CYAN='\033[0;36m'
LCYAN='\033[1;36m'
GRAY='\033[0;37m'
WHITE='\033[1;37m'
fi
echo '-------------------------------------------------------------------------------'
echo 'Found the following certs:'
find -s "${lets_public}" -name '*.crt' | while read -r cert
do
base=${cert#${lets_public}/}
base=${base#dns/}
domains=$(openssl x509 -noout -in "${cert}" -text|xargs -n 1|sed -ne 's/,$//; s/DNS://p;'|xargs)
endDate=$(openssl x509 -noout -in "${cert}" -enddate|sed -e 's/notAfter=//')
seconds=$(LANG=C date -j -f "%b %d %T %Y GMT" "${endDate}" +%s)
remain=$((seconds-$(date +%s)))
printf " Certificate Name: ${BLUE}%s${NC}\\n" "${base%.crt}"
printf " Domains: ${GRAY}%s${NC}\\n" "${domains}"
printf " Expiry Date: %s " "${endDate}"
if [ $remain -ge $((renew*86400)) ]
then
printf " ${GREEN}(VALID: %d days)${NC}\\n" $((remain/86400))
elif [ $remain -ge $((warning*86400)) ]
then
printf " ${LORANGE}(VALID: %d days)${NC}\\n" $((remain/86400))
elif [ $remain -ge $((warning*86400)) ]
then
printf " ${ORANGE}(VALID: %d days)${NC}\\n" $((remain/86400))
elif [ $remain -ge $((critical*86400)) ]
then
printf " ${RED}(VALID: %d days)${NC}\\n" $((remain/86400))
elif [ $remain -ge 0 ]
then
printf "${RED}(VALID: %d hours)${NC}\\n" $((remain/3600))
else
printf "${LRED}(INVALID)${NC}\\n"
fi
printf " Certificate Path: ${PURPLE}%s${NC}\\n" "${cert}"
printf " Private Key Path: ${PURPLE}%s/%s.key${NC}\\n" "${lets_private}" "${base%.crt}"
done
echo '-------------------------------------------------------------------------------'
Raw
regen.sh
#!/bin/sh
# vim:sw=8 sts=8
set -e
dir=$(dirname "$0")
. "${dir}"/lets_path.sh
if [ $# -lt 1 ]
then
echo "Usage: $0 [services...]"
exit 1
fi
for cert in $(find "${lets_public}" -name '*.crt')
do
if [ ! -f "${cert}" ]
then
echo "No certificate to renew"
exit 1
fi
if ! openssl x509 -in "${cert}" -noout -checkend $((86400*renew)); then
base=${cert#${lets_public}/}
base=${base%.crt}
case "${base}" in
dns/*)
"${dir}"/gen_one_dns.sh "${base#dns/}"
;;
*)
"${dir}"/gen_one.sh "${base}"
;;
esac
fi
done
# If base is set, it means we did renew at least one certificate, so, reload
# the services.
if [ -n "${base}" ]; then
for s in "$@"
do
sudo /usr/sbin/service "${s}" reload
done
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment