Letsencrypt ECDSA cert renewal
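#!/bin/bash
# Renew the ECDSA certificate of MAINDOMAIN with the Let's Encrypt client
# (webroot challenge) when it is within EXP_LIMIT days of expiry, then reload
# the web server. The existing CSR (csr-p384.der) is reused, so this script
# never creates, reads or rewrites a private key.
#
# Exit codes: 0 = certificate still valid, or renewal completed
#             1 = input file missing, issuance failed, or a filesystem step failed
set -u

## Change this
MAINDOMAIN="votre-domaine.tld"              # Domain to renew
EMAIL="[email protected]"                   # Your email
WEBROOT="/var/www/www.votre-domaine.tld"    # Document root of the domain
WEB_SERVICE="nginx"                         # nginx or apache2
LE_PATH="/opt/letsencrypt"                  # Path of the Let's Encrypt client
EXP_LIMIT=40                                # Renew when fewer than this many days remain
readonly MAINDOMAIN EMAIL WEBROOT WEB_SERVICE LE_PATH EXP_LIMIT

# Derived paths: LIVE_DIR holds chain.pem and the CSR, WORK_DIR receives the
# files issued by the client, SAVE_DIR keeps the previous issuance for rollback.
readonly LIVE_DIR="/etc/letsencrypt/live-ecdsa/$MAINDOMAIN"
readonly WORK_DIR="$LIVE_DIR/letmp"
readonly SAVE_DIR="$LIVE_DIR/letmp.save"

# Print a diagnostic on stderr and exit 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -f "$LIVE_DIR/chain.pem" ]] \
  || die "[ERROR] certificate file not found for domain $MAINDOMAIN."
[[ -f "$LIVE_DIR/csr-p384.der" ]] \
  || die "[ERROR] CSR file for domain $MAINDOMAIN missing. Exiting"

## Expiration limit check
# openssl x509 reads only the first PEM block of chain.pem; -checkend wants
# seconds, hence the days -> seconds conversion.
echo "Checking expiration date for $MAINDOMAIN..."
if openssl x509 -in "$LIVE_DIR/chain.pem" -noout -checkend $(( EXP_LIMIT * 24 * 3600 )); then
  echo "The certificate is up to date, no need for renewal."
  exit 0
fi
echo "The certificate for $MAINDOMAIN is about to expire soon. Starting webroot renewal script..."

## Saving previous certs
mkdir -p -- "$SAVE_DIR" || die "[ERROR] cannot create $SAVE_DIR"
# Without nullglob an empty letmp/ hands the literal pattern to mv/cp.
shopt -s nullglob
for pem in "$WORK_DIR"/*.pem; do
  mv -f -- "$pem" "$SAVE_DIR/" || die "[ERROR] cannot save $pem"
done

## Certificate generation
cp -- "$LIVE_DIR/chain.pem" "$LIVE_DIR/chain.pem.save" \
  || die "[ERROR] cannot back up chain.pem"
# The client writes the issued files into the current directory.
cd -- "$WORK_DIR" || die "[ERROR] cannot cd to $WORK_DIR"
"$LE_PATH/letsencrypt-auto" certonly --text --agree-tos --email "$EMAIL" \
  --webroot --webroot-path "$WEBROOT" \
  --csr "$LIVE_DIR/csr-p384.der" --renew-by-default \
  || echo "[WARN] letsencrypt-auto exited with a non-zero status" >&2

## We won't replace the current cert if let's encrypt could not issue a new cert
# An array is used because "[ -f glob ]" misbehaves when the glob matches
# several files or none.
issued=("$WORK_DIR"/0001*.pem)
if (( ${#issued[@]} == 0 )); then
  for pem in "$SAVE_DIR"/*.pem; do
    cp -f -- "$pem" "$WORK_DIR/"
  done
  die "[ERROR] No certificate issued by Let's Encrypt. Your previous certificate will not be modified"
fi
# The served chain.pem is only overwritten once issuance has succeeded.
cat -- "${issued[@]}" > "$LIVE_DIR/chain.pem" || die "[ERROR] cannot write chain.pem"
echo "Reloading $WEB_SERVICE"
/usr/sbin/service "$WEB_SERVICE" reload \
  || echo "[WARN] reload of $WEB_SERVICE failed; the new certificate is on disk but not yet served" >&2
echo "Renewal process finished for domain $MAINDOMAIN"
exit 0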