@sapslaj
Last active May 9, 2018 05:31
Script to renew Atlassian (Jira, Confluence, etc) applications that use a Let's Encrypt certificate
SITE=jira.example.com
PASS=muhpassword
KEYTOOL=/opt/atlassian/jira/jre/bin/keytool
KEYSTORE=/home/jira/.keystore
SERVICE=jira
# pull down nginx since it uses port 80
systemctl stop nginx
# Use port 80 to renew the cert
# There are quite a few custom options here and it seems that `certbot renew` just doesn't cut it.
certbot certonly --standalone --noninteractive --force-renew --preferred-challenges http -d $SITE
# Delete old stuff or else it complains
$KEYTOOL -delete -keystore $KEYSTORE -storepass $PASS -alias 'root'
$KEYTOOL -delete -keystore $KEYSTORE -storepass $PASS -alias 'tomcat'
# Convert PEM to PKCS12 in the most complicated way possible
openssl pkcs12 -export -in /etc/letsencrypt/live/$SITE/fullchain.pem -inkey /etc/letsencrypt/live/$SITE/privkey.pem -out /etc/letsencrypt/live/$SITE/cert_and_key.p12 -name tomcat -CAfile /etc/letsencrypt/live/$SITE/chain.pem -caname root -password pass:$PASS -passin pass:$PASS -passout pass:$PASS
# Import the new certs
$KEYTOOL -importkeystore -srcstorepass $PASS -deststorepass $PASS -destkeypass $PASS -srckeystore /etc/letsencrypt/live/$SITE/cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore $KEYSTORE
$KEYTOOL -import -trustcacerts -alias root -deststorepass $PASS -file /etc/letsencrypt/live/$SITE/chain.pem -noprompt -keystore $KEYSTORE
# Restart everything
systemctl restart $SERVICE
systemctl start nginx
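
The script above passes the keystore password as `pass:$PASS` and `-storepass $PASS`, so it is visible in the process list while each command runs. The conversion and import steps with the password read from a file instead, as an added example that is not part of the original gist; `PASSFILE` and its path, `DRY_RUN`, `run`, `build_p12` and `import_p12` are assumed names:

```bash
# Added example, not part of the original gist. PASSFILE, DRY_RUN, run,
# build_p12 and import_p12 are names assumed for illustration.
SITE=${SITE:-jira.example.com}
KEYTOOL=${KEYTOOL:-/opt/atlassian/jira/jre/bin/keytool}
KEYSTORE=${KEYSTORE:-/home/jira/.keystore}
# Assumed path: a root-owned, mode 600 file whose first line is the password.
PASSFILE=${PASSFILE:-/root/.jira-keystore-pass}
LIVE=/etc/letsencrypt/live/$SITE

# Print the command when DRY_RUN=1 (the default here), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# PEM -> PKCS12. certbot's privkey.pem is unencrypted, so only -passout is
# needed. (If -passin and -passout named the same file, openssl would take
# the input password from line 1 and the output password from line 2.)
build_p12() {
    run openssl pkcs12 -export \
        -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" \
        -out "$LIVE/cert_and_key.p12" -name tomcat \
        -passout "file:$PASSFILE"
}

# keytool accepts the :file modifier on every password option.
import_p12() {
    run "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$LIVE/cert_and_key.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$PASSFILE" -srcalias tomcat \
        -destkeystore "$KEYSTORE" \
        -deststorepass:file "$PASSFILE" -destkeypass:file "$PASSFILE"
}

# With DRY_RUN=1 this only prints the two command lines for review.
build_p12 && import_p12
```

Set `DRY_RUN=0` to execute the commands; they belong between the certbot step and the service restart.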