svenvarkel · January 16, 2019 23:36
diff --git a/aws_ec2_nginx_certbot_autorenew.sh b/aws_ec2_nginx_certbot_autorenew.sh
 #!/usr/bin/env bash
 # 
 # This script would help to automate renewal of LetsEncrypt TLS certificates in a Linux machine
 # running nginx web server on AWS EC2.
 # What it does:
 # 1. it stops nginx
 # 2. it opens incoming firewall ports 80 and 443 for certbot host verification
 # 3. it runs certbot to renew certificates. Certbot launches a standalone HTTP server on port 80 or 443
 # 4. it closes incoming firewall ports 80 and 443
 # 5. it starts nginx
 #
 # If everything works fine then the nginx is down for a few seconds only. 
 #
 # The script is not meant to be executed in production environments with heavy HTTP traffic. 
 #
 # IT WILL CAUSE AT LEAST SOME DOWNTIME!
 #
 # The script requires awscli installed on the machine.
 #
 # This script has been tested on Ubuntu 16 and newer but should also work on Debians
 #
 # Author Sven Varkel <[email protected]>
 # Copyright 2019 Sven Varkel
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation 
 # files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, 
 # modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the 
 # Software is furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
 # WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 
 # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 export AWS_DEFAULT_REGION="us-east-1"
 export GROUP_ID="<ADD SECURITY GROUP ID HERE>"
 systemctl stop nginx
 /usr/local/bin/aws ec2 authorize-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 443 --cidr "0.0.0.0/0"
 /usr/local/bin/aws ec2 authorize-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 80 --cidr "0.0.0.0/0"
 /usr/bin/certbot renew -n
 /usr/local/bin/aws ec2 revoke-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 443 --cidr "0.0.0.0/0"
 /usr/local/bin/aws ec2 revoke-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 80 --cidr "0.0.0.0/0"
 systemctl start nginx
 echo "done."
 exit 0
	#!/usr/bin/env bash
	#
	# This script would help to automate renewal of LetsEncrypt TLS certificates in a Linux machine
	# running nginx web server on AWS EC2.
	# What it does:
	# 1. it stops nginx
	# 2. it opens incoming firewall ports 80 and 443 for certbot host verification
	# 3. it runs certbot to renew certificates. Certbot launches a standalone HTTP server on port 80 or 443
	# 4. it closes incoming firewall ports 80 and 443
	# 5. it starts nginx
	#
	# If everything works fine then the nginx is down for a few seconds only.
	#
	# The script is not meant to be executed in production environments with heavy HTTP traffic.
	#
	# IT WILL CAUSE AT LEAST SOME DOWNTIME!
	#
	# The script requires awscli installed on the machine.
	#
	# This script has been tested on Ubuntu 16 and newer but should also work on Debians
	#
	# Author Sven Varkel <[email protected]>
	# Copyright 2019 Sven Varkel
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
	# files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy,
	# modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
	# Software is furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
	# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
	# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
	# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

	export AWS_DEFAULT_REGION="us-east-1"
	export GROUP_ID="<ADD SECURITY GROUP ID HERE>"
	systemctl stop nginx
	/usr/local/bin/aws ec2 authorize-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 443 --cidr "0.0.0.0/0"
	/usr/local/bin/aws ec2 authorize-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 80 --cidr "0.0.0.0/0"
	/usr/bin/certbot renew -n
	/usr/local/bin/aws ec2 revoke-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 443 --cidr "0.0.0.0/0"
	/usr/local/bin/aws ec2 revoke-security-group-ingress --group-id $GROUP_ID --protocol tcp --port 80 --cidr "0.0.0.0/0"
	systemctl start nginx
	echo "done."
	exit 0