Gist zenware/6610ea569ac580f462f985dfaf2af313, last active October 22, 2021 11:26
Analysis of a letsencrypt renewal cron script from: https://blog.benroux.me/running-multiple-https-domains-from-the-same-server/#autorenewourcerts
```sh
#!/bin/sh
# The line above (the "shebang") tells the kernel to run this file with /bin/sh.
# This script renews all the Let's Encrypt certificates with a validity < 30 days;
# `renew` only touches certificates that are that close to expiry, the rest are skipped.
#
# The `if` line below starts a conditional block. It tries to run the program at
# `/opt/letsencrypt/letsencrypt-auto` with the command `renew`.
# Earlier in the guide the letsencrypt client was installed to /opt with
# `sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt`
# Caveat: `letsencrypt-auto` is a wrapper that runs as root and updates itself from
# the network on each run; the project has since deprecated it in favour of a
# distribution-packaged certbot.
# The `!` at the beginning is the boolean negation operator, so the complete
# condition is true if the program does NOT succeed (exits with a non-zero status).
# The condition also uses the redirection operator `>` to write the output of the
# command to a file. `>` overwrites the contents of the file on every run; `>>`
# appends instead, which keeps the history of earlier runs (at the cost of a log
# that grows until logrotate or similar trims it). I recommend using `>>`.
# `>` or `>>` alone only redirect the standard output stream (stdout, fd 1).
# `2>&1` placed after it redirects the standard error stream (stderr, fd 2) to
# wherever stdout now points, so errors land in `renew.log` as well. The order
# matters: `2>&1 > file` would send stderr to the original stdout, not the file.
if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    # If the command failed to renew the certs, say so ...
    echo Automated renewal failed:
    # ... and print the log immediately. I don't recommend this. Note, though, that
    # cron mails whatever a job prints to the job's owner (or MAILTO), so under cron
    # this is what actually gets the failure in front of somebody.
    cat /var/log/letsencrypt/renew.log
    # Finally this block exits the script with a failure status (anything other
    # than 0), so the nginx reload below is skipped.
    exit 1
fi
# `nginx -t` tests the configuration file; `nginx -s reload` sends the reload
# signal to the running master process. Because of `&&` the reload only happens if
# the config test passed, so a broken config cannot take the running server down.
nginx -t && nginx -s reload
```
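The redirection and exit-status logic explained in the comments above, as an added example that is not the gist's or the blog post's script: the `if ! CMD > LOG 2>&1` pattern is factored into a `run_logged` function that appends both streams to a log with a timestamp and returns the command's own exit status, and the `demo` at the bottom shows the correct `> file 2>&1` order next to the `2>&1 > file` mistake. All function names (`run_logged`, `say_both`, `lines_in`, `demo`) are this example's own.

```sh
#!/bin/sh
# Added example, not the gist author's code. Exercises the pattern
#   if ! CMD > LOG 2>&1; then ...; fi
# with a stand-in command so the behaviour can be checked without letsencrypt.

# run_logged LOGFILE CMD [ARGS...]
# Runs CMD, appends a timestamp, CMD's stdout AND stderr, and CMD's exit status
# to LOGFILE, and returns CMD's exit status unchanged, so callers can write
# `if ! run_logged ...; then ...; fi` exactly like the renewal script.
run_logged() {
    log=$1
    shift
    # `>>` appends; `>` would discard the previous run's output every time.
    printf '%s run: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
    # Order matters: `>> "$log"` first points fd 1 at the file, then `2>&1`
    # points fd 2 at whatever fd 1 is now, i.e. the same file.
    "$@" >> "$log" 2>&1
    status=$?
    printf 'exit status %d\n' "$status" >> "$log"
    return "$status"
}

# Stand-in for the renewal command (constructed for this example): one line on
# stdout, one on stderr, exit status taken from $1 (default 0).
say_both() {
    echo "to stdout"
    echo "to stderr" >&2
    return "${1:-0}"
}

# Line count of a file, 0 if it does not exist (`wc -l` pads with spaces on BSD).
lines_in() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

demo() {
    tmp=$(mktemp -d)
    log="$tmp/renew.log"

    # Same shape as the cron script: on failure, print the log to stdout so cron
    # mails it to the job's owner, and stop before the reload step would run.
    if ! run_logged "$log" say_both 1; then
        echo "Automated renewal failed:"
        cat "$log"
    fi

    # Correct order: both streams land in the file (2 lines).
    say_both > "$tmp/good.log" 2>&1
    # Wrong order: `2>&1` is applied first, so stderr follows the ORIGINAL stdout
    # (discarded here with /dev/null) and never reaches bad.log (1 line).
    { say_both 2>&1 > "$tmp/bad.log"; } > /dev/null

    echo "good.log lines: $(lines_in "$tmp/good.log") (expect 2)"
    echo "bad.log lines:  $(lines_in "$tmp/bad.log") (expect 1)"
    rm -rf "$tmp"
}

demo
```

Under cron the `echo`/`cat` in the failure branch is not wasted: cron collects the job's stdout and stderr and mails them to the owning user or to `MAILTO`, so the dumped log is the failure report. Because `run_logged` appends, the log keeps every run's timestamp and exit status, which is what you want when working out why a renewal silently stopped happening weeks ago.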
Comment:

As for the logic of the `if ... then ... fi` block, this is how I understand it: `if` is testing the command (with its output redirected by `>` and `2>&1`), the `!` makes the condition true when that command comes back false, `then` prints output that no one will see (`echo Automated renewal failed:` and `cat /var/log/letsencrypt/renew.log`; this is for a cron job... so who'll see the output? 😛) and then terminates the script with `exit 1` (thus not running the last line of code). Is this correct?

Reply:

Yep, that's correct, I thought it was weird too... I suppose the cronjob facility might be receiving all command output and injecting it into its own logs, but in general I thought it was silly. Perhaps it was for testing the script before making it a cronjob.