zii · January 31, 2023 09:25
diff --git a/renew-cloudfront.sh b/renew-cloudfront.sh
 #!/usr/bin/env bash
 # certbot续期脚本, 同时更新aws cloudfront证书
 # 参考 https://taylor.callsen.me/lets-encrypt-integrating-certificate-auto-renewal-with-aws-cloudfront/
 # 1. 生成网站的泛域名证书 certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
 # 2. 每月续期 crontab -e 
 # 0 0 * */1 * /usr/bin/certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
 # 2. 安装aws cli:
 # $ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 # unzip awscliv2.zip
 # sudo ./aws/install
 # 3. 部署钩子脚本
 # certbot renew --deploy-hook .../certbot-aws.sh
 # cp certbot-cloudfront.sh /etc/letsencrypt/renewal-hooks/deploy

 set -e

 export AWS_ACCESS_KEY_ID=XXXXXXXXXXXX
 export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxx
 export AWS_DEFAULT_REGION=us-east-1 # 不用改
 export PYTHONIOENCODING=utf8
 DOMAIN=xxxx.com

 # 上传新证书到aws证书管理器
 newCertARN=$(aws acm import-certificate --certificate fileb:///etc/letsencrypt/live/$DOMAIN/cert.pem --private-key fileb:///etc/letsencrypt/live/$DOMAIN/privkey.pem --certificate-chain fileb:///etc/letsencrypt/live/$DOMAIN/fullchain.pem | \
  python3 -c "import sys, json; print(json.load(sys.stdin)['CertificateArn'])")

 echo "newCertARN:" $newCertARN

 # 修改单个DIST_ID的配置
 function update() {
 	AWS_CLOUDFRONT_DIST_ID=$1
 	currentCFETag=$(aws cloudfront get-distribution-config --id $AWS_CLOUDFRONT_DIST_ID | \
 	  python3 -c "import sys, json; print(json.load(sys.stdin)['ETag'])")

 	echo "etag:" $currentCFETag

 	updatedDistConfig=$(aws cloudfront get-distribution-config --id $AWS_CLOUDFRONT_DIST_ID | \
 	  python3 -c "import sys, json, ast; \
 	    distConfig=json.load(sys.stdin); \
 	    distConfig['DistributionConfig']['ViewerCertificate']['ACMCertificateArn']='"$newCertARN"'; \
 	    distConfig['DistributionConfig']['ViewerCertificate']['Certificate']='"$newCertARN"'; \
 	    print(json.dumps(distConfig['DistributionConfig']))")

 	#echo "DistConfig:" $updatedDistConfig

 	aws cloudfront update-distribution --if-match=''"$currentCFETag"'' --id $AWS_CLOUDFRONT_DIST_ID --distribution-config=''"$updatedDistConfig"'' > /dev/null

 	echo "update ok:" $AWS_CLOUDFRONT_DIST_ID $?
 }

 # 更新同一个域名下的不同子域
 update EXXXXXXXXXXXX
	#!/usr/bin/env bash
	# certbot续期脚本, 同时更新aws cloudfront证书
	# 参考 https://taylor.callsen.me/lets-encrypt-integrating-certificate-auto-renewal-with-aws-cloudfront/
	# 1. 生成网站的泛域名证书 certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
	# 2. 每月续期 crontab -e
	# 0 0 * /1 /usr/bin/certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
	# 2. 安装aws cli:
	# $ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
	# unzip awscliv2.zip
	# sudo ./aws/install
	# 3. 部署钩子脚本
	# certbot renew --deploy-hook .../certbot-aws.sh
	# cp certbot-cloudfront.sh /etc/letsencrypt/renewal-hooks/deploy

	set -e

	export AWS_ACCESS_KEY_ID=XXXXXXXXXXXX
	export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxx
	export AWS_DEFAULT_REGION=us-east-1 # 不用改
	export PYTHONIOENCODING=utf8
	DOMAIN=xxxx.com

	# 上传新证书到aws证书管理器
	newCertARN=$(aws acm import-certificate --certificate fileb:///etc/letsencrypt/live/$DOMAIN/cert.pem --private-key fileb:///etc/letsencrypt/live/$DOMAIN/privkey.pem --certificate-chain fileb:///etc/letsencrypt/live/$DOMAIN/fullchain.pem \| \
	python3 -c "import sys, json; print(json.load(sys.stdin)['CertificateArn'])")

	echo "newCertARN:" $newCertARN

	# 修改单个DIST_ID的配置
	function update() {
	AWS_CLOUDFRONT_DIST_ID=$1
	currentCFETag=$(aws cloudfront get-distribution-config --id $AWS_CLOUDFRONT_DIST_ID \| \
	python3 -c "import sys, json; print(json.load(sys.stdin)['ETag'])")

	echo "etag:" $currentCFETag

	updatedDistConfig=$(aws cloudfront get-distribution-config --id $AWS_CLOUDFRONT_DIST_ID \| \
	python3 -c "import sys, json, ast; \
	distConfig=json.load(sys.stdin); \
	distConfig['DistributionConfig']['ViewerCertificate']['ACMCertificateArn']='"$newCertARN"'; \
	distConfig['DistributionConfig']['ViewerCertificate']['Certificate']='"$newCertARN"'; \
	print(json.dumps(distConfig['DistributionConfig']))")

	#echo "DistConfig:" $updatedDistConfig

	aws cloudfront update-distribution --if-match=''"$currentCFETag"'' --id $AWS_CLOUDFRONT_DIST_ID --distribution-config=''"$updatedDistConfig"'' > /dev/null

	echo "update ok:" $AWS_CLOUDFRONT_DIST_ID $?
	}

	# 更新同一个域名下的不同子域
	update EXXXXXXXXXXXX