A script to reload certificates for databases and other services. As written it rebuilds the MongoDB PEM file (private key + full chain) from the acme.sh output directory and restarts mongod; it is meant to be wired in as the acme.sh `--reloadcmd` hook.
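#!/bin/bash
# reload-certs.sh — acme.sh --reloadcmd hook for MongoDB.
#
# Rebuilds ${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE} from the acme.sh output
# directory (private key followed by the full chain, the one-file PEM layout
# mongod reads) and restarts mongod so it picks up the new certificate.
#
# Expects to run as root: it reads /root/.acme.sh, writes under /etc/ssl and
# calls systemctl. Despite the help text, only MongoDB is handled below;
# nothing touches postgres.
#
# Usage:   reload-certs.sh [--help | --var-check | --dry]
# acme.sh: acme.sh --{reload,renew,cron} --reloadcmd /path/to/reload-certs.sh
#
# DO NOT UNDER ANY CIRCUMSTANCE INCLUDE A TRAILING SLASH in the directory
# variables: they are joined with "/" when paths are built.
#
# Strict mode: a failed cat/chown/mv/systemctl now aborts with a non-zero
# status (which acme.sh reports) instead of silently restarting mongod on
# top of an empty or half-written PEM file.
set -euo pipefail

ACME_HOME=/root/.acme.sh
BASE=example.com
DIRECTORY="${BASE}"_ecc
MONGODB_SSL_DIR=/etc/ssl/mongodb
MONGODB_SSL_FILE=mongodb.pem
CERT_PATH="${ACME_HOME}"/"${DIRECTORY}"
FULLCHAIN_NAME=fullchain.cer
KEY_NAME="${BASE}".key
readonly ACME_HOME BASE DIRECTORY MONGODB_SSL_DIR MONGODB_SSL_FILE
readonly CERT_PATH FULLCHAIN_NAME KEY_NAME

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# acme.sh invokes the hook with no arguments; ${1:-} keeps `set -u` quiet.
arg="${1:-}"

if [[ "$arg" == "--help" ]]; then
  echo "Reloads certificates for acme.sh for mongodb & postgres"
  echo "by https://github.com/Aervyon"
  echo "Get it at https://gist.github.com/Aervyon/70d5a5559c36050afe7919b7126bcd6f"
  echo "If the link doesn't work look for a 'reload-certs.sh' gist under https://gist.github.com/Aervyon"
  echo "Usage with acme.sh: 'acme.sh --{reload, renew, cron} --reloadcmd /path/to/reload-certs.sh'"
  echo ""
  echo ""
  echo "Commands:"
  echo "--var-check Checks all variables defined in the script, then exits"
  echo "--dry Dry-Run. Does not change anything, does not renew certs"
  exit 0
fi

if [[ "$arg" == "--var-check" ]]; then
  echo "Checking variables and exiting"
  echo "ACME HOME =" "$ACME_HOME"
  echo "BASE =" "$BASE"
  echo "DIRECTORY =" "$DIRECTORY"
  echo "MONGODB SSL DIRECTORY =" "$MONGODB_SSL_DIR"
  echo "MONGODB SSL FILE =" "$MONGODB_SSL_FILE"
  echo "CERTIFICATE PATH =" "$CERT_PATH"
  echo "FULLCHAIN NAME =" "$FULLCHAIN_NAME"
  echo "KEY NAME =" "$KEY_NAME"
  exit 0
fi

dry=false
if [[ "$arg" == "--dry" ]]; then
  echo "Running in dry-run mode. Expect no file system changes"
  dry=true
fi

key="${CERT_PATH}/${KEY_NAME}"
chain="${CERT_PATH}/${FULLCHAIN_NAME}"
pem="${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE}"

# Preflight (also in dry-run, so a broken setup is reported before the
# real run): refuse to build the PEM, and above all to restart mongod,
# unless both inputs are readable and the target directory exists.
[[ -r "$key" ]] || die "private key not readable: ${key}"
[[ -r "$chain" ]] || die "full chain not readable: ${chain}"
[[ -d "$MONGODB_SSL_DIR" ]] || die "target directory does not exist: ${MONGODB_SSL_DIR}"

# MONGO DB CERTIFICATE MANAGEMENT
# Make a new pem file containing the key and the certs necessary
echo "Combining private key ${CERT_PATH}/${KEY_NAME} with ${CERT_PATH}/${FULLCHAIN_NAME} to make ${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE}"
if [[ "$dry" == false ]]; then
  # Assemble the PEM in a temp file next to its destination and rename it
  # into place: mktemp creates the file 0600, so the private key is never
  # readable by other users (the old `tee` then `chmod` left a window where a
  # freshly created file carried the default umask), and the rename is atomic
  # within one directory, so mongod never sees a partial file.
  tmp=$(mktemp "${MONGODB_SSL_DIR}/.${MONGODB_SSL_FILE}.XXXXXX")
  trap 'rm -f -- "$tmp"' EXIT
  cat -- "$key" "$chain" > "$tmp"
  chmod 600 -- "$tmp"
  chown mongodb:mongodb -- "$tmp"
  mv -f -- "$tmp" "$pem"
  trap - EXIT
fi

# Ensure everything in $MONGODB_SSL_DIR is owned by mongodb so mongod can
# traverse the directory. Guarded so a misconfigured MONGODB_SSL_DIR=/etc/ssl
# never recursively hands the system CA store to the mongodb user.
if [[ "$MONGODB_SSL_DIR" != "/etc/ssl" ]]; then
  echo "Changing directory ownership (recursive) of ${MONGODB_SSL_DIR} to mongodb:mongodb"
  if [[ "$dry" == false ]]; then
    chown -R mongodb:mongodb -- "$MONGODB_SSL_DIR"
  fi
else
  echo "Changing ownership of ${MONGODB_SSL_FILE} to mongodb:mongodb"
  if [[ "$dry" == false ]]; then
    chown mongodb:mongodb -- "$pem"
  fi
fi

echo "Setting file permissions for ${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE} to 600 (rw, -, -)"
if [[ "$dry" == false ]]; then
  # Already 600 from the build step above; re-applied so the recursive chown
  # branch and any pre-existing file end up with the same mode.
  chmod 600 -- "$pem"
fi

echo "Reloading Mongod systemd service"
# Restart mongodb to apply the new certificates. Under set -e a failed
# restart aborts the script with a non-zero status for acme.sh to report.
if [[ "$dry" == false ]]; then
  systemctl restart mongod
fi
echo "Updated MongoDB Certificates. Run 'systemctl status mongod' to check mongod status"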