@Aervyon
Last active January 16, 2024 09:33
A script to reload certificates for databases and other services
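#! /bin/bash
# reload-certs.sh: install the acme.sh-issued private key and full chain for
# $BASE as one PEM file for MongoDB, fix its ownership and permissions, and
# restart mongod so the new certificate is picked up.
#
# Expects running as root
# DO NOT UNDER ANY CIRCUMSTANCE INCLUDE A TRAILING SLASH
#
# Usage: reload-certs.sh [--help | --var-check | --dry]
#   (no argument)  perform the reload; intended as an acme.sh --reloadcmd
#   --help         print usage and exit
#   --var-check    print the configured variables and exit
#   --dry          print what would be done without touching the file system
#
# Exit status: 0 on success and for --help/--var-check; non-zero when an input
# file is missing or any step fails. The script stops before restarting mongod
# in that case, so a broken PEM is never put into service.
set -euo pipefail

ACME_HOME=/root/.acme.sh
BASE=example.com
DIRECTORY="$BASE"_ecc
MONGODB_SSL_DIR=/etc/ssl/mongodb
MONGODB_SSL_FILE=mongodb.pem
CERT_PATH="$ACME_HOME"/"$DIRECTORY"
FULLCHAIN_NAME=fullchain.cer
KEY_NAME="$BASE".key

# Derived paths; the configuration variables above remain the only thing a
# user needs to edit.
key_file="${CERT_PATH}/${KEY_NAME}"
chain_file="${CERT_PATH}/${FULLCHAIN_NAME}"
mongodb_pem="${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE}"

# acme.sh runs --reloadcmd without arguments, so $1 may be unset under set -u.
arg=${1:-}

# Print a diagnostic to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ "$arg" == "--help" ]]; then
  echo "Reloads certificates for acme.sh for mongodb & postgres"
  echo "by https://github.com/Aervyon"
  echo "Get it at https://gist.github.com/Aervyon/70d5a5559c36050afe7919b7126bcd6f"
  echo "If the link doesn't work look for a 'reload-certs.sh' gist under https://gist.github.com/Aervyon"
  echo "Usage with acme.sh: 'acme.sh --{reload, renew, cron} --reloadcmd /path/to/reload-certs.sh'"
  echo ""
  echo ""
  echo "Commands:"
  echo "--var-check Checks all variables defined in the script, then exits"
  echo "--dry Dry-Run. Does not change anything, does not renew certs"
  exit 0
fi

if [[ "$arg" == "--var-check" ]]; then
  echo "Checking variables and exiting"
  echo "ACME HOME =" "$ACME_HOME"
  echo "BASE =" "$BASE"
  echo "DIRECTORY =" "$DIRECTORY"
  echo "MONGODB SSL DIRECTORY =" "$MONGODB_SSL_DIR"
  echo "MONGODB SSL FILE =" "$MONGODB_SSL_FILE"
  echo "CERTIFICATE PATH =" "$CERT_PATH"
  echo "FULLCHAIN NAME =" "$FULLCHAIN_NAME"
  echo "KEY NAME =" "$KEY_NAME"
  exit 0
fi

dry=false
if [[ "$arg" == "--dry" ]]; then
  echo "Running in dry-run mode. Expect no file system changes"
  dry=true
fi

# MONGO DB CERTIFICATE MANAGEMENT
# Make a new pem file containing the key and the certs necessary
echo "Combining private key ${CERT_PATH}/${KEY_NAME} with ${CERT_PATH}/${FULLCHAIN_NAME} to make ${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE}"
if [[ "$dry" == false ]]; then
  # Validate the inputs before touching the target: a missing key or chain
  # must not truncate the existing PEM and then restart mongod against it.
  [[ -r "$key_file" ]] || die "Private key ${key_file} is missing or unreadable"
  [[ -r "$chain_file" ]] || die "Certificate chain ${chain_file} is missing or unreadable"
  [[ -d "$MONGODB_SSL_DIR" ]] || die "Target directory ${MONGODB_SSL_DIR} does not exist"
  # umask 077 in the subshell makes a newly created PEM mode 0600 from the
  # start, so the private key is never world-readable in the window before
  # the chmod further down.
  ( umask 077 && cat -- "$key_file" "$chain_file" > "$mongodb_pem" ) \
    || die "Failed to write ${mongodb_pem}"
fi

# Ensure everything in $MONGODB_SSL_DIR is owned by mongodb
if [[ "$MONGODB_SSL_DIR" != "/etc/ssl" ]]; then
  echo "Changing directory ownership (recursive) of ${MONGODB_SSL_DIR} to mongodb:mongodb"
  if [[ "$dry" == false ]]; then
    chown -R mongodb:mongodb -- "$MONGODB_SSL_DIR"
  fi
else
  # A shared /etc/ssl must not be handed to mongodb wholesale; only the PEM is.
  echo "Changing ownership of ${MONGODB_SSL_FILE} to mongodb:mongodb"
  if [[ "$dry" == false ]]; then
    chown mongodb:mongodb -- "$mongodb_pem"
  fi
fi

echo "Setting file permissions for ${MONGODB_SSL_DIR}/${MONGODB_SSL_FILE} to 600 (rw, -, -)"
if [[ "$dry" == false ]]; then
  # Set the correct permissions for the files
  chmod 600 -- "$mongodb_pem"
fi

echo "Reloading Mongod systemd service"
# Restart mongodb to apply the new certificates; under set -e a failed restart
# aborts here instead of reporting success below.
if [[ "$dry" == false ]]; then
  systemctl restart mongod
fi
echo "Updated MongoDB Certificates. Run 'systemctl status mongod' to check mongod status"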