Helper script for easier generation of Let's Encrypt certificates through acme.sh
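#!/bin/bash
#
# acme.sh helper: interactively issue a certificate from Let's Encrypt (default)
# or BuyPass (--buypass) and install it under /srv/ssl/<folder>/.
#
# Usage:       acme-helper.sh [--buypass]
# Environment: DNS API credentials for the acme.sh dns_* hooks (e.g. CF_Key and
#              CF_Email for dns_cf) are expected to be exported by ~/.bashrc,
#              which is sourced below.
# Requires:    root (acme.sh lives in /root/.acme.sh, /srv/ssl is root-owned).
#
# Fixes relative to the previous revision:
#  - every user-supplied value (email, folder, domains, providers, reload
#    command) used to be interpolated into an `eval` string, so a quote or `;`
#    in the input became shell code; acme.sh is now invoked with an argv array
#  - the webroot check `=~ "^/"*` quoted the regex and so never matched a path
#  - `cut -d: -f2` on an entry without ':' returned the whole entry, so the
#    dns_cf default never applied
#  - `SSL_PATH=...` sat between `--issue` and the `$?` test, so the install step
#    ran even when issuance had failed
#  - `chmod -R 600` stripped the execute bit from directories
#  - the folder name was not validated, so `../x` escaped /srv/ssl

# Load environment variables (DNS API keys) BEFORE strict mode: a typical
# ~/.bashrc references unset variables and is not written for `set -u`.
# NOTE(review): many distro .bashrc files `return` early for non-interactive
# shells, in which case nothing is loaded — confirm on the target host.
# shellcheck disable=SC1090
. ~/.bashrc

set -euo pipefail

readonly ACME_DIR="/root/.acme.sh"
readonly BASE="/srv/ssl"
readonly ECHO_PREFIX="[acme.sh Helper Script]"
readonly BUYPASS_DIRECTORY="https://api.buypass.com/acme/directory"

# acme.sh invocation as an array, never as a string: each user-supplied value
# becomes its own argv element and is never re-parsed as shell syntax.
# --force re-issues even when the existing cert is not due for renewal (kept
# from the original; note it counts against the CA's rate limits).
readonly -a ACME=("${ACME_DIR}/acme.sh" --force)

# Print a prefixed status line on stdout.
log() { printf '%s %s\n' "${ECHO_PREFIX}" "$*"; }

# Print a prefixed error on stderr and abort.
die() { printf '%s %s\n' "${ECHO_PREFIX}" "$*" >&2; exit 1; }

#######################################
# Split one "domain[:provider]" entry from the domain list and validate it.
# Globals:   ECHO_PREFIX (read)
# Arguments: $1 - entry such as "a.example.com:/var/www/html",
#                 "b.example.com:dns_cf" or just "c.example.com"
# Outputs:   three lines on stdout: domain; acme.sh flag ("-w" when the
#            provider is an absolute path, i.e. a webroot, "--dns" otherwise);
#            provider (dns_cf when absent or empty)
# Returns:   0 on success; 1 with a message on stderr and nothing on stdout
#            when the domain is empty, starts with '-' or contains characters
#            outside [A-Za-z0-9.*-], or the provider is neither an absolute
#            path nor a bare hook name [A-Za-z0-9_]+ — this keeps user input
#            from being parsed by acme.sh as an option.
#######################################
parse_domain_entry() {
  local entry=$1
  local domain provider flag
  local -r domain_re='^[A-Za-z0-9.*-]+$'
  local -r hook_re='^[A-Za-z0-9_]+$'

  domain=${entry%%:*}
  provider=""
  # Only take a provider when ':' is actually present; everything after the
  # first ':' belongs to the provider (paths may contain further colons).
  if [[ "$entry" == *:* ]]; then
    provider=${entry#*:}
  fi
  if [[ -z "$provider" ]]; then
    provider="dns_cf"
  fi

  if [[ -z "$domain" || "$domain" == -* || ! "$domain" =~ $domain_re ]]; then
    printf '%s Invalid domain name in entry: %s\n' "${ECHO_PREFIX}" "$entry" >&2
    return 1
  fi

  # Leading slash => webroot path; otherwise a dns_* hook name.
  if [[ "$provider" == /* ]]; then
    flag="-w"
  elif [[ "$provider" =~ $hook_re ]]; then
    flag="--dns"
  else
    printf '%s Invalid provider in entry (expected /webroot/path or dns_xxx): %s\n' \
      "${ECHO_PREFIX}" "$entry" >&2
    return 1
  fi

  printf '%s\n' "$domain" "$flag" "$provider"
}

#######################################
# Interactive flow: pick CA, create the target folder, collect domains and
# the reload command, issue and install the certificate.
# Globals:   ACME, ACME_DIR, BASE, BUYPASS_DIRECTORY (read)
# Arguments: the script's arguments; only "--buypass" is recognised
# Outputs:   prompts and progress on stdout, errors on stderr
# Returns:   exits 1 on invalid input or on a failed acme.sh step
#######################################
main() {
  local use_buypass=0 arg
  for arg in "$@"; do
    if [[ "$arg" == "--buypass" ]]; then
      use_buypass=1
      log "'--buypass' specified - Using BuyPass CA (Go SSL)."
    fi
  done

  # BuyPass requires a registered account email before issuing; acme.sh keeps
  # the account under ca/<host>, so its absence means we have not registered.
  local ca_dir="${ACME_DIR}/ca/api.buypass.com"
  local account_email
  if (( use_buypass )) && [[ ! -d "$ca_dir" ]]; then
    log "Account email for BuyPass CA (required)?"
    IFS= read -r account_email
    [[ -n "$account_email" ]] || die "An account email is required for BuyPass. Aborting."
    "${ACME[@]}" --server "$BUYPASS_DIRECTORY" --register-account \
      --accountemail "$account_email"
  fi

  # Create the base directory (if missing) and keep it as strict as possible:
  # u=rwX gives directories 700 and files 600, unlike a flat `chmod 600` which
  # would make the directories un-traversable.
  log "Creating base certificate directory: ${BASE}"
  mkdir -p -- "$BASE"
  chown -R root:root -- "$BASE"
  chmod -R u=rwX,go= -- "$BASE"

  log "Name of folder containing certificates? (Will be created under ${BASE})"
  local folder_name
  local -r folder_re='^[A-Za-z0-9._-]+$'
  IFS= read -r folder_name
  # A plain name only: no '/', no '.'/'..', so the target stays inside BASE.
  if [[ ! "$folder_name" =~ $folder_re || "$folder_name" == . || "$folder_name" == .. ]]; then
    die "Invalid folder name '${folder_name}' (use letters, digits, '.', '_' or '-'). Aborting."
  fi
  local ssl_path="${BASE}/${folder_name}"
  log "Creating folder if it doesn't exist: ${ssl_path}"
  mkdir -p -- "$ssl_path"
  chmod 700 -- "$ssl_path"

  log "Space-separated list of domains to generate a certificate for?"
  log "You can specify a DNS provider or webroot for each domain. For example: some.example.com:/var/www/html other.example.com:dns_cf"
  local -a entries=()
  # read -a splits the line on the default IFS (whitespace) into an array.
  read -r -a entries
  (( ${#entries[@]} > 0 )) || die "No domains given. Aborting."

  local -a domain_args=() issue_args=() parsed=()
  local entry
  for entry in "${entries[@]}"; do
    mapfile -t parsed < <(parse_domain_entry "$entry")
    # On failure the helper prints its reason to stderr and emits nothing.
    (( ${#parsed[@]} == 3 )) || die "Aborting."
    domain_args+=(-d "${parsed[0]}")
    issue_args+=(-d "${parsed[0]}" "${parsed[1]}" "${parsed[2]}")
  done

  # Make sure we point to the right CA. acme.sh defaults new accounts to
  # ZeroSSL, so Let's Encrypt is pinned explicitly unless BuyPass was chosen.
  if (( use_buypass )); then
    issue_args+=(--server "$BUYPASS_DIRECTORY")
  else
    issue_args+=(--server letsencrypt)
  fi

  # acme.sh stores the reload command and runs it through the shell on every
  # renewal; it is intentionally a shell command line and is passed verbatim as
  # a single argument (never expanded here).
  log "Reload command? For example: nginx -s reload"
  local reload_cmd
  IFS= read -r reload_cmd

  log "Requesting certificate using the chosen methods:"
  if ! "${ACME[@]}" "${issue_args[@]}" --issue; then
    die "An error occurred during certificate request. Aborting."
  fi

  log "Certificate request completed. Installing certificate with reload command."
  "${ACME[@]}" "${domain_args[@]}" \
    --key-file "${ssl_path}/key.pem" \
    --fullchain-file "${ssl_path}/fullchain.pem" \
    --cert-file "${ssl_path}/cert.pem" \
    --ca-file "${ssl_path}/chain.pem" \
    --reloadcmd "$reload_cmd" \
    --install-cert
  # The installed files inherit the process umask; the private key must not be
  # readable by anyone but root.
  chmod 600 -- "${ssl_path}/key.pem"
}

main "$@"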