@Rudis1261
Last active September 2, 2021 14:49
A PHP Script to check a host's certificate validity, and automatically renew it. Using https://letsencrypt.org/
#!/usr/bin/env php
<?php
// Check a host's TLS certificate expiry and renew it through Let's Encrypt when it
// is within two weeks of expiring. Meant to be run weekly from cron, as root.
error_reporting(-1);
ini_set('display_errors', 1); // the ini key is display_errors, not displayErrors

echo PHP_EOL . PHP_EOL . "====================START=========================";
echo PHP_EOL . "RUN ON:\t\t\t\t" . date('d M Y G:i', time()) . PHP_EOL;

// Check the host: it must be given and must resolve to an IP address.
if (empty($argv[1]) || filter_var(gethostbyname($argv[1]), FILTER_VALIDATE_IP) === false) {
    fwrite(STDERR, "No valid hostname provided" . PHP_EOL);
    exit(1);
}
$host = trim($argv[1]);

// Pull the "expire date:" line out of curl's verbose certificate dump.
// --insecure only disables chain validation so that an already-expired certificate
// can still be inspected; the response body is discarded. The hostname comes from
// the command line, so it is shell-escaped before being interpolated into a command.
//$cmd = 'echo | openssl s_client -connect ' . escapeshellarg($host . ':443') . ' 2>/dev/null | openssl x509 -noout -dates';
$cmd = "curl --insecure -v " . escapeshellarg('https://' . $host) . " 2>&1"
     . " | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'"
     . " | grep -i expire";
$check = exec($cmd); // exec() returns only the last line of output, which is the grep match
if (!$check || !stristr($check, "date:") || !stristr($check, "expire")) {
    fwrite(STDERR, "Could not determine certificate status" . PHP_EOL);
    exit(1);
}
// Everything after "date:" is the timestamp, e.g. "Sep  2 14:49:00 2021 GMT".
$expiry = explode("date:", $check);
if (empty($expiry[1])) {
    fwrite(STDERR, "Could not find expiry date!" . PHP_EOL);
    exit(1);
}
$expiry = strtotime(trim($expiry[1])); // false if curl's date format is not recognised
if (empty($expiry)) {
    fwrite(STDERR, "Could not extract expiry date" . PHP_EOL);
    exit(1);
}
// Renew once the certificate has two weeks or less left.
$renewalTime = strtotime("+2 weeks");
if (empty($renewalTime)) {
    fwrite(STDERR, "Could not determine expiration limit" . PHP_EOL);
    exit(1);
}

echo "HOST:\t\t\t\t" . $host . PHP_EOL;
echo "Certificate expiring on:\t" . date('d M Y', $expiry) . PHP_EOL;
echo "Should renew by:\t\t" . date('d M Y', $renewalTime) . PHP_EOL;
echo "====================RENEW=========================" . PHP_EOL;

if ($expiry <= $renewalTime) {
    echo PHP_EOL . "Renewing!" . PHP_EOL;
    if (!chdir('/root/letsencrypt')) {
        fwrite(STDERR, "Could not change to /root/letsencrypt" . PHP_EOL);
        exit(1);
    }
    // Update the client checkout before running it.
    exec('git pull', $gitPull);
    echo PHP_EOL . "Git Pull Update:" . PHP_EOL;
    echo implode(PHP_EOL, $gitPull) . PHP_EOL;

    // The ini file is named after the first label of the hostname, relative to /root/letsencrypt.
    $iniName = "hosts/live/" . explode('.', $host)[0] . ".ini";
    if (!is_readable($iniName)) {
        fwrite(STDERR, "Config file not found: {$iniName}" . PHP_EOL);
        exit(1);
    }
    echo PHP_EOL . "Renewing with ini: {$iniName}" . PHP_EOL . PHP_EOL;
    exec('./letsencrypt-auto certonly -c ' . escapeshellarg($iniName), $renewOutput, $renewStatus);
    echo implode(PHP_EOL, $renewOutput) . PHP_EOL;
    if ($renewStatus !== 0) {
        fwrite(STDERR, "Renewal failed (exit code {$renewStatus}), not reloading NGINX" . PHP_EOL);
        exit(1);
    }

    // Test the NGINX configuration before reloading so a bad certificate never takes the
    // server down. The output is captured directly rather than via a predictable /tmp file.
    exec('nginx -t 2>&1', $nginxTest);
    $read = implode(PHP_EOL, $nginxTest);
    if (stristr($read, 'syntax is ok') && stristr($read, 'test is successful')) {
        echo "All good, reloading NGINX" . PHP_EOL;
        exec('service nginx reload'); // reload, not restart: existing connections are kept
    } else {
        fwrite(STDERR, "NGINX configuration test failed, not reloading:" . PHP_EOL . $read . PHP_EOL);
        exit(1);
    }
} else {
    echo "Nothing to do here!" . PHP_EOL;
}
echo "=====================END==========================" . PHP_EOL;
Rudis1261 commented May 23, 2016

Super simple script which assumes some things.

  • Server running Letsencrypt in a cert-only mode.
  • Webserver used is NGINX
  • PHP is installed
  • Would be used with a crontab weekly to automatically renew certificates
  • This script assumes that letsencrypt is installed in /root/letsencrypt
  • And that your config.ini files are in /root/letsencrypt/live/<hostname>.ini, e.g. /root/letsencrypt/live/thatguy.ini for thatguy.co.za

If you don't know what this configuration ini should contain, have a look at the documentation http://letsencrypt.readthedocs.io/en/latest/using.html#configuration-file

Direct Usage:

./check_certificate_validity.php example.com

Crontab Usage:

# Renew Certificates At 04:00 on Sat.
0   4   *   *   6    php /root/check_certificate_validity.php example.com >> /tmp/certificate.log
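As an added example (not part of the gist or of the author's comment above): the expiry check the script performs, done with PHP's own openssl extension instead of scraping curl's verbose output. The expiry is read from the parsed certificate, so no shell command is built and no hostname is interpolated into one. The function names, the threshold parameter and the in-memory self-signed test certificates are this example's own assumptions; the live fetch needs network access and a PHP build with the openssl extension, and like the gist's `curl --insecure` it deliberately does not verify the chain, because the point is to read the date even from a certificate that is already invalid.

```php
<?php
// Added example: certificate expiry check using PHP's openssl extension.
// Function names, the self-signed test certificates and the threshold parameter
// are this example's own assumptions, not part of the original gist.

/**
 * Connect to $host:$port with SNI, capture the leaf certificate and return it.
 * Verification is switched off on purpose so the expiry can be read from an
 * already-expired or otherwise invalid chain; nothing from the connection is trusted.
 */
function fetchPeerCertificate(string $host, int $port = 443, int $timeout = 10)
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'SNI_enabled'       => true,
        'peer_name'         => $host,
    ]]);
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("TLS connect to {$host}:{$port} failed: {$errstr} ({$errno})");
    }
    $params = stream_context_get_params($ctx);
    fclose($sock);
    return $params['options']['ssl']['peer_certificate'];
}

/** Seconds until notAfter; negative once the certificate has already expired. */
function secondsUntilExpiry($cert, int $now): int
{
    $info = openssl_x509_parse($cert);
    if ($info === false || !isset($info['validTo_time_t'])) {
        throw new RuntimeException('Could not parse certificate');
    }
    return $info['validTo_time_t'] - $now;
}

/** Renew when the remaining lifetime is at or below the threshold (two weeks, as in the gist). */
function shouldRenew(int $secondsLeft, int $thresholdDays = 14): bool
{
    return $secondsLeft <= $thresholdDays * 86400;
}

/** Constructed input: a self-signed certificate valid for $days days, generated in memory. */
function makeTestCertificate(int $days)
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => 'example.test'], $key);
    return openssl_csr_sign($csr, null, $key, $days);
}

// Offline demonstration with constructed certificates: 90 days is left alone,
// 13 days and an expired-tomorrow 3-day certificate both trigger renewal.
foreach ([90, 13, 3] as $days) {
    $cert = makeTestCertificate($days);
    $left = secondsUntilExpiry($cert, time());
    printf("%3d-day cert: %5.1f days left -> %s\n", $days, $left / 86400, shouldRenew($left) ? 'RENEW' : 'ok');
}

// Live check when a hostname is given: php expiry_check.php example.com
if (!empty($argv[1])) {
    $left = secondsUntilExpiry(fetchPeerCertificate($argv[1]), time());
    printf("%s: %.1f days left -> %s\n", $argv[1], $left / 86400, shouldRenew($left) ? 'RENEW' : 'ok');
}
```

The decision logic is the same as the script's `$expiry <= strtotime("+2 weeks")`, but the date comes from `validTo_time_t` in the parsed certificate rather than from a text line whose format depends on the installed curl version, and a negative result (already expired) is handled the same way as a soon-to-expire one.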
