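#!/bin/sh
# letsencrypt.sh DOMAIN
#
# Renew the Let's Encrypt certificate for DOMAIN with acme-tiny and install
# the leaf + intermediate chain for nginx.
#
#   input : /etc/letsencrypt/domains/DOMAIN.csr, /etc/letsencrypt/account.key
#   output: /etc/letsencrypt/domains/DOMAIN.pem (leaf followed by intermediate)
#
# Runs as the unprivileged letsencrypt user; only the nginx reload goes
# through sudo. Exits 1 on a usage error, when run as root, or when any step
# fails; the existing DOMAIN.pem is left untouched until the new chain is
# complete, so a failed run never leaves nginx without a certificate.

set -u

CONF_DIR=/etc/letsencrypt
DOMAIN_DIR="$CONF_DIR/domains"
INTERMEDIATE="$CONF_DIR/intermediate.pem"
# Intermediate to chain below the leaf. Overridable from the environment so
# the script need not be edited when the CA rotates it; the default is the
# URL the script has always used.
INTERMEDIATE_URL=${INTERMEDIATE_URL:-https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem}

date -R

if [ $# -ne 1 ]; then
  echo "Usage: $0 DOMAIN" 1>&2
  exit 1
fi
domain=$1

# DOMAIN is spliced into file paths: reject anything that could escape
# DOMAIN_DIR or produce a hidden/odd file name (empty, slashes, leading dot,
# whitespace).
case "$domain" in
  ''|*/*|.*|*[[:space:]]*)
    echo "Invalid domain name: '$domain'" 1>&2
    exit 1
    ;;
esac

echo "Updating letsencrypt certificate for $domain"

if [ "$(id -u)" = "0" ]; then
  echo "This script cannot be run as root" 1>&2
  exit 1
fi

# Download the intermediate to a temp file first so a failed or interrupted
# fetch does not truncate the copy currently in use.
if ! wget -nv "$INTERMEDIATE_URL" -O "$INTERMEDIATE.tmp"; then
  rm -f "$INTERMEDIATE.tmp"
  exit 1
fi
chmod 640 "$INTERMEDIATE.tmp"
mv -f "$INTERMEDIATE.tmp" "$INTERMEDIATE" || exit 1

signed="$DOMAIN_DIR/$domain.pem.tmp"
chain="$DOMAIN_DIR/$domain.pem"

# acme-tiny writes the signed leaf certificate to stdout.
if ! python "$CONF_DIR/acme-tiny/acme_tiny.py" \
    --account-key "$CONF_DIR/account.key" \
    --csr "$DOMAIN_DIR/$domain.csr" \
    --acme-dir "$CONF_DIR/challenges" \
    > "$signed"; then
  rm -f "$signed"
  exit 1
fi

# Assemble the full chain beside the live file, then swap it in with a
# rename so nginx never reads a half-written certificate.
cat "$signed" "$INTERMEDIATE" > "$chain.new" || { rm -f "$signed" "$chain.new"; exit 1; }
chmod 640 "$chain.new"
mv -f "$chain.new" "$chain" || exit 1
rm -f "$signed"

sudo systemctl reload nginx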
{% set conf_dir = '/etc/letsencrypt' %}
{% set log_path = '/var/log/letsencrypt.log' %}

# acme-tiny needs a Python interpreter; the web server state provides the
# service that the per-site states below require and reload.
include:
  - python.install
  - {{ pillar.web.server }}
# Unprivileged account that owns the ACME material and runs the renewals.
# Its home is the config directory and it gets the pillar's no-login shell.
letsencrypt-user:
  user.present:
    - name: letsencrypt
    - home: {{ conf_dir }}
    - shell: {{ pillar.nologin_shell }}
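# Renewal log appended to by the cron jobs below; readable by the adm group.
# Modes are quoted so YAML does not retype an octal-looking value.
{{ log_path }}:
  file.managed:
    - user: letsencrypt
    - group: adm
    - mode: "0640"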
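# Top-level config directory, also the letsencrypt user's home.
{{ conf_dir }}:
  file.directory:
    - user: letsencrypt
    - group: letsencrypt
    - dir_mode: "0755"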
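# Renewal script run by cron as the letsencrypt user: owner read+execute only.
{{ conf_dir }}/letsencrypt.sh:
  file.managed:
    - source: salt://ssl/letsencrypt.sh
    - user: letsencrypt
    - group: letsencrypt
    - mode: "0540"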
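# ACME client. This tracks upstream HEAD, and the checked-out code later
# runs with access to the account key; once a release has been reviewed,
# pin it with "- rev: <reviewed commit or tag>" instead of following HEAD.
{{ conf_dir }}/acme-tiny:
  git.latest:
    - name: https://github.com/diafygi/acme-tiny
    - target: {{ conf_dir }}/acme-tiny
    - user: letsencrypt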
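# Per-domain keys, CSRs and chains. Group www-data lets the web server read
# what it is granted below; setgid (2xxx) makes new files inherit the group.
{{ conf_dir }}/domains:
  file.directory:
    - user: letsencrypt
    - group: www-data
    - dir_mode: "2750"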
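# acme-tiny's --acme-dir: challenge tokens are written here by the
# letsencrypt user and must be served by the web server (hence group
# www-data with setgid so the tokens inherit that group).
{{ conf_dir }}/challenges:
  file.directory:
    - user: letsencrypt
    - group: www-data
    - dir_mode: "2750"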
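# ACME account key, generated once (creates: makes the cmd idempotent).
# umask 077 keeps the file private from the moment the shell redirection
# creates it, rather than only after file.managed tightens it to 0440.
{{ conf_dir }}/account.key:
  cmd.run:
    - name: umask 077 && openssl genrsa 4096 > {{ conf_dir }}/account.key
    - creates: {{ conf_dir }}/account.key
    - user: letsencrypt
    - group: letsencrypt
  file.managed:
    - mode: "0440"
    - user: letsencrypt
    - group: letsencrypt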
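{% from 'web/init.sls' import update_site_vars %}
{% for name, site in pillar.get('web_sites', {}).items() if 'letsencrypt' in site %}
{% do update_site_vars(name, site) %}
{% if site.letsencrypt %}
# Per-site private key. umask 077 keeps it private while openssl writes it;
# file.managed then grants the web server group read access.
{{ conf_dir }}/domains/{{ site.domain }}.key:
  cmd.run:
    - name: umask 077 && openssl genrsa 4096 > {{ conf_dir }}/domains/{{ site.domain }}.key
    - creates: {{ conf_dir }}/domains/{{ site.domain }}.key
    - user: letsencrypt
  file.managed:
    - mode: "0440"
    - user: letsencrypt
    - group: www-data

{{ conf_dir }}/domains/{{ site.domain }}.csr:
  cmd.run:
{% if site.letsencrypt is list %}
    # A list value requests a multi-name (SAN) certificate. The <(...)
    # process substitutions are a bash feature, so the shell is pinned
    # rather than relying on the minion's default /bin/sh.
    - name: |
        openssl req -new -sha256 -key {{ conf_dir }}/domains/{{ site.domain }}.key \
          -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:{{ site.letsencrypt | join(',DNS:') }}")) \
          > {{ conf_dir }}/domains/{{ site.domain }}.csr
    - shell: /bin/bash
{% else %}
    - name: |
        openssl req -new -sha256 -key {{ conf_dir }}/domains/{{ site.domain }}.key \
          -subj "/CN={{ site.domain }}" > {{ conf_dir }}/domains/{{ site.domain }}.csr
{% endif %}
    - creates: {{ conf_dir }}/domains/{{ site.domain }}.csr
    - user: letsencrypt
  file.managed:
    - mode: "0440"
    - user: letsencrypt
    - group: letsencrypt

{# A `set` inside a for loop does not persist into the next iteration, so a
   running counter incremented here would leave every site on the same day.
   Derive the renewal day from the loop index instead, staying within 1..28:
   1, 8, 15, 22, then 2, 9, 16, 23, and so on. #}
{% set day = 1 + (loop.index0 % 4) * 7 + (loop.index0 // 4) % 7 %}

letsencrypt-{{ site.domain }}:
  # Initial issuance, once the web server is up to answer the challenge.
  cmd.run:
    - name: {{ conf_dir }}/letsencrypt.sh {{ site.domain }}
    - creates: {{ conf_dir }}/domains/{{ site.domain }}.pem
    - user: letsencrypt
    - require:
      - service: {{ pillar.web.server }}
  # Monthly renewal at 03:00, staggered across sites by day of month.
  cron.present:
    - name: {{ conf_dir }}/letsencrypt.sh {{ site.domain }} >> {{ log_path }} 2>&1
    - identifier: letsencrypt-{{ site.domain }}
    - user: letsencrypt
    - daymonth: {{ day }}
    - hour: 3
    - minute: 0
{% else %}
# letsencrypt disabled for this site: remove the cron job and the chain.
letsencrypt-{{ site.domain }}:
  cron.absent:
    - identifier: letsencrypt-{{ site.domain }}
    - user: letsencrypt

{{ conf_dir }}/domains/{{ site.domain }}.pem:
  file.absent
{% endif %}
{% endfor %}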