Last active
March 18, 2020 19:05
-
-
Save antillean/2878290b9d5cd91d1cb6 to your computer and use it in GitHub Desktop.
Let's Encrypt renewal script for VSFTPD, mumble-server (and possibly other things)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ## Some notes: | |
| ## 1. This should be run as root! | |
| ## 2. This assumes that /etc/letsencrypt/cli.ini is sensibly specified. | |
| ## 3. /usr/local/sbin/le-sub.example.com-renewal.sh is a sensible place to put this. | |
| ## 4. A sensible crontab entry for this: 15 2 * * 1 /usr/local/sbin/le-sub.example.com-renewal.sh >> /var/log/le-sub.example.com-renewal.log | |
| exp_limit=15; | |
| le_path='/opt/letsencrypt'; | |
| domain='sub.example.com'; | |
| cert_file="/etc/letsencrypt/live/$domain/cert.pem" | |
| ## Exit if there's no certificate to renew. | |
| if [ ! -f $cert_file ]; then | |
| echo "[ERROR] certificate file not found for domain '$domain'." | |
| exit 1; | |
| fi | |
| ## Determine number of days till expiration. | |
| exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s) | |
| datenow=$(date -d "now" +%s) | |
| days_exp=$(echo \( $exp - $datenow \) / 86400 |bc) | |
| echo "Checking expiration date for $domain..." | |
| if [ "$days_exp" -gt "$exp_limit" ] ; then | |
| ## Display message and exit if no need for renewal. | |
| echo "The certificate is up to date, no need for renewal ($days_exp days left)." | |
| exit 0; | |
| else | |
| ## Display messages as renewal steps are performed, then exit. | |
| echo "The certificate for $domain is about to expire soon. Starting Let's Encrypt renewal script..." | |
| echo "Instructing UFW to allow access on port 80..." | |
| ufw allow from any to any app www | |
| echo "Running Let's Encrypt update script..." | |
| $le_path/letsencrypt-auto certonly --agree-tos --renew-by-default | |
| echo "Deleting previously inserted UFW rule..." | |
| ufw delete allow from any to any app www | |
| ## TODO: 1. This list of services shouldn't be hard-coded. | |
| ## TODO: 2. Is it enough to reload vsftpd? | |
| ## TODO: 3. Ideally if you have to do a hard restart (as with mumble?), you should make sure that no one's connected to the service. | |
| echo "Reloading dependent services..." | |
| service vsftpd reload | |
| service mumble-server restart | |
| echo "Renewal process finished for domain $domain" | |
| exit 0; | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment