@barryo
Created October 28, 2022 12:41
Script to issue/renew LetsEncrypt SSL certs and hook into SaltStack for deployment
#!/usr/bin/env bash
##
## Copyright (C) 2022 Island Bridge Networks Limited. All Rights Reserved.
##
## Based on work by @sparkeh
##
## For each name in CERTS, issue or renew a Let's Encrypt certificate covering
## the name and its wildcard via acme.sh with the PowerDNS dns-01 hook, write
## the resulting files into a Salt state directory and apply that state.

# Acme location
ACME="/usr/local/acme.sh/acme.sh"

# Add the cert name, we'll take care of the wildcard automatically.
CERTS="example.com example.org"

# Path to salt state directory
SALT_CERT_REPO="/srv/salt/ssl-acme/acme"

# Connection to pdns api
PDNS_URL="http://192.0.2.34:8081"
PDNS_TOKEN="soopersecret=="

usage() {
    echo "$0 -o <operation: renew, renewf, issue> -c <if specified, only this cert> -n [skip salt]"
}

oper=""
speccert=$CERTS
salt=1

while getopts "o:c:nh" opt; do
    case $opt in
        o) oper=$OPTARG ;;
        c) speccert=$OPTARG ;;
        n) salt=0 ;;
        h) usage; exit 0 ;;
        *) usage; exit 1 ;;
    esac
done

# Map the operation onto acme.sh arguments. An array keeps "--renew --force"
# as two separate words when it is expanded below.
case $oper in
    renew)  OPER=(--renew) ;;
    renewf) OPER=(--renew --force) ;;
    issue)  OPER=(--issue) ;;
    *)
        echo "Operation must be one of renew renewf or issue" >&2
        exit 1
        ;;
esac

# acme.sh's dns_pdns hook reads its API settings from these variables.
export PDNS_Url=$PDNS_URL
export PDNS_Token=$PDNS_TOKEN
export PDNS_ServerId="localhost"
export PDNS_Ttl=60

# speccert is a space-separated list, so it is deliberately left unquoted.
for CERT in $speccert; do
    "$ACME" "${OPER[@]}" --server letsencrypt --dns dns_pdns \
        -d "$CERT" -d "*.$CERT" \
        --cert-file "$SALT_CERT_REPO/$CERT.crt" \
        --key-file "$SALT_CERT_REPO/$CERT.key" \
        --fullchain-file "$SALT_CERT_REPO/$CERT.full.crt"
done

# Push the new files out to the target minion(s) with the ssl-acme state.
if [[ $salt = "1" ]]; then
    /usr/bin/salt 'xxx' state.apply ssl-acme
fi
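The script hands whatever acme.sh wrote in the Salt directory straight to `state.apply`, so a failed or partial renewal (or a key file left group-readable) gets deployed as-is. The following is an added example, not part of the gist and not acme.sh or Salt code, of a pre-deploy sanity check you could call before the `salt` line: it confirms the leaf certificate's public key matches the private key, that the certificate is still valid for a minimum number of days, and that the key file is owner-only. It assumes `openssl` is on the PATH and either GNU or BSD `stat`; the function names and the `$repo/$name.{crt,key}` layout are illustrative and mirror the script's file naming.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): sanity-check the files acme.sh dropped
# into the Salt state directory before deploying them. Assumes openssl on PATH.

# Succeed if the private key in $2 belongs to the leaf certificate in $1.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is enough.
cert_matches_key() {
    local cert="$1" key="$2"
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate in $1 will still be valid $2 days from now
# (default 14). openssl's -checkend returns 1 when the cert expires inside
# the window.
cert_valid_for_days() {
    local cert="$1" days="${2:-14}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Succeed if the key file is readable only by its owner (0600 or 0400).
# GNU stat first, BSD/macOS stat as a fallback.
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks for one certificate name laid out as the script does
# ($repo/$name.crt and $repo/$name.key). Reports each failure on stderr and
# returns non-zero if any check failed.
check_cert_bundle() {
    local repo="$1" name="$2" rc=0
    cert_matches_key "$repo/$name.crt" "$repo/$name.key" \
        || { echo "$name: private key does not match certificate" >&2; rc=1; }
    cert_valid_for_days "$repo/$name.crt" 14 \
        || { echo "$name: certificate expires within 14 days" >&2; rc=1; }
    key_mode_ok "$repo/$name.key" \
        || { echo "$name: key file is group/world readable" >&2; rc=1; }
    return $rc
}
```

In the script this would sit between the acme.sh loop and the `salt` call, e.g. `check_cert_bundle "$SALT_CERT_REPO" "$CERT"` inside the loop with `salt=0` on failure, so a bad bundle never reaches `state.apply`. Note that acme.sh with `--renew` (without `--force`) exits 2 when the certificate is not yet due, which is why the script does not use `set -e`; a wrapper that treats non-zero as fatal needs to special-case that code.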