Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Let's Encrypt Auto-Renewal using the Webroot Plugin (Nginx) - Single renew script to support multiple configs at once
#!/bin/bash
web_service='nginx'
config_files="/usr/local/etc/letsencrypt/*.ini"
le_path='/opt/letsencrypt'
exp_limit=30;
do_reload=0;
for config_file in $config_files; do
domain=`grep "^\s*domains" $config_file | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [[ ! -f $cert_file ]]; then
echo "[ERROR] certificate file not found for domain $domain."
continue;
fi
exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)
echo "Checking expiration date for $domain..."
if [[ "$days_exp" -gt "$exp_limit" ]] ; then
echo "$domain certificate is up to date, no need for renewal ($days_exp days left)."
else
echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
$le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
do_reload=1;
fi
done
if [[ "$do_reload" -gt 0 ]]; then
echo "Reloading $web_service"
/usr/sbin/service $web_service reload
echo "Renewal process finished for expiring domains"
exit 0;
fi
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = you@example.com
# Uncomment and update to generate certificates for the specified
# domains.
domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /usr/share/nginx/html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment