letsencrypt_synchronize_certs.sh

gistfile1.txt

#!/bin/bash

set -x
set -e

# This script intends to compliment an automated LetEncrypt setup on
# OS X Server. After updating certs, the new files should be imported into
# Keychain, which Server will notice. Amusingly, we need to encrypt the
# certs for this to work, so this script does that (hard-coded password!)

DOMAIN="xyzzy.com"

ACMECMDSUFFIX=" --state=/opt/brew/var/lib/acmetool --xlog.file=/Users/andre/acme.log --response-file=/opt/brew/var/lib/acmetool/conf/responses --hooks=/opt/brew/var/lib/acmetool/hooks"
# updated things to import
LIVE=$(acmetool status ${ACMECMDSUFFIX}| awk '/ACME_STATE_DIR/ {print $2}')
LIVE="$LIVE/live/$DOMAIN"

newCert="$LIVE/cert"
newKey="$LIVE/privkey"
newChain="$LIVE/chain"

# staging area
TMP=$(mktemp -d)

P12Out="${DOMAIN}.p12"

# convert files for /usr/bin/security
openssl pkcs12 -export \
-inkey "$newKey" \
-in "$newCert" \
-certfile "$newChain" \
-out "${TMP}/${P12Out}" \
-password pass:__%#@myreallybestpkcs12password11one

# import cert + key
#security import /etc/letsencrypt/live/${P12Out}/letsencrypt_sslcert.p12 -f pkcs12 \
sudo /usr/bin/security -v import "${TMP}/${P12Out}" \
-A \
-f pkcs12 \
-k /Library/Keychains/System.keychain \
-P __%#@myreallybestpkcs12password11one
#-T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr \
#-T /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access