letsencrypt_synchronize_certs.sh
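#!/bin/bash
# Complements an automated Let's Encrypt (acmetool) setup on OS X Server.
# After acmetool renews the certificate, the new key/cert/chain are bundled
# into a PKCS#12 file and imported into the System keychain, which Server
# notices. PKCS#12 export requires a passphrase; a random single-use value is
# generated per run instead of a hard-coded one.
#
# Requires: acmetool, openssl, and sudo rights for /usr/bin/security.
set -eu
set -o pipefail
set -x

DOMAIN="xyzzy.com"
# acmetool options as an array so each option is passed as its own word
# (the original kept them in one string and relied on word-splitting).
ACMECMD_ARGS=(
  --state=/opt/brew/var/lib/acmetool
  --xlog.file=/Users/andre/acme.log
  --response-file=/opt/brew/var/lib/acmetool/conf/responses
  --hooks=/opt/brew/var/lib/acmetool/hooks
)

die() { printf '%s\n' "$*" >&2; exit 1; }

# Updated things to import: resolve the live directory from acmetool's
# status output. An empty result would otherwise silently become "/live/...".
STATE_DIR=$(acmetool status "${ACMECMD_ARGS[@]}" | awk '/ACME_STATE_DIR/ {print $2}')
[[ -n "$STATE_DIR" ]] || die "could not determine ACME_STATE_DIR from 'acmetool status'"
LIVE="$STATE_DIR/live/$DOMAIN"
newCert="$LIVE/cert"
newKey="$LIVE/privkey"
newChain="$LIVE/chain"
for f in "$newCert" "$newKey" "$newChain"; do
  [[ -r "$f" ]] || die "missing or unreadable: $f"
done

# Staging area: the .p12 contains the private key, so it lives in a fresh
# mktemp dir that is removed on every exit path (including failures).
umask 077
TMP=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${TMP:?}"' EXIT
P12Out="${DOMAIN}.p12"

# Single-use PKCS#12 passphrase. The original was hard-coded and, with
# `set -x` on, was also echoed into the trace; xtrace is paused while the
# secret is generated and used.
set +x
P12PASS=$(openssl rand -base64 32) || die "openssl rand failed"
export P12PASS

# Convert files for /usr/bin/security. `-passout env:` keeps the passphrase
# off openssl's argv (and therefore out of `ps`).
openssl pkcs12 -export \
  -inkey "$newKey" \
  -in "$newCert" \
  -certfile "$newChain" \
  -out "${TMP}/${P12Out}" \
  -passout env:P12PASS

# Import cert + key. security(1) import takes the passphrase only via -P, so
# it is briefly visible on argv; a random single-use value limits what that
# exposes. NOTE: -A lets any application use the imported key without
# prompting; the commented -T lines below are the narrower per-application
# alternative.
sudo /usr/bin/security -v import "${TMP}/${P12Out}" \
  -A \
  -f pkcs12 \
  -k /Library/Keychains/System.keychain \
  -P "$P12PASS"
#  -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr \
#  -T /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
unset P12PASS
set -x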