Certificate renew script for letsencrypt (acme-tiny)
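#!/usr/bin/env bash
# Certificate renew script for Let's Encrypt using acme-tiny.
# Read https://github.com/diafygi/acme-tiny before using this script.
#
# This script expects:
#   1. the Let's Encrypt account key at $ACCOUNT_KEY (acme-tiny README, step 1)
#   2. a CSR already generated per domain (files: domain.key and domain.csr,
#      acme-tiny README, step 2); domain.csr must live in $DOMAIN_ROOT/$DOMAIN
#      (e.g. /home/letsencrypt/domains/mapilary.com/domain.csr)
# Results per domain, all under $DOMAIN_ROOT/$DOMAIN:
#   signed.crt   - the certificate returned by the CA
#   chained.pem  - signed.crt + intermediate (ssl_certificate for nginx)
#   full.pem     - signed.crt + intermediate + root (see OCSP stapling note below)
#
# Run this script as a dedicated, unprivileged user so that a compromise of the
# web server or of the challenge directory cannot reach the account key:
#   $ adduser --system --group letsencrypt
# Permissions: the account key must be readable by that user only
#   chmod 600 account.key
#   chown letsencrypt: account.key
# Ownership of the challenge dir (acme-tiny writes the HTTP-01 tokens there;
# the web server only needs read access to it):
#   chown letsencrypt: /var/www/challenges
# Allow the letsencrypt user to reload nginx and nothing else. Keep the sudoers
# rule to this exact command line, no wildcards, so the account cannot be used
# to run arbitrary service commands as root:
#   visudo -f /etc/sudoers.d/letsencrypt
#   letsencrypt ALL=(ALL) NOPASSWD: /usr/sbin/service nginx reload
# Create the log file:
#   sudo touch /var/log/acme_tiny.log
#   sudo chown letsencrypt: /var/log/acme_tiny.log
# Cron, /etc/cron.d/letsencrypt (diagnostics go to stderr, hence the 2>>):
#   SHELL=/bin/sh
#   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#   MAILTO=root
#   0 0 1 * * letsencrypt /home/letsencrypt/renew_cert.sh 2>> /var/log/acme_tiny.log

set -euo pipefail

DOMAINS=( mapilary.com ws.mapilary.com api.mapilary.com )
ACME_TINY_ROOT=/home/letsencrypt/acme-tiny
DOMAIN_ROOT=/home/letsencrypt/domains
ACCOUNT_KEY=/home/letsencrypt/account.key
ACME_DIR=/var/www/challenges

# Root and intermediate used to build chained.pem / full.pem.
# full.pem (root + intermediate + domain cert) is useful for OCSP stapling,
# see https://gist.github.com/StefanWallin/5690c76aee1f783c3d57 ; in nginx:
#   ssl_trusted_certificate /home/letsencrypt/domains/domain.tld/full.pem;
# NOTE(review): the "cross-signed" X3 intermediate is issued by IdenTrust's
# DST Root CA X3, not by ISRG Root X1, so full.pem as built here may not form
# one verifiable path; check with
#   openssl verify -CAfile root.pem -untrusted intermediate.pem signed.crt
# before relying on it for stapling, and update these URLs whenever Let's
# Encrypt rotates its intermediates. Newer acme-tiny releases already print
# the full chain on stdout -- confirm for the version you run; if so the
# intermediate is appended twice below, which is harmless but redundant.
ROOT_URL=https://letsencrypt.org/certs/isrgrootx1.pem
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

# Print a diagnostic to stderr (ends up in the cron log) and abort.
die() { printf 'renew_cert: %s\n' "$*" >&2; exit 1; }

# fetch_pem URL DEST
# Download a PEM certificate over HTTPS (wget verifies the server certificate
# by default -- never add --no-check-certificate here), refuse anything that
# does not parse as an X.509 certificate (an HTML error page, an empty body),
# then rename it into place so DEST is never left truncated.
fetch_pem() {
  local url=$1 dest=$2 tmp
  tmp="$work_dir/${dest##*/}"
  wget -q -O "$tmp" -- "$url" || die "download of $url failed"
  openssl x509 -noout -in "$tmp" >/dev/null 2>&1 \
    || die "$url did not return a PEM certificate"
  mv -f -- "$tmp" "$dest"
}

# Preflight: fail before touching anything on disk. openssl is required by
# acme-tiny itself, so checking for it here adds no new dependency.
command -v openssl >/dev/null || die "openssl not found in PATH"
[[ -f "$ACME_TINY_ROOT/acme_tiny.py" ]] || die "acme-tiny not present in ACME_TINY_ROOT dir"
[[ -f "$ACCOUNT_KEY" ]] || die "ACCOUNT_KEY not found."
[[ -d "$DOMAIN_ROOT" ]] || die "DOMAIN_ROOT dir does not exists"
[[ -d "$ACME_DIR" ]] || die "ACME_DIR dir does not exists"
for domain in "${DOMAINS[@]}"; do
  [[ -d "$DOMAIN_ROOT/$domain" ]] || die "domain dir does not exists: $DOMAIN_ROOT/$domain"
done

# Scratch dir on the same filesystem as DOMAIN_ROOT so that mv is an atomic
# rename: nginx (and a concurrent reload) never observes a half-written PEM.
# The original `cmd > file` form truncated the target before the producer ran,
# leaving an empty file behind on any failure.
work_dir=$(mktemp -d "$DOMAIN_ROOT/.renew.XXXXXX") || die "mktemp failed"
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT

fetch_pem "$ROOT_URL" "$DOMAIN_ROOT/root.pem"
fetch_pem "$INTERMEDIATE_URL" "$DOMAIN_ROOT/intermediate.pem"

for domain in "${DOMAINS[@]}"; do
  dir="$DOMAIN_ROOT/$domain"
  echo "Generating cert for $domain"
  # acme-tiny prints the signed certificate on stdout. Capture it in the
  # scratch dir so a failed or empty run leaves the previous files untouched.
  python "$ACME_TINY_ROOT/acme_tiny.py" \
    --account-key "$ACCOUNT_KEY" \
    --csr "$dir/domain.csr" \
    --acme-dir "$ACME_DIR" > "$work_dir/signed.crt" \
    || die "acme-tiny failed for $domain"
  openssl x509 -noout -in "$work_dir/signed.crt" >/dev/null 2>&1 \
    || die "acme-tiny output for $domain is not a PEM certificate"
  cat "$work_dir/signed.crt" "$DOMAIN_ROOT/intermediate.pem" > "$work_dir/chained.pem"
  cat "$work_dir/signed.crt" "$DOMAIN_ROOT/intermediate.pem" "$DOMAIN_ROOT/root.pem" > "$work_dir/full.pem"
  mv -f -- "$work_dir/signed.crt" "$dir/signed.crt"
  mv -f -- "$work_dir/chained.pem" "$dir/chained.pem"
  mv -f -- "$work_dir/full.pem" "$dir/full.pem"
done

# Only reached when every domain was renewed and parsed; a broken chain is
# never handed to nginx. The sudoers rule above permits exactly this command.
sudo service nginx reload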