Let's Encryptなどの証明書をACMEで自動更新するやつ
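#!/bin/sh
# ACME auto certificate renewal with NGINX
#
# Obtains or renews a Let's Encrypt certificate with certbot using the
# validation method selected in the CONFIG section, then reloads nginx
# (or starts it again when the standalone authenticator had to stop it).
# Exit status is certbot's exit status, or 1 for a configuration error.
#############################CONFIG####################################
### General ###
DOMAIN="example.com" # Comma-separated list of domains to obtain a certificate for
EMAIL="admin@example.com" # email
FORCE_RENEWAL="" # set --force-renewal if you need (one option only).
DRY_RUN="" # set --dry-run if you need (one option only).
### PATH ###
CERTBOT="/usr/bin/certbot" # $which certbot
NGINX="/usr/sbin/nginx" # $which nginx
SYSTEMCTL="/usr/bin/systemctl" # $which systemctl
### Validation method
# (the variable keeps its historical spelling so existing configs stay valid)
#
# http:
# Use HTTP-01.
# Nginx should route acme-challenge path.
# location ^~ /.well-known/acme-challenge/ {
# root /usr/share/nginx/html/_webroot;
# }
#
# standalone:
# Use HTTP-01.
# nginx is stopped while certbot binds port 80 and started again afterwards.
#
# dns-with-cloudflare, dns-with-aws, dns-with-google:
# Use DNS-01.
# Suitable for wildcard certificates.
#
VARIDATION_METHOD="http"
### HTTP-01
WEBROOT="/usr/share/nginx/html/_webroot"
### DNS-01 with CloudFlare
#
# (Recommended)
# $ sudoedit /etc/letsencrypt/cloudflare.ini
# dns_cloudflare_api_token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#
# (Not recommended)
# $ sudoedit /etc/letsencrypt/cloudflare.ini
# dns_cloudflare_email = admin@example.com
# dns_cloudflare_api_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#
# $ sudo chmod 600 /etc/letsencrypt/cloudflare.ini
#
# For more detail, visit https://developers.cloudflare.com/api/tokens/create/.
#
CF_CREDENTIALS_FILE="/etc/letsencrypt/cloudflare.ini"
### DNS-01 with Route53(AWS)
#
# $ sudoedit /etc/letsencrypt/awsconfig.ini
# [default]
# aws_access_key_id=AKIAIOSFODNN7EXAMPLE
# aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
#
# $ sudo chmod 600 /etc/letsencrypt/awsconfig.ini
#
# For more detail, visit https://certbot-dns-route53.readthedocs.io/en/stable/.
#
AWS_CREDENTIALS_FILE="/etc/letsencrypt/awsconfig.ini"
### DNS-01 with Google
#
# $ sudoedit /etc/letsencrypt/google.json
#
# {
# "type": "service_account",
# "project_id": "...",
# "private_key_id": "...",
# "private_key": "...",
# "client_email": "...",
# "client_id": "...",
# "auth_uri": "https://accounts.google.com/o/oauth2/auth",
# "token_uri": "https://accounts.google.com/o/oauth2/token",
# "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
# "client_x509_cert_url": "..."
# }
#
# $ sudo chmod 600 /etc/letsencrypt/google.json
#
GOOGLE_CREDENTIALS_FILE="/etc/letsencrypt/google.json"
#######################################################################

# Print a message to stderr and exit with status 1.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Require the credentials file given as $1 to be readable; warn when other
# users can read it, since it holds an API token or key.
check_credentials_file() {
  [ -r "$1" ] || die "credentials file not readable: $1"
  if [ -n "$(find "$1" -prune -perm -o+r 2>/dev/null)" ]; then
    printf '%s: warning: %s is world-readable; consider chmod 600\n' "${0##*/}" "$1" >&2
  fi
}

[ -x "${CERTBOT}" ] || die "certbot not found at ${CERTBOT}"
[ -n "${DOMAIN}" ] || die "DOMAIN must be set"
[ -n "${EMAIL}" ] || die "EMAIL must be set"

# Build certbot's argument list positionally (POSIX sh has no arrays) instead
# of through eval, so paths and domains are passed verbatim and never
# re-parsed by the shell.
set -- certonly
[ -n "${DRY_RUN}" ] && set -- "$@" "${DRY_RUN}"
[ -n "${FORCE_RENEWAL}" ] && set -- "$@" "${FORCE_RENEWAL}"

nginx_stopped=0
case ${VARIDATION_METHOD} in
http | webroot )
  set -- "$@" --webroot -w "${WEBROOT}"
  ;;
standalone )
  # The standalone authenticator binds port 80 itself, so nginx must be stopped first.
  "${SYSTEMCTL}" stop nginx || die "failed to stop nginx"
  nginx_stopped=1
  set -- "$@" --standalone
  ;;
dns-with-cloudflare | cloudflare | cf )
  check_credentials_file "${CF_CREDENTIALS_FILE}"
  set -- "$@" --dns-cloudflare --dns-cloudflare-credentials "${CF_CREDENTIALS_FILE}"
  ;;
dns-with-aws | aws | dns-with-route53 | route53 )
  # certbot-dns-route53 has no option for a credentials file; it reads the
  # standard AWS SDK configuration, so AWS_CONFIG_FILE is pointed at ours.
  # For more details, visit https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py
  check_credentials_file "${AWS_CREDENTIALS_FILE}"
  AWS_CONFIG_FILE=${AWS_CREDENTIALS_FILE}
  export AWS_CONFIG_FILE
  set -- "$@" --dns-route53
  ;;
dns-with-google | google )
  check_credentials_file "${GOOGLE_CREDENTIALS_FILE}"
  set -- "$@" --dns-google --dns-google-credentials "${GOOGLE_CREDENTIALS_FILE}"
  ;;
* )
  # Without an authenticator certbot would be invoked with no challenge type.
  die "unknown VARIDATION_METHOD: ${VARIDATION_METHOD}"
  ;;
esac
set -- "$@" --non-interactive --agree-tos -m "${EMAIL}" --no-eff-email -d "${DOMAIN}"

# Log the exact command line, one argument per word.
printf '%s ' "${CERTBOT}" "$@"
printf '\n'

"${CERTBOT}" "$@"
status=$?

if [ "${nginx_stopped}" -eq 1 ]; then
  # Always bring nginx back, even when certbot failed.
  "${SYSTEMCTL}" start nginx || die "certbot exited with status ${status} and nginx failed to start"
elif [ "${status}" -eq 0 ]; then
  # Only reload when a certificate may have changed, and only if the config is valid.
  "${NGINX}" -t && "${SYSTEMCTL}" reload nginx
fi

exit "${status}"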