Acme-Lego script to issue and renew certificates
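#!/bin/bash
#
# Issue or renew the Let's Encrypt certificate for $DOMAIN with lego, persist
# the ACME account and the resulting files in Vault, publish the cert/key pair
# to Consul for Traefik, and post the outcome to a Mattermost webhook.
#
# Required environment:
#   DOMAIN  - domain to issue the certificate for
#   ENV     - environment name; selects the Vault path secret/$ENV/letsencrypt/$DOMAIN
#   ACC     - e-mail address of the ACME account (also names the account key file)
# Optional environment:
#   MATTERMOST_WEBHOOK_URL - incoming-webhook URL for alerts; defaults to the
#                            URL that was previously hard-coded in this script
#
# Exit status: 0 when the certificate was issued and persisted, 1 when any of
# lego, vault write or consul kv put failed (an alert is posted either way).
#
# NOTE: `set -x` would print the webhook URL and the vault/consul arguments on
# stderr, so enable tracing only in a private shell.
set -uo pipefail

: "${DOMAIN:?DOMAIN must be set}"
: "${ENV:?ENV must be set}"
: "${ACC:?ACC must be set}"

readonly ACME_DIR=acme-v02.api.letsencrypt.org
readonly VAULT_SECRET="secret/$ENV/letsencrypt/$DOMAIN"
# The hook path is the only credential Mattermost checks for the webhook, so it
# should come from the environment (or Vault) rather than live in the script.
readonly MATTERMOST_WEBHOOK_URL="${MATTERMOST_WEBHOOK_URL:-https://mattermost.domain.com/hooks/4q1cdg9jz3y38bk8ne3ti6w7ue}"

# The work directory receives the ACME account key and the certificate private
# key; an unpredictable name and a restrictive umask keep other users of the
# host from reading or pre-creating it.
umask 077
LEGO_PATH=$(mktemp -d "${TMPDIR:-/tmp}/cert-XXXXXXXX") || { printf 'mktemp failed\n' >&2; exit 1; }
readonly LEGO_PATH
readonly ACCOUNT_DIR="$LEGO_PATH/accounts/$ACME_DIR/$ACC"
readonly CERT_DIR="$LEGO_PATH/certificates"

#######################################
# Remove the key material on every exit path (normal, error or signal).
# Globals:   LEGO_PATH (read)
#######################################
cleanup() {
  rm -rf -- "${LEGO_PATH:?}"
}
trap cleanup EXIT

#######################################
# Fetch one field of the Vault secret into a file.
# Globals:   VAULT_SECRET (read)
# Arguments: $1 - field name, $2 - destination path
# Returns:   0 and writes $2 when the field exists; 1 and leaves no file at $2
#            otherwise (a failed read must not leave an empty file for lego)
#######################################
fetch_field() {
  local field=$1
  local dest=$2
  if vault read -field="$field" "$VAULT_SECRET" > "$dest" 2>/dev/null; then
    return 0
  fi
  rm -f -- "$dest"
  return 1
}

#######################################
# Escape a string for use inside a JSON string literal.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  printf '%s' "$s"
}

#######################################
# Post a message to the Mattermost incoming webhook.
# Globals:   MATTERMOST_WEBHOOK_URL (read)
# Arguments: $1 - message text ($DOMAIN/$ENV are interpolated by the caller and
#            are not validated, hence the escaping)
#######################################
notify() {
  local payload
  payload=$(printf '{"text": "%s"}' "$(json_escape "$1")")
  curl -i -X POST -H "Content-Type: application/json" -d "$payload" "$MATTERMOST_WEBHOOK_URL"
}

#######################################
# Derive the Consul key component Traefik uses for a domain: the first four and
# the last three decimal digits of md5sum("$DOMAIN\n"). Existing Consul entries
# were written under this scheme, so it must not change.
# Arguments: $1 - domain name
# Outputs:   the hash on stdout (no trailing newline)
#######################################
domain_hash() {
  local digits
  digits=$(printf '%s\n' "$1" | md5sum | tr -cd '0-9')
  printf '%s%s' "${digits:0:4}" "${digits: -3}"
}

#######################################
# Entry point: seed the lego state from Vault, run lego, persist and publish.
# Globals:   DOMAIN, ENV, ACC, LEGO_PATH, ACCOUNT_DIR, CERT_DIR, VAULT_SECRET (read)
# Returns:   0 on success, 1 when lego, vault write or consul kv put fails
#######################################
main() {
  mkdir -p -- "$ACCOUNT_DIR/keys" "$CERT_DIR"

  # Reuse the ACME account registered on a previous run when Vault has it.
  if fetch_field account.json "$ACCOUNT_DIR/account.json" &&
     fetch_field account_key "$ACCOUNT_DIR/keys/$ACC.key"; then
    echo "Credentials found"
  else
    echo "Credentials not found"
  fi

  # Seed the certificate directory so lego renews rather than re-issues.
  local file
  for file in "$DOMAIN.json" "$DOMAIN.crt" "$DOMAIN.issuer.crt" "$DOMAIN.key" "$DOMAIN.pem"; do
    if fetch_field "$file" "$CERT_DIR/$file"; then
      echo "$file found in vault"
    else
      echo "$file not found in vault"
    fi
  done

  if ! lego -d "$DOMAIN" -a --email "$ACC" --dns dnsmadeeasy --pem --path "$LEGO_PATH" --dns.resolvers 8.8.8.8 run; then
    echo "Lego error" >&2
    notify "Error updating certificate for $DOMAIN in $ENV via LetsEncrypt :nauseated_face:"
    return 1
  fi

  # Persist everything lego produced; a failure here must not be reported as a
  # successful update, since the next run would start from stale state.
  if ! vault write "$VAULT_SECRET" \
      "$DOMAIN.json=@$CERT_DIR/$DOMAIN.json" \
      last_update_unixtime="$(date +%s)" \
      last_update="$(date)" \
      cert="@$CERT_DIR/$DOMAIN.crt" \
      key="@$CERT_DIR/$DOMAIN.key" \
      "$DOMAIN.crt=@$CERT_DIR/$DOMAIN.crt" \
      "$DOMAIN.issuer.crt=@$CERT_DIR/$DOMAIN.issuer.crt" \
      "$DOMAIN.key=@$CERT_DIR/$DOMAIN.key" \
      "$DOMAIN.pem=@$CERT_DIR/$DOMAIN.pem" \
      account.json="@$ACCOUNT_DIR/account.json" \
      account_key="@$ACCOUNT_DIR/keys/$ACC.key"; then
    echo "Vault write error" >&2
    notify "Error updating certificate for $DOMAIN in $ENV via LetsEncrypt :nauseated_face:"
    return 1
  fi

  local domhash
  domhash=$(domain_hash "$DOMAIN")
  if ! consul kv put "traefik/entrypoints/https/tls/certificates/$domhash/certfile" "@$CERT_DIR/$DOMAIN.crt" ||
     ! consul kv put "traefik/entrypoints/https/tls/certificates/$domhash/keyfile" "@$CERT_DIR/$DOMAIN.key"; then
    echo "Consul write error" >&2
    notify "Error updating certificate for $DOMAIN in $ENV via LetsEncrypt :nauseated_face:"
    return 1
  fi

  notify "Updated certificate for $DOMAIN in $ENV via LetsEncrypt :tada:"
}

main "$@"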