Acme-Lego script to issue and renew certificates
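#!/bin/bash
#
# Issue or renew a Let's Encrypt certificate for $DOMAIN with lego.
#
# Flow: restore the ACME account and any previously issued files from Vault
# (secret/$ENV/letsencrypt/$DOMAIN), run lego, write the results back to
# Vault, publish cert/key to Consul for Traefik, and post the outcome to a
# Mattermost webhook.
#
# Required env: DOMAIN, ENV, ACC (the ACME account e-mail).
# Optional env: MATTERMOST_WEBHOOK — the hook URL is effectively a credential,
#               so prefer passing it in rather than relying on the default below.
# The lego dnsmadeeasy provider takes its own credentials from the environment
# (see lego's documentation for the variable names).
#
# Exit status: lego's exit status (0 on a successful run).
#
#set -x
# No -e: every step is checked explicitly so that a failure still reaches the
# Mattermost alert instead of aborting silently.
set -uo pipefail

: "${DOMAIN:?DOMAIN must be set}"
: "${ENV:?ENV must be set}"
: "${ACC:?ACC (ACME account e-mail) must be set}"
MATTERMOST_WEBHOOK="${MATTERMOST_WEBHOOK:-https://mattermost.domain.com/hooks/4q1cdg9jz3y38bk8ne3ti6w7ue}"
readonly VAULT_SECRET="secret/$ENV/letsencrypt/$DOMAIN"
readonly ACME_DIR="acme-v02.api.letsencrypt.org"

# Private keys are written under this directory: make it unpredictable and
# owner-only (umask 077), and remove it on every exit path, not just at the end.
umask 077
LEGO_PATH=$(mktemp -d "${TMPDIR:-/tmp}/cert-XXXXXX") || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${LEGO_PATH:?}"; }
trap cleanup EXIT
ACCOUNT_DIR="$LEGO_PATH/accounts/$ACME_DIR/$ACC"
CERT_DIR="$LEGO_PATH/certificates"

#######################################
# Minimal JSON string escaping (backslash and double quote) for the
# Mattermost payload, so a DOMAIN/ENV containing quotes cannot break the JSON.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local s=${1//\\/\\\\}
  printf '%s' "${s//\"/\\\"}"
}

#######################################
# Post a message to the Mattermost webhook.
# Globals:   MATTERMOST_WEBHOOK (read)
# Arguments: $1 - message text
#######################################
notify() {
  local text
  text=$(json_escape "$1")
  curl -i -X POST -H "Content-Type: application/json" -d "{\"text\": \"$text\"}" "$MATTERMOST_WEBHOOK"
}

# Restore the ACME account from Vault. Each field is read exactly once; a
# failed read removes the (empty) target file so lego never sees a bogus one.
mkdir -p "$ACCOUNT_DIR/keys"
if vault read -field=account.json "$VAULT_SECRET" > "$ACCOUNT_DIR/account.json" 2>/dev/null; then
  echo "Credentials found"
  vault read -field=account_key "$VAULT_SECRET" > "$ACCOUNT_DIR/keys/$ACC.key" \
    || { rm -f -- "$ACCOUNT_DIR/keys/$ACC.key"; echo "account_key not found in vault" >&2; }
else
  rm -f -- "$ACCOUNT_DIR/account.json"
  echo "Credentials not found"
fi

# Restore previously issued files so lego can renew instead of issuing anew.
mkdir -p "$CERT_DIR"
for file in "$DOMAIN.json" "$DOMAIN.crt" "$DOMAIN.issuer.crt" "$DOMAIN.key" "$DOMAIN.pem"; do
  if vault read -field="$file" "$VAULT_SECRET" > "$CERT_DIR/$file" 2>/dev/null; then
    echo "$file found in vault"
  else
    rm -f -- "$CERT_DIR/$file"
    echo "$file not found in vault"
  fi
done

lego -d "$DOMAIN" -a --email "$ACC" --dns dnsmadeeasy --pem --path "$LEGO_PATH" --dns.resolvers 8.8.8.8 run
lego_rc=$?

if (( lego_rc == 0 )); then
  vault write "$VAULT_SECRET" \
    "$DOMAIN.json=@$CERT_DIR/$DOMAIN.json" \
    last_update_unixtime="$(date +%s)" \
    last_update="$(date)" \
    "cert=@$CERT_DIR/$DOMAIN.crt" \
    "key=@$CERT_DIR/$DOMAIN.key" \
    "$DOMAIN.crt=@$CERT_DIR/$DOMAIN.crt" \
    "$DOMAIN.issuer.crt=@$CERT_DIR/$DOMAIN.issuer.crt" \
    "$DOMAIN.key=@$CERT_DIR/$DOMAIN.key" \
    "$DOMAIN.pem=@$CERT_DIR/$DOMAIN.pem" \
    "account.json=@$ACCOUNT_DIR/account.json" \
    "account_key=@$ACCOUNT_DIR/keys/$ACC.key" \
    || echo "warning: vault write to $VAULT_SECRET failed" >&2

  # Consul key name: the decimal digits of md5("$DOMAIN\n") — the first four,
  # then the output of `tail -c 4 | tr -d '\n'`, which is the last THREE digits
  # because tail's 4 bytes include the trailing newline. This 7-character quirk
  # is kept deliberately so existing Traefik keys keep resolving.
  digits=$(printf '%s\n' "$DOMAIN" | md5sum | sed 's/[a-z+|\ +|-]//g')
  DOMHASH=$(printf '%s\n' "$digits" | head -c 4)$(printf '%s\n' "$digits" | tail -c 4 | tr -d '\n')
  consul kv put "traefik/entrypoints/https/tls/certificates/$DOMHASH/certfile" "@$CERT_DIR/$DOMAIN.crt" \
    || echo "warning: consul kv put of certfile for $DOMHASH failed" >&2
  consul kv put "traefik/entrypoints/https/tls/certificates/$DOMHASH/keyfile" "@$CERT_DIR/$DOMAIN.key" \
    || echo "warning: consul kv put of keyfile for $DOMHASH failed" >&2

  # send mattermost alert
  notify "Updated certificate for $DOMAIN in $ENV via LetsEncrypt :tada:"
else
  echo "Lego error" >&2
  # send mattermost alert
  notify "Error updating certificate for $DOMAIN in $ENV via LetsEncrypt :nauseated_face:"
fi

# $LEGO_PATH is removed by the EXIT trap.
exit "$lego_rc"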