Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create and apply Letsencrypt certificates to Gandi vhosts using certbot
#!/bin/sh
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# sslgen-gandihosts.sh
#
# v04 - 2016-08-10 combibe create and update loop
# v03 - 2016-08-10 more cleanups
# v02 - 2016-08-04 lots of cleanups, improved loop for updates
# v01 - basic functionality
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# generate and update letsencrypt certificates for gandi
# from a remote host.
# this script can be run via cron to check for and expirations and
# handle certificate renewals
# certbot recommends running twice a day
# plugin connects via sftp to sftp.dc2.gpaas.net
# it requires certbot and the gandi letsencrypt plugin
# check the requirements:
# https://github.com/Gandi/letsencrypt-gandi#requirements-1
# Letsencrypt: https://letsencrypt.org/
# Certbot: https://certbot.eff.org/
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# define the certbot binary and usage options
# ---------------------------------------------------------------------
# certbot binary
CERTBOT=/usr/local/bin/certbot
LEDIR=/mnt/backup/scripts/sslcert
CONFIGDIR=$LEDIR/.letsencrypt
WORKDIR=$LEDIR/.letsencrypt
LOGSDIR=$LEDIR/.letsencrypt
# certbot OPTIONS: https://certbot.eff.org/docs/using.html#command-line-options
# Useful option when testing: --dry-run
GENOPTS="--non-interactive --agree-tos"
# useful options: --quiet --force-renew
# --keep-until-expiring seems to be automatically set even when using certonly\
# --force-renew can be used to test if the updating works correctly
UPDATEOPTS="certonly --quiet --non-interactive --keep-until-expiring"
# ---------------------------------------------------------------------
# define the certbot binary and usage options
# ---------------------------------------------------------------------
# read user specific variables from a pwrc file
# to create this file, simply take the commented lines from this section,
# create the file, uncomment and set the variables correctly
. $LEDIR/sslgen-gandihosts.pwrc
# the name of the hosting instance
#SHSNAME=my-hosting-instance
# the host that you want to generate a certificate for
#HOSTLIST="\
# host1.com \
# site2.net \
# blog3.org \
# shop4.com"
#HOSTLIST="host1.com site2.net"
# Email contact
#EMAIL=my-LE-email@myhost.com
# the API key, available from your Gandi Account Management
# Note: the test needs the real API key, not the test API key...
#LIVEAPIKEY=MY-API-KEY
#TESTAPIKEY=$TESTAPIKEY
# ---------------------------------------------------------------------
# LIVE create / update / renewal
# ---------------------------------------------------------------------
# Note: the --domain option cannot be used with 'renew':
# Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
# update all certificates stored
# Workaround: do one at a time, use the certonly option with --keep-until-expiring
create_update_cert() {
echo Running with options "$CERTOPTS"
for VHOST in $HOSTLIST
do
echo $ACTION certificate for $VHOST...
$CERTBOT $CERTOPTS \
--domains $VHOST \
--config-dir $CONFIGDIR \
--work-dir $WORKDIR \
--logs-dir $LOGSDIR \
--authenticator letsencrypt-gandi:gandi-shs \
--letsencrypt-gandi:gandi-shs-name $SHSNAME \
--letsencrypt-gandi:gandi-shs-vhost $VHOST \
--letsencrypt-gandi:gandi-shs-api-key $LIVEAPIKEY \
--installer letsencrypt-gandi:gandi-shs
done
}
# ---------------------------------------------------------------------
# for debugging with the test server
# ---------------------------------------------------------------------
# Note: needs the real API key, not the test API key...
test_cert() {
echo Email $EMAIL
echo Instance: $SHSNAME
# commented out since I'm not sure what it really tests on the Gandi site
# note that it needs your real API key, not the TEST API key
echo $CERTBOT \
run --domains $VHOST \
--server https://acme-staging.api.letsencrypt.org/directory --break-my-certs \
--config-dir $CONFIGDIR \
--work-dir $WORKDIR \
--logs-dir $LOGSDIR \
--authenticator letsencrypt-gandi:gandi-shs \
--letsencrypt-gandi:gandi-shs-name $SHSNAME \
--letsencrypt-gandi:gandi-shs-vhost $VHOST \
--letsencrypt-gandi:gandi-shs-api-key $TESTAPIKEY \
--installer letsencrypt-gandi:gandi-shs
}
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# main()
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Check https://www.ssllabs.com/ssltest/analyze.html?d=$VHOST
# to see the quality of your ssl enabled site
echo Starting certbot operations for $HOSTLIST...
if [ "$1" == "test" ]; then
ACTION="TESTING"
test_cert
elif [ "$1" == "create" ]; then
ACTION="GENERATING"
CERTOPTS=$GENOPTS
create_update_cert
elif [ "$1" == "update" ]; then
ACTION="UPDATING"
CERTOPTS=$UPDATEOPTS
create_update_cert
elif [ -z "$1" ]; then
echo Usage: "sslgen-gandihosts.sh <create|update|test>"
else
echo Unrecognized argument: "$1"
echo Usage: "sslgen-gandihosts.sh <create|update|test>"
fi
exit
@zessx

This comment has been minimized.

Copy link

commented Nov 22, 2016

You may need to wrap every $SHSNAME instance with quotes if your instance name contains spaces.

@zessx

This comment has been minimized.

Copy link

commented Nov 22, 2016

And I'm not sure to understand these too lines, I think there's a typo:

#LIVEAPIKEY=MY-API-KEY
#TESTAPIKEY=$TESTAPIKEY
@xfra35

This comment has been minimized.

Copy link

commented Feb 20, 2017

Thanks for sharing that script.

I think the first line should be #!/bin/bash as running it with sh throws [: test: unexpected operator.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.