Cron script to renew Let's Encrypt certs using the official client
#!/bin/bash
# This is free and unencumbered software released into the public domain.
#
# This script is designed to be run daily by cron. Please run it with randomness in its timing to
# avoid load spikes at Let's Encrypt. One example, running between midnight and 2 AM, would be:
#
# 0 0 * * * sleep $[(RANDOM % 115)+5]m ; /usr/sbin/letsencrypt-renew.sh
#
# If you aren't using Nginx, adjust the startServer and stopServer functions to suit. Alternatively, you
# could use the webroot method.
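# Renewal window in seconds: a certificate that expires sooner than this is renewed.
readonly FOUR_WEEKS=$((4*7*86400))
# Overridable from the environment (e.g. for testing); defaults to FOUR_WEEKS.
readonly RENEW_LESS_THAN_SEC=${RENEW_LESS_THAN_SEC:-${FOUR_WEEKS}}
# Absolute tool paths: cron runs with a minimal PATH, so do not rely on lookup.
readonly FIND=/usr/bin/find
readonly SERVICE=/usr/sbin/service
readonly OPENSSL=/usr/bin/openssl
readonly LETSENCRYPT=/root/.local/share/letsencrypt/bin/letsencrypt
# Without a live directory there is nothing to renew; say so on stderr instead of
# exiting silently, so the cron mail explains the non-zero status.
if [ ! -d /etc/letsencrypt/live ]; then
  echo "No /etc/letsencrypt/live directory found; nothing to renew" >&2
  exit 1
fi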
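#######################################
# Stop nginx once before the first renewal (presumably so the ACME client can
# serve challenges on the web ports itself; see the header about the webroot
# alternative). Later calls are no-ops.
# Globals:   serverStopped (read/written; treated as 0 when unset), SERVICE (read)
# Outputs:   none (service output is discarded)
#######################################
function stopServer {
  # Default to 0 so an unset flag cannot break the numeric test.
  if [ "${serverStopped:-0}" -eq 0 ] ; then
    "${SERVICE}" nginx stop >/dev/null 2>&1
    serverStopped=1
  fi
}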
#######################################
# Bring nginx back up; all service output is discarded so cron mail stays quiet.
# Globals:   SERVICE (read)
# Returns:   exit status of the service command
#######################################
function startServer {
  "${SERVICE}" nginx start &>/dev/null
}
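#######################################
# Run the client for one certificate's domain list. The client's output goes to
# the renewal log; on failure the log is echoed so the cron mail shows why.
# Arguments: $1 - space-separated "-d name" pairs, as built by process
# Globals:   LETSENCRYPT (read), RENEW_LOG (read; optional override of the log path)
# Outputs:   progress line, plus the log contents on failure
#######################################
function issueCert {
  local domains=${1}
  local log=${RENEW_LOG:-/var/log/letsencrypt/renew.log}
  local -a args
  # Split on whitespace without pathname expansion: a wildcard name such as
  # *.example.com must reach the client literally, not be globbed against cwd.
  read -r -a args <<< "${domains}"
  echo "Time to renew for domains ${domains}"
  if ! "${LETSENCRYPT}" certonly -tvv --keep "${args[@]}" > "${log}" 2>&1 ; then
    echo "Automated renewal failed:"
    cat "${log}"
  fi
}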
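#######################################
# Collect the CN and every DNS SAN of a certificate and hand them to issueCert.
# Arguments: $1 - path to a cert.pem
# Globals:   OPENSSL (read), exitcode (set to 0 once a renewal was attempted)
# Outputs:   a message on stderr when no names could be extracted
# Returns:   1 when the certificate yielded no domain names, else issueCert's status
#######################################
function process {
  local cert=${1}
  local subject subjectaltnames name
  local -a names domains
  # RFC2253 formatting keeps "CN=" unspaced regardless of OpenSSL version. Strip
  # the label with sed: the previous tr -d 'CN=' deleted every 'C', 'N' and '='
  # character from the name itself, not just the prefix.
  subject="$("${OPENSSL}" x509 -noout -subject -nameopt RFC2253 -in "${cert}" \
    | grep -o -E 'CN=[^ ,]+' | sed 's/^CN=//')"
  # The SAN list is on the line after the extension header; drop whitespace and
  # the DNS: labels, then turn commas into spaces.
  subjectaltnames="$("${OPENSSL}" x509 -noout -text -in "${cert}" \
    | sed -n '/X509v3 Subject Alternative Name/{n;p}' \
    | sed 's/[[:space:]]//g; s/DNS://g; s/,/ /g')"
  # read -a splits on whitespace without globbing, so a wildcard SAN such as
  # *.example.com is not expanded against the current directory.
  read -r -a names <<< "${subjectaltnames}"
  domains=()
  [ -n "${subject}" ] && domains+=(-d "${subject}")
  for name in "${names[@]}"; do
    if [ "${name}" != "${subject}" ]; then
      domains+=(-d "${name}")
    fi
  done
  if [ "${#domains[@]}" -eq 0 ]; then
    echo "No domain names found in ${cert}; skipping" >&2
    return 1
  fi
  # issueCert takes a single space-joined string, so keep that interface.
  issueCert "${domains[*]}"
  exitcode=0
}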
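# --- main ---------------------------------------------------------------------
# Everything below needs root: stopping nginx and writing under /etc and /var/log.
if [ "${UID}" -ne 0 ] ; then
  echo "Must be root" >&2
  exit 1
fi
serverStopped=0
# 1 means "nothing was renewed"; process sets it to 0 after attempting a renewal.
exitcode=1
# Restore nginx on every exit path. An EXIT trap also runs when bash is
# terminated by INT/TERM/HUP, whereas a signal-only trap that merely called
# startServer would return into the loop with the server running again.
trap startServer EXIT
# NUL-delimited iteration so a path with whitespace is never split.
while IFS= read -r -d '' cert; do
  # -checkend fails when the cert expires within RENEW_LESS_THAN_SEC seconds.
  if ! "${OPENSSL}" x509 -noout -checkend "${RENEW_LESS_THAN_SEC}" -in "${cert}"; then
    stopServer
    process "${cert}"
  fi
done < <("${FIND}" /etc/letsencrypt/live -name cert.pem -print0)
exit "${exitcode}"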