Taken from: https://www.howtoforge.com/community/threads/securing-ispconfig-3-control-panel-port-8080-with-lets-encrypt-free-ssl.75554/page-4#post-357460. What I'm actually using for pure-ftpd at the moment is the below script, run from a cronjob; rather than testing file timestamps it actually compares the certificate serial number handed out b…
#!/bin/bash
# letsencrypt-for-pure-ftpd.sh: compares the ssl certficate/key used by pure-ftpd
# with the current certificate/key issued by letsencrypt and copy the latter
# to the former if they differ.
# this can be run as a cronjob to propogate letsencrypt certificate changes
# to pure-ftpd
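# Paths are overridable from the environment so the same script can serve
# another host without editing; defaults match the original deployment.
PUREFTPD_CERT=${PUREFTPD_CERT:-/etc/ssl/private/pure-ftpd.pem}
LE_DOMAIN=${LE_DOMAIN:-jhit.org}
LE_DIR=/etc/letsencrypt/live/${LE_DOMAIN}
LE_CA=${LE_DIR}/chain.pem
LE_CERT=${LE_DIR}/cert.pem
LE_FULLCHAIN=${LE_DIR}/fullchain.pem
LE_KEY=${LE_DIR}/privkey.pem
# command -v is the portable replacement for `which`; it expands to the empty
# string when openssl is not installed.
OPENSSL=$(command -v openssl 2>/dev/null)
# Check if letsencrypt has been setup
for f in "${LE_CA}" "${LE_CERT}" "${LE_FULLCHAIN}" "${LE_KEY}"; do
  if [ ! -f "${f}" ]; then
    # Exit status 0 is deliberate: a cron run before certbot has been set up
    # is not an error condition for the job itself.
    echo "Letsencrypt files not found. You must setup letsencrypt and issue a certificate first." 1>&2
    exit 0
  fi
done
# Check openssl binary exists.  The variable must be tested quoted: with an
# empty value an unquoted test collapses to `[ ! -f ]`, which is true-ish
# and silently passes, so a missing openssl would only surface later as
# "command not found" in the certificate comparison.
if [ -z "${OPENSSL}" ] || [ ! -x "${OPENSSL}" ]; then
  echo "Cannot find openssl. Exiting." 1>&2
  exit 1
fi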
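#######################################
# setup_cert() copies/formats the letsencrypt files for pure-ftpd:
# the combined file is the private key followed by the full chain.
# Globals:   LE_KEY, LE_FULLCHAIN (read), PUREFTPD_CERT (written)
# Returns:   0 on success, 1 if the file could not be written, owned or
#            renamed (a partially written temp file is removed)
#######################################
function setup_cert() {
  local tmp
  # Build the file next to its destination under a mktemp-created name:
  # mktemp creates it mode 0600, so the private key is never world-readable
  # even briefly (a plain `>` redirect would honour the caller's umask until
  # chmod ran), and the final rename is atomic, so a running pure-ftpd never
  # reads a truncated file.
  tmp=$(mktemp "${PUREFTPD_CERT}.XXXXXX") || return 1
  if ! cat "${LE_KEY}" "${LE_FULLCHAIN}" > "${tmp}" \
     || ! chown root:ssl-cert "${tmp}" \
     || ! chmod 640 "${tmp}" \
     || ! mv -f "${tmp}" "${PUREFTPD_CERT}"; then
    rm -f "${tmp}"
    return 1
  fi
}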
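#######################################
# restart pureftpd if it is running
# Returns:   the restart's exit status, or 0 when the service is not running
#######################################
function restart_pureftpd_if_running() {
  # Let `if` consume the status exit code directly instead of testing $?
  # on the following line, where an inserted statement would clobber it.
  if service pure-ftpd-mysql status >/dev/null 2>&1; then
    service pure-ftpd-mysql restart >/dev/null
  fi
}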
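#######################################
# restart postfix if it is running
# Returns:   the restart's exit status, or 0 when the service is not running
#######################################
function restart_postfix_if_running() {
  # Let `if` consume the status exit code directly instead of testing $?
  # on the following line, where an inserted statement would clobber it.
  if service postfix status >/dev/null 2>&1; then
    service postfix restart >/dev/null
  fi
}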
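#######################################
# restart dovecot if it is running
# Returns:   the restart's exit status, or 0 when the service is not running
#######################################
function restart_dovecot_if_running() {
  # Let `if` consume the status exit code directly instead of testing $?
  # on the following line, where an inserted statement would clobber it.
  if service dovecot status >/dev/null 2>&1; then
    service dovecot restart >/dev/null
  fi
}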
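if [ ! -f "${PUREFTPD_CERT}" ]; then
  # First run: nothing to compare against, just install and (re)start.
  setup_cert && restart_pureftpd_if_running
else # check if keys/certificates changed
  # Compare the public keys rather than `rsa -modulus`, so the check also
  # works for EC keys; `pkey -in` reads the first private key in each file,
  # and the combined pure-ftpd file starts with the key.
  le_pubkey=$("${OPENSSL}" pkey -in "${LE_KEY}" -pubout)
  pureftpd_pubkey=$("${OPENSSL}" pkey -in "${PUREFTPD_CERT}" -pubout)
  # `x509 -in` reads the first certificate in each file.
  le_serial=$("${OPENSSL}" x509 -noout -serial -in "${LE_CERT}")
  pureftpd_file_serial=$("${OPENSSL}" x509 -noout -serial -in "${PUREFTPD_CERT}")
  # Serial of the certificate the live daemon is actually presenting; empty
  # when nothing is listening on :21 or the STARTTLS handshake fails.
  pureftpd_running_serial=$("${OPENSSL}" s_client -connect localhost:21 -starttls ftp </dev/null 2>/dev/null \
    | "${OPENSSL}" x509 -serial -noout 2>/dev/null)
  changed=0
  if [ "${le_pubkey}" != "${pureftpd_pubkey}" ] || [ "${le_serial}" != "${pureftpd_file_serial}" ]; then
    # The on-disk copy is stale.
    changed=1
  elif [ -n "${pureftpd_running_serial}" ] && [ "${le_serial}" != "${pureftpd_running_serial}" ]; then
    # File is current but the running daemon still serves the old cert.
    # An empty running serial is not treated as a mismatch: it means the
    # daemon could not be probed, and restarting dovecot/postfix on every
    # cron run because ftp is down would be pure churn.
    changed=1
  fi
  if [ "${changed}" -eq 1 ]; then
    setup_cert && restart_pureftpd_if_running && restart_dovecot_if_running && restart_postfix_if_running
  fi
fi
exit 0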
# chmod +x /usr/local/sbin/letsencrypt-for-pure-ftpd.sh
# echo '25 3 * * * root /usr/local/sbin/letsencrypt-for-pure-ftpd.sh' >> /etc/cron.d/letsencrypt-restarts