|
#!/bin/bash |
|
|
|
# Flipped to true by get_certificate after a certificate has been replaced;
# the tail of the script reloads haproxy once when it is true.
reload_required=false

# Renewal threshold in days: a certificate with this many days or fewer
# remaining is renewed.
exp_limit=30
|
|
|
# returns 0 if no renewal is needed, 1 otherwise
|
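#######################################
# Check whether a certificate still has more than exp_limit days of validity.
# Globals:   exp_limit (read) - renewal threshold in days
# Arguments: $1 - path to the PEM certificate file
#            $2 - optional label used in messages (defaults to $1)
# Outputs:   progress messages on stdout, read/parse errors on stderr
# Returns:   0 if no renewal is needed, 1 if the certificate expires within
#            exp_limit days or could not be read
#######################################
check_cert_still_valid() {
  local cert_file=$1
  # The original printed the global $domain here, which is empty when the
  # script loops over all domains; fall back to the file path instead.
  local label=${2:-$cert_file}
  local not_after exp datenow days_exp

  echo "Checking expiration date for $label..."

  # -enddate prints "notAfter=<date>"; strip the prefix rather than relying on
  # a fixed column offset in the -text dump. An unreadable certificate is
  # reported explicitly instead of leaking through as an empty comparison.
  if ! not_after=$(openssl x509 -in "$cert_file" -enddate -noout); then
    echo "Could not read certificate $cert_file; treating it as expired." >&2
    return 1
  fi
  not_after=${not_after#notAfter=}

  if ! exp=$(date -d "$not_after" +%s); then
    echo "Could not parse expiry date '$not_after' of $cert_file; treating it as expired." >&2
    return 1
  fi
  datenow=$(date +%s)
  # Whole days remaining, truncated toward zero (same as the former bc call).
  days_exp=$(( (exp - datenow) / 86400 ))

  if [[ "$days_exp" -gt "$exp_limit" ]]; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    return 0
  fi

  echo "The certificate $cert_file is about to expire soon. Starting renewal..."
  return 1
}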
|
|
|
|
|
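#######################################
# Request a new certificate for a domain via certbot and rebuild the haproxy
# bundle when certbot succeeds.
# Globals:   reload_required (written) - set to true once the bundle was rebuilt
# Arguments: $1 - domain name
#            $2 - path where certbot should write the certificate
# Outputs:   progress messages on stdout, failures on stderr
# Returns:   0 when the certificate was renewed and bundled, 1 otherwise
#######################################
get_certificate() {
  local domain=$1
  local cert_file=$2
  local cert_dir="/home/certbot/certs/${domain}"
  local csr_file="${cert_dir}/${domain}.csr"
  local chain_file="${cert_dir}/chain.pem"
  local fullchain_file="${cert_dir}/fullchain.pem"

  # Certbot refuses to overwrite existing files, so remove anything that might
  # get in the way. The certificate used by haproxy is kept separately, so no
  # harm is done by deleting these files.
  rm -f -- "$cert_file" "$chain_file" "$fullchain_file"

  if ! certbot certonly --csr "$csr_file" --cert-path "$cert_file" \
      --chain-path "$chain_file" --fullchain-path "$fullchain_file"; then
    echo "certbot failed, not replacing installed certificate for ${domain}" >&2
    return 1
  fi

  # The original message referenced an undefined $combined_file; name the
  # bundle step instead.
  echo "Creating haproxy bundle for $domain with latest certs..."
  # Only schedule a reload when the bundle was actually rebuilt; reloading
  # haproxy after a failed bundle step would not pick up anything new.
  if ! sudo /usr/local/sbin/le-haproxy-bundle "$domain"; then
    echo "Bundling failed for ${domain}; haproxy will not be reloaded for it" >&2
    return 1
  fi

  echo "Renewal process finished for domain $domain"
  reload_required=true
}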
|
|
|
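#######################################
# Renew the certificate for one domain if it is missing or about to expire.
# Arguments: $1 - domain name; also the directory name under /home/certbot/certs
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   1 if the domain name is rejected, otherwise the status of the
#            renewal step (0 when the certificate is still valid)
#######################################
process_certificate() {
  local domain=$1
  local cert_file

  # The domain becomes part of filesystem paths that are later removed and
  # rewritten, so refuse empty names, names containing a path separator and
  # names starting with '.' (covers '.' and '..').
  case "$domain" in
    ''|*/*|.*)
      echo "Invalid domain name '${domain}', skipping." >&2
      return 1
      ;;
  esac
  cert_file="/home/certbot/certs/${domain}/${domain}.crt"

  if [[ ! -f "$cert_file" ]]; then
    echo "No certificate for domain $domain exists yet. Creating one..."
    get_certificate "$domain" "$cert_file"
    return
  fi

  # check_cert_still_valid returns 0 when no renewal is needed; the domain is
  # passed as the label so messages name the domain rather than the path.
  if ! check_cert_still_valid "$cert_file" "$domain"; then
    get_certificate "$domain" "$cert_file"
  fi
}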
|
|
|
|
|
|
|
|
|
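# Entry point: renew the domain given as $1, or every domain that has a
# directory under /home/certbot/certs when no argument is given, then reload
# haproxy once if any certificate was replaced.
domain=${1:-}

if [[ -z "$domain" ]]; then
  # Glob directories instead of parsing `ls` output; entries that are not
  # directories (and the literal pattern left by an unmatched glob) are skipped.
  for cert_dir in /home/certbot/certs/*/; do
    [[ -d "$cert_dir" ]] || continue
    cert_dir=${cert_dir%/}
    process_certificate "${cert_dir##*/}"
  done
else
  process_certificate "$domain"
fi

if [[ "$reload_required" = true ]]; then
  echo "Reloading haproxy"
  sudo /usr/sbin/service haproxy reload || echo "haproxy reload failed" >&2
fi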
|
|