Last active
January 2, 2017 15:51
-
-
Save kchristensen/532e1f2222614e586d12 to your computer and use it in GitHub Desktop.
Automatically renew SSL certificates issued by letsencrypt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env bash | |
| function help() { | |
| echo "Usage: $0 -d <DOMAIN> -e <EMAIL> -s <KEYSIZE>" | |
| exit 1 | |
| } | |
| DAYS_TO_RENEW=35 | |
| EMAIL="kyle@junglist.org" | |
| KEY_SIZE=2048 | |
| OPTIND=1 | |
| NGINX_ROOT=/www | |
| PATH=/root/.local/share/letsencrypt/bin/:$PATH | |
| SSL_PATH=${NGINX_ROOT}/etc/ssl | |
| while getopts "h:d:e:s:" opt; do | |
| case "$opt" in | |
| h) | |
| help | |
| exit 1 | |
| ;; | |
| d) | |
| DOMAIN=$OPTARG | |
| END_DATE=$(openssl x509 -noout -enddate -in /${SSL_PATH}/crt/${DOMAIN}.crt 2>&1|awk -FnotAfter= '{print $2}') | |
| DAYS_LEFT=$((($(date --date="$END_DATE" +%s) - $(date +%s)) / 86400)) | |
| ;; | |
| e) | |
| EMAIL=$OPTARG | |
| ;; | |
| s) | |
| KEY_SIZE=$OPTARG | |
| ;; | |
| esac | |
| done | |
| shift $((OPTIND-1)) | |
| if [ -z $DOMAIN ]; | |
| then | |
| echo "You must specify a domain name." | |
| exit 1 | |
| fi | |
| if [[ $EUID -ne 0 ]]; | |
| then | |
| echo "Error: You must be root to run this!" | |
| exit 1 | |
| fi | |
| if [[ $DAYS_LEFT -gt $DAYS_TO_RENEW ]]; | |
| then | |
| echo "Error: Not attempting renewal for ${DOMAIN}, certificate does not expire for ${DAYS_LEFT} days" | |
| exit 1 | |
| fi | |
| echo "Requesting updated certificate for ${DOMAIN}" | |
| CERTBOT_AUTO=$0 certbot \ | |
| certonly \ | |
| -d ${DOMAIN} \ | |
| -d www.${DOMAIN} \ | |
| --email ${EMAIL} \ | |
| --quiet \ | |
| --renew-by-default \ | |
| --rsa-key-size ${KEY_SIZE} \ | |
| --webroot \ | |
| --webroot-path ${NGINX_ROOT}/html/${DOMAIN} | |
| NEW_MD5=$(md5sum /etc/letsencrypt/live/${DOMAIN}/fullchain.pem|awk '{print $1}') | |
| OLD_MD5=$(md5sum ${SSL_PATH}/crt/${DOMAIN}.crt 2>&1|awk '{print $1}') | |
| if [ "$NEW_MD5" != "$OLD_MD5" ]; | |
| then | |
| echo "Refreshing SSL certificate for ${DOMAIN}" | |
| cat /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > ${SSL_PATH}/crt/${DOMAIN}.crt | |
| cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem > ${SSL_PATH}/key/${DOMAIN}.key | |
| chmod 400 /etc/letsencrypt/live/${DOMAIN}/privkey.pem ${SSL_PATH}/key/${DOMAIN}.key | |
| END_DATE=$(openssl x509 -noout -enddate -in /${SSL_PATH}/crt/${DOMAIN}.crt 2>&1|awk -FnotAfter= '{print $2}') | |
| DAYS_LEFT=$((($(date --date="$END_DATE" +%s) - $(date +%s)) / 86400)) | |
| CONFIGTEST=$(service nginx configtest > /dev/null 2>&1) | |
| if [ $? -eq 0 ]; | |
| then | |
| MSG="Nginx config checked out, reloading Nginx" | |
| SUB="SSL certificate renewal successful for ${DOMAIN}, expires in ${DAYS_LEFT} days" | |
| service nginx reload > /dev/null 2>&1 | |
| else | |
| MSG="An error occurred during the renewal process for ${DOMAIN}, aborting Nginx restart" | |
| SUB="SSL certificate renewal failure for ${DOMAIN}, expires in ${DAYS_LEFT} days" | |
| fi | |
| echo $MSG | |
| echo $MSG|mail -r $EMAIL -s "$SUB" $EMAIL | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment