This script renews the LetsEncrypt certificates in a firewalled EC2 machine inside AWS VPC
#!/usr/bin/env bash
#
# This script would help to automate renewal of LetsEncrypt TLS certificates in a Linux machine
# running nginx web server on AWS EC2.
# What it does:
# 1. it stops nginx
# 2. it opens incoming firewall ports 80 and 443 for certbot host verification
# 3. it runs certbot to renew certificates. Certbot launches a standalone HTTP server on port 80 or 443
# 4. it closes incoming firewall ports 80 and 443
# 5. it starts nginx
#
# If everything works fine then nginx is down for a few seconds only.
#
# The script is not meant to be executed in production environments with heavy HTTP traffic.
#
# IT WILL CAUSE AT LEAST SOME DOWNTIME!
#
# The script requires awscli installed on the machine.
#
# This script has been tested on Ubuntu 16 and newer but should also work on Debian.
#
# Author Sven Varkel <sven@investorise.com>
# Copyright 2019 Sven Varkel
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
set -u

export AWS_DEFAULT_REGION="us-east-1"
export GROUP_ID="<ADD SECURITY GROUP ID HERE>"
AWS=/usr/local/bin/aws

if [[ "$GROUP_ID" == "<ADD SECURITY GROUP ID HERE>" ]]; then
  echo "error: set GROUP_ID to the security group attached to this instance" >&2
  exit 1
fi

# Always close the firewall ports and bring nginx back, even if certbot fails or
# the script is interrupted, so a failed renewal does not leave 80/443 open to the world.
cleanup() {
  "$AWS" ec2 revoke-security-group-ingress --group-id "$GROUP_ID" --protocol tcp --port 443 --cidr "0.0.0.0/0"
  "$AWS" ec2 revoke-security-group-ingress --group-id "$GROUP_ID" --protocol tcp --port 80 --cidr "0.0.0.0/0"
  systemctl start nginx
}
trap cleanup EXIT

systemctl stop nginx
"$AWS" ec2 authorize-security-group-ingress --group-id "$GROUP_ID" --protocol tcp --port 443 --cidr "0.0.0.0/0"
"$AWS" ec2 authorize-security-group-ingress --group-id "$GROUP_ID" --protocol tcp --port 80 --cidr "0.0.0.0/0"

# certbot reuses the authenticator recorded when each certificate was issued, so only
# certificates originally obtained with the standalone authenticator are renewed this way.
/usr/bin/certbot renew -n
status=$?

echo "done."
exit "$status"
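The script above temporarily opens ports 80 and 443 to 0.0.0.0/0; if a run is interrupted between the authorize and revoke calls, those rules stay behind. The following is an added audit check, not part of the gist, that parses `aws ec2 describe-security-groups` output and reports any of those ports still reachable from any address (it also catches all-protocol and port-range rules that cover them). The JSON sample and the group id in it are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --group-ids <id>`
# output (not real AWS data). Rule 1 is a leftover from an interrupted renewal run,
# rule 2 is an ordinary admin rule, rule 3 is an all-traffic IPv6 rule that also covers 80/443.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    }]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports; AWS omits FromPort/ToPort here
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_ports(describe_output, ports=(80, 443)):
    """Return sorted (port, cidr) pairs for the given ports reachable from any address."""
    data = json.loads(describe_output)
    found = set()
    for group in data["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for port in ports:
                if rule_covers_port(rule, port):
                    found.update((port, c) for c in cidrs if c in WORLD_CIDRS)
    return sorted(found)


if __name__ == "__main__":
    leftovers = world_open_ports(SAMPLE_DESCRIBE_OUTPUT)
    for port, cidr in leftovers:
        print(f"port {port} still open to {cidr}")
    raise SystemExit(1 if leftovers else 0)
```

On the instance, feed it the real output of `aws ec2 describe-security-groups --group-ids "$GROUP_ID"` after each renewal run (for example from the same cron job) and alert on a non-zero exit.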