LegoCertHub DownloadCert public
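#!/bin/sh
# https://gist.github.com/levid0s/xxxxxx/
#
# download_cert.sh - fetch a certificate (and optionally its private key) from
# a Cert Warden / LegoCertHub server and install it for a local service.
#
# Usage:
#   download_cert.sh [-h] [-n] [-f]
#     -h: Show help
#     -n: Skip the self-update check
#     -f: Force download/install, skip the "already up to date" comparison
# Version: v20240623
#
# Settings come from config.ini next to this script, one "key=value" per line;
# the FIRST line matching a key wins, so keep only one application section
# active. Keys: lego_server cert_name crt_apikey key_apikey crt_path key_path
# reload_cmd lego_server_lookup name_server update_url.
# Set debug=1 in the environment for verbose output (API keys are redacted).
#
# SECURITY NOTES - read before running this from root's crontab:
#   * config.ini is trusted input: reload_cmd is passed to eval, and the file
#     served at update_url replaces this script and is then executed. Whoever
#     can write config.ini or control update_url (or the network path to it)
#     runs code as the cron user. Keep config.ini root-owned, mode 0600; use an
#     https:// update_url you control, or leave update_url empty / run with -n.
#     No signature or checksum of the update is verified.
#   * lego_server=http://... sends the API keys and the private key in
#     cleartext over the network; prefer https://.
#   * The downloaded key only ever touches a private (0700), randomly named
#     temporary directory that is removed on every exit path; backups are
#     taken with cp -p so they inherit the live file's owner and mode.
#
# Recommended crontab:
#   0 4 * * * $script_path >> /tmp/download_cert.log
set -u

# Colours only when stdout is a terminal. The escape byte is produced with
# printf '\033' because "echo -e" is not available in every /bin/sh (dash,
# busybox ash print a literal "-e").
if test -t 1; then
  esc=$(printf '\033')
  NC="${esc}[0m"; RD="${esc}[1;31m"; YL="${esc}[1;33m"; WH="${esc}[1;37m"
  LC="${esc}[1;36m"; GN="${esc}[1;32m"
else
  NC=''; RD=''; YL=''; WH=''; LC=''; GN=''
fi

script_dir=$(cd "$(dirname "$0")" && pwd)
script_filename=$(basename "$0")
script_path="$script_dir/$script_filename"
ini_file="$script_dir/config.ini"

# Print a log line to stdout (arguments may carry colour codes).
log() { printf '%s\n' "$*"; }
# Print an error to stderr and exit 1.
die() { printf '%s\n' "${RD}$*${NC}" >&2; exit 1; }
# Value of key "$1" from config.ini: first matching line, everything after the
# first '=' (so a value may itself contain '='), CRs stripped.
read_ini() { sed -n "s/^$1=//p" "$ini_file" | head -n 1 | tr -d '\r'; }
# True when file "$1" contains a "-----BEGIN ...$2-----" PEM header.
looks_like_pem() { grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null; }
# Show usage / the recommended crontab line.
usage() {
  log "Usage: $script_filename [-h] [-n] [-f]"
  log "  -h: Show help   -n: Skip update check   -f: Force download"
  log "Recommended crontab:"
  log "0 4 * * * $script_path >> /tmp/download_cert.log"
}

# Option parsing: all arguments are inspected, not just $1, so "-n -f" works.
skip_update=''
force=''
for arg in "$@"; do
  case "$arg" in
    -h) usage; exit 0 ;;
    -n) skip_update=1 ;;
    -f) force=1 ;;
    *) log "${YL}Ignoring unknown option: $arg${NC}" ;;
  esac
done

log "Starting download_cert: $(date +"%Y-%m-%d %H:%M:%S")"
[ -r "$ini_file" ] || die "Config file not found or unreadable: $ini_file"

for key in lego_server cert_name crt_apikey key_apikey crt_path key_path \
           reload_cmd lego_server_lookup name_server update_url; do
  value=$(read_ini "$key")
  # "\$value" is expanded by eval itself, so the config value is assigned
  # verbatim and never parsed as shell code (eval "$key=\"$value\"" would run
  # any $(...) or backticks found in config.ini).
  eval "$key=\$value"
  if [ -n "${debug:-}" ]; then
    case "$key" in
      *apikey) log "read: $key = <redacted>" ;;
      *) log "read: $key = $value" ;;
    esac
  fi
done
for key in lego_server cert_name crt_apikey crt_path; do
  eval "value=\$$key"
  [ -n "$value" ] || die "config.ini must set $key"
done

ts=$(date +%Y%m%d-%H%M%S)
# mktemp -d gives a 0700 directory with an unpredictable name; the fixed
# /tmp/dlcert used before could be pre-created (and read) by any local user,
# which matters because the private key is downloaded into it.
temp_dir=$(mktemp -d "${TMPDIR:-/tmp}/dlcert.XXXXXX") || die "Cannot create temp dir"
trap 'rm -rf -- "${temp_dir:?}"' EXIT
trap 'exit 1' HUP INT TERM

if [ -n "$update_url" ] && [ -z "$skip_update" ]; then
  temp_file="$temp_dir/dl.sh"
  [ -n "${debug:-}" ] && log "Checking for downloader script updates.."
  http_statuscode=$(curl --connect-timeout 10 -s "$update_url" --output "$temp_file" --write-out '%{http_code}')
  if [ "$http_statuscode" != 200 ]; then
    log "${RD}Script download failed: $http_statuscode${NC}"
  elif ! head -n 1 "$temp_file" | grep -q '^#!'; then
    # A 200 whose body is not a script (captive portal, HTML error page) must
    # never overwrite this file.
    log "${RD}Downloaded update is not a shell script, ignoring it${NC}"
  elif cmp -s "$temp_file" "$script_path"; then
    log ">> Downloader script up to date."
  else
    # NOTE: nothing here verifies who produced the update (no signature or
    # checksum); this trusts update_url and the network path completely.
    backup_script="$script_path.$ts.backup"
    log "${GN}>> Found newer downloader script, updating..${NC}"
    log "Backing up: $script_path -> $backup_script"
    # mv (not cp) so the running shell keeps reading the old inode; writing
    # over a script the shell is still reading corrupts its execution.
    mv -- "$script_path" "$backup_script" || die "Backup failed: $backup_script"
    if ! cp -- "$temp_file" "$script_path"; then
      mv -- "$backup_script" "$script_path"
      die "Update failed, restored previous script: $script_path"
    fi
    chmod +x "$script_path"
    log "Updated: $temp_file -> $script_path"
    log "Starting updated script.."
    # -n stops the new copy from going through the update check again.
    "$script_path" -n "$@"
    exit $?
  fi
fi

if [ "$lego_server_lookup" = "true" ]; then
  tmp="${lego_server#*://}"   # drop the scheme
  legohost="${tmp%%/*}"       # drop path / query / fragment
  legohost="${legohost%%:*}"  # drop the port
  # First IPv4 answer only: an IPv6 address cannot be substituted into the URL
  # without brackets, and 'Address: [0-9]' would have accepted one.
  # NOTE(review): with an https:// lego_server this defeats hostname
  # verification; presumably meant for http:// and split-DNS setups - confirm.
  ip_address=$(nslookup "$legohost" ${name_server:+"$name_server"} 2>/dev/null \
    | grep -E 'Address: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print $2}' | head -n 1)
  [ -n "$ip_address" ] || die "Could not resolve $legohost via ${name_server:-system resolver}"
  # Literal replacement of the first occurrence of the hostname (a sed
  # substitution would treat dots in the hostname as regex metacharacters).
  lego_server="${lego_server%%"$legohost"*}$ip_address${lego_server#*"$legohost"}"
  log "Resolved lego server: $lego_server"
fi

api_crt_path="certwarden/api/v1/download/certificates/$cert_name"
api_key_path="certwarden/api/v1/download/privatekeys/$cert_name"
temp_crt="$temp_dir/cert.pem"
temp_key="$temp_dir/key.pem"
backup_crt="${crt_path}.$ts.backup"
backup_key="${key_path}.$ts.backup"

# fetch APIKEY URL OUTFILE: download URL to OUTFILE, print the HTTP status.
# NOTE: -L follows redirects and curl re-sends custom headers (the API key) to
# the redirect target, so lego_server must be a server you trust; the key is
# also visible in `ps` output on the local host for the duration of the call.
fetch() {
  curl -L --connect-timeout 10 -s "$2" -H "apiKey: $1" --output "$3" --write-out '%{http_code}'
}

[ -n "${debug:-}" ] && log "Calling: $lego_server/$api_crt_path"
http_statuscode=$(fetch "$crt_apikey" "$lego_server/$api_crt_path" "$temp_crt")
[ "$http_statuscode" = 200 ] || die "Cert download failed: $http_statuscode"
# Never install a 200 response that is not actually a certificate.
looks_like_pem "$temp_crt" CERTIFICATE || die "Cert download is not a PEM certificate, not installing it"
if [ -z "$force" ]; then
  if cmp -s "$temp_crt" "$crt_path"; then
    log "${WH}>> Certificate already up to date; nothing to do, exiting.${NC}"
    exit 0
  fi
  log "${GN}>> Found newer certificate!${NC}"
fi

update_key=''
if [ -n "$key_apikey" ]; then
  [ -n "$key_path" ] || die "key_apikey is set but key_path is empty"
  [ -n "${debug:-}" ] && log "Calling: $lego_server/$api_key_path"
  http_statuscode=$(fetch "$key_apikey" "$lego_server/$api_key_path" "$temp_key")
  [ "$http_statuscode" = 200 ] || die "Key download failed: $http_statuscode"
  looks_like_pem "$temp_key" 'PRIVATE KEY' || die "Key download is not a PEM private key, not installing it"
  update_key=1
  if [ -z "$force" ] && cmp -s "$temp_key" "$key_path"; then
    log "${WH}>> Keys have not changed.${NC}"
    update_key=''
  fi
fi

## Downloads successful, proceed to install.
# install_file SRC DST BACKUP: back up DST (if present) as BACKUP, then copy
# SRC over DST. cp -p keeps the live file's owner and mode, so a backup of the
# private key is no more readable than the key itself; copying onto an
# existing DST keeps DST's mode as well.
install_file() {
  if [ -f "$2" ]; then
    log "Backing up: $2 -> $3"
    cp -p -- "$2" "$3" || die "Backup failed: $3"
  fi
  log "Updating: $2"
  cp -- "$1" "$2" || die "Install failed: $2"
}
install_file "$temp_crt" "$crt_path" "$backup_crt"
if [ -n "$update_key" ]; then
  # umask 077 in a subshell: a key file created for the first time is 0600,
  # an existing one keeps its mode, and nothing else inherits the umask.
  (umask 077; install_file "$temp_key" "$key_path" "$backup_key") || exit 1
fi

if [ -n "$reload_cmd" ]; then
  log "Reloading service with: $reload_cmd"
  # reload_cmd is shell code taken from config.ini and is deliberately run
  # through eval (the Plex example is a pipeline with &&); this is why
  # config.ini must only be writable by the user running this script.
  eval "$reload_cmd" || log "${RD}Reload command failed (exit $?)${NC}"
fi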
# Generic settings - used by every install.
# download_cert.sh expects a single value per key, so keep exactly one of the
# application sections below (Adguard Home, OpenWRT, Proxmox, Plex) active and
# comment out or delete the others.
# This file is trusted input: reload_cmd is executed by the script as the user
# running it (root from cron), so keep it root-owned and mode 0600.
cert_name=xxxx | |
crt_apikey=.... | |
key_apikey=.... | |
# The API keys above are sent as HTTP headers: over http:// they (and the
# downloaded private key) travel in cleartext. Prefer https:// where possible.
lego_server=http://xxxx:4050
lego_server_lookup=true | |
name_server=192.168.1.1 | |
# Adguard Home | |
crt_path=/opt/AdGuardHome/cert/tls.crt | |
key_path=/opt/AdGuardHome/cert/tls.key | |
reload_cmd=service AdGuardHome restart | |
# OpenWRT | |
crt_path=/etc/uhttpd.crt | |
key_path=/etc/uhttpd.key | |
reload_cmd=service uhttpd restart | |
# Proxmox | |
crt_path=/etc/pve/local/pve-ssl.pem | |
key_path=/etc/pve/local/pve-ssl.key | |
reload_cmd=service pveproxy restart | |
# Plex | |
crt_path=/usr/lib/plexmediaserver/tls/tls.crt | |
key_path=/usr/lib/plexmediaserver/tls/tls.key | |
reload_cmd=openssl pkcs12 -export -in /usr/lib/plexmediaserver/tls/tls.crt -inkey /usr/lib/plexmediaserver/tls/tls.key -out /usr/lib/plexmediaserver/tls/tls.pfx -passout pass: && service plexmediaserver restart |