levid0s/1download_cert.sh

## 1download_cert.sh
#!/bin/sh
# https://gist.github.com/levid0s/xxxxxx/

# Usage:
# download_cert.sh [-h] [-n] [-f]
# -h: Show help
# -n: Skip update check
# -f: Force download, skip comparison

# Version: v20240623

# Recommended crontab:
# 0 4 * * *  $script_path >> /tmp/download_cert.log

if test -t 1 ; then
    NC='\e[0m'; RD='\e[1;31m'; YL='\e[1;33m'; WH='\e[1;37m'; LC='\e[1;36m'; LN='\e[1;32m'
else
    NC=''; RD=''; YL=''; WH=''; LC=''; LN=''
fi

script_dir=$(cd "$(dirname "$0")" && pwd)
script_filename="$(basename "$0")"
script_path="$script_dir/$script_filename"
ini_file="$script_dir/config.ini"
temp_dir='/tmp/dlcert' && mkdir -p "$temp_dir"

if [ "$1" = '-h' ]; then
    echo "Recommended crontab:"
    echo "0 4 * * *  $script_path >> /tmp/download_cert.log"
    exit 0
fi

echo "Starting download_cert: $(date +"%Y-%m-%d %H:%M:%S")"

read_keys="lego_server cert_name crt_apikey key_apikey crt_path key_path reload_cmd lego_server_lookup name_server update_url"

for key in $read_keys; do
    value="$(grep '^'$key'=' "$ini_file" | cut -d'=' -f2)"
    eval "$key=\"$value\""
    [ -n "$debug" ] && echo "read: $key = $value"
done

ts=$(date +%Y%m%d-%H%M%S)

if [ -n "update_url" ]  && [ "$1" != "-n" ]; then
    temp_file="$temp_dir/dl.sh"
    [ -n "$debug" ] && echo -e "${DY}Checking for downloader script updates..${NC}"
    http_statuscode=$(curl --connect-timeout 10 -s $update_url --output "$temp_file" --write-out "%{http_code}")
    if [ $http_statuscode -ne 200 ]; then
        echo -e "${RD}Script download failed: $http_statuscode${NC}"
    else
        if cmp $temp_file $script_path; then
            echo -e ">> Downloader script up to date.";
        else
            [ -n "$debug" ] && echo "Downloaded update: $temp_file"
            echo -e "${GN}>> Found newer downloader script, updating..${NC}"
            mv $script_path "$temp_dir/$script_filename.$ts.backup"
            echo "Backing up: $script_path -> $temp_dir/$script_filename.$ts.backup"
            cp $temp_file $script_path
            echo "Updated: $temp_file -> $script_path"
            chmod +x $script_path
            echo "Starting updated script.."
            $script_path
            exit 0
        fi
    fi
fi


if [ "$lego_server_lookup" = "true" ]; then
    tmp="${lego_server#*://}" # Remove the protocol (everything up to '://')
    legohost="${tmp%%/*}" # Remove everything after the hostname (path, query string, fragment identifier)
    legohost="${legohost%%:*}"

    ip_address="$(nslookup $legohost $name_server  | grep -E 'Address: [0-9]' | awk '{print $2}')"
    lego_server=$(echo "$lego_server" | sed "s/$legohost/$ip_address/")

    echo "Resolved lego server: $lego_server"
fi

api_crt_path="certwarden/api/v1/download/certificates/$cert_name"
api_key_path="certwarden/api/v1/download/privatekeys/$cert_name"

temp_crt="$temp_dir/cert.pem"
temp_key="$temp_dir/key.pem"
temp_key_pkcs8="$temp_dir/key.pkcs8.pem"
backup_crt="${crt_path}.$ts.backup"
backup_key="${key_path}.$ts.backup"

if : ; then
    [ -n "$debug" ] && echo "Calling: $lego_server/$api_crt_path"
    http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_crt_path -H "apiKey: $crt_apikey" --output "$temp_crt" --write-out "%{http_code}")
    if test $http_statuscode -ne 200; then echo -e "${RD}Cert download failed: $http_statuscode${NC}"; exit "$http_statuscode"; fi
    [ "$1" != "-f" ] && {
        cmp -s $temp_crt $crt_path && echo -e "${WH}>> Certificate already up to date; nothing to do, exiting.${NC}" && exit 0
        echo -e "${GN}>> Found newer certificate!${NC}"
    }
fi

if [ -n "$key_apikey" ]; then
    [ -n "$debug" ] && echo "Calling: $lego_server/$api_key_path"
    http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_key_path -H "apiKey: $key_apikey" --output "$temp_key" --write-out "%{http_code}")
    if test $http_statuscode -ne 200; then echo -e "${RD}Key download failed: $http_statuscode${NC}"; exit "$http_statuscode"; fi

    [ "$1" != "-f" ] && { cmp -s $temp_key $key_path && echo -e "${WH}>> Keys have not changed.${NC}" && key_apikey=''; }
fi

## Downloads successful, proceed to copy

echo "Backing up: $crt_path -> $backup_crt"
cp "$crt_path" "$backup_crt"
echo "Updating: $crt_path"
cp $temp_crt $crt_path

if [ -n "$key_apikey" ]; then
    echo "Backing up: $key_path -> $backup_key"
    cp "$key_path" "$backup_key"
    echo "Updating: $key_path"
    cp $temp_key $key_path
fi

if [ -n "$reload_cmd" ]; then
    echo "Reloading service with: $reload_cmd"
    eval "$reload_cmd"
fi

## config.ini
# Generic
cert_name=xxxx
crt_apikey=....
key_apikey=....
lego_server=http://xxxx:4050
lego_server_lookup=true
name_server=192.168.1.1

# Adguard Home
crt_path=/opt/AdGuardHome/cert/tls.crt
key_path=/opt/AdGuardHome/cert/tls.key
reload_cmd=service AdGuardHome restart

# OpenWRT
crt_path=/etc/uhttpd.crt
key_path=/etc/uhttpd.key
reload_cmd=service uhttpd restart

# Proxmox
crt_path=/etc/pve/local/pve-ssl.pem
key_path=/etc/pve/local/pve-ssl.key
reload_cmd=service pveproxy restart

# Plex
crt_path=/usr/lib/plexmediaserver/tls/tls.crt
key_path=/usr/lib/plexmediaserver/tls/tls.key
reload_cmd=openssl pkcs12 -export -in /usr/lib/plexmediaserver/tls/tls.crt -inkey /usr/lib/plexmediaserver/tls/tls.key -out /usr/lib/plexmediaserver/tls/tls.pfx  -passout pass: && service plexmediaserver restart
	#!/bin/sh
	# https://gist.github.com/levid0s/xxxxxx/

	# Usage:
	# download_cert.sh [-h] [-n] [-f]
	# -h: Show help
	# -n: Skip update check
	# -f: Force download, skip comparison

	# Version: v20240623

	# Recommended crontab:
	# 0 4 * * * $script_path >> /tmp/download_cert.log

	if test -t 1 ; then
	NC='\e[0m'; RD='\e[1;31m'; YL='\e[1;33m'; WH='\e[1;37m'; LC='\e[1;36m'; LN='\e[1;32m'
	else
	NC=''; RD=''; YL=''; WH=''; LC=''; LN=''
	fi

	script_dir=$(cd "$(dirname "$0")" && pwd)
	script_filename="$(basename "$0")"
	script_path="$script_dir/$script_filename"
	ini_file="$script_dir/config.ini"
	temp_dir='/tmp/dlcert' && mkdir -p "$temp_dir"

	if [ "$1" = '-h' ]; then
	echo "Recommended crontab:"
	echo "0 4 * * * $script_path >> /tmp/download_cert.log"
	exit 0
	fi

	echo "Starting download_cert: $(date +"%Y-%m-%d %H:%M:%S")"

	read_keys="lego_server cert_name crt_apikey key_apikey crt_path key_path reload_cmd lego_server_lookup name_server update_url"

	for key in $read_keys; do
	value="$(grep '^'$key'=' "$ini_file" \| cut -d'=' -f2)"
	eval "$key=\"$value\""
	[ -n "$debug" ] && echo "read: $key = $value"
	done

	ts=$(date +%Y%m%d-%H%M%S)

	if [ -n "update_url" ] && [ "$1" != "-n" ]; then
	temp_file="$temp_dir/dl.sh"
	[ -n "$debug" ] && echo -e "${DY}Checking for downloader script updates..${NC}"
	http_statuscode=$(curl --connect-timeout 10 -s $update_url --output "$temp_file" --write-out "%{http_code}")
	if [ $http_statuscode -ne 200 ]; then
	echo -e "${RD}Script download failed: $http_statuscode${NC}"
	else
	if cmp $temp_file $script_path; then
	echo -e ">> Downloader script up to date.";
	else
	[ -n "$debug" ] && echo "Downloaded update: $temp_file"
	echo -e "${GN}>> Found newer downloader script, updating..${NC}"
	mv $script_path "$temp_dir/$script_filename.$ts.backup"
	echo "Backing up: $script_path -> $temp_dir/$script_filename.$ts.backup"
	cp $temp_file $script_path
	echo "Updated: $temp_file -> $script_path"
	chmod +x $script_path
	echo "Starting updated script.."
	$script_path
	exit 0
	fi
	fi
	fi



	if [ "$lego_server_lookup" = "true" ]; then
	tmp="${lego_server#*://}" # Remove the protocol (everything up to '://')
	legohost="${tmp%%/*}" # Remove everything after the hostname (path, query string, fragment identifier)
	legohost="${legohost%%:*}"

	ip_address="$(nslookup $legohost $name_server \| grep -E 'Address: [0-9]' \| awk '{print $2}')"
	lego_server=$(echo "$lego_server" \| sed "s/$legohost/$ip_address/")

	echo "Resolved lego server: $lego_server"
	fi

	api_crt_path="certwarden/api/v1/download/certificates/$cert_name"
	api_key_path="certwarden/api/v1/download/privatekeys/$cert_name"

	temp_crt="$temp_dir/cert.pem"
	temp_key="$temp_dir/key.pem"
	temp_key_pkcs8="$temp_dir/key.pkcs8.pem"
	backup_crt="${crt_path}.$ts.backup"
	backup_key="${key_path}.$ts.backup"

	if : ; then
	[ -n "$debug" ] && echo "Calling: $lego_server/$api_crt_path"
	http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_crt_path -H "apiKey: $crt_apikey" --output "$temp_crt" --write-out "%{http_code}")
	if test $http_statuscode -ne 200; then echo -e "${RD}Cert download failed: $http_statuscode${NC}"; exit "$http_statuscode"; fi
	[ "$1" != "-f" ] && {
	cmp -s $temp_crt $crt_path && echo -e "${WH}>> Certificate already up to date; nothing to do, exiting.${NC}" && exit 0
	echo -e "${GN}>> Found newer certificate!${NC}"
	}
	fi

	if [ -n "$key_apikey" ]; then
	[ -n "$debug" ] && echo "Calling: $lego_server/$api_key_path"
	http_statuscode=$(curl -L --connect-timeout 10 -s $lego_server/$api_key_path -H "apiKey: $key_apikey" --output "$temp_key" --write-out "%{http_code}")
	if test $http_statuscode -ne 200; then echo -e "${RD}Key download failed: $http_statuscode${NC}"; exit "$http_statuscode"; fi

	[ "$1" != "-f" ] && { cmp -s $temp_key $key_path && echo -e "${WH}>> Keys have not changed.${NC}" && key_apikey=''; }
	fi

	## Downloads successful, proceed to copy

	echo "Backing up: $crt_path -> $backup_crt"
	cp "$crt_path" "$backup_crt"
	echo "Updating: $crt_path"
	cp $temp_crt $crt_path

	if [ -n "$key_apikey" ]; then
	echo "Backing up: $key_path -> $backup_key"
	cp "$key_path" "$backup_key"
	echo "Updating: $key_path"
	cp $temp_key $key_path
	fi

	if [ -n "$reload_cmd" ]; then
	echo "Reloading service with: $reload_cmd"
	eval "$reload_cmd"
	fi
	# Generic
	cert_name=xxxx
	crt_apikey=....
	key_apikey=....
	lego_server=http://xxxx:4050
	lego_server_lookup=true
	name_server=192.168.1.1

	# Adguard Home
	crt_path=/opt/AdGuardHome/cert/tls.crt
	key_path=/opt/AdGuardHome/cert/tls.key
	reload_cmd=service AdGuardHome restart

	# OpenWRT
	crt_path=/etc/uhttpd.crt
	key_path=/etc/uhttpd.key
	reload_cmd=service uhttpd restart

	# Proxmox
	crt_path=/etc/pve/local/pve-ssl.pem
	key_path=/etc/pve/local/pve-ssl.key
	reload_cmd=service pveproxy restart

	# Plex
	crt_path=/usr/lib/plexmediaserver/tls/tls.crt
	key_path=/usr/lib/plexmediaserver/tls/tls.key
	reload_cmd=openssl pkcs12 -export -in /usr/lib/plexmediaserver/tls/tls.crt -inkey /usr/lib/plexmediaserver/tls/tls.key -out /usr/lib/plexmediaserver/tls/tls.pfx -passout pass: && service plexmediaserver restart