Helper script to update MySQL / MariaDB TLS after renewing LetsEncrypt certificate

update-mysql-letsencrypt

#!/bin/bash

DOMAIN="$1"
SOURCE="/etc/letsencrypt/live/${DOMAIN}"
DESTINATION="/var/lib/mysql/pki"
USER="mysql."

# Validate provided domain
if [ -z "${DOMAIN}" ] || [ ! -d "${SOURCE}" ]; then
  printf "Please enter a valid domain (provided '%s')\n" "${DOMAIN}"
  exit 1
fi

# Create files
mkdir -p "${DESTINATION}"
cp "${SOURCE}/cert.pem" "${DESTINATION}"
openssl x509 -in "${SOURCE}/chain.pem" > "${DESTINATION}/chain.pem"
openssl rsa -in "${SOURCE}/privkey.pem" -out "${DESTINATION}/privkey.pem"

# Set permissions
chown -R "${USER}" "${DESTINATION}"
chmod 600 $DESTINATION/*.pem

# Reload TLS
mysql --user=root --execute="FLUSH SSL"

Example usage:

update-mysql-letsencrypt example.com

(where example.com represents the directory in /etc/letsencrypt/live/*)