Created
June 6, 2022 19:25
-
-
Save papamoose/84c9fccefb69596fac58bca417cc7ee5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| umask 022 | |
| {% if letsencrypt_eab %} | |
| server={{ letsencrypt_server }} | |
| kid={{ letsencrypt_eab_kid }} | |
| hmac={{ letsencrypt_eab_hmac }} | |
| acmeurl={{ letsencrypt_acmeurl }} | |
| {% elif letsencrypt_testmode %} | |
| server=acme-staging-v02.api.letsencrypt.org | |
| {% else %} | |
| server=acme-v02.api.letsencrypt.org | |
| {% endif %} | |
| email={{ letsencrypt_email }} | |
| # allows you to add '--days=100' in case you add aliases at a later date | |
| ACTION_OPTIONS="$1" | |
| function restart_webserver(){ | |
| # Find out which web server we are running. | |
| # Supports nginx | |
| # There are a variety of ways this can go wrong. | |
| # Cheers to the person who writes the code to account for this. | |
| for m in nginx apache2 httpd; do | |
| ec=$(pgrep "$m" > /dev/null 2>&1; echo $?) | |
| if [ $ec -eq 0 ]; then | |
| webserver=$m | |
| fi | |
| done | |
| case $webserver in | |
| 'nginx') | |
| [ -x /bin/systemctl ] && /bin/systemctl try-reload-or-restart nginx.service | |
| [ ! -x /bin/systemctl ] && /etc/init.d/nginx reload | |
| ;; | |
| 'apache2') | |
| [ -x /bin/systemctl ] && /bin/systemctl try-reload-or-restart apache2.service | |
| [ ! -x /bin/systemctl ] && /etc/init.d/apache2 reload | |
| ;; | |
| 'httpd') | |
| [ -x /bin/systemctl ] && /bin/systemctl try-reload-or-restart httpd.service | |
| [ ! -x /bin/systemctl ] && /etc/init.d/httpd reload | |
| ;; | |
| *) | |
| echo "Web server not supported. Please add support." | |
| exit 1 | |
| ;; | |
| esac | |
| } | |
| function certsymlinker(){ | |
| commonname="$1" | |
| ln -sf "/etc/letsencrypt/certificates/${commonname}.crt" "/etc/letsencrypt/ssl/${commonname}.crt" | |
| ln -sf "/etc/letsencrypt/certificates/${commonname}.issuer.crt" "/etc/letsencrypt/ssl/${commonname}.inter" | |
| ln -sf "/etc/letsencrypt/certificates/${commonname}.key" "/etc/letsencrypt/ssl/${commonname}.key" | |
| } | |
| function main(){ | |
| webserver_restart=0 | |
| # old versions of `ss` do not have the `-H` option | |
| http_pid=$(ss -tlp 'sport = :80'| sed '1d' | sed -n -e 's/^.*,pid=\(.*\),.*$/\1/p' | uniq) | |
| lego_port={{ letsencrypt_port }} | |
| # allow for HTTP-01 challenge on non-webserver systems | |
| [ "$http_pid" = "" ] && lego_port=80 | |
| for m in /etc/letsencrypt/active-sites.d/*.list; do | |
| # commonname=certtest3.example.com | |
| # aliases=() | |
| source "${m}" | |
| # If a symlink doesn't exist yet, assume that we have not got a cert for this yet, | |
| # and set it up to use snakeoil until we get a certificate | |
| test -L "/etc/letsencrypt/ssl/${commonname}.crt" || ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem "/etc/letsencrypt/ssl/${commonname}.crt" | |
| test -L "/etc/letsencrypt/ssl/${commonname}.key" || ln -s /etc/ssl/private/ssl-cert-snakeoil.key "/etc/letsencrypt/ssl/${commonname}.key" | |
| test -L "/etc/letsencrypt/ssl/${commonname}.inter" || ln -s /etc/ssl/certs/ca-certificates.crt "/etc/letsencrypt/ssl/${commonname}.inter" | |
| {% raw %} | |
| len=${#aliases[@]} | |
| alias_list='' | |
| # Got aliases? Create a string we can append to the 'lego' command. | |
| if [ ${#aliases[@]} -gt 0 ]; then | |
| for (( i=0; i<len; i++ )); do | |
| alias_list+=" --domains=${aliases[$i]} " | |
| done | |
| fi | |
| # is it a new certificate request? | |
| if [ -f "/etc/letsencrypt/certificates/${commonname}.crt" ] && [ -f "/etc/letsencrypt/accounts/${server}/${email}/account.json" ]; then | |
| f=($(openssl x509 -noout -text -in "/etc/letsencrypt/certificates/${commonname}.crt" | grep DNS | sed -e 's/DNS://g' -e 's/,//g' -e 's/^\s\{1,\}//')) | |
| g=($commonname ${aliases[@]}) | |
| if [ ${#g[@]} -eq ${#f[@]} ]; then | |
| action='renew' | |
| ACTION_OPTIONS="$ACTION_OPTIONS --renew-hook=/usr/local/sbin/letsencrypt-renew-hook" | |
| else | |
| action='run' | |
| fi | |
| else | |
| action='run' | |
| fi | |
| {% endraw %} | |
| /usr/local/bin/lego \ | |
| --server="$acmeurl" \ | |
| {% if letsencrypt_eab %} | |
| --eab \ | |
| --kid=${kid} \ | |
| --hmac=${hmac} \ | |
| --key-type=rsa4096 \ | |
| {% endif %} | |
| --accept-tos \ | |
| --email={{ letsencrypt_email }} \ | |
| --http \ | |
| --http.port=:$lego_port \ | |
| --domains=${commonname} ${alias_list} \ | |
| --path="/etc/letsencrypt" \ | |
| $action \ | |
| $ACTION_OPTIONS | |
| lego_ec=$? | |
| if [ $lego_ec -eq 0 ] && [ $(/bin/readlink -f "/etc/letsencrypt/ssl/${commonname}.crt" | grep -q snakeoil; echo $?) -eq 0 ]; then | |
| certsymlinker "${commonname}" | |
| webserver_restart=1 | |
| elif [ -L "/etc/letsencrypt/ssl/${commonname}.crt" ] && [ ! -e "/etc/letsencrypt/ssl/${commonname}.crt" ] && [ -f "/etc/letsencrypt/certificates/${commonname}.crt" ]; then | |
| # fixing broken symlinks | |
| # probably an uncommon case | |
| certsymlinker "${commonname}" | |
| webserver_restart=1 | |
| fi | |
| done | |
| if [ $webserver_restart -gt 0 ]; then | |
| restart_webserver | |
| fi | |
| } | |
| main |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment