#!/bin/sh -eu
#
# tls-renew for Hummus certificates; currently exim.org certificates
#
# This is ~pdp/bin/tls-renew
#
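# Invoking this as "sh tls-renew" drops the -eu from the shebang line, so
# set the same options explicitly here.
set -eu
LegoStateDir=/etc/opt/lego
EmailContact=ssladmin@exim.org
WebrootBase=/srv/wellknown-web
NginxTLSDir=/etc/nginx/tls/lego
# ALL_SITES: whitespace-separated list of the directories under the webroot,
# one per site.  An empty webroot used to leave a literal '*' here, which
# renew_sites would then glob against the current directory; skip names that
# do not exist so the list is simply empty in that case.  A missing webroot
# still fails the assignment (and the script, under -e).
ALL_SITES="$(
  cd "${WebrootBase:?}" || exit
  for d in *; do
    [ -e "$d" ] || continue
    printf '%s ' "$d"
  done
)"
# VERBOSE / NOTREALLY are executed as commands below (if $VERBOSE ...), so
# they must be the words true or false.
: "${VERBOSE:=true}"
: "${NOTREALLY:=false}"
prog="$(basename "$0")"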
# Diagnostics.  trace() writes "<prog>: <message>" to stderr only in verbose
# mode, and verbose mode also makes every cp in this script chatty.
# $VERBOSE is run as a command, so it has to be the word true or false.
trace() { true ; }
if $VERBOSE; then
  cp() { /bin/cp -v "$@" ; }
  trace() { printf >&2 '%s: %s\n' "$prog" "$*" ; }
fi
die() { printf >&2 "%s: %s\n" "$prog" "$*" ; exit 1; } | |
# maybe: run the given command, or only announce it on stderr when NOTREALLY
# is true (dry-run mode).  $NOTREALLY is executed as a command, so it must be
# the word true or false.
maybe() {
  if $NOTREALLY; then
    printf >&2 'Skipping: %s\n' "$*"
    return 0
  fi
  "$@"
}
# site_lego does a lego action for one site. It currently assumes one
# domain per certificate. We could use zsh, switch away from shell, do
# various other things, or just munge the function line.
# site_lego SITE ACTION...: run lego for one site, with the state directory,
# contact address and per-site webroot filled in from the globals above.
# Anything after SITE is passed through to lego unchanged (e.g. "renew",
# or extra "--domains X" pairs followed by "run").
site_lego() {
  local site="$1"
  shift
  maybe lego \
    "--path=${LegoStateDir}" \
    "--email=${EmailContact}" \
    "--webroot=${WebrootBase}/${site}" \
    --domains "${site}" \
    "$@"
}
# nginx_action ACTION...: "service nginx ACTION" as root via sudo, subject
# to the NOTREALLY dry-run handling in maybe().
nginx_action() {
  set -- sudo service nginx "$@"
  maybe "$@"
}
# copy_keycerts SITE: copy SITE's key and certificate from the lego
# certificates directory into the nginx TLS directory.  Only the certificate
# is made world-readable afterwards; the key keeps whatever mode cp gave it.
copy_keycerts() {
  local site="${1:?}"
  shift
  local srcdir="${LegoStateDir:?}/certificates"
  local destdir="${NginxTLSDir:?}"
  local key="${srcdir}/${site}.key"
  local crt="${srcdir}/${site}.crt"
  maybe cp -v "$key" "$crt" "${destdir}/./"
  maybe chmod 644 "${destdir}/${site}.crt"
}
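# renew_sites [SITE...]: renew each named site's certificate, install the
# new key/cert for nginx, then reload nginx once.  With no arguments every
# site listed in ALL_SITES is renewed.
# Exits via die if no sites are found (ALL_SITES empty, or still holding the
# literal '*' an empty webroot leaves behind); the old "set $ALL_SITES" would
# have glob-expanded that '*' against the current directory.
renew_sites() {
  local site
  if [ $# -eq 0 ]; then
    # Word-split ALL_SITES without letting the shell glob-expand it.
    set -f
    set -- $ALL_SITES
    set +f
    if [ $# -eq 0 ] || [ "$1" = '*' ]; then
      die "no sites found under ${WebrootBase:?}"
    fi
  fi
  for site; do
    site_lego "$site" renew
    copy_keycerts "$site"
  done
  nginx_action reload
}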
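# register_site SITE [EXTRA_DOMAIN...]: obtain a first certificate for SITE
# (plus any extra domains) via "lego run" and install it for nginx.
# Requires the site's acme-challenge directory to exist under the webroot;
# otherwise prints instructions on stderr and exits 1.  The nginx config
# itself is not touched: the final message says what still has to be done.
register_site() {
  local site="${1:?need a fully-qualified site-name to register}"
  local needdir="${WebrootBase:?}/${site}/.well-known/acme-challenge"
  if ! [ -d "$needdir" ]; then
    cat >&2 <<EOM
${prog}: need '${needdir}' to exist first.
As root:
mkdir -p '${needdir}'
chown $(id -un) '${needdir}'
and edit the nginx config in /etc/nginx/sites-enabled to direct traffic
there; then, try again.
EOM
    exit 1
  fi
  shift
  local e
  # Rebuild the remaining arguments as "--domains X" pairs, kept as separate
  # words in "$@" instead of an accumulated string that had to be
  # word-split (and could be glob-expanded) on use.  The for-list is fixed
  # when the loop starts, so re-setting the positional parameters inside
  # the loop is safe.
  for e; do
    set -- "$@" --domains "$e"
    shift
  done
  site_lego "$site" "$@" run
  copy_keycerts "$site"
  cat >&2 <<EOM
${prog}: data in place, nginx not configured yet.
As root, change the TLS config for ${site}
Switch the key/cert material to come from files in ${NginxTLSDir}
Then reload nginx.
EOM
}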
# Command dispatch.  "justcopy" and "reload-nginx" are deliberately left out
# of the usage text because they are rarely needed.
main() {
  case "${1:-help}" in
    help|--help|-h)
      printf "Usage: %s <renew|register> <site>\n Site may be omitted for renew.\n" "$prog"
      exit 0
      ;;
    renew)
      shift
      renew_sites "$@"
      ;;
    register)
      shift
      [ $# -ge 1 ] || die "register must have a parameter; see help"
      register_site "$@"
      ;;
    justcopy)
      shift
      for site; do
        copy_keycerts "$site"
      done
      ;;
    reload-nginx)
      shift
      nginx_action reload
      ;;
    *)
      die "unknown command '$1'; see help"
      ;;
  esac
}
main "$@"
# vim: set ft=sh sw=2 et :