Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Let's Encrypt Auto-Renewal using the Webroot Plugin (Nginx)
#!/bin/bash
web_service='nginx'
FILES=/usr/local/etc/letsencrypt/*.ini
for f in $FILES
do
echo "Renewing for $f file..."
config_file="$f"
le_path='/opt/certbot'
exp_limit=30;
if [ ! -f $config_file ]; then
echo "[ERROR] config file does not exist: $config_file"
exit 1;
fi
domain=`grep "^\s*domains" $config_file | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f $cert_file ]; then
echo "[ERROR] certificate file not found for domain $domain."
fi
exp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)
echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
echo "The certificate is up to date, no need for renewal ($days_exp days left)."
continue;
else
echo "The certificate for $domain is about to expire soon. Starting webroot renewal script..."
$le_path/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $config_file
echo "Renewal process finished for domain $domain"
continue;
fi
done
echo "Reloading $web_service"
/usr/sbin/service $web_service reload
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = you@example.com
# Uncomment and update to generate certificates for the specified
# domains.
domains = example.com, www.example.com
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
webroot-path = /var/www/example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.