A wrapper for acme-tiny to request and update certificates

letsencrypt.sh

#!/usr/bin/env bash
#Crash on any failed command
set -e
dir=`dirname $0`

# the domains directory should contain one config file per domain
# each file contains a list of subdomains
# for example, here's domains/thomaswilburn.net:
# thomaswilburn.net
# www.thomaswilburn.net
# mail.thomaswilburn.net
for config in domains/*
do
	domain=`basename $config`
	echo "Processing certs for $domain"
	readarray -t hosts < $config
	
	#Copy any existing cert to a backup
	if [ -f $dir/certs/$domain-chained.pem ]; then
		datestamp=$(date +"%m%d%Y")
		cp $dir/certs/$domain-chained.pem $dir/certs/$domain-backup-$datestamp.pem
	fi

	#Create CSR if it doesn't exist
	if [ ! -f $dir/$domain.csr ]; then
	  list=`printf "DNS:%s," "${hosts[@]}"`
	  # remove last comma
	  list=${list%?}
  	list="[SAN]\nsubjectAltName=$list"
  	echo $list
		openssl req -new -sha256 -key $dir/$domain.key \
		-subj "/" -reqexts SAN \
		-config \
		<(cat /etc/pki/tls/openssl.cnf \
		<(printf $list)) \
		> $dir/$domain.csr
	fi
		
	#Get certificate
	python $dir/acme_tiny.py \
	--account-key $dir/account.key \
	--csr $dir/$domain.csr \
	--acme-dir $dir/challenges/ \
	> $dir/certs/$domain-signed.crt

	#Get the intermediate cert from LE
	wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > $dir/certs/intermediate.pem

	#Chain the cert for nginx
	cat $dir/certs/$domain-signed.crt $dir/certs/intermediate.pem > $dir/certs/$domain-chained.pem

done

#Reload nginx
/etc/init.d/nginx restart