/letsencrypt.sh
Last active Sep 16, 2016
A wrapper for acme-tiny to request and update certificates
| #!/usr/bin/env bash | |
| #Crash on any failed command | |
| set -e | |
| dir=`dirname $0` | |
| # the domains directory should contain one config file per domain | |
| # each file contains a list of subdomains | |
| # for example, here's domains/thomaswilburn.net: | |
| # thomaswilburn.net | |
| # www.thomaswilburn.net | |
| # mail.thomaswilburn.net | |
| for config in domains/* | |
| do | |
| domain=`basename $config` | |
| echo "Processing certs for $domain" | |
| readarray -t hosts < $config | |
| #Copy any existing cert to a backup | |
| if [ -f $dir/certs/$domain-chained.pem ]; then | |
| datestamp=$(date +"%m%d%Y") | |
| cp $dir/certs/$domain-chained.pem $dir/certs/$domain-backup-$datestamp.pem | |
| fi | |
| #Create CSR if it doesn't exist | |
| if [ ! -f $dir/$domain.csr ]; then | |
| list=`printf "DNS:%s," "${hosts[@]}"` | |
| # remove last comma | |
| list=${list%?} | |
| list="[SAN]\nsubjectAltName=$list" | |
| echo $list | |
| openssl req -new -sha256 -key $dir/$domain.key \ | |
| -subj "/" -reqexts SAN \ | |
| -config \ | |
| <(cat /etc/pki/tls/openssl.cnf \ | |
| <(printf $list)) \ | |
| > $dir/$domain.csr | |
| fi | |
| #Get certificate | |
| python $dir/acme_tiny.py \ | |
| --account-key $dir/account.key \ | |
| --csr $dir/$domain.csr \ | |
| --acme-dir $dir/challenges/ \ | |
| > $dir/certs/$domain-signed.crt | |
| #Get the intermediate cert from LE | |
| wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > $dir/certs/intermediate.pem | |
| #Chain the cert for nginx | |
| cat $dir/certs/$domain-signed.crt $dir/certs/intermediate.pem > $dir/certs/$domain-chained.pem | |
| done | |
| #Reload nginx | |
| /etc/init.d/nginx restart |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment