A wrapper for acme-tiny to request and update certificates
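#!/usr/bin/env bash
# Wrapper around acme_tiny.py: for every domain listed under domains/ it
# creates a CSR on first use, requests a signed certificate, chains it with
# the Let's Encrypt intermediate for nginx, and restarts nginx.
#
# Layout, relative to the directory this script lives in:
#   domains/<domain>  one file per domain, one hostname (SAN) per line
#   <domain>.key      private key for the domain (must already exist)
#   <domain>.csr      certificate request, generated on first run
#   account.key       ACME account key used by acme_tiny.py
#   challenges/       directory served for the http-01 challenge files
#   certs/            signed, intermediate, chained and backup certificates

# Crash on any failed command, unset variable or failed pipeline stage
set -euo pipefail

dir=$(dirname -- "$0")
certs="$dir/certs"

# The intermediate is the same for every domain, so fetch it once up front.
# Under set -e a failed download stops the run before any chain is rebuilt.
wget -O "$certs/intermediate.pem" https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

# the domains directory should contain one config file per domain
# each file contains a list of subdomains
# for example, here's domains/thomaswilburn.net:
# thomaswilburn.net
# www.thomaswilburn.net
# mail.thomaswilburn.net
for config in "$dir"/domains/*; do
  # an unmatched glob leaves the literal pattern behind; skip it rather than fail
  [ -e "$config" ] || continue
  domain=$(basename -- "$config")
  echo "Processing certs for $domain"
  readarray -t hosts < "$config"

  # Copy any existing chained cert to a dated backup before it is replaced
  if [ -f "$certs/$domain-chained.pem" ]; then
    datestamp=$(date +"%m%d%Y")
    cp -- "$certs/$domain-chained.pem" "$certs/$domain-backup-$datestamp.pem"
  fi

  # Create the CSR if it doesn't exist yet
  if [ ! -f "$dir/$domain.csr" ]; then
    # Blank lines in the config would otherwise turn into empty "DNS:" entries
    san=()
    for host in "${hosts[@]}"; do
      if [ -n "$host" ]; then
        san+=("DNS:$host")
      fi
    done
    if [ "${#san[@]}" -eq 0 ]; then
      echo "no hostnames listed in $config" >&2
      exit 1
    fi
    # Join with commas. The hostnames are data, so they are passed as a
    # printf argument and never as the format string.
    list=$(IFS=,; printf '%s' "${san[*]}")
    printf 'subjectAltName=%s\n' "$list"
    # Write to a temp file and rename, so a failed openssl run cannot leave a
    # truncated .csr behind that the next run would treat as valid.
    openssl req -new -sha256 -key "$dir/$domain.key" \
      -subj "/" -reqexts SAN \
      -config <(cat /etc/pki/tls/openssl.cnf; printf '[SAN]\nsubjectAltName=%s\n' "$list") \
      > "$dir/$domain.csr.tmp"
    mv -- "$dir/$domain.csr.tmp" "$dir/$domain.csr"
  fi

  # Get the signed certificate
  python "$dir/acme_tiny.py" \
    --account-key "$dir/account.key" \
    --csr "$dir/$domain.csr" \
    --acme-dir "$dir/challenges/" \
    > "$certs/$domain-signed.crt"

  # Chain the cert for nginx; build it beside the live file and rename so the
  # chain nginx is serving is never left truncated while it is being written.
  cat -- "$certs/$domain-signed.crt" "$certs/intermediate.pem" > "$certs/$domain-chained.pem.tmp"
  mv -- "$certs/$domain-chained.pem.tmp" "$certs/$domain-chained.pem"
done

# Restart nginx so it picks up the new chained certificates
/etc/init.d/nginx restart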