A wrapper for acme-tiny to request and update certificates
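#!/usr/bin/env bash
# Request (or renew) a Let's Encrypt certificate for every domain listed under
# $dir/domains, assemble the nginx chain and restart nginx.
#
# Layout, relative to the directory this script lives in ($dir):
#   domains/<domain>   one file per certificate, one hostname per line, e.g.
#                      domains/thomaswilburn.net containing
#                        thomaswilburn.net
#                        www.thomaswilburn.net
#                        mail.thomaswilburn.net
#   <domain>.key       private key for that certificate (must already exist)
#   <domain>.csr       CSR; generated from the hosts list on first run
#   account.key        ACME account key handed to acme_tiny.py
#   challenges/        directory acme_tiny writes challenge files into
#   certs/             outputs: <domain>-signed.crt, intermediate.pem,
#                      <domain>-chained.pem plus dated backups of the chain
#
# Crash on any failed command, unset variable or failed pipeline stage.
set -euo pipefail

dir=$(dirname -- "$0")
readonly dir
# NOTE(review): URL carried over unchanged from the original script; confirm it
# still names the intermediate that signs the issued certificates.
readonly intermediate_url='https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem'
# Scratch directory for in-progress outputs; created by main(), removed on exit.
tmpdir=

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Join hostnames into an openssl subjectAltName value.
# Arguments: zero or more hostnames
# Outputs:   "DNS:a,DNS:b,..." on stdout, no trailing comma or newline
#######################################
san_list() {
  local joined=''
  local host
  for host in "$@"; do
    joined+="DNS:${host},"
  done
  printf '%s' "${joined%,}"
}

#######################################
# Create $dir/<domain>.csr from the hosts list unless it already exists.
# Globals:   dir (read)
# Arguments: $1 - domain name; remaining args - hostnames for the SAN list
# Returns:   0 on success; exits via die() if the key is missing or openssl fails
#######################################
ensure_csr() {
  local domain=$1
  shift
  local csr="$dir/$domain.csr"
  local key="$dir/$domain.key"
  if [[ -f "$csr" ]]; then
    return 0
  fi
  [[ -f "$key" ]] || die "missing private key $key"
  local san
  san=$(san_list "$@")
  printf '[SAN]\nsubjectAltName=%s\n' "$san"
  # Write to a temp file and rename, so a failed openssl run cannot leave an
  # empty .csr behind that every later run would treat as valid.
  local tmp
  tmp=$(mktemp -- "$csr.XXXXXX") || die "mktemp failed for $csr"
  # The hostnames are passed as a printf argument, never as the format string,
  # so a '%' or backslash in a hostname cannot alter the generated config.
  if ! openssl req -new -sha256 -key "$key" \
      -subj "/" -reqexts SAN \
      -config <(cat /etc/pki/tls/openssl.cnf; printf '[SAN]\nsubjectAltName=%s\n' "$san") \
      > "$tmp"; then
    rm -f -- "$tmp"
    die "openssl req failed for $domain"
  fi
  mv -- "$tmp" "$csr"
}

#######################################
# Request a certificate for one domain and assemble the nginx chain.
# Globals:   dir, intermediate_url, tmpdir (read)
# Arguments: $1 - path to the domain's config file under $dir/domains
# Returns:   0 on success; exits via die()/set -e on any failure
#######################################
process_domain() {
  local config=$1
  local domain=${config##*/}
  local certs="$dir/certs"
  local line
  local hosts=()
  printf 'Processing certs for %s\n' "$domain"
  # One hostname per line; blank lines are skipped so they cannot become empty
  # "DNS:" entries in the SAN list. Tolerate a missing trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ -n "$line" ]]; then
      hosts+=("$line")
    fi
  done < "$config"
  (( ${#hosts[@]} > 0 )) || die "no hostnames listed in $config"
  # Keep a dated copy of the chain currently being served before replacing it
  # (a second run on the same day overwrites that day's backup).
  if [[ -f "$certs/$domain-chained.pem" ]]; then
    local datestamp
    datestamp=$(date +"%m%d%Y")
    cp -- "$certs/$domain-chained.pem" "$certs/$domain-backup-$datestamp.pem"
  fi
  ensure_csr "$domain" "${hosts[@]}"
  # Everything is produced in $tmpdir and renamed into place afterwards, so a
  # failed acme_tiny/wget run never truncates the files nginx is serving.
  local signed="$tmpdir/$domain-signed.crt"
  local inter="$tmpdir/intermediate.pem"
  local chained="$tmpdir/$domain-chained.pem"
  python "$dir/acme_tiny.py" \
    --account-key "$dir/account.key" \
    --csr "$dir/$domain.csr" \
    --acme-dir "$dir/challenges/" \
    > "$signed"
  # Refuse to install anything that is not a parseable certificate.
  openssl x509 -noout -in "$signed" || die "acme_tiny did not return a certificate for $domain"
  # Intermediate from Let's Encrypt; a failed download aborts via set -e.
  wget -O - "$intermediate_url" > "$inter"
  openssl x509 -noout -in "$inter" || die "downloaded intermediate is not a certificate"
  # nginx wants leaf + intermediate concatenated in one file.
  cat -- "$signed" "$inter" > "$chained"
  mv -- "$signed" "$certs/$domain-signed.crt"
  mv -- "$inter" "$certs/intermediate.pem"
  mv -- "$chained" "$certs/$domain-chained.pem"
}

#######################################
# Process every domain config and restart nginx if anything was issued.
# Globals:   dir (read), tmpdir (written)
# Arguments: none
# Returns:   0 on success (including when no configs exist)
#######################################
main() {
  local certs="$dir/certs"
  local config
  local configs=()
  shopt -s nullglob
  for config in "$dir"/domains/*; do
    if [[ -f "$config" ]]; then
      configs+=("$config")
    fi
  done
  if (( ${#configs[@]} == 0 )); then
    printf 'warning: no domain configs found in %s/domains; nothing to do\n' "$dir" >&2
    return 0
  fi
  [[ -d "$dir/challenges" ]] || die "missing challenge directory $dir/challenges"
  mkdir -p -- "$certs"
  # Scratch files live inside certs/ so the final mv is a same-filesystem rename.
  tmpdir=$(mktemp -d -- "$certs/.tmp.XXXXXX") || die "mktemp failed"
  trap 'rm -rf -- "${tmpdir:?}"' EXIT
  for config in "${configs[@]}"; do
    process_domain "$config"
  done
  # Make nginx pick up the new chains.
  /etc/init.d/nginx restart
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi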