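#!/usr/bin/env bash
# Issue (or re-issue) a Let's Encrypt certificate with acme_tiny for every
# domain listed under domains/, append the intermediate certificate to build
# the chain file nginx serves, then restart nginx.
#
# Everything is resolved relative to this script's directory:
#   account.key        ACME account key (private; never copied anywhere)
#   <domain>.key       private key for <domain>, created out of band
#   <domain>.csr       CSR, generated on first run and reused afterwards --
#                      delete it when the subdomain list changes, otherwise the
#                      new hostnames are silently left out of the certificate
#   domains/<domain>   one hostname per line, e.g. domains/thomaswilburn.net:
#                          thomaswilburn.net
#                          www.thomaswilburn.net
#                          mail.thomaswilburn.net
#   challenges/        directory nginx serves at /.well-known/acme-challenge/
#   certs/             output: <domain>-signed.crt, <domain>-chained.pem,
#                      intermediate.pem and dated backups of the old chain
#
# Crash on any failed command, unset variable or failing pipeline stage.
set -euo pipefail

dir=$(dirname "$0")

# Intermediate certificate appended to every leaf to form the served chain.
# NOTE(review): fixed URL/name -- confirm it is still the issuer of the leaf
# certificates acme_tiny returns, or clients will see a broken chain.
intermediate_url="https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem"

# Print the openssl.cnf fragment declaring a [SAN] section for the hostnames
# given in "$@". The hostnames come from user-editable config files, so they
# are passed as printf arguments, never used as the format string.
san_config() {
  local list
  list=$(printf 'DNS:%s,' "$@")
  # Leading newline: openssl.cnf may not end with one, and the section header
  # must start on its own line. Trailing comma stripped.
  printf '\n[SAN]\nsubjectAltName=%s\n' "${list%,}"
}

# Create <domain>.csr for the hostnames in "$@" (after the domain name) unless
# one already exists. Fails loudly when the private key is missing instead of
# letting openssl write a half-finished CSR.
make_csr() {
  local domain=$1
  shift
  local key="$dir/$domain.key" csr="$dir/$domain.csr"
  [[ -f "$csr" ]] && return 0
  if [[ ! -f "$key" ]]; then
    printf 'missing private key %s for %s\n' "$key" "$domain" >&2
    return 1
  fi
  san_config "$@"
  # Write to a temp file so a failed openssl run does not leave a truncated
  # CSR that the next run would happily reuse.
  openssl req -new -sha256 -key "$key" -subj "/" -reqexts SAN \
    -config <(cat /etc/pki/tls/openssl.cnf <(san_config "$@")) \
    > "$csr.tmp" || { rm -f -- "$csr.tmp"; return 1; }
  mv -- "$csr.tmp" "$csr"
}

# Download the intermediate certificate once into certs/intermediate.pem.
# The download is only installed if it parses as an X.509 certificate, so an
# HTML error page can never end up inside a served chain.
fetch_intermediate() {
  local out="$dir/certs/intermediate.pem" tmp
  tmp=$(mktemp "$dir/certs/intermediate.XXXXXX")
  if ! wget -q -O "$tmp" "$intermediate_url" || ! openssl x509 -noout -in "$tmp"; then
    rm -f -- "$tmp"
    printf 'failed to fetch a valid intermediate from %s\n' "$intermediate_url" >&2
    return 1
  fi
  mv -- "$tmp" "$out"
}

# Copy the current chain file (if any) to a dated backup before it is rebuilt.
backup_chain() {
  local domain=$1 chained="$dir/certs/$domain-chained.pem" datestamp
  if [[ -f "$chained" ]]; then
    datestamp=$(date +"%m%d%Y")
    cp -- "$chained" "$dir/certs/$domain-backup-$datestamp.pem"
  fi
}

# Run acme_tiny for <domain> and, on success, install <domain>-signed.crt and
# rebuild <domain>-chained.pem. On failure the previous files are untouched
# (the original redirected acme_tiny straight into the .crt, so a failed run
# left an empty certificate behind).
issue_cert() {
  local domain=$1
  local signed="$dir/certs/$domain-signed.crt" chained="$dir/certs/$domain-chained.pem" tmp
  tmp=$(mktemp "$dir/certs/$domain-signed.XXXXXX")
  if ! python "$dir/acme_tiny.py" \
      --account-key "$dir/account.key" \
      --csr "$dir/$domain.csr" \
      --acme-dir "$dir/challenges/" \
      > "$tmp" || ! openssl x509 -noout -in "$tmp"; then
    rm -f -- "$tmp"
    printf 'certificate issuance failed for %s; keeping the previous chain\n' "$domain" >&2
    return 1
  fi
  mv -- "$tmp" "$signed"
  # Chain order for nginx: leaf first, then the intermediate.
  cat -- "$signed" "$dir/certs/intermediate.pem" > "$chained"
}

# Read one hostname per line from "$1" into the global array `hosts`,
# ignoring blank lines and CR line endings.
read_hosts() {
  local host
  hosts=()
  while IFS=$' \t\r' read -r host || [[ -n "$host" ]]; do
    [[ -n "$host" ]] && hosts+=("$host")
  done < "$1"
}

shopt -s nullglob
fetch_intermediate
for config in "$dir"/domains/*; do
  domain=$(basename "$config")
  echo "Processing certs for $domain"
  read_hosts "$config"
  if (( ${#hosts[@]} == 0 )); then
    printf '%s lists no hostnames, skipping\n' "$config" >&2
    continue
  fi
  backup_chain "$domain"
  make_csr "$domain" "${hosts[@]}"
  issue_cert "$domain"
done

# Restart nginx so it picks up the new chain files.
/etc/init.d/nginx restart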