Let's Encrypt manual certificate renewal for a static private key
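#!/bin/bash
# Cron wrapper, call this directly from your cron. Depends on renew script (letsencrypt_manual_renew.sh).
#
# Runs the renew script and mails its output to ADMIN_EMAIL when it fails.
# On success every daemon that serves the certificate is reloaded; a daemon
# that cannot be reloaded keeps serving the old certificate, so a failed
# reload is reported by mail and by a non-zero exit status as well, instead
# of being lost in the cron output.
set -u

ADMIN_EMAIL=hostmaster@server.tld
RENEW_SCRIPT=/srv/data_server/certs/tools/letsencrypt_manual_renew.sh

# Mail a report to the admin. $1 is the subject, the body is read from stdin.
notify_admin() {
  local subject=$1
  /usr/bin/mail -s "$subject" "$ADMIN_EMAIL"
}

# Reload one unit via systemctl ($1 = systemctl verb, $2 = unit). A failure is
# recorded in reload_failed rather than aborting, so the remaining daemons
# still pick up the new certificate.
reload_daemon() {
  local verb=$1 unit=$2
  if ! /bin/systemctl "$verb" "$unit"; then
    reload_failed+=("$unit")
  fi
}

# Capture stdout and stderr together so the error mail carries the full log.
RENEWLOG=$("$RENEW_SCRIPT" 2>&1)
rc=$?
if [[ $rc -ne 0 ]]; then
  echo "Renewal error."
  printf '%s\n' "$RENEWLOG" | notify_admin "Error: Could not renew TLS certificates"
else
  echo "Renewed"
  # Reload all daemons using this certificate
  reload_failed=()
  reload_daemon reload nginx
  reload_daemon reload prosody
  reload_daemon reload postfix
  reload_daemon force-reload dovecot
  if (( ${#reload_failed[@]} > 0 )); then
    rc=1
    echo "Error: Could not reload: ${reload_failed[*]}"
    printf 'Certificate renewed, but these daemons could not be reloaded and may still serve the old certificate:\n%s\n' \
      "${reload_failed[*]}" \
      | notify_admin "Error: TLS certificate renewed but daemons not reloaded"
  else
    echo "Daemons reloaded"
  fi
fi
exit $rc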
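#!/bin/bash
# Renew script, called from cron wrapper script (letsencrypt_cron_wrapper.sh).
#
# Requests a new certificate for the existing CSR ($CERTS_PATH/server.csr),
# stages the result under $CERTS_PATH/next and swaps it into
# $CERTS_PATH/current only after the CA call succeeded. Each step of the
# swap is checked: a half-finished swap used to exit 0 and let the wrapper
# reload daemons against a missing certificate directory. Exits non-zero on
# any error so the wrapper reports it.
#
# NOTE: the private key behind server.csr is reused on every run and is never
# rotated by this script.
set -u

WEB_PATH=/srv/data_server/web
CERTS_PATH=/srv/data_server/certs
NEXT=$CERTS_PATH/next
CURRENT=$CERTS_PATH/current
PREVIOUS=$CERTS_PATH/previous

# Fresh staging directory; whatever an aborted run left behind is discarded.
rm -r "$NEXT" 2> /dev/null
if ! mkdir "$NEXT"; then
  echo "Error: Could not create $NEXT"
  exit 1
fi

/usr/bin/letsencrypt certonly -a webroot \
  --webroot-path="$WEB_PATH/default" \
  --csr="$CERTS_PATH/server.csr" \
  --cert-path="$NEXT/server.crt.only" \
  --chain-path="$NEXT/server.crt.chain" \
  --fullchain-path="$NEXT/server.crt.full" \
  --text --non-interactive
rc=$?
if [[ $rc -ne 0 ]]; then
  echo "Error: Could not renew"
  # Rollback (cleanup): current was never touched, only the staging dir goes.
  rm -r "$NEXT"
  echo "Previous certificate is still active"
  exit $rc
fi
echo "Success: Renewed"

# Validate (consolidate): move current aside, then promote next.
rm -r "$PREVIOUS" 2> /dev/null
if [[ -d "$CURRENT" ]]; then
  # On the very first run there is no current directory to move aside.
  if ! mv "$CURRENT" "$PREVIOUS"; then
    echo "Error: Could not move $CURRENT aside; new certificate left in $NEXT"
    exit 1
  fi
fi
if ! mv "$NEXT" "$CURRENT"; then
  echo "Error: Could not activate $NEXT"
  # Put the old certificate back so daemons still have a valid file to reload.
  if [[ -d "$PREVIOUS" ]]; then
    mv "$PREVIOUS" "$CURRENT"
  fi
  exit 1
fi

# Revoke previous certificate. A failed revocation is only a warning: the new
# certificate is already active at this point.
if [[ -e "$PREVIOUS/server.crt.full" ]]; then
  if ! /usr/bin/letsencrypt revoke --cert-path "$PREVIOUS/server.crt.full" --text --non-interactive; then
    echo "Warning: Previous certificate could not be revoked"
  fi
  # Final cleanup
  rm -r "$PREVIOUS"
fi
echo "Renewed certificate now active"
exit 0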