certbot续期脚本, 同时更新aws cloudfront证书
#!/usr/bin/env bash
# certbot续期脚本, 同时更新aws cloudfront证书
# 参考 https://taylor.callsen.me/lets-encrypt-integrating-certificate-auto-renewal-with-aws-cloudfront/
# 1. 生成网站的泛域名证书 certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
# 2. 每月续期 crontab -e
# 0 0 * */1 * /usr/bin/certbot certonly --manual --force-renew --preferred-challenges dns -d *.catlabs.cn -d catlabs.cn
# 3. 安装aws cli:
# $ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# unzip awscliv2.zip
# sudo ./aws/install
# 4. 部署钩子脚本
# certbot renew --deploy-hook .../certbot-aws.sh
# cp certbot-cloudfront.sh /etc/letsencrypt/renewal-hooks/deploy
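set -euo pipefail
# Credentials: prefer supplying them through the environment or an IAM
# role/profile instead of editing this file; the placeholders below are only
# used when the variables are not already set (keeps the old behaviour for a
# script run with a bare environment).
export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-XXXXXXXXXXXX}"
export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-xxxxxxxxxxxxxxxxxx}"
# CloudFront only uses ACM certificates stored in us-east-1 — do not change.
export AWS_DEFAULT_REGION=us-east-1
export PYTHONIOENCODING=utf8
DOMAIN=xxxx.com
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
# Upload the renewed certificate to ACM and keep its ARN for the CloudFront
# update below. --query/--output text replaces the extra python3 JSON parse.
newCertARN=$(aws acm import-certificate \
  --certificate "fileb://$LIVE_DIR/cert.pem" \
  --private-key "fileb://$LIVE_DIR/privkey.pem" \
  --certificate-chain "fileb://$LIVE_DIR/fullchain.pem" \
  --query CertificateArn --output text)
# An empty ARN would otherwise be written into the distribution config later.
[[ -n "$newCertARN" ]] || { echo "ACM import returned no CertificateArn" >&2; exit 1; }
echo "newCertARN: $newCertARN"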
# 修改单个DIST_ID的配置
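#######################################
# Point one CloudFront distribution at the newly imported ACM certificate.
# Globals:   newCertARN (read) - ARN returned by `aws acm import-certificate`
# Arguments: $1 - CloudFront distribution id
# Outputs:   progress lines on stdout; aws errors go to stderr
# Returns:   0 on success; non-zero (and, under set -e, script exit) if the
#            config fetch or the update fails
#######################################
update() {
  local dist_id=$1
  local response etag new_config
  : "${newCertARN:?newCertARN must be set before calling update}"
  # Fetch the distribution config ONCE so the ETag and the body belong to the
  # same revision; two separate fetches (as before) can hand back a stale
  # ETag and make update-distribution fail its precondition.
  response=$(aws cloudfront get-distribution-config --id "$dist_id") || return
  etag=$(python3 -c 'import sys, json; print(json.load(sys.stdin)["ETag"])' <<<"$response")
  echo "etag: $etag"
  # The ARN is passed as an argv value, not spliced into the Python source, so
  # a quote or other special character in it cannot break or alter the program.
  new_config=$(python3 -c '
import sys, json
arn = sys.argv[1]
cfg = json.load(sys.stdin)["DistributionConfig"]
vc = cfg["ViewerCertificate"]
vc["ACMCertificateArn"] = arn
vc["Certificate"] = arn  # legacy field; set alongside ACMCertificateArn as the original did
print(json.dumps(cfg))
' "$newCertARN" <<<"$response")
  #echo "DistConfig: $new_config"
  aws cloudfront update-distribution --id "$dist_id" --if-match "$etag" \
    --distribution-config "$new_config" > /dev/null
  # No "$?" here: under set -e a failed update never reaches this line, so the
  # old status print was always 0.
  echo "update ok: $dist_id"
}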
# 更新同一个域名下的不同子域
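# Distributions to switch to the new certificate (one per sub-domain served
# from the same wildcard certificate); add further ids to the array.
DIST_IDS=(EXXXXXXXXXXXX)
for dist_id in "${DIST_IDS[@]}"; do
  update "$dist_id"
done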