blob: 8a150549e26ace87c5dc6c724cf0b97b556aaa9e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#!/usr/bin/env bash
single=0 # merge the certs into a single cert
force=0 # if to skip similariaty checks or not
quiet=0 # should i shut up?!?!? :<
cert='cert.pem' # where the public cert should go
key='cert.key' # where the private cert should go
domain='localhost' # the domain to copy certs from
usage() {
printf "usage: recert [-hsfq] [-d DOMAIN] [-c CERT] [-k KEY]\n\n"
printf "\t-h\t\tshow the help message\n"
printf "\t-s\t\tcombine the certs into a single cert\n"
printf "\t-f\t\tskip cert equal checks (force)\n"
printf "\t-q\t\tquiet output\n"
printf "\t-d DOMAIN\tthe domain name to recert\n"
printf "\t-c CERT\t\tthe destination path for the cert\n"
printf "\t-k KEY\t\tthe destination path for the key (no -s)\n"
}
hash() {
if [ -f "$1" ]; then
sha3sum "$1" | awk '{ print $1 }';
fi
}
letscert() {
certbot certonly \
--preferred-chain "ISRG Root X1" \
--key-type rsa \
--webroot --webroot-path "/var/www/html" \
-d "$1"
}
recert_log() {
if [ $quiet = 0 ]; then
printf "$*" 1>&2
fi
}
chk_command() {
if ! command -v "$1" > /dev/null; then
>&2 echo "error: command '$1' could not be found"
exit 1
fi
}
while getopts ":hsfqd:c:k:" arg > /dev/null; do
case $arg in
h)
usage
exit 0
;;
s)
single=1
;;
f)
force=1
;;
q)
quiet=1
;;
d)
domain=${OPTARG}
;;
c)
cert=${OPTARG}
;;
k)
key=${OPTARG}
;;
?)
echo "unknown option"
exit 1
;;
esac
done
chk_command "getopts"
chk_command "certbot"
chk_command "openssl"
if [ ! "$cert" = "cert.pem" ] && [ "$key" = "cert.key" ]; then
name=${cert%.*}
key="$name.key"
fi
# Step 1: make sure letsencrypt certs exist (create if not)
lets_root="/etc/letsencrypt/live"
lets_cert="$lets_root/$domain/fullchain.pem"
lets_key="$lets_root/$domain/privkey.pem"
if [ ! -f "$lets_cert" ] && [ ! -f "$lets_key" ]; then
letscert "$domain"
fi
# Step 2: make sure certs wont expire soon (create if will)
if openssl x509 -checkend 604800 -noout -in "$lets_cert" > /dev/null; then
# certificate is good, only update if forced
if [ $force = 1 ]; then
rm "$lets_root"/*
rmdir "$lets_root"
recert_log "renewing... "
letscert "$domain"
else
recert_log "up to date... "
fi
else
recert_log "renewing... "
letscert "$domain"
fi
# Step 3: store lets encrypt cert into tmp file
tmp=$(mktemp)
if [ $single = 1 ]; then
{
cat "$lets_cert";
echo;
cat "$lets_key";
} >> "$tmp"
fi
# Step 4: copy certs
recert_log "copied certs\n"
if [ $single = 1 ]; then
cp "$tmp" "$cert"
else
cp "$lets_cert" "$cert"
cp "$lets_key" "$key"
fi
# Cleanup
rm "$tmp"
|
