106 lines
3.2 KiB
Bash
106 lines
3.2 KiB
Bash
|
#!/bin/bash
|
|||
|
|
# This script will run on new cert and on cron renew
|
|||
|
|
# there is one cert by service
|
|||
|
|
|
|||
|
|
# TODO make it an ansible script
|
|||
|
|
# No
|
|||
|
|
|
|||
|
|
# Les arguments du pauvre
|
|||
|
|
if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then
|
|||
|
|
verbose=true
|
|||
|
|
else
|
|||
|
|
verbose=false
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
# Variable
|
|||
|
|
acmeroot=/var/www/letsencrypt
|
|||
|
|
|
|||
|
|
# Création du répertoire
|
|||
|
|
mkdir -p "$acmeroot"
|
|||
|
|
|
|||
|
|
# With trailing slash or it will be a prefix selector
|
|||
|
|
#nginx_sites_dir="/etc/nginx/sites-enabled/"
|
|||
|
|
nginx_sites_dir="/etc/nginx/sites-enabled/"
|
|||
|
|
|
|||
|
|
for file in "$nginx_sites_dir"* ; do
|
|||
|
|
if $verbose ; then
|
|||
|
|
echo '-------------------------'
|
|||
|
|
echo "$file"
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
service_name="$(basename "$file")"
|
|||
|
|
|
|||
|
|
# Getting just the domain names
|
|||
|
|
domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
|
|||
|
|
if [ -n "$domains" ] ; then
|
|||
|
|
# If using dummy cert, disabling it
|
|||
|
|
if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
|
|||
|
|
rm -r "/etc/letsencrypt/live/$service_name"
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
# removing duplicates
|
|||
|
|
domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
|
|||
|
|
echo "$domains"
|
|||
|
|
|
|||
|
|
# adding -d before every domain
|
|||
|
|
domains="-d $(echo $domains | sed 's/ / -d /g')"
|
|||
|
|
|
|||
|
|
# Run certbot
|
|||
|
|
command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains"
|
|||
|
|
if $verbose ; then
|
|||
|
|
echo $command
|
|||
|
|
fi
|
|||
|
|
out="$($command 2>&1)"
|
|||
|
|
result="$?"
|
|||
|
|
|
|||
|
|
if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then
|
|||
|
|
echo "Cert still valid"
|
|||
|
|
elif [ "$result" -eq 0 ] ; then
|
|||
|
|
echo "Cert renewed or obtained"
|
|||
|
|
#new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')"
|
|||
|
|
#echo "'$new_cert'"
|
|||
|
|
#new_cert_dir="$(dirname "$out")"
|
|||
|
|
#echo "'$new_cert_dir'"
|
|||
|
|
|
|||
|
|
#if [ -d "$new_cert_dir" ] ; then
|
|||
|
|
# echo "New cert dir : '$new_cert_dir'"
|
|||
|
|
# echo "cp '$new_cert_dir/*' '/data/proxy/certs/'"
|
|||
|
|
#else
|
|||
|
|
# echo "Error parsiong dir name"
|
|||
|
|
#fi
|
|||
|
|
|
|||
|
|
elif [ "$result" -eq 1 ] ; then
|
|||
|
|
echo "Cert failed"
|
|||
|
|
echo " ------------------------------------------"
|
|||
|
|
echo "$out"
|
|||
|
|
echo " ------------------------------------------"
|
|||
|
|
else
|
|||
|
|
echo "Unknown error : $result.\n$out"
|
|||
|
|
fi
|
|||
|
|
fi
|
|||
|
|
done
|
|||
|
|
|
|||
|
|
ls /etc/letsencrypt/live/*000* &> /dev/null
|
|||
|
|
if [ "$?" -eq 0 ] ; then
|
|||
|
|
echo " ---------------------------------------------------------------------------------------------"
|
|||
|
|
echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
|
|||
|
|
echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
|
|||
|
|
echo " ---------------------------------------------------------------------------------------------"
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
|
|||
|
|
nginx -t
|
|||
|
|
code="$?"
|
|||
|
|
if [ "$code" -ne 0 ] ; then
|
|||
|
|
echo "Nginx test error, can’t reloat it"
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
|
|||
|
|
nginx -s reload
|
|||
|
|
code="$?"
|
|||
|
|
if [ "$code" -ne 0 ] ; then
|
|||
|
|
echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
|
|||
|
|
exit 1
|
|||
|
|
fi
|
|||
|
|
echo "Done. No error detected."
|