#!/bin/bash
# Strict mode: abort on an unhandled error, on an unset variable, and on any
# failing stage of a pipeline. Dropping the space from IFS means unquoted
# expansions split on newlines and tabs only, so names containing spaces
# survive word splitting.
set -e
set -u
set -o pipefail
IFS=$'\n\t'
#############
# This script re-signs (renews) certificates that are already in use.
# It uses lets-ca.sh to do this.
# by Dennis Eriksen, dennis@eriksen.im, 2015-12-21
#############
################################################################################
# TODO
################################################################################
# Make sure the script doesn't just loop over infinitely many certificates. It
# should probably handle ~5/week. I'm thinking it should take the five oldest,
# that are over one month old.
################################################################################
# Config
################################################################################
# Directory holding one sub-directory per domain (key, crt, csr, services).
declare -r CERTDIR='/etc/letsencrypt/certs'
# Helper that performs the actual signing (-s) and deployment (-d).
declare -r LETSCASH='/usr/local/sbin/lets-ca.sh'
# Not referenced anywhere in this script; kept for compatibility.
declare -r LOGFILE='/var/log/lets-ca.sh-cron.log'
# TRUE enables stdout logging and xtrace and suppresses all real work.
declare -r DEBUG=FALSE
# Time To Expiry: a certificate is re-signed once fewer than this many
# seconds of validity remain.
declare -r TTE=$((60 * 24 * 60 * 60)) # 60 days, in seconds.
# Per-run cap on the number of certificates handled.
declare -r NUMCERTS=3
# Scratch file collecting service names to reload; removed by cleanup().
TMP="$(mktemp)"
################################################################################
# echo
################################################################################
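#######################################
# Informational log line. Shadows the builtin `echo` for the rest of the
# script: the message is always sent to syslog at cron.info and is printed to
# stdout only when DEBUG is TRUE.
# Globals:   DEBUG (read)
# Arguments: the message; all arguments are joined with single spaces
#            (the original only logged $1 and silently dropped the rest)
# Outputs:   message on stdout when DEBUG is TRUE
# Returns:   exit status of logger
#######################################
echo() {
  local msg
  local IFS=' ' # join with spaces even though the global IFS has none
  msg="$*"
  if [[ "$DEBUG" == TRUE ]]; then
    # printf rather than the builtin: a message starting with "-n"/"-e"
    # would otherwise be eaten as an option.
    printf '%s\n' "$msg"
  fi
  logger -p cron.info -t lets-ca.sh-cron -- "$msg"
}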
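#######################################
# Error log line: printed to stdout unconditionally and sent to syslog at
# cron.err; logger's -s additionally copies it to stderr.
# Arguments: the message; all arguments are joined with single spaces
#            (the original only logged $1 and silently dropped the rest)
# Outputs:   message on stdout (and on stderr via logger -s)
# Returns:   exit status of logger
#######################################
error() {
  local msg
  local IFS=' ' # join with spaces even though the global IFS has none
  msg="$*"
  # printf rather than the builtin so a leading "-n"/"-e" is not eaten.
  printf '%s\n' "$msg"
  logger -p cron.err -s -t lets-ca.sh-cron -- "$msg"
}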
################################################################################
# cleanup
################################################################################
# Remove the scratch file on every exit path; on INT/TERM report the early
# exit first. Both handlers are defined further down, which is fine: the
# name is looked up when the trap fires, not when it is installed.
trap 'caughterror' INT TERM
trap 'cleanup' EXIT
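#######################################
# Remove the scratch file. Must be idempotent: it runs from the EXIT trap and
# is also called explicitly by caughterror, which then calls exit and fires
# the EXIT trap a second time — the original `rm $TMP` failed noisily on that
# second run.
# Globals:   TMP (read)
# Returns:   0, also when the file is already gone or TMP is unset
#######################################
cleanup() {
  if [[ -n "${TMP:-}" ]]; then
    rm -f -- "$TMP"
  fi
}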
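#######################################
# INT/TERM handler: clean up, log the early exit and terminate with a
# non-zero status.
# Globals:   none written
# Returns:   does not return; exits with the status of the interrupted
#            command, or 1 when that status was 0
#######################################
caughterror() {
  local rv=$? # must be the first statement: anything else clobbers $?
  # A signal delivered between two commands leaves $? at 0, which would make
  # an aborted run look successful to cron; force a failure status instead.
  if (( rv == 0 )); then
    rv=1
  fi
  cleanup
  error "Script exited early. Something happened."
  exit "$rv"
}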
################################################################################
# main
################################################################################
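#######################################
# Walk every domain directory under CERTDIR, re-sign and deploy the
# certificates that are about to expire (at most NUMCERTS per run), then
# reload the services those certificates listed.
#
# Directory names are passed to lets-ca.sh and the lines of each `services`
# file are passed to `systemctl reload`, so CERTDIR must only be writable by
# the administrator running this script.
#
# Fixes against the original: `-z "$path"` tested the path string (always
# non-empty) where a non-empty *file* test (-s) was intended, twice; `ls`
# output was parsed; a failing lets-ca.sh call aborted the whole run via
# set -e without any log line.
# Globals:   CERTDIR, LETSCASH, TTE, NUMCERTS, DEBUG, TMP (read);
#            TMP's contents are appended to
# Returns:   0
#######################################
main() {
  local dir domain service
  local handled=0
  # A glob instead of `ls`: names with whitespace stay intact. Without
  # nullglob an unmatched pattern is returned literally; the -d test drops
  # it. Plain files in CERTDIR are skipped silently.
  for dir in "$CERTDIR"/*/; do
    [[ -d "$dir" ]] || continue
    dir=${dir%/}
    domain=${dir##*/}
    # Don't do more certs than specified
    if (( handled >= NUMCERTS )); then
      echo "\$NUMCERTS reached. $domain will have to wait."
      continue
    fi
    # Check if all the files are there
    if [[ ! -f "$dir/$domain.key" || ! -f "$dir/$domain.crt" \
        || ! -f "$dir/$domain.csr" ]]; then
      error "The CRT, CSR or KEY for $domain seems to be missing."
      # Let's continue the for-loop instead of aborting.
      continue
    fi
    # openssl exits 0 when the cert is still valid TTE seconds from now;
    # any other status (including an unreadable cert) falls through to
    # renewal.
    if openssl x509 -in "$dir/$domain.crt" -noout -checkend "$TTE"; then
      echo "$domain is still valid for at least another $((TTE / 86400)) days."
      continue
    fi
    # Count the attempt before making it, so a persistently failing cert
    # still consumes one of the NUMCERTS slots rather than being retried
    # without limit.
    handled=$((handled + 1))
    # Do the dirty deed
    echo "Resigning $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      if ! "$LETSCASH" -q -s "$domain"; then
        error "Resigning $domain failed. Skipping deploy."
        continue
      fi
    fi
    echo "Deploying $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      if ! "$LETSCASH" -q -d "$domain"; then
        error "Deploying $domain failed."
        continue
      fi
    fi
    # Queue the services listed with the cert (one unit name per line);
    # done only after a successful deploy so a failed cert triggers no reload.
    if [[ -s "$dir/services" ]]; then
      cat -- "$dir/services" >> "$TMP"
    fi
  done
  # Reload any services associated with the certificates (if specified).
  # Process substitution keeps the loop in the current shell; the `||` on
  # read handles a final line without a newline.
  if [[ -s "$TMP" ]]; then
    while IFS= read -r service || [[ -n "$service" ]]; do
      [[ -n "$service" ]] || continue
      echo "Reloading $service"
      if [[ "$DEBUG" != TRUE ]]; then
        systemctl reload "$service" || error "Reloading $service failed."
      fi
    done < <(sort -u -- "$TMP")
  fi
}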
# Entry point: trace every command when debugging, run the job, and always
# report success to cron (a failure earlier in main aborts via set -e).
if [[ "$DEBUG" == TRUE ]]; then
  set -x
fi
main
exit 0