authorDennis Eriksen <dennis@eriksen.im>2016-01-18 14:23:40 +0100
committerDennis Eriksen <dennis@eriksen.im>2016-01-18 14:23:40 +0100
commit55562c573adf8a66a9ecacecd0f2ee473cf4c29f (patch)
treeb61c374127071bceceb9c25dd9564fdec3ed8efb /lets-ca.sh-cron
initial commit
Diffstat (limited to '')
-rw-r--r--lets-ca.sh-cron156
1 files changed, 156 insertions, 0 deletions
diff --git a/lets-ca.sh-cron b/lets-ca.sh-cron
new file mode 100644
index 0000000..da75067
--- /dev/null
+++ b/lets-ca.sh-cron
@@ -0,0 +1,156 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+#############
+
+# This script resigns certificates already in use.
+# It uses lets-ca.sh to do this.
+
+# by Dennis Eriksen, dennis@eriksen.im, 2015-12-21
+
+#############
+
+
+
+
+################################################################################
+
+# TODO
+
+################################################################################
+
+# Make sure the script doesn't just loop over infinitely many certificates. It
+# should probably handle ~5/week. I'm thinking it should take the five oldest,
+# that are over one month old.
+
+
+
+################################################################################
+
+# Config
+
+################################################################################
+
+readonly CERTDIR="/etc/letsencrypt/certs"
+
+readonly LETSCASH="/usr/local/sbin/lets-ca.sh"
+
+readonly LOGFILE="/var/log/lets-ca.sh-cron.log"
+
+readonly DEBUG=FALSE
+
+# Time To Expiry - When do we resign certificates?
+readonly TTE=5184000 # 60 days.
+
+# How many certs do we take each run?
+readonly NUMCERTS=3
+
+TMP=$(mktemp)
+
+
+
+################################################################################
+
+# echo
+
+################################################################################
+
+echo() {
+ [[ "$DEBUG" == TRUE ]] && builtin echo "$1"
+ logger -p cron.info -t lets-ca.sh-cron "$1"
+}
+
+error() {
+ builtin echo "$1"
+ logger -p cron.err -s -t lets-ca.sh-cron "$1"
+}
+
+
+
+################################################################################
+
+# cleanup
+
+################################################################################
+
+trap cleanup EXIT
+trap caughterror INT TERM
+
+cleanup() {
+ rm $TMP
+}
+
+caughterror() {
+ local rv=$?
+ cleanup
+ error "Script exited early. Something happened."
+ exit $rv
+}
+
+
+
+################################################################################
+
+# main
+
+################################################################################
+
+main() {
+ local domain
+ local i=0
+
+ for domain in $(ls $CERTDIR); do
+
+ # Don't do more certs than specified
+ if [[ $i == $NUMCERTS ]]; then
+ echo "\$NUMCERTS reached. $domain will have to wait."
+ continue
+ fi
+
+ # Check if all the files are there
+ if [[ ! -f "$CERTDIR/$domain/$domain.key" ]] || \
+ [[ ! -f "$CERTDIR/$domain/$domain.crt" ]] || \
+ [[ ! -f "$CERTDIR/$domain/$domain.csr" ]]; then
+ error "The CRT, CSR or KEY for $domain seems to be missing."
+ # Let's continue the for-loop instead of aborting.
+ continue
+ fi
+
+ # There's no need to renew certs with more than 60 days of validity left
+ if openssl x509 -in $CERTDIR/$domain/$domain.crt -noout -checkend $TTE; then
+ echo "$domain is still valid for at least another $(($TTE/60/60/24))days."
+ continue
+ fi
+
+ # Check if there are any services specified with the cert
+ if [[ -f "$CERTDIR/$domain/services" ]] && \
+ [[ ! -z "$CERTDIR/$domain/services" ]]; then
+ cat $CERTDIR/$domain/services >> $TMP
+ fi
+
+ # Do the dirty deed
+ echo "Resigning $domain"
+ [[ ! "$DEBUG" == TRUE ]] && $LETSCASH -q -s $domain
+ echo "Deploying $domain"
+ [[ ! "$DEBUG" == TRUE ]] && $LETSCASH -q -d $domain
+
+ # Number of domains handled so far.
+ ((i+=1))
+
+ done
+
+ # Reload any services associated with the certificates (if specified)
+ if [[ ! -z "$TMP" ]]; then
+ for service in $(sort $TMP | uniq); do
+ echo "Reloading $service"
+ [[ ! "$DEBUG" == TRUE ]] && systemctl reload $service
+ done
+ fi
+
+}
+
+[[ "$DEBUG" == TRUE ]] && set -x
+
+main
+
+exit 0
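Review bot: The `-z` tests at the services check and before the reload loop (`[[ ! -z "$CERTDIR/$domain/services" ]]`, `[[ ! -z "$TMP" ]]`) examine the literal path string, which is never empty, so both conditions are always true; the intent is a non-empty file, i.e. `[[ -s "$CERTDIR/$domain/services" ]]` and `[[ -s "$TMP" ]]`. The domain loop should not parse `ls` either — `for d in "$CERTDIR"/*/; do domain=${d%/}; domain=${domain##*/}` — and the unquoted `$domain`, `$service` and `$TMP` expansions in the openssl call, the two `$LETSCASH` invocations, `systemctl reload` and `rm $TMP` should be double-quoted: the narrowed IFS stops word-splitting but not globbing. The only error trap covers INT/TERM, so a non-zero exit from `$LETSCASH` under `set -e` runs just the EXIT trap and leaves no log entry; consider `trap caughterror INT TERM ERR` together with `set -E` (so it fires inside `main`) and `rm -f -- "$TMP"` in `cleanup`, which makes the resulting double cleanup harmless.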