diff options
author | Dennis Eriksen <dennis@eriksen.im> | 2016-01-18 14:23:40 +0100 |
---|---|---|
committer | Dennis Eriksen <dennis@eriksen.im> | 2016-01-18 14:23:40 +0100 |
commit | 55562c573adf8a66a9ecacecd0f2ee473cf4c29f (patch) | |
tree | b61c374127071bceceb9c25dd9564fdec3ed8efb /lets-ca.sh-cron | |
download | lets-ca.sh-55562c573adf8a66a9ecacecd0f2ee473cf4c29f.tar.gz |
initial commit
Diffstat (limited to '')
-rw-r--r-- | lets-ca.sh-cron | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/lets-ca.sh-cron b/lets-ca.sh-cron new file mode 100644 index 0000000..da75067 --- /dev/null +++ b/lets-ca.sh-cron @@ -0,0 +1,156 @@ +#!/bin/bash +set -euo pipefail +IFS=$'\n\t' +############# + +# This script resigns certificates already in use. +# It uses lets-ca.sh to do this. + +# by Dennis Eriksen, dennis@eriksen.im, 2015-12-21 + +############# + + + + +################################################################################ + +# TODO + +################################################################################ + +# Make sure the script doesn't just loop over infinitely many certificates. It +# should probably handle ~5/week. I'm thinking it should take the five oldest, +# that are over one month old. + + + +################################################################################ + +# Config + +################################################################################ + +readonly CERTDIR="/etc/letsencrypt/certs" + +readonly LETSCASH="/usr/local/sbin/lets-ca.sh" + +readonly LOGFILE="/var/log/lets-ca.sh-cron.log" + +readonly DEBUG=FALSE + +# Time To Expiry - When do we resign certificates? +readonly TTE=5184000 # 60 days. + +# How many certs do we take each run? +readonly NUMCERTS=3 + +TMP=$(mktemp) + + + +################################################################################ + +# echo + +################################################################################ + +echo() { + [[ "$DEBUG" == TRUE ]] && builtin echo "$1" + logger -p cron.info -t lets-ca.sh-cron "$1" +} + +error() { + builtin echo "$1" + logger -p cron.err -s -t lets-ca.sh-cron "$1" +} + + + +################################################################################ + +# cleanup + +################################################################################ + +trap cleanup EXIT +trap caughterror INT TERM + +cleanup() { + rm $TMP +} + +caughterror() { + local rv=$? + cleanup + error "Script exited early. Something happened." + exit $rv +} + + + +################################################################################ + +# main + +################################################################################ + +main() { + local domain + local i=0 + + for domain in $(ls $CERTDIR); do + + # Don't do more certs than specified + if [[ $i == $NUMCERTS ]]; then + echo "\$NUMCERTS reached. $domain will have to wait." + continue + fi + + # Check if all the files are there + if [[ ! -f "$CERTDIR/$domain/$domain.key" ]] || \ + [[ ! -f "$CERTDIR/$domain/$domain.crt" ]] || \ + [[ ! -f "$CERTDIR/$domain/$domain.csr" ]]; then + error "The CRT, CSR or KEY for $domain seems to be missing." + # Let's continue the for-loop instead of aborting. + continue + fi + + # There's no need to renew certs with more than 60 days of validity left + if openssl x509 -in $CERTDIR/$domain/$domain.crt -noout -checkend $TTE; then + echo "$domain is still valid for at least another $(($TTE/60/60/24))days." + continue + fi + + # Check if there are any services specified with the cert + if [[ -f "$CERTDIR/$domain/services" ]] && \ + [[ ! -z "$CERTDIR/$domain/services" ]]; then + cat $CERTDIR/$domain/services >> $TMP + fi + + # Do the dirty deed + echo "Resigning $domain" + [[ ! "$DEBUG" == TRUE ]] && $LETSCASH -q -s $domain + echo "Deploying $domain" + [[ ! "$DEBUG" == TRUE ]] && $LETSCASH -q -d $domain + + # Number of domains handled so far. + ((i+=1)) + + done + + # Reload any services associated with the certificates (if specified) + if [[ ! -z "$TMP" ]]; then + for service in $(sort $TMP | uniq); do + echo "Reloading $service" + [[ ! "$DEBUG" == TRUE ]] && systemctl reload $service + done + fi + +} + +[[ "$DEBUG" == TRUE ]] && set -x + +main + +exit 0 |