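#!/bin/bash
set -euo pipefail
IFS=$'\n\t'

#############
# This script resigns certificates already in use.
# It uses lets-ca.sh to do this.
# by Dennis Eriksen, dennis@eriksen.im, 2015-12-21
#
# Flow per run:
#   * walk every directory under $CERTDIR (one per domain),
#   * skip domains whose .crt is still valid for more than $TTE seconds,
#   * resign and deploy at most $NUMCERTS of the remaining ones via lets-ca.sh,
#   * afterwards `systemctl reload` every unit named in a domain's "services"
#     file, but only for domains that were actually resigned AND deployed.
#
# Set DEBUG=TRUE to trace the script and log what would be done without
# calling lets-ca.sh or systemctl.
#############

################################################################################
# TODO
################################################################################
# Make sure the script doesn't just loop over infinitely many certificates. It
# should probably handle ~5/week. I'm thinking it should take the five oldest,
# that are over one month old.
# (Currently the domains are simply visited in glob order and the first
# $NUMCERTS that need renewal are taken.)

################################################################################
# Config
################################################################################
readonly CERTDIR="/etc/letsencrypt/certs"
readonly LETSCASH="/usr/local/sbin/lets-ca.sh"
# Not used by this script itself; kept for cron/wrapper configuration.
# shellcheck disable=SC2034
readonly LOGFILE="/var/log/lets-ca.sh-cron.log"
readonly DEBUG=FALSE

# Time To Expiry - When do we resign certificates?
readonly TTE=5184000 # 60 days.

# How many certs do we take each run?
readonly NUMCERTS=3

# Collects the service names to reload. Created after the cleanup trap is
# installed so it cannot be leaked if something fails early.
TMP=""

################################################################################
# echo
################################################################################
# Informational log line: goes to syslog (cron.info) and, in debug mode, to
# stdout as well. Overrides the builtin, so the rest of the script uses
# `builtin echo` whenever it really wants plain output.
echo() {
  if [[ "$DEBUG" == TRUE ]]; then
    builtin echo "$1"
  fi
  logger -p cron.info -t lets-ca.sh-cron "$1"
}

# Error log line: always printed and also sent to syslog (cron.err);
# `-s` makes logger echo it to stderr as well.
error() {
  builtin echo "$1"
  logger -p cron.err -s -t lets-ca.sh-cron "$1"
}

################################################################################
# cleanup
################################################################################
# Remove the temp file. Safe to run more than once (EXIT trap plus explicit
# call from caughterror) and when mktemp never ran ($TMP empty).
cleanup() {
  if [[ -n "${TMP:-}" ]]; then
    rm -f -- "$TMP"
  fi
}

# INT/TERM handler: clean up, log, and propagate the status we were
# interrupted with.
caughterror() {
  local rv=$?
  cleanup
  error "Script exited early. Something happened."
  exit "$rv"
}

trap cleanup EXIT
trap caughterror INT TERM

TMP=$(mktemp)

################################################################################
# main
################################################################################
main() {
  local dir domain service
  local i=0
  # Only unit-looking names are passed to systemctl; anything else found in a
  # "services" file is logged and ignored. Extend the class if a legitimate
  # unit name (e.g. one using systemd's \x2d escapes) is ever rejected.
  local unit_re='^[[:alnum:]@._:-]+$'

  # Glob instead of parsing `ls`; nullglob so an empty $CERTDIR loops zero
  # times instead of once over the literal pattern.
  shopt -s nullglob
  for dir in "$CERTDIR"/*/; do
    domain=${dir%/}
    domain=${domain##*/}

    # Don't do more certs than specified
    if (( i >= NUMCERTS )); then
      echo "\$NUMCERTS reached. $domain will have to wait."
      continue
    fi

    # Check if all the files are there
    if [[ ! -f "$CERTDIR/$domain/$domain.key" ]] ||
       [[ ! -f "$CERTDIR/$domain/$domain.crt" ]] ||
       [[ ! -f "$CERTDIR/$domain/$domain.csr" ]]; then
      error "The CRT, CSR or KEY for $domain seems to be missing."
      # Let's continue the for-loop instead of aborting.
      continue
    fi

    # There's no need to renew certs with more than 60 days of validity left.
    # -checkend exits 0 when the cert is still valid $TTE seconds from now;
    # an unreadable cert makes openssl fail and therefore falls through to a
    # resign attempt.
    if openssl x509 -in "$CERTDIR/$domain/$domain.crt" -noout -checkend "$TTE"; then
      echo "$domain is still valid for at least another $((TTE/60/60/24))days."
      continue
    fi

    # Every resign/deploy attempt counts against $NUMCERTS, successful or
    # not, so a persistently failing domain cannot make the run try more
    # certificates than configured.
    i=$((i+1))

    # Do the dirty deed. `set -e` ignores failures inside `cmd && cmd` lists,
    # so each step is checked explicitly: a failed resign must not be
    # followed by a deploy, and a failed deploy must not trigger reloads.
    echo "Resigning $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      if ! "$LETSCASH" -q -s "$domain"; then
        error "Resigning $domain failed; it will not be deployed."
        continue
      fi
    fi

    echo "Deploying $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      if ! "$LETSCASH" -q -d "$domain"; then
        error "Deploying $domain failed; its services will not be reloaded."
        continue
      fi
    fi

    # Check if there are any services specified with the cert. -s: the file
    # exists and is non-empty. Recorded only after a successful deploy.
    if [[ -s "$CERTDIR/$domain/services" ]]; then
      cat -- "$CERTDIR/$domain/services" >> "$TMP"
    fi
  done

  # Reload any services associated with the certificates (if specified)
  if [[ -s "$TMP" ]]; then
    while IFS= read -r service; do
      if [[ -z "$service" ]]; then
        continue
      fi
      if [[ ! "$service" =~ $unit_re ]]; then
        error "Ignoring '$service' from a services file: not a plausible unit name."
        continue
      fi
      echo "Reloading $service"
      if [[ "$DEBUG" != TRUE ]]; then
        # `--` keeps a name that somehow starts with '-' from being parsed
        # as an option; a failed reload is logged but does not abort the
        # remaining reloads.
        systemctl reload -- "$service" || error "Reloading $service failed."
      fi
    done < <(sort -u -- "$TMP")
  fi
}

if [[ "$DEBUG" == TRUE ]]; then
  set -x
fi
main
exit 0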