#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
#############
# This script resigns certificates already in use.
# It uses lets-ca.sh to do this.
# by Dennis Eriksen, dennis@eriksen.im, 2015-12-21
#############
################################################################################
# TODO
################################################################################
# Make sure the script doesn't just loop over infinitely many certificates. It
# should probably handle ~5/week. I'm thinking it should take the five oldest,
# that are over one month old.
################################################################################
# Config
################################################################################
# One directory per domain: $CERTDIR/<domain>/<domain>.{key,crt,csr}, plus an
# optional "services" file listing units to reload after deployment.
declare -r CERTDIR="/etc/letsencrypt/certs"
# The helper that does the actual signing (-s) and deployment (-d).
declare -r LETSCASH="/usr/local/sbin/lets-ca.sh"
# Not referenced anywhere in this script as shown; kept for callers/sourcers.
declare -r LOGFILE="/var/log/lets-ca.sh-cron.log"
# TRUE: trace the script and print log lines to stdout, but skip the signing,
# deployment and service reloads.
declare -r DEBUG=FALSE
# Time To Expiry, in seconds. Certificates that expire within this window get
# resigned; everything else is left alone. 60 days.
declare -r TTE=5184000
# Upper bound on how many certificates a single run handles.
declare -r NUMCERTS=3
# Scratch file that collects service names to reload; removed by cleanup().
TMP="$(mktemp)"
################################################################################
# echo
################################################################################
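echo() {
  # Deliberately shadows the builtin: every "echo" in this script is a log
  # line. It is printed to stdout only in DEBUG mode and always sent to syslog.
  # printf is used instead of the builtin so a message that happens to start
  # with "-" (e.g. "-n") is printed verbatim, and "--" keeps logger from
  # parsing such a message as an option.
  # Arguments: $1 - the message
  # Returns:   logger's exit status
  if [[ "$DEBUG" == TRUE ]]; then
    printf '%s\n' "$1"
  fi
  logger -p cron.info -t lets-ca.sh-cron -- "$1"
}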
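error() {
  # Log an error: printed to stdout and sent to syslog at cron.err; -s makes
  # logger echo it to stderr as well. printf/"--" for the same reason as in
  # echo(): a message starting with "-" must not be swallowed or parsed as an
  # option.
  # Arguments: $1 - the message
  # Returns:   logger's exit status
  printf '%s\n' "$1"
  logger -p cron.err -s -t lets-ca.sh-cron -- "$1"
}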
################################################################################
# cleanup
################################################################################
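# Define the handlers before installing the traps, so a signal that arrives
# early never refers to a function that does not exist yet.
#######################################
# Remove the scratch file. Safe to call more than once: caughterror calls it
# and then the EXIT trap calls it again, so the second removal must not fail
# (under set -e a failing rm inside the EXIT trap would replace the script's
# exit status). "--" keeps an odd $TMP value from being parsed as an option.
# Globals:   TMP (read; may be unset/empty if mktemp failed)
# Returns:   0
#######################################
cleanup() {
  if [[ -n "${TMP:-}" ]]; then
    rm -f -- "$TMP"
  fi
}
#######################################
# INT/TERM handler: clean up, log, and exit with the status of the command
# that was interrupted.
# Returns:   does not return; exits with $? as seen on entry
#######################################
caughterror() {
  local rv=$?
  cleanup
  error "Script exited early. Something happened."
  exit "$rv"
}
trap cleanup EXIT
trap caughterror INT TERM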
################################################################################
# main
################################################################################
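#######################################
# Walk $CERTDIR, resign and deploy (via $LETSCASH) every certificate that
# expires within $TTE seconds, at most $NUMCERTS per run, then reload the
# services listed in each handled domain's "services" file.
# Globals:   CERTDIR, LETSCASH, TTE, NUMCERTS, DEBUG (read), TMP (appended to)
# Outputs:   log lines via echo()/error()
# Returns:   0; a failing resign/deploy/reload is logged and skipped rather
#            than aborting the whole run under set -e
#######################################
main() {
  local dir domain service
  local i=0
  # A glob instead of parsing `ls`: same sorted order, but safe with unusual
  # names and limited to directories.
  for dir in "$CERTDIR"/*/; do
    # With no match the literal pattern is left behind; skip it.
    [[ -d "$dir" ]] || continue
    domain=${dir%/}
    domain=${domain##*/}
    # Don't do more certs than specified
    if (( i >= NUMCERTS )); then
      echo "\$NUMCERTS reached. $domain will have to wait."
      continue
    fi
    # Check if all the files are there
    if [[ ! -f "$CERTDIR/$domain/$domain.key" || \
          ! -f "$CERTDIR/$domain/$domain.crt" || \
          ! -f "$CERTDIR/$domain/$domain.csr" ]]; then
      error "The CRT, CSR or KEY for $domain seems to be missing."
      # Let's continue the for-loop instead of aborting.
      continue
    fi
    # There's no need to renew certs with more than $TTE seconds of validity
    # left. -checkend succeeds when the cert is still valid at that point; an
    # unreadable cert fails the check and is treated as needing a resign.
    if openssl x509 -in "$CERTDIR/$domain/$domain.crt" -noout -checkend "$TTE"; then
      echo "$domain is still valid for at least another $(( TTE / 60 / 60 / 24 )) days."
      continue
    fi
    # Collect the services to reload. -s (file exists and is non-empty)
    # replaces the earlier -z test, which looked at the path string rather than
    # the file and was therefore always true.
    if [[ -s "$CERTDIR/$domain/services" ]]; then
      cat -- "$CERTDIR/$domain/services" >> "$TMP"
    fi
    # Count the attempt before doing it, so failing domains still consume the
    # per-run budget instead of being retried ahead of everything else.
    i=$(( i + 1 ))
    # Do the dirty deed. $domain is a directory name under $CERTDIR and is
    # passed to the helper as an argument; it is quoted so it stays one word.
    echo "Resigning $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      if ! "$LETSCASH" -q -s "$domain"; then
        error "Resigning $domain failed; not deploying it."
        continue
      fi
    fi
    echo "Deploying $domain"
    if [[ "$DEBUG" != TRUE ]]; then
      "$LETSCASH" -q -d "$domain" || error "Deploying $domain failed."
    fi
  done
  # Reload any services associated with the certificates (if specified).
  # -s on the file: the earlier -z test on "$TMP" tested the path string, which
  # is never empty. Read line by line so names are not re-split or globbed.
  if [[ -s "$TMP" ]]; then
    while IFS= read -r service || [[ -n "$service" ]]; do
      [[ -n "$service" ]] || continue
      echo "Reloading $service"
      if [[ "$DEBUG" != TRUE ]]; then
        systemctl reload -- "$service" || error "Reloading $service failed."
      fi
    done < <(sort -u -- "$TMP")
  fi
}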
# Trace every command when debugging, then run the real work.
if [[ "$DEBUG" == TRUE ]]; then
  set -x
fi
main
# Reached only if main returned normally; set -e handles the failure path.
exit 0