#!/usr/bin/env bash
# Inspiration for script
# https://community.letsencrypt.org/t/automated-deployment-of-key-cert-from-reverse-proxy-to-internal-systems/64491/4
# https://gist.github.com/onnimonni/b49779ebc96216771a6be3de46449fa1
# Put this in crontab for every 12 hours
# Assumptions of script:
# SSL Certs are obtained through Let's Encrypt
# This script grabs the fullchain.pem file from the host that renewed the Let's Encrypt certs. On that host - after updating the LE certs - the fullchain.pem is copied to a directory via a --deploy-hook script for distribution to computers on the local LAN. The Apache configuration restricts access to this file to IP addresses on the local LAN
# fullchain.pem file is not secret in that it is normally read and passed in headers during the normal SSL handshake
# The script also assumes that privkey.pem has previously been distributed, since this key is secret. The script checks for the presence of privkey.pem and exits if the key is not found. The privkey.pem file should not change with LE certificate renewal, since certs are renewed with the --reuse-key option, which reuses the private key.
# Depending on application, script can either restart apache or other service. Script should work on Linux/BSD operating systems
#For reference the deploy-hook script is referenced here:
##!/usr/bin/env bash
#set -e
#for domain in $RENEWED_DOMAINS; do
# # Just an example, you can use any non-sensitive storage medium you want
# cp -rL "$RENEWED_LINEAGE/fullchain.pem" /usr/local/www/main/certs/
#done
#For reference -- this could be placed within Apache Virtual Host section
# <Directory /usr/local/www/main/certs>
# Require all denied
# Options -Indexes
# <RequireAll>
# Require ip 10.0.1.0/24
# </RequireAll>
# </Directory>
#### VARIABLES SECTION -- PLEASE MODIFY#
## Server Variables
## Server where Certs will be Obtained -- LAN SERVER
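SERVER="10.0.1.158"
SERVER_PATH="/certs/fullchain.pem"
## REQUIRED: uncomment and set to the domain whose certificate is being
## distributed; CERTS_DIR (the live/<domain> directory) is derived from it.
#SERVER_DOMAIN="example.com"
## Local Variables
## Local Directory where certs are located (MAIN falls back to
## /etc/letsencrypt/live/<domain> when this one does not exist)
CERTS_DIR="/usr/local/etc/letsencrypt/live/${SERVER_DOMAIN}"
# $(...) rather than backticks: same result, nests and quotes cleanly
OS=$(uname)
## Please specify service name here:
## If apache web server SERVICE_NAME="apache"
## If other service other than apache use service name -- ie SERVICE_NAME="xo-server.service"
SERVICE_NAME="xo-server.service"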
### END VARIABLE SECTION
## FUNCTION SECTION
get_sha256sum() {
cat $1 | shasum -a 256 | head -c 64
}
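#######################################
# Print an error message and abort the script.
# Arguments: $1 - message to print
# Outputs:   "ERROR: <message>" on stderr
# Returns:   never; exits the script with status 1
#######################################
error() {
  # Diagnostics go to stderr so they are not mixed into the status text on
  # stdout; printf with a fixed format so the message is never interpreted.
  printf 'ERROR: %s\n' "$1" >&2
  exit 1
}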
## END FUNCTION SECTION
## MAIN
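#######################################
# Reload or restart the configured service after a new chain was installed.
# Globals:   SERVICE_NAME (read), OS (read)
# Outputs:   "Restarting Service:..." on stdout; a warning on stderr when
#            neither the service name nor the OS is recognised
# Returns:   status of the last service command
#######################################
restart_service() {
  if [ "$SERVICE_NAME" = "apache" ]; then
    apachectl -k graceful
    printf 'Restarting Service:%s...' "$SERVICE_NAME"
  elif [[ "$SERVICE_NAME" =~ \.service$ ]]; then
    # NOTE(review): the stop / sleep 20 / start sequence is kept as the author
    # wrote it (presumably to let the old process exit fully) - confirm before
    # replacing it with a plain restart.
    if [ "$OS" = "Linux" ]; then
      systemctl stop "$SERVICE_NAME"
      sleep 20
      systemctl start "$SERVICE_NAME"
      printf 'Restarting Service:%s...' "$SERVICE_NAME"
    elif [ "$OS" = "FreeBSD" ]; then
      service "$SERVICE_NAME" stop
      sleep 20
      service "$SERVICE_NAME" start
      printf 'Restarting Service:%s...' "$SERVICE_NAME"
    else
      printf 'WARNING: unsupported OS %s, %s was not restarted\n' "$OS" "$SERVICE_NAME" >&2
    fi
  else
    printf 'WARNING: SERVICE_NAME=%s is neither "apache" nor a .service unit, nothing restarted\n' "$SERVICE_NAME" >&2
  fi
}

set -euf -o pipefail

## Validity check for the configuration: without SERVER_DOMAIN, CERTS_DIR is the
## bare live/ directory and every later lookup misses (or trips set -u).
[ -n "${SERVER_DOMAIN:-}" ] || error "SERVER_DOMAIN is not set. Please set it in the VARIABLES SECTION"

## Validity check for CERTS_DIR. The trailing "/" makes -d follow a symlink to a
## directory; the :+ form keeps an empty CERTS_DIR from testing "/" by accident.
if [ ! -d "${CERTS_DIR:+$CERTS_DIR/}" ]; then
  CERTS_DIR="/etc/letsencrypt/live/${SERVER_DOMAIN}"
  if [ ! -d "${CERTS_DIR:+$CERTS_DIR/}" ]; then
    error "Can't find certificate directory on local host...Exiting"
  fi
fi

# privkey.pem is distributed out of band (see header); check it before doing any
# network work, since nothing can be verified without it.
KEY_FILE="${CERTS_DIR}/privkey.pem"
if [ ! -f "$KEY_FILE" ]; then
  error "File ${CERTS_DIR}/privkey.pem does not exist!. Please install Let's Encrypt privkey.pem to ${CERTS_DIR}"
fi

# Download the latest chain into a private temporary file so it can be checked
# before anything in CERTS_DIR is touched. mktemp replaces the predictable
# /tmp/fullchain.pem name (any local user could pre-create or symlink it); the
# trap removes the file on every exit path, including the "up-to-date" one.
TMP_CRT=$(mktemp) || error "Could not create temporary file"
trap 'rm -f -- "$TMP_CRT"' EXIT
# --no-check-certificate is kept because the LAN host is addressed by IP, so
# hostname verification of its TLS certificate cannot succeed. The download is
# therefore treated as untrusted and validated with openssl below.
wget -q --no-check-certificate -O "$TMP_CRT" "https://${SERVER}${SERVER_PATH}" \
  || error "Could not download https://${SERVER}${SERVER_PATH}"

# Validate the downloaded chain before trusting it: the leaf (first certificate
# in fullchain.pem) must chain to a CA in the system trust store, using the
# intermediates from the same file, and must not already be expired.
openssl verify -untrusted "$TMP_CRT" "$TMP_CRT" >/dev/null 2>&1 \
  || error "Downloaded certificate does not verify against the system CA store"
openssl x509 -noout -checkend 0 -in "$TMP_CRT" >/dev/null \
  || error "Downloaded certificate is already expired"

# Verify the certificate belongs to our existing private key. Comparing the
# public key (SubjectPublicKeyInfo) instead of the RSA modulus also works for
# non-RSA (e.g. ECDSA) keys. MD5 is only a compact fingerprint for the
# comparison and the error text, not a security control.
PUB_CRT=$(openssl x509 -noout -pubkey -in "$TMP_CRT" | openssl md5)
PUB_KEY=$(openssl pkey -pubout -in "$KEY_FILE" | openssl md5)
if [ "$PUB_CRT" != "$PUB_KEY" ]; then
  error "Key didn't match: $PUB_CRT vs $PUB_KEY"
fi

# Deploy the certificate and restart the service only if the chain changed.
SHA256_OLD=0
if [ -f "${CERTS_DIR}/fullchain.pem" ]; then
  SHA256_OLD=$(get_sha256sum "${CERTS_DIR}/fullchain.pem")
fi
SHA256_NEW=$(get_sha256sum "$TMP_CRT")
if [ "$SHA256_OLD" != "$SHA256_NEW" ]; then
  echo "New certificate: $(openssl x509 -in "$TMP_CRT" -noout -subject -dates -issuer)"
  DATE=$(date +"%m-%d-%Y-%T")
  # Keep the previous chain as a timestamped backup before replacing it.
  if [ -f "${CERTS_DIR}/fullchain.pem" ]; then
    mv -- "${CERTS_DIR}/fullchain.pem" "${CERTS_DIR}/fullchain-${DATE}.pem"
  fi
  cp -p -- "$TMP_CRT" "${CERTS_DIR}/fullchain.pem"
  # mktemp creates the file 0600; the chain is public (see header) and a service
  # running unprivileged must be able to read it, so make it world-readable.
  chmod 0644 "${CERTS_DIR}/fullchain.pem"
  restart_service
else
  printf '%s\n' "Your current ${CERTS_DIR}/fullchain.pem is up-to-date. No restart of services are needed"
fi
echo "Done"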