blob: d79387e5d13571563c70be76e7c72916c6e0ba83 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
#!/usr/bin/env bash
set -e
# Check I'm root.
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# Check certbot version.
certbot --version
# Check domain
if [[ -z "$CRUPEST_DOMAIN" ]]; then
echo "CRUPEST_DOMAIN can't be empty!" 1>&2
exit 1
fi
# Check email
if [[ -z "$CRUPEST_EMAIL" ]]; then
echo "CRUPEST_EMAIL can't be empty!" 1>&2
exit 2
fi
# Check CRUPEST_CERT_PATH, default to /etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem
if [ -z "$CRUPEST_CERT_PATH" ]; then
CRUPEST_CERT_PATH="/etc/letsencrypt/live/$CRUPEST_DOMAIN/fullchain.pem"
fi
# Check CRUPEST_CERT_PATH exists.
if [ ! -f "$CRUPEST_CERT_PATH" ]; then
echo "Cert file does not exist. You may want to generate it manually with aio script." 1>&2
exit 3
fi
echo "Root domain:" "$CRUPEST_DOMAIN"
echo "Email:" "$CRUPEST_EMAIL"
echo "Cert path: ${CRUPEST_CERT_PATH}"
# Check CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined.
if [ -z "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
echo "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is not defined or empty. Will use the default one."
else
printf "CRUPEST_AUTO_CERTBOT_RENEW_COMMAND is defined as:\n%s\n" "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND"
fi
domains_str="$(/get-cert-domains.py "${CRUPEST_CERT_PATH}")"
printf "Domain list:\n%s\n" "$domains_str"
mapfile -t domains <<< "$domains_str"
for domain in "${domains[@]}"; do
domain_options=("${domain_options[@]}" -d "$domain")
done
options=(-n --agree-tos -m "$CRUPEST_EMAIL" --webroot -w /var/www/certbot "${domain_options[@]}")
if [ -n "$CRUPEST_AUTO_CERTBOT_POST_HOOK" ]; then
printf "You have defined a post hook:\n%s\n" "$CRUPEST_AUTO_CERTBOT_POST_HOOK"
options=("${options[@]}" --post-hook "$CRUPEST_AUTO_CERTBOT_POST_HOOK")
fi
# Use test server to test.
certbot certonly --force-renewal --test-cert --dry-run "${options[@]}"
function check_and_renew_cert {
expire_info=$(openssl x509 -enddate -noout -in "$CRUPEST_CERT_PATH")
# Get ssl certificate expire date.
expire_date=$(echo "$expire_info" | cut -d= -f2)
echo "SSL certificate expire date: $expire_date"
# Convert expire date to UNIX timestamp.
expire_timestamp="$(date -d "$expire_date" +%s)"
# Minus expire timestamp with 30 days in UNIX timestamp.
renew_timestamp="$((expire_timestamp - 2592000))"
echo "Renew SSL certificate at: $(date -d @$renew_timestamp)"
# Get rest time til renew.
rest_time_in_second="$((renew_timestamp - $(date +%s)))"
rest_time_in_day=$((rest_time_in_second / 86400))
echo "Rest time til renew: $rest_time_in_second seconds, aka, about $rest_time_in_day days"
# Do we have rest time?
if [ $rest_time_in_second -gt 0 ]; then
# Sleep 1 hour.
echo "I'm going to sleep for 1 day to check again."
sleep 1d
else
# No, renew now.
echo "Renewing now..."
if [ -n "$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND" ]; then
$CRUPEST_AUTO_CERTBOT_RENEW_COMMAND
else
certbot certonly "${options[@]}"
fi
fi
}
# Run check_and_renew_cert in infinate loop.
while true; do
check_and_renew_cert
done
|
