#!/bin/bash
#
# Version: 2017081900
#
# https://github.com/mofftech/Server-Automation
# http://www.moff.tech/
#
# Auto renewal of letsencrypt certs and handling of exim's special cert permissions.
# Restart exim4, dovecot and apache2. Designed to be cron friendly.
# Warning! Exim, Dovecot and Apache2 are reloaded at the end.
#
# Add to crontab similar to the following:
# * * */3 * * some_path/letsencrypt-handle-certs.sh
### ###
### Below, set LEDOMAIN,LEINSTALLPATH, check others ###
### ###
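### Let's Encrypt configuration tree ###
LEBASE="/etc/letsencrypt"                  # LE base config path
LEDOMAIN=""                                # The domain: a directory name under $LEBASE/live - MUST be set
LELIVEDIR="${LEBASE}/live/${LEDOMAIN}"     # Your LE live certs dir
LEARCHDIR="${LEBASE}/archive/${LEDOMAIN}"  # Your LE archive certs dir
LEFILES="fullchain.pem privkey.pem"        # Space-separated names of the LE cert files to install
LEINSTALLPATH="some_path/letsencrypt"      # Where you run the LE cmds (like "renew") - MUST be set
### Exim ###
EXIMDIR="/etc/exim4"                       # Exim config path
# user:group that must own the installed certs. The colon form is the
# POSIX spelling; GNU chown accepts "user.group" only for compatibility.
EXIMPERMS="root:Debian-exim"
### ###
### Nothing below here should need to be customised ###
### ###
# letsencrypt scripts require $PATH to be set, and cron starts with a
# restricted $PATH, so set a full one explicitly.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Absolute paths of every external command used below. With the PATH
# export above these are strictly redundant, but they make the set of
# binaries the script depends on explicit and checkable (see the
# existence test that follows).
cmd_date="/bin/date"
cmd_service="/usr/sbin/service"
cmd_ls="/bin/ls"
cmd_mv="/bin/mv"
cmd_cp="/bin/cp"
cmd_chown="/bin/chown"
cmd_chmod="/bin/chmod"
cmd_grep="/bin/grep"
cmd_renew="${LEINSTALLPATH}/letsencrypt-auto"  # The LE client wrapper that performs "renew"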
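# Every external command must be present and executable before anything
# touches the cert files. Quoted expansions keep paths with spaces intact,
# and an unset cmd_* variable now fails the check instead of silently
# disappearing from the unquoted word list.
for b in "$cmd_date" "$cmd_service" "$cmd_ls" "$cmd_mv" "$cmd_cp" \
  "$cmd_chown" "$cmd_chmod" "$cmd_grep" "$cmd_renew"; do
  if [ ! -f "$b" ] || [ ! -x "$b" ]; then
    # printf, not echo -e: the path is data and must not be interpreted.
    printf '%s not installed, not executable, or wrong path.\n' "$b" >&2
    exit 1
  fi
done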
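# An empty LEDOMAIN makes LELIVEDIR resolve to "$LEBASE/live/", which
# typically exists on any host running letsencrypt, so the directory test
# below would not catch the missing configuration and the script would
# run "renew" before failing. Fail fast instead.
if [ -z "$LEDOMAIN" ]; then
  printf 'LEDOMAIN is not set; edit this script and set it. Exiting.\n' >&2
  exit 1
fi
# Test existence of dirs
for d in "$LELIVEDIR" "$LEARCHDIR" "$LEINSTALLPATH" "$EXIMDIR"; do
  if [ ! -d "$d" ]; then
    printf '%s not present, cannot continue.\n' "$d" >&2
    exit 1
  fi
done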
# "-d" as the first argument requests debug (verbose) output ...
case "${1:-}" in
  -d) DEBUG="y" ;;
esac
# ... but debug output is currently forced on regardless of the flag.
DEBUG="y"
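#######################################
# Debug helper: long-list the LE live and archive directories.
# Globals:  cmd_ls, LELIVEDIR, LEARCHDIR (read)
# Outputs:  the two listings on stdout, each preceded by a blank line
#           and the directory name
#######################################
showledirs() {
  # printf instead of echo -e: the directory names are data and must not
  # have backslash sequences interpreted.
  printf '\n%s\n' "$LELIVEDIR"
  "$cmd_ls" -la "$LELIVEDIR/"
  printf '\n%s\n' "$LEARCHDIR"
  "$cmd_ls" -la "$LEARCHDIR/"
}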
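#######################################
# Debug helper: long-list the Exim configuration directory.
# Globals:  cmd_ls, EXIMDIR (read)
# Outputs:  the listing on stdout, preceded by a blank line and the
#           directory name
#######################################
showeximdir() {
  # printf instead of echo -e: the directory name is data.
  printf '\n%s\n' "$EXIMDIR"
  "$cmd_ls" -la "$EXIMDIR"
}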
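#######################################
# Abort with a message on stderr.
# Arguments: $* - message
# Returns:   never; exits 1
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ -n "$DEBUG" ]] && showledirs

# Timestamp used to name the backup copies of the previous exim certs.
DATE="$("$cmd_date" +%s)" || die "date failed"

# The assignment's exit status is that of the renew command itself.
if ! LEOUTPUT="$("$cmd_renew" renew)"; then
  showledirs
  die $'\nLooks like letsencrypt failed. Exiting.'
fi
# printf rather than echo -e: the client output is data, not a format.
printf '%s\n' "$LEOUTPUT"

# Nothing to install when the client reports that no cert was renewed.
# -F: the phrases are literal strings, not regexes.
if "$cmd_grep" -q -F -- 'not due for renewal yet' <<<"$LEOUTPUT"; then
  [[ -n "$DEBUG" ]] && printf '\nHmm, looks like letsencrypt did nothing. Exiting.\n'
  exit 0
fi
if "$cmd_grep" -q -F -- 'No renewals were attempted' <<<"$LEOUTPUT"; then
  printf '\nHmm, looks like letsencrypt did nothing. Exiting.\n'
  exit 0
fi

[[ -n "$DEBUG" ]] && showledirs
[[ -n "$DEBUG" ]] && showeximdir

# Check the certs exist before touching anything under EXIMDIR.
# shellcheck disable=SC2086 -- LEFILES is a space-separated list; splitting is intended
for f in $LEFILES; do
  if [ ! -f "$LELIVEDIR/$f" ]; then
    die $'\n'"$LELIVEDIR/$f does not exist! Exiting."
  fi
  [[ -n "$DEBUG" ]] && printf '\n%s/%s exists.\n' "$LELIVEDIR" "$f"
done

# Install the new files. The private key must never be world-readable,
# not even for the instant between cp and chmod, so create the copies
# with a restrictive umask and only then grant the group read access.
# Every step is checked: a half-installed cert pair is worse than none.
umask 077
# shellcheck disable=SC2086 -- LEFILES is a space-separated list; splitting is intended
for f in $LEFILES; do
  [[ -n "$DEBUG" ]] && printf '\nBackup exim cert, copy in the new one.\n'
  # On a first run there is nothing to back up; only fail if a backup
  # was needed and could not be made.
  if [ -e "$EXIMDIR/$f" ]; then
    "$cmd_mv" -- "$EXIMDIR/$f" "$EXIMDIR/$f-$DATE" || die "backup of $EXIMDIR/$f failed"
  fi
  "$cmd_cp" -- "$LELIVEDIR/$f" "$EXIMDIR/$f" || die "copy of $f to $EXIMDIR failed"
  "$cmd_chown" "$EXIMPERMS" "$EXIMDIR/$f" || die "chown of $EXIMDIR/$f failed"
  "$cmd_chmod" 640 "$EXIMDIR/$f" || die "chmod of $EXIMDIR/$f failed"
  [[ -n "$DEBUG" ]] && "$cmd_ls" -la "$EXIMDIR/$f"
done
[[ -n "$DEBUG" ]] && showeximdir

# Reload so the daemons pick up the new certs. A failed reload is
# reported and reflected in the exit status (so cron mails it), but does
# not stop the remaining services from being reloaded.
rc=0
for svc in exim4 dovecot apache2; do
  "$cmd_service" "$svc" reload || { printf 'reload of %s failed\n' "$svc" >&2; rc=1; }
done
exit "$rc"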