add support to autrenew letsencrypt certificates, still testing

2020-06-27 16:55:52 +02:00 · 2020-06-27 16:55:52 +02:00 · 0e0c634e37
commit 0e0c634e37
parent 12895a364f
9 changed files with 179 additions and 23 deletions
--- a/files/letsencrypt_deploy_challenge.sh
+++ b/files/letsencrypt_deploy_challenge.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+for i in $LETSENCRYPT_CHALLENGE_SERVERS; do
+	ssh -i /etc/letsencrypt/renewkey -o "StrictHostKeyChecking no" letsencrypt@$i $(< $LETSENCRYPT_TOKEN ) $1 $2
+done
--- a/files/letsencrypt_renew.sh
+++ b/files/letsencrypt_renew.sh
@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+source $1
+
+daysleft=$(/usr/local/bin/acme-primitives.py remaining_days "$LETSENCRYPT_CRT" || echo "0") 2>/dev/null
+[ "$daysleft" -lt "$LETSENCRYPT_REMAININGDAYS" ] || exit 0
+
+folder="$(mktemp -d)"
+cd "$folder"
+/usr/local/bin/acme-primitives.py get_cert --directory 'https://acme-v02.api.letsencrypt.org/directory' --acc /etc/ssl/letsencrypt_account.key --csr $LETSENCRYPT_CSR /usr/local/bin/letsencrypt_deploy_challenge.sh > chained.pem
+
+cat chained.pem "$LETSENCRYPT_KEY" > full.pem
+openssl x509 -in chained.pem > cert.pem
+
+chown -R root:ssl-cert .
+chmod 0644 chained.pem
+chmod 0644 cert.pem
+chmod 0640 full.pem
+
+mv chained.pem "$LETSENCRYPT_CHAIN"
+mv cert.pem "$LETSENCRYPT_CRT"
+mv full.pem "$LETSENCRYPT_FULL"
+
+cd
+rm -r "$folder"
+
+for i in $LETSENCRYPT_SERVICES; do
+	/bin/systemctl "$i" restart
+done