--- /dev/null
+#!/bin/sh
+
+set -e
+
+LOGFILE=/var/log/letsencrypt.log
+
+echo "Running on $(date)..." >> ${LOGFILE}
+
+# Check if we have a web server running.
+PORT80=$(lsof -ti :80 | wc -l)
+
+# If no web server then start one and open port 80.
+if [ $PORT80 = 0 ]; then
+ cd /var/www/challenges
+ nohup python3 -m http.server 80 > /dev/null 2>&1 &
+ iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+fi
+
+
+cd /etc/ssl/letsencrypt
+
+# Get a updated certificate.
+for i in `seq 1 3`; do
+ if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
+ > signed_new.crt 2>> ${LOGFILE}
+ then
+
+ wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
+
+ # Check that the cert is valid.
+ if openssl verify -CAfile chain_new.pem signed_new.crt; then
+ mv -f chain_new.pem chain.pem
+ mv -f signed_new.crt signed.crt
+ cat signed.crt chain.pem > fullchain.pem
+
+ echo ""
+ echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
+ echo ""
+
+ # Reload services
+ for serv in apache nginx dovecot postfix; do
+ systemctl is-active --quiet ${serv} && systemctl reload ${serv}
+ done
+ else
+ echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+ fi
+ break
+ else
+ # Sleep for max 9999 seconds, then try again.
+ echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
+ sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+ fi
+done
+
+# Stop temp web server and close port 80 if needed.
+if [ $PORT80 = 0 ]; then
+ iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ pkill -f http.server
+fi
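Review bot: The teardown at the end of the script (the `iptables -D`/`ip6tables -D` and `pkill` block) is unreachable on any error exit, because the script runs under `set -e` with no `trap`; a failing `wget` for chain_new.pem, a failing `mv`, or `cd /etc/ssl/letsencrypt` failing all terminate the script while the ACCEPT rules for port 80 on venet0 and the temporary `python3 -m http.server` serving /var/www/challenges are still in place. Registering the cleanup with `trap cleanup EXIT` makes it run on every exit path, and recording `$!` right after the background `nohup` lets the cleanup kill only the server this script started instead of `pkill -f http.server`, which matches the command line of any process containing that string. The same unquoted `[ $PORT80 = 0 ]` test appears twice; quoting `"$PORT80"` keeps the test well-formed if `lsof` is missing and the substitution is empty. Only the startup/teardown parts are rewritten below; the acme-tiny retry loop is unchanged.
```sh
# … unchanged: shebang, set -e, LOGFILE, PORT80 check …
HTTPD_PID=

# Undo the temporary firewall opening and stop the challenge server.
# Runs on every exit path (success, set -e failure, signal) via the EXIT trap.
cleanup() {
  if [ "$PORT80" = 0 ]; then
    iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    if [ -n "$HTTPD_PID" ]; then
      kill "$HTTPD_PID" 2>/dev/null || true
    fi
  fi
}
trap cleanup EXIT

# If no web server then start one and open port 80.
if [ "$PORT80" = 0 ]; then
  cd /var/www/challenges
  nohup python3 -m http.server 80 > /dev/null 2>&1 &
  HTTPD_PID=$!
  iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
fi
# … unchanged: cd /etc/ssl/letsencrypt and the acme-tiny retry loop …
# (the trailing "Stop temp web server" block is dropped; the trap replaces it)
```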