From 13f0d7044a34553fe36c76155ed2d4328f885eb3 Mon Sep 17 00:00:00 2001
From: Stefan Huber
Date: Tue, 17 Aug 2021 09:34:57 +0200
Subject: [PATCH] letsencrypt: Add initial scripts

---
 letsencrypt/renew-requestcert.sh | 3 ++
 letsencrypt/renewal.sh | 61 ++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 letsencrypt/renew-requestcert.sh
 create mode 100644 letsencrypt/renewal.sh

diff --git a/letsencrypt/renew-requestcert.sh b/letsencrypt/renew-requestcert.sh
new file mode 100644
index 0000000..17faea4
--- /dev/null
+++ b/letsencrypt/renew-requestcert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+openssl req -new -sha256 -key /etc/ssl/letsencrypt/domain.key -subj "/C=US/O=Acme/CN=sthu.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out /etc/ssl/letsencrypt/domain.csr
diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
new file mode 100644
index 0000000..e6a4658
--- /dev/null
+++ b/letsencrypt/renewal.sh
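Review bot: The CSR's subject CN (`sthu.org`) is not among the SAN entries (`example.com`, `www.example.com`) on the `openssl req` line, so the subject and the requested identifiers disagree; whether the CA treats the CN as an additional identifier or ignores it depends on the CA, but TLS clients validate against the SAN list, so the CN should be one of the SAN names. Since both values are embedded in the same command, deriving them from one variable keeps them consistent, e.g. `DOMAIN=example.com` with `-subj "/C=US/O=Acme/CN=${DOMAIN}"` and `subjectAltName=DNS:${DOMAIN},DNS:www.${DOMAIN}`. The nested process substitution is not obvious to a reader; a comment such as `# append a [SAN] section to the system openssl.cnf so -reqexts SAN resolves` would explain why the system config is concatenated with the printf output.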
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+LOGFILE=/var/log/letsencrypt.log
+
+echo "Running on $(date)..." >> ${LOGFILE}
+
+# Check if we have a web server running.
+PORT80=$(lsof -ti :80 | wc -l)
+
+# If no web server then start one and open port 80.
+if [ $PORT80 = 0 ]; then
+ cd /var/www/challenges
+ nohup python3 -m http.server 80 > /dev/null 2>&1 &
+ iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+fi
+
+
+cd /etc/ssl/letsencrypt
+
+# Get a updated certificate.
+for i in `seq 1 3`; do
+ if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
+ > signed_new.crt 2>> ${LOGFILE}
+ then
+
+ wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
+
+ # Check that the cert is valid.
+ if openssl verify -CAfile chain_new.pem signed_new.crt; then
+ mv -f chain_new.pem chain.pem
+ mv -f signed_new.crt signed.crt
+ cat signed.crt chain.pem > fullchain.pem
+
+ echo ""
+ echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
+ echo ""
+
+ # Reload services
+ for serv in apache nginx dovecot postfix; do
+ systemctl is-active --quiet ${serv} && systemctl reload ${serv}
+ done
+ else
+ echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+ fi
+ break
+ else
+ # Sleep for max 9999 seconds, then try again.
+ echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
+ sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+ fi
+done
+
+# Stop temp web server and close port 80 if needed.
+if [ $PORT80 = 0 ]; then
+ iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ pkill -f http.server
+fi
-- 
2.39.5