# Log file shared by every step of this run; all status lines are appended here.
LOGFILE=/var/log/letsencrypt.log

# Mark the start of this run with a timestamp.
printf 'Running on %s...\n' "$(date)" >> "${LOGFILE}"
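# Check if we have a web server running.
# Count the processes LISTENING on TCP port 80.  The previous form,
# `lsof -ti :80`, matched any socket with port 80 on *either* end, so an
# outbound client connection to a remote web server was counted as a local
# server and the temporary challenge server below was never started.
# -nP skips DNS/service-name lookups; -t prints one PID per line for wc.
PORT80=$(lsof -nP -iTCP:80 -sTCP:LISTEN -t | wc -l)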
# If no web server then start one and open port 80.
# (PORT80 is the listener count computed above; the closing `fi` of this
# block is not in the visible excerpt.)
if [ $PORT80 = 0 ]; then
  # NOTE(review): no `|| exit` guard — if this cd fails, the http.server
  # started on the next line serves the *previous* working directory instead
  # of the challenge directory.
  cd /var/www/challenges
  # Serve the challenge directory on :80 in the background, detached from
  # this shell.  The server's PID ($!) is not recorded here, so the teardown
  # at the end of the script has no handle on it — confirm how it is stopped.
  nohup python3 -m http.server 80 > /dev/null 2>&1 &
  # Allow NEW inbound connections to :80 (v4 and v6) for the duration of the
  # run; the identical rules are deleted again with -D at the end of the
  # script.  The rules are appended, so an earlier INPUT rule that rejects
  # :80 would still win — verify against the live chain.
  /usr/sbin/iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  /usr/sbin/ip6tables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Work from the directory that holds account.key, domain.csr and the cert
# files; every path used by the renewal below is relative to it.
# NOTE(review): unguarded — if this cd fails the script carries on in the
# previous working directory.
cd -- /etc/ssl/letsencrypt
# Get a updated certificate.
# Up to three attempts; $i is only a retry counter.  The `then`, `else`,
# `done` and the SUCCESS/break handling of this loop are not in the visible
# excerpt, so the nesting shown here is approximate.
for i in `seq 1 3`; do
  # Ask the ACME server for a signed cert: stdout is the new cert, acme-tiny's
  # diagnostics are appended to the log.
  if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
    > signed_new.crt 2>> ${LOGFILE}
    # (lines between here and the wget are not in the visible excerpt)
    # Fetch the issuing intermediate.  NOTE(review): the file downloaded here
    # is what the verify step below trusts, so that step proves the new cert
    # chains to this download rather than to a locally pinned CA — confirm
    # that is the intended check.  The R3 filename is hard-coded; if the
    # issuing intermediate changes, verification would start failing.  -q also
    # hides download errors, so a failed fetch only surfaces as a verify error.
    wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
    # Check that the cert is valid.
    if openssl verify -CAfile chain_new.pem signed_new.crt; then
      # Only after verification do the new files replace the live ones.
      mv -f chain_new.pem chain.pem
      mv -f signed_new.crt signed.crt
      cat signed.crt chain.pem > fullchain.pem
      echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
      # (lines not in the visible excerpt)
      # Reload only the services that are actually running so they pick up
      # the new cert.
      for serv in apache nginx dovecot postfix; do
        systemctl is-active --quiet ${serv} && systemctl reload ${serv}
      # (done / else branch not in the visible excerpt)
      # Logged to stderr as well as the log when the cert does not verify.
      echo "[Error] Verification of obtained cert failed." | tee -a ${LOGFILE} >&2
  # (lines not in the visible excerpt)
  # Sleep for max 999 seconds, then try again.
  # Three random decimal digits read from /dev/urandom, i.e. 0..999 seconds.
  sleep `tr -cd 0-9 < /dev/urandom | head -c 3`
# Report exhaustion of the retry loop.
# NOTE(review): SUCCESS is assigned in lines outside this excerpt (presumably
# 0 before the loop and 1 after a verified cert) — confirm; if it were unset
# the unquoted test `[ = 0 ]` would be a syntax error.  The closing `fi` is
# also outside the visible lines.
if [ ${SUCCESS} = 0 ]; then
  echo "[Error] Reached max number of retry attempts." | tee -a ${LOGFILE} >&2
# Stop temp web server and close port 80 if needed.
# Mirrors the startup block: only undo what was done when no server was
# already listening.  The closing `fi` is not in the visible excerpt.
if [ $PORT80 = 0 ]; then
  # Delete the rules with exactly the same match as the -A above so -D finds
  # them.
  /usr/sbin/iptables -D INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  /usr/sbin/ip6tables -D INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  # NOTE(review): the background http.server started earlier is not stopped
  # in the visible lines; its PID was never captured, so whatever stops it
  # must locate it some other way — confirm in the lines that follow.