X-Git-Url: https://git.sthu.org/?p=shutils.git;a=blobdiff_plain;f=letsencrypt%2Frenewal.sh;fp=letsencrypt%2Frenewal.sh;h=e6a4658f8b39c89759437b6d0bd253aa1055fc8e;hp=0000000000000000000000000000000000000000;hb=13f0d7044a34553fe36c76155ed2d4328f885eb3;hpb=93df33f1404a71ec713a6c05a4f66ce61e946100
diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
new file mode 100644
index 0000000..e6a4658
--- /dev/null
+++ b/letsencrypt/renewal.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+LOGFILE=/var/log/letsencrypt.log
+
+echo "Running on $(date)..." >> ${LOGFILE}
+
+# Check if we have a web server running.
+PORT80=$(lsof -ti :80 | wc -l)
+
+# If no web server then start one and open port 80.
+if [ $PORT80 = 0 ]; then
+ cd /var/www/challenges
+ nohup python3 -m http.server 80 > /dev/null 2>&1 &
+ iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+fi
+
+
+cd /etc/ssl/letsencrypt
+
+# Get a updated certificate.
+for i in `seq 1 3`; do
+ if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
+ > signed_new.crt 2>> ${LOGFILE}
+ then
+
+ wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
+
+ # Check that the cert is valid.
+ if openssl verify -CAfile chain_new.pem signed_new.crt; then
+ mv -f chain_new.pem chain.pem
+ mv -f signed_new.crt signed.crt
+ cat signed.crt chain.pem > fullchain.pem
+
+ echo ""
+ echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
+ echo ""
+
+ # Reload services
+ for serv in apache nginx dovecot postfix; do
+ systemctl is-active --quiet ${serv} && systemctl reload ${serv}
+ done
+ else
+ echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+ fi
+ break
+ else
+ # Sleep for max 9999 seconds, then try again.
+ echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
+ sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+ fi
+done
+
+# Stop temp web server and close port 80 if needed.
+if [ $PORT80 = 0 ]; then
+ iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+ pkill -f http.server
+fi