From 13f0d7044a34553fe36c76155ed2d4328f885eb3 Mon Sep 17 00:00:00 2001
From: Stefan Huber <shuber@sthu.org>
Date: Tue, 17 Aug 2021 09:34:57 +0200
Subject: [PATCH] letsencrypt: Add initial scripts

---
 letsencrypt/renew-requestcert.sh |  3 ++
 letsencrypt/renewal.sh           | 61 ++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 letsencrypt/renew-requestcert.sh
 create mode 100644 letsencrypt/renewal.sh

diff --git a/letsencrypt/renew-requestcert.sh b/letsencrypt/renew-requestcert.sh
new file mode 100644
index 0000000..17faea4
--- /dev/null
+++ b/letsencrypt/renew-requestcert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+openssl req -new -sha256 -key /etc/ssl/letsencrypt/domain.key -subj "/C=US/O=Acme/CN=sthu.org" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out /etc/ssl/letsencrypt/domain.csr
diff --git a/letsencrypt/renewal.sh b/letsencrypt/renewal.sh
new file mode 100644
index 0000000..e6a4658
--- /dev/null
+++ b/letsencrypt/renewal.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+LOGFILE=/var/log/letsencrypt.log
+
+echo "Running on $(date)..." >> ${LOGFILE}
+
+# Check if we have a web server running.
+PORT80=$(lsof -ti :80 | wc -l)
+
+# If no web server then start one and open port 80.
+if [ $PORT80 = 0 ]; then
+  cd /var/www/challenges
+  nohup python3 -m http.server 80 > /dev/null 2>&1 &
+  iptables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+  ip6tables -A INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+fi
+
+
+cd /etc/ssl/letsencrypt
+
+# Get a updated certificate.
+for i in `seq 1 3`; do
+  if acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/challenges \
+       > signed_new.crt 2>> ${LOGFILE}
+  then
+
+    wget -q -O chain_new.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
+
+    # Check that the cert is valid.
+    if openssl verify -CAfile chain_new.pem signed_new.crt; then
+      mv -f chain_new.pem chain.pem
+      mv -f signed_new.crt signed.crt
+      cat signed.crt chain.pem > fullchain.pem
+
+      echo ""
+      echo "[Success] Acme tiny successfully renewed certificate." | tee -a ${LOGFILE}
+      echo ""
+
+      # Reload services
+      for serv in apache nginx dovecot postfix; do
+        systemctl is-active --quiet ${serv} && systemctl reload ${serv}
+      done
+    else
+      echo "[Error] Acme tiny have problems." | tee -a ${LOGFILE} >&2
+    fi
+    break
+  else
+    # Sleep for max 9999 seconds, then try again.
+    echo "[Notice] Acme tiny retry triggered." | tee -a ${LOGFILE} >&2
+    sleep `tr -cd 0-9 < /dev/urandom | head -c 4`
+  fi
+done
+
+# Stop temp web server and close port 80 if needed.
+if [ $PORT80 = 0 ]; then
+  iptables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+  ip6tables -D INPUT -i venet0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+  pkill -f http.server
+fi
-- 
2.30.2