From e558ae96e8bd41a0aa29de93b0c2ba3e2a60e13c Mon Sep 17 00:00:00 2001 From: gyurix Date: Sat, 8 Mar 2025 11:37:41 +0100 Subject: [PATCH] Refactor letsencrypt script for improved readability and consistency --- start.letsencrypt.sh | 140 +++++++++++++++++++++---------------------- 1 file changed, 69 insertions(+), 71 deletions(-) diff --git a/start.letsencrypt.sh b/start.letsencrypt.sh index a735d4a..449a418 100755 --- a/start.letsencrypt.sh +++ b/start.letsencrypt.sh @@ -7,37 +7,35 @@ LOG_DIR=/var/tmp/shared/output LOG_FILE=$LOG_DIR/letsencrypt.txt LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json DATE=$(date +"%Y-%m-%d-%H-%M") - - echo "email $EMAIL" echo "DOMAIN: $DOMAIN" if [ "$LETSENCRYPT_SERVER" != "" ]; then - L_S="--server $LETSENCRYPT_SERVER" + L_S="--server $LETSENCRYPT_SERVER" fi if [ "$EAB_KID" != "" ]; then - EK="--eab-kid $EAB_KID" + EK="--eab-kid $EAB_KID" fi if [ "$EAB_HMAC_KEY" != "" ]; then - EHK="--eab-hmac-key $EAB_HMAC_KEY" + EHK="--eab-hmac-key $EAB_HMAC_KEY" fi TIMEOUT=$TIMEOUT if [[ -z "$TIMEOUT" ]]; then - TIMEOUT=10; + TIMEOUT=10 fi RESTART=$RESTART if [[ -z "$RESTART" ]]; then - RESTART=5; + RESTART=5 fi sending_error_msg() { - echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE; + echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE } create_json() { 
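Review bot: The rewritten line in sending_error_msg, `echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE`, only dropped the trailing semicolon; the double quotes are paired so that `$DOMAIN` and `$DATE` sit outside them and are word-split, and the message goes to stdout rather than stderr. Since the line is being touched anyway, `printf 'there was unsuccessfully created %s at date: %s\n' "$DOMAIN" "$DATE" >&2` fixes the quoting, the typo and the stream in one go. The `L_S`, `EK` and `EHK` option strings built just above are plain strings that later get expanded unquoted into the acme.sh call; collecting them in an array (`acme_opts=()`, `[[ -n "$LETSENCRYPT_SERVER" ]] && acme_opts+=(--server "$LETSENCRYPT_SERVER")`) keeps a value with whitespace or glob characters intact. Passing `EAB_HMAC_KEY` on the command line also exposes it to anyone who can read the process list on the host; if acme.sh offers an environment or file based way to supply it, that is preferable.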
@@ -45,87 +43,87 @@ create_json() { TMP_FILE=$(mktemp) install -m 664 -g 65534 /dev/null $TMP_FILE jq 'if . == null or . == [] then [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] else . + [{"domain": "'$DOMAIN'", -"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT > $TMP_FILE +"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT >$TMP_FILE mv $TMP_FILE $LETSENCRYPT_OUTPUT rm $TMP_FILE } start_letsencrypt() { - cd /root - curl https://get.acme.sh | sh -s email=$EMAIL - cd /root/.acme.sh - chmod a+x ./acme.sh - RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem > $LOG_FILE); - if [[ "$(echo $?)" == "1" ]]; then - for retries in $(seq 0 $((RESTART + 1))); do - if [[ $retries -le $RESTART ]] ; then - # Check certificate issuer - ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Issuer | cut -d '=' -f2); - SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2); - if [ "$ISSUER" == "$SUBJECT" ]; then - echo "Self signed certificate found"; - RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >> $LOG_FILE); - if [[ "$(echo $?)" != "1" ]]; then - sleep $TIMEOUT; - echo "Restarting number is only: "$retries" so try again" - fi - else - sleep $TIMEOUT; - echo "Restarting number is only: "$retries" so try again" - fi - else - echo "Reached retrying limit: "$RESTART" ,giving up" + cd /root + curl https://get.acme.sh | sh -s email=$EMAIL + cd /root/.acme.sh + chmod a+x ./acme.sh + RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone 
--keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >$LOG_FILE) + if [[ "$(echo $?)" == "1" ]]; then + for retries in $(seq 0 $((RESTART + 1))); do + if [[ $retries -le $RESTART ]]; then + # Check certificate issuer + ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Issuer | cut -d '=' -f2) + SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Subject | cut -d '=' -f2) + if [ "$ISSUER" == "$SUBJECT" ]; then + echo "Self signed certificate found" + RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >>$LOG_FILE) + if [[ "$(echo $?)" != "1" ]]; then + sleep $TIMEOUT + echo "Restarting number is only: "$retries" so try again" + fi + else + sleep $TIMEOUT + echo "Restarting number is only: "$retries" so try again" + fi + else + echo "Reached retrying limit: "$RESTART" ,giving up" echo "Creating log json from letsencrypt output" STATUS=failed create_json $STATUS - fi + fi - done - else - echo "Created or renew successfuly the certificate for $DOMAIN" + done + else + echo "Created or renew successfuly the certificate for $DOMAIN" echo "Creating log json from letsencrypt output" STATUS=success create_json $STATUS - fi + fi } check_new_cert() { - #DATE=$(date +%s) - if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]] ; then - #D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s) - #DIFF=$(expr $DATE - $D1); - #if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi - NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) - if [ "$ORIGINAL" != "$NEW" ]; then - touch 
/etc/ssl/keys/$DOMAIN/new_certificate; - fi - else - sending_error_msg $DOMAIN $DATE; - fi + #DATE=$(date +%s) + if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]]; then + #D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s) + #DIFF=$(expr $DATE - $D1); + #if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi + NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) + if [ "$ORIGINAL" != "$NEW" ]; then + touch /etc/ssl/keys/$DOMAIN/new_certificate + fi + else + sending_error_msg $DOMAIN $DATE + fi } -LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt); -if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ] ; then - DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ; - rm $LETSENCRYPT_FILE; - ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) - if [ "$DOMAIN" != "localhost" ]; then - if [ ! -f $LETSENCRYPT_OUTPUT ] then +LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt) +if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ]; then + DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) + rm $LETSENCRYPT_FILE + ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) + if [ "$DOMAIN" != "localhost" ]; then + if [ ! 
-f $LETSENCRYPT_OUTPUT ]; then install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT - echo '[]' > $LETSENCRYPT_OUTPUT + echo '[]' >$LETSENCRYPT_OUTPUT fi - start_letsencrypt; - check_new_cert - fi + start_letsencrypt + check_new_cert + fi -else - cd /domains - for i in `ls` ; do - DOMAIN=$(jq -r .DOMAIN $i) ; - if [ "$DOMAIN" != "localhost" ]; then - ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) - start_letsencrypt $DOMAIN; - check_new_cert - fi - done ; +else + cd /domains + for i in $(ls); do + DOMAIN=$(jq -r .DOMAIN $i) + if [ "$DOMAIN" != "localhost" ]; then + ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) + start_letsencrypt $DOMAIN + check_new_cert + fi + done fi
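Review bot: The retry loop in start_letsencrypt never records a successful retry: there is no `break`, so once the first acme.sh run fails the `for retries in $(seq 0 $((RESTART + 1)))` loop always runs to its last iteration and logs `STATUS=failed`, and an existing certificate that is not self-signed is never re-issued at all; a `break` after the successful re-issue (with the `sleep $TIMEOUT` moved to the failure branch) is needed. The surrounding check `if [[ "$(echo $?)" == "1" ]]; then` also treats every exit status other than 1 (2, or 127 when acme.sh is missing) as success, so a failed issue can be written to the JSON as `status: success`; `if ! ./acme.sh $L_S $EK $EHK … >"$LOG_FILE"; then` tests the command directly (note `RESPONSE` is always empty because stdout is redirected to the log). In create_json the jq program is still assembled by string interpolation (`"domain": "'$DOMAIN'"`), and DOMAIN is read from the files under /domains with `jq -r` and then used unquoted in `/etc/ssl/keys/$DOMAIN/…`, so a value holding a quote, a slash or `..` breaks the filter or escapes the key directory; pass the values with `--arg domain "$DOMAIN" --arg date "$DATE" --arg status "$STATUS" --arg log "$LOG"`, validate DOMAIN with `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` before use, and replace `for i in $(ls)` with `for i in /domains/*`. `curl https://get.acme.sh | sh -s email=$EMAIL` still executes whatever the endpoint serves on every container start with no version pin or integrity check; installing a pinned acme.sh release in the image, or downloading to a file and verifying it before running, keeps that under the operator's control. Finally, `rm $TMP_FILE` after `mv $TMP_FILE $LETSENCRYPT_OUTPUT` always fails because the file has already been moved, so it can be dropped.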