safebox/letsencrypt
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refactor letsencrypt script for improved readability and consistency
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
gyurix
2025-03-08 11:37:41 +01:00
parent 815c154a28
commit e558ae96e8
1 changed files with 69 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
start.letsencrypt.sh
View File

@@ -7,37 +7,35 @@ LOG_DIR=/var/tmp/shared/output
LOG_FILE=$LOG_DIR/letsencrypt.txt LOG_FILE=$LOG_DIR/letsencrypt.txt
LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json
DATE=$(date +"%Y-%m-%d-%H-%M") DATE=$(date +"%Y-%m-%d-%H-%M")
echo "email $EMAIL" echo "email $EMAIL"
echo "DOMAIN: $DOMAIN" echo "DOMAIN: $DOMAIN"
if [ "$LETSENCRYPT_SERVER" != "" ]; then if [ "$LETSENCRYPT_SERVER" != "" ]; then
L_S="--server $LETSENCRYPT_SERVER" L_S="--server $LETSENCRYPT_SERVER"
fi fi
if [ "$EAB_KID" != "" ]; then if [ "$EAB_KID" != "" ]; then
EK="--eab-kid $EAB_KID" EK="--eab-kid $EAB_KID"
fi fi
if [ "$EAB_HMAC_KEY" != "" ]; then if [ "$EAB_HMAC_KEY" != "" ]; then
EHK="--eab-hmac-key $EAB_HMAC_KEY" EHK="--eab-hmac-key $EAB_HMAC_KEY"
fi fi
TIMEOUT=$TIMEOUT TIMEOUT=$TIMEOUT
if [[ -z "$TIMEOUT" ]]; then if [[ -z "$TIMEOUT" ]]; then
TIMEOUT=10; TIMEOUT=10
fi fi
RESTART=$RESTART RESTART=$RESTART
if [[ -z "$RESTART" ]]; then if [[ -z "$RESTART" ]]; then
RESTART=5; RESTART=5
fi fi
sending_error_msg() { sending_error_msg() {
echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE; echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE
} }
create_json() { create_json() {
@@ -45,87 +43,87 @@ create_json() {
TMP_FILE=$(mktemp) TMP_FILE=$(mktemp)
install -m 664 -g 65534 /dev/null $TMP_FILE install -m 664 -g 65534 /dev/null $TMP_FILE
jq 'if . == null or . == [] then [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] else . + [{"domain": "'$DOMAIN'", jq 'if . == null or . == [] then [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] else . + [{"domain": "'$DOMAIN'",
"date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT > $TMP_FILE "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT >$TMP_FILE
mv $TMP_FILE $LETSENCRYPT_OUTPUT mv $TMP_FILE $LETSENCRYPT_OUTPUT
rm $TMP_FILE rm $TMP_FILE
} }
start_letsencrypt() { start_letsencrypt() {
cd /root cd /root
curl https://get.acme.sh | sh -s email=$EMAIL curl https://get.acme.sh | sh -s email=$EMAIL
cd /root/.acme.sh cd /root/.acme.sh
chmod a+x ./acme.sh chmod a+x ./acme.sh
RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem > $LOG_FILE); RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >$LOG_FILE)
if [[ "$(echo $?)" == "1" ]]; then if [[ "$(echo $?)" == "1" ]]; then
for retries in $(seq 0 $((RESTART + 1))); do for retries in $(seq 0 $((RESTART + 1))); do
if [[ $retries -le $RESTART ]] ; then if [[ $retries -le $RESTART ]]; then
# Check certificate issuer # Check certificate issuer
ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Issuer | cut -d '=' -f2); ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Issuer | cut -d '=' -f2)
SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2); SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout | grep -w CN | grep Subject | cut -d '=' -f2)
if [ "$ISSUER" == "$SUBJECT" ]; then if [ "$ISSUER" == "$SUBJECT" ]; then
echo "Self signed certificate found"; echo "Self signed certificate found"
RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >> $LOG_FILE); RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >>$LOG_FILE)
if [[ "$(echo $?)" != "1" ]]; then if [[ "$(echo $?)" != "1" ]]; then
sleep $TIMEOUT; sleep $TIMEOUT
echo "Restarting number is only: "$retries" so try again" echo "Restarting number is only: "$retries" so try again"
fi fi
else else
sleep $TIMEOUT; sleep $TIMEOUT
echo "Restarting number is only: "$retries" so try again" echo "Restarting number is only: "$retries" so try again"
fi fi
else else
echo "Reached retrying limit: "$RESTART" ,giving up" echo "Reached retrying limit: "$RESTART" ,giving up"
echo "Creating log json from letsencrypt output" echo "Creating log json from letsencrypt output"
STATUS=failed STATUS=failed
create_json $STATUS create_json $STATUS
fi fi
done done
else else
echo "Created or renew successfuly the certificate for $DOMAIN" echo "Created or renew successfuly the certificate for $DOMAIN"
echo "Creating log json from letsencrypt output" echo "Creating log json from letsencrypt output"
STATUS=success STATUS=success
create_json $STATUS create_json $STATUS
fi fi
} }
check_new_cert() { check_new_cert() {
#DATE=$(date +%s) #DATE=$(date +%s)
if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]] ; then if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]]; then
#D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s) #D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s)
#DIFF=$(expr $DATE - $D1); #DIFF=$(expr $DATE - $D1);
#if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi #if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi
NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
if [ "$ORIGINAL" != "$NEW" ]; then if [ "$ORIGINAL" != "$NEW" ]; then
touch /etc/ssl/keys/$DOMAIN/new_certificate; touch /etc/ssl/keys/$DOMAIN/new_certificate
fi fi
else else
sending_error_msg $DOMAIN $DATE; sending_error_msg $DOMAIN $DATE
fi fi
} }
LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt); LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt)
if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ] ; then if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ]; then
DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ; DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE)
rm $LETSENCRYPT_FILE; rm $LETSENCRYPT_FILE
ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
if [ "$DOMAIN" != "localhost" ]; then if [ "$DOMAIN" != "localhost" ]; then
if [ ! -f $LETSENCRYPT_OUTPUT ] then if [ ! -f $LETSENCRYPT_OUTPUT ]; then
install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT
echo '[]' > $LETSENCRYPT_OUTPUT echo '[]' >$LETSENCRYPT_OUTPUT
fi fi
start_letsencrypt; start_letsencrypt
check_new_cert check_new_cert
fi fi
else else
cd /domains cd /domains
for i in `ls` ; do for i in $(ls); do
DOMAIN=$(jq -r .DOMAIN $i) ; DOMAIN=$(jq -r .DOMAIN $i)
if [ "$DOMAIN" != "localhost" ]; then if [ "$DOMAIN" != "localhost" ]; then
ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
start_letsencrypt $DOMAIN; start_letsencrypt $DOMAIN
check_new_cert check_new_cert
fi fi
done ; done
fi fi