#!/bin/sh

email="-m $EMAIL"
DOMAIN=$DOMAIN

echo "email $EMAIL"
echo "DOMAIN: $DOMAIN"

if [ "$LETSENCRYPT_SERVER" != "" ]; then
        L_S="--server $LETSENCRYPT_SERVER"
fi

if [ "$EAB_KID" != "" ]; then
        EK="--eab-kid $EAB_KID"
fi

if [ "$EAB_HMAC_KEY" != "" ]; then
        EHK="--eab-hmac-key $EAB_HMAC_KEY"
fi

TIMEOUT=$TIMEOUT
if [[ -z "$TIMEOUT" ]]; then
	TIMEOUT=10;
fi

RESTART=$RESTART
if [[ -z "$RESTART" ]]; then
	RESTART=5;
fi

sending_error_msg() {

	echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE;
}

start_letsencrypt() {
	cd /root
	curl https://get.acme.sh | sh -s email=$EMAIL
	cd /root/.acme.sh
	chmod a+x ./acme.sh
	RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem);
	if [[ "$(echo $?)" == "1" ]]; then	
		for retries in $(seq 0 $((RESTART + 1))); do
			if [[ $retries -le $RESTART ]] ; then
				# Check certificate issuer
				ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Issuer |  cut -d '=' -f2);
				SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2);
				if [ "$ISSUER" == "$SUBJECT" ]; then
					echo "Self signed certificate found";
					RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem);
					if [[ "$(echo $?)" != "1" ]]; then
						sleep $TIMEOUT;
						echo "Restarting number is only: "$retries" so try again"
					fi
				else
					sleep $TIMEOUT;
					echo "Restarting number is only: "$retries" so try again"
				fi
			else
				echo "Reached retrying limit: "$RESTART" ,giving up"
			fi

		done
	else
		echo "Created or renew successfuly the certificate for $DOMAIN"
	fi
}

check_new_cert() {
	#DATE=$(date +%s)
	if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]] ; then
		#D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s)
		#DIFF=$(expr $DATE - $D1);
		#if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi
		NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
		if [ "$ORIGINAL" !=  "$NEW" ]; then
			touch /etc/ssl/keys/$DOMAIN/new_certificate;
		fi
	else
		sending_error_msg $DOMAIN $DATE;
	fi
}

LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt);
if [ -n "$LETSENCRYPT_FILE" ] ; then
	DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ;
	rm $LETSENCRYPT_FILE;
	ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
	if [ "$DOMAIN" != "localhost" ]; then
		start_letsencrypt;
		check_new_cert
	fi

else 
	cd /domains
	for i in `ls` ; do
		DOMAIN=$(jq -r .DOMAIN $i) ;
		if [ "$DOMAIN" != "localhost" ]; then
			ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout)
			start_letsencrypt $DOMAIN;
			check_new_cert
		fi
	done ;
fi