#!/bin/sh email="-m $EMAIL" DOMAIN=$DOMAIN LOG_DIR=/var/tmp/shared/output LOG_FILE=$LOG_DIR/letsencrypt.txt LETSENCRYPT_OUTPUT=$LOG_DIR/letsencrypt.json DATE=$(date +"%Y-%m-%d-%H-%M") echo "email $EMAIL" echo "DOMAIN: $DOMAIN" if [ "$LETSENCRYPT_SERVER" != "" ]; then L_S="--server $LETSENCRYPT_SERVER" fi if [ "$EAB_KID" != "" ]; then EK="--eab-kid $EAB_KID" fi if [ "$EAB_HMAC_KEY" != "" ]; then EHK="--eab-hmac-key $EAB_HMAC_KEY" fi TIMEOUT=$TIMEOUT if [[ -z "$TIMEOUT" ]]; then TIMEOUT=10; fi RESTART=$RESTART if [[ -z "$RESTART" ]]; then RESTART=5; fi sending_error_msg() { echo "there was unsucessfuly created "$DOMAIN" at date: "$DATE; } create_json() { LOG=$(cat $LOG_FILE | base64 -w0) TMP_FILE=$(mktemp) install -m 664 -g 65534 /dev/null $TMP_FILE jq 'if . == null or . == [] then [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] else . + [{"domain": "'$DOMAIN'", "date": "'$DATE'", "status": "'$STATUS'", "log": "'$LOG'"}] end' $LETSENCRYPT_OUTPUT > $TMP_FILE mv $TMP_FILE $LETSENCRYPT_OUTPUT rm $TMP_FILE } start_letsencrypt() { cd /root curl https://get.acme.sh | sh -s email=$EMAIL cd /root/.acme.sh chmod a+x ./acme.sh RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem > $LOG_FILE); if [[ "$(echo $?)" == "1" ]]; then for retries in $(seq 0 $((RESTART + 1))); do if [[ $retries -le $RESTART ]] ; then # Check certificate issuer ISSUER=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Issuer | cut -d '=' -f2); SUBJECT=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -text -noout |grep -w CN |grep Subject | cut -d '=' -f2); if [ "$ISSUER" == "$SUBJECT" ]; then echo "Self signed certificate found"; RESPONSE=$(./acme.sh $L_S $EK $EHK --issue --standalone --keylength 4096 -d $DOMAIN --cert-file /etc/ssl/keys/$DOMAIN/cert.pem --key-file /etc/ssl/keys/$DOMAIN/key.pem --fullchain-file /etc/ssl/keys/$DOMAIN/fullchain.pem >> $LOG_FILE); if [[ "$(echo $?)" != "1" ]]; then sleep $TIMEOUT; echo "Restarting number is only: "$retries" so try again" fi else sleep $TIMEOUT; echo "Restarting number is only: "$retries" so try again" fi else echo "Reached retrying limit: "$RESTART" ,giving up" echo "Creating log json from letsencrypt output" STATUS=failed create_json $STATUS fi done else echo "Created or renew successfuly the certificate for $DOMAIN" echo "Creating log json from letsencrypt output" STATUS=success create_json $STATUS fi } check_new_cert() { #DATE=$(date +%s) if [[ -f /etc/ssl/keys/$DOMAIN/key.pem && -f /etc/ssl/keys/$DOMAIN/fullchain.pem && -f /etc/ssl/keys/$DOMAIN/cert.pem ]] ; then #D1=$(date -r /etc/ssl/keys/$DOMAIN/fullchain.pem +%s) #DIFF=$(expr $DATE - $D1); #if [ $DIFF < 3600 ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi NEW=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) if [ "$ORIGINAL" != "$NEW" ]; then touch /etc/ssl/keys/$DOMAIN/new_certificate; fi else sending_error_msg $DOMAIN $DATE; fi } LETSENCRYPT_FILE=$(find /etc/ssl/keys/ -type f -name letsencrypt); if [ -n "$LETSENCRYPT_FILE" ] || [ "$DOMAIN" != "" ] ; then DOMAIN=$(jq -r .DOMAIN $LETSENCRYPT_FILE) ; rm $LETSENCRYPT_FILE; ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) if [ "$DOMAIN" != "localhost" ]; then if [ ! -f $LETSENCRYPT_OUTPUT ] then install -m 664 -g 65534 /dev/null $LETSENCRYPT_OUTPUT echo '[]' > $LETSENCRYPT_OUTPUT fi start_letsencrypt; check_new_cert fi else cd /domains for i in `ls` ; do DOMAIN=$(jq -r .DOMAIN $i) ; if [ "$DOMAIN" != "localhost" ]; then ORIGINAL=$(openssl x509 -in /etc/ssl/keys/$DOMAIN/fullchain.pem -fingerprint -noout) start_letsencrypt $DOMAIN; check_new_cert fi done ; fi