126 lines
4.9 KiB
Bash
126 lines
4.9 KiB
Bash
#!/bin/bash
|
|
|
|
#CONFIG:
|
|
|
|
#using dry_run, certificates are not actually generated, instead it will only do test run.
|
|
#Remember that if you build certificates (dry_run=false) then don't keep on doing it in short interval (more than 5in a day), as otherwise certbot might apply rate limits on further usages.
|
|
dry_run=true
|
|
|
|
#Create it from Cloudflare, and limit it the DNZ zone of your domain.
|
|
cloudflare_token=''
|
|
|
|
#Script will check this directory for empty, to determine to create or renew ssl certificates.
|
|
live_certs_dir="certs/live/test.com";
|
|
|
|
#-d test.com, -d *.test.com means certificate for: test.com and it's wildcard subdomains.
|
|
#Only 1 certificate will be generated, regardless of number of subdomains provided here.
|
|
new_ssl_command="docker run --rm -v ./certs:/etc/letsencrypt -v #cloudflare_token_file#:/certbot-cloudflare certbot/dns-cloudflare certonly #dry_run_arg# --dns-cloudflare --dns-cloudflare-credentials /certbot-cloudflare -d test.com -d \*.test.com --preferred-challenges dns-01 --preferred-chain 'ISRG Root X1' --non-interactive --dns-cloudflare-propagation-seconds 20 --agree-tos --email w3goodies.com@gmail.com";
|
|
|
|
#domains cant be changed in renewal. If you want to change, then clear certs/* folder and regenerate certificates.
|
|
renew_command="docker run --rm -v ./certs:/etc/letsencrypt -v #cloudflare_token_file#:/certbot-cloudflare certbot/dns-cloudflare renew #dry_run_arg# --non-interactive --agree-tos --email w3goodies.com@gmail.com --no-random-sleep-on-renew"
|
|
|
|
#posthook is executed if certificate is created for first time, or if "${live_certs_dir}/cert.pem" file is modified (based on checking last modified time).
|
|
post_hook="docker-compose restart nginx"
|
|
|
|
#END CONFIG
|
|
|
|
#chdir to current dir.
|
|
cd "$(dirname "$0")"
|
|
|
|
#remove trailing slash from live_certs_dir
|
|
live_certs_dir=${live_certs_dir%/}
|
|
|
|
separator="=========="
|
|
|
|
#Set cloudflare token in file because certbot requires it inside a file.
|
|
cloudflare_token_file="./cf-tmp"
|
|
echo "dns_cloudflare_api_token = ${cloudflare_token}" > ${cloudflare_token_file}
|
|
chmod 600 ${cloudflare_token_file}
|
|
new_ssl_command=${new_ssl_command//#cloudflare_token_file#/$cloudflare_token_file}
|
|
renew_command=${renew_command//#cloudflare_token_file#/$cloudflare_token_file}
|
|
|
|
#Set dry run flag in command if true.
|
|
dry_run_arg=""
|
|
if [ "$dry_run" = true ] ; then
|
|
dry_run_arg=" --dry-run"
|
|
fi
|
|
new_ssl_command=${new_ssl_command//#dry_run_arg#/$dry_run_arg}
|
|
renew_command=${renew_command//#dry_run_arg#/$dry_run_arg}
|
|
|
|
echo ""
|
|
|
|
certbotNotice="It's not a dry-run, therefore don't keep generating/renewing certificates (more than 5 in a day), as certbot has rate limitations.";
|
|
|
|
#Check if certificate exist
|
|
live_cert_file="${live_certs_dir}/cert.pem"
|
|
if [ -d "$live_certs_dir" ] && [ -f "$live_cert_file" ]
|
|
then
|
|
#Renew
|
|
last_modified_time=$(date -r "${live_cert_file}")
|
|
|
|
echo "${separator}"
|
|
echo "Certificates folder exist: ${live_certs_dir}"
|
|
echo "TRYING TO RENEW CERTIFICATES..."
|
|
echo "${separator}"
|
|
if [ "$dry_run" = true ] ; then
|
|
echo -e "\n${separator}\n[DRY-RUN ENABLED]\n${separator}\n"
|
|
else
|
|
echo -e "\n${separator}\n[${certbotNotice}]\n${separator}\n"
|
|
fi
|
|
echo -e "Output from renew command:\n"
|
|
|
|
eval "${renew_command}"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo -e "${separator}\nCommand exited successfully.\n${separator}\n"
|
|
|
|
#Check if file is modified.
|
|
new_modified_time=$(date -r "${live_cert_file}")
|
|
if [ "$last_modified_time" != "$new_modified_time" ]; then
|
|
echo -e "${separator}\nChange found in: ${live_cert_file}, therefore executing posthook.\n${separator}\n";
|
|
|
|
eval "${post_hook}"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo -e "\n${separator}\nPost hook successfully executed.\n${separator}\n"
|
|
else
|
|
echo -e "\n${separator}\nERROR! Unable to execute post hook.\n${separator}"
|
|
fi
|
|
else
|
|
echo -e "${separator}\nNo change in certificate so posthook is ignored.\n${separator}"
|
|
fi
|
|
else
|
|
echo -e "\n${separator}\nERROR! Exiting.\n${separator}"
|
|
fi
|
|
else
|
|
#Create
|
|
echo "${separator}"
|
|
echo "Certificates folder does not exist: ${live_certs_dir}"
|
|
echo "TRYING TO CREATE SSL CERTIFICATES..."
|
|
if [ "$dry_run" = true ] ; then
|
|
echo -e "\n${separator}\n[DRY-RUN ENABLED]\n${separator}\n"
|
|
else
|
|
echo -e "\n${separator}\n[${certbotNotice}]\n${separator}\n"
|
|
fi
|
|
echo -e "Output from new ssl command:\n"
|
|
|
|
eval "${new_ssl_command}"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo -e "\n${separator}\nCommand exited successfully therefore executing posthook.\n${separator}\n"
|
|
eval "${post_hook}"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "Post hook successfully executed."
|
|
else
|
|
echo -e "\n${separator}\nERROR! Unable to execute post hook.\n${separator}"
|
|
fi
|
|
else
|
|
echo -e "\n${separator}\nERROR! Exiting.\n${separator}"
|
|
fi
|
|
fi
|
|
|
|
echo ""
|
|
|
|
#Remove tmp file
|
|
rm -f ${cloudflare_token_file} |