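#!/bin/sh
#
# letsencrypt_autorenew.sh
#
# Walks every certificate directory below the Let's Encrypt "live" path,
# prints how many days each fullchain.pem has left and asks certbot-auto to
# renew the ones that expire within 20 days.
#
# Usage: letsencrypt_autorenew.sh [--webroot] [--webroot-path DIR] [--email ADDR]
#   --webroot           use the webroot authenticator instead of standalone
#                       (standalone stops the web server while certbot runs)
#   --webroot-path DIR  document root used for the webroot challenge
#                       (default: /var/www/html)
#   --email ADDR        account e-mail handed to certbot (default: USER@hostname)
#
# Must run as root. certbot-auto output is appended to
# /var/log/letsencrypt_autorenew.log. Needs openssl and a date(1) that
# understands -d (GNU coreutils).

log_path="/var/log/letsencrypt_autorenew.log"

# Terminal colours. printf expands the escapes once here so the later echo
# calls behave the same whether or not the shell's echo interprets "\033".
green=$(printf '\033[0;32m')
blue=$(printf '\033[0;36m')
orange=$(printf '\033[0;33m')
red=$(printf '\033[1;31m')
nc=$(printf '\033[0m')

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Subject CN of the PEM certificate given as $1.
# Strips both the OpenSSL 1.0 form "subject= /CN=x" and the 1.1+ form
# "subject=CN = x"; a subject with additional RDNs before CN is not handled
# (the original script had the same limitation).
cert_subject() {
  openssl x509 -noout -subject -in "$1" \
    | sed -e 's/^subject= *\/\{0,1\}CN *= *//'
}

# subjectAltName DNS entries of the PEM certificate $1, one per line, without
# the name given as $2 (normally the subject CN so it is not listed twice).
# Non-DNS SAN types (e.g. IP Address) are dropped.
cert_alt_names() {
  openssl x509 -noout -text -in "$1" \
    | grep 'DNS:' \
    | tr ',' '\n' \
    | sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^DNS://p' \
    | grep -vFx -- "$2"
}

# Public key size in bits of the PEM certificate $1 (e.g. "2048").
# Empty when the "Public-Key: (N bit)" line is absent.
cert_key_size() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Start the web server again after a standalone run. Guarded by
# webserver_stopped so it runs at most once even though it is also installed
# as the EXIT/INT/TERM trap (an interrupted run must not leave the site down).
# Globals: webserver (read), webserver_stopped (written)
restart_webserver() {
  if [ -n "$webserver_stopped" ]; then
    webserver_stopped=""
    service "$webserver" start
  fi
}

# Renew one certificate with certbot-auto.
# Arguments: $1 - subject CN
#            $2 - alternative names, whitespace separated (may be empty)
#            $3 - RSA key size in bits (may be empty; option is then omitted)
# Globals:   authenticator_mode, webroot_path, letsencrypt_path, email,
#            log_path (read); renewed_domains, renewal_failed_domains (updated)
# Outputs:   progress lines on stdout, certbot output appended to log_path
renew_certificate() {
  rc_subject=$1
  rc_alt_names=$2
  rc_key_size=$3

  # Build the argument list in the positional parameters (POSIX sh has no
  # arrays) so that a webroot path containing spaces survives intact.
  set -- -d "$rc_subject"
  set -f # no globbing: a SAN may be a wildcard such as *.example.com
  for rc_name in $rc_alt_names; do
    set -- "$@" -d "$rc_name"
  done
  set +f
  if [ -n "$rc_key_size" ]; then
    set -- --rsa-key-size "$rc_key_size" "$@"
  fi
  if [ "$authenticator_mode" = "webroot" ]; then
    set -- --webroot --webroot-path "$webroot_path" "$@"
  else
    set -- -a standalone "$@"
  fi

  echo " Renewing certificate..."
  # Both stdout and stderr of certbot go to the log file so that a failure
  # can actually be diagnosed from the path printed in the summary.
  if "${letsencrypt_path%/}/certbot-auto" certonly "$@" --force-renewal \
    --renew-by-default --email "$email" --text --agree-tos \
    >>"$log_path" 2>&1; then
    echo " ${green}OK${nc}"
    echo ""
    renewed_domains=$((renewed_domains + 1))
  else
    echo " ${red}Failed${nc}"
    echo ""
    renewal_failed_domains=$((renewal_failed_domains + 1))
  fi
}

# Entry point: parse options, locate certbot and the certificates, report
# and renew. Returns 0 when no renewal failed, 1 otherwise.
main() {
  # Translate the long options into the short ones getopts understands.
  # "$@" is expanded before the loop starts, so rewriting the positional
  # parameters inside the body is safe.
  for arg in "$@"; do
    shift
    case "$arg" in
      --webroot) set -- "$@" -w ;;
      --webroot-path) set -- "$@" -p ;;
      --email) set -- "$@" -e ;;
      *) set -- "$@" "$arg" ;;
    esac
  done

  authenticator_mode="standalone"
  webroot_path=""
  email=""
  OPTIND=1
  while getopts "wp:e:" opt; do
    case "$opt" in
      w) authenticator_mode="webroot" ;;
      p) webroot_path=$OPTARG ;;
      e) email=$OPTARG ;;
      *) die "Usage: ${0##*/} [--webroot] [--webroot-path DIR] [--email ADDR]" ;;
    esac
  done
  shift $((OPTIND - 1))

  # Check the effective uid rather than $USER, which is unset under cron and
  # some sudo configurations.
  if [ "$(id -u)" -ne 0 ]; then
    echo "You are not root :("
    echo ""
    exit 1
  fi

  if [ -d "/opt/certbot/" ]; then
    letsencrypt_path="/opt/certbot/"
  else
    letsencrypt_path="" # define here your Let's Encrypt path
  fi
  if [ -d "/etc/letsencrypt/live/" ]; then
    ssl_certificates_path="/etc/letsencrypt/live/"
  else
    ssl_certificates_path="" # define here your custom SSL certificate path
  fi
  if [ -f "/etc/apache2/apache2.conf" ]; then
    webserver="apache2"
  elif [ -f "/etc/nginx/nginx.conf" ]; then
    webserver="nginx"
  else
    webserver="" # define here your custom webserver service name
  fi
  if [ "$authenticator_mode" = "webroot" ] && [ -z "$webroot_path" ]; then
    webroot_path="/var/www/html"
  fi
  if [ -z "$email" ]; then
    email="${USER:-$(id -un)}@$(hostname)"
  fi

  # Validate everything before touching the web server, so a misconfigured
  # run fails early instead of stopping the service and then aborting.
  if ! [ -x "${letsencrypt_path%/}/certbot-auto" ]; then
    die "certbot-auto not found: set letsencrypt_path in ${0##*/}"
  fi
  if ! [ -d "$ssl_certificates_path" ]; then
    die "certificate directory not found: set ssl_certificates_path in ${0##*/}"
  fi
  if [ "$authenticator_mode" = "standalone" ] && [ -z "$webserver" ]; then
    die "web server service unknown: set webserver in ${0##*/}"
  fi
  cd "$ssl_certificates_path" || die "cannot cd to $ssl_certificates_path"

  # Count the certificate directories without parsing ls output.
  certificate_count=0
  for certificates in */; do
    [ -d "$certificates" ] && certificate_count=$((certificate_count + 1))
  done
  echo ""
  echo " ${certificate_count} SSL certificates founded in ${ssl_certificates_path}"
  echo ""

  webserver_stopped=""
  if [ "$authenticator_mode" = "standalone" ]; then
    trap restart_webserver EXIT
    trap 'restart_webserver; exit 130' INT TERM
    service "$webserver" stop || die "could not stop $webserver"
    webserver_stopped=1
  fi

  renewed_domains=0
  renewal_failed_domains=0
  for certificates in */; do
    # "$certificates" keeps the trailing slash from the glob.
    certificate="${certificates}fullchain.pem"
    # Skip non-certificate entries (and the literal "*/" when nothing matches).
    [ -f "$certificate" ] || continue

    not_after=$(openssl x509 -noout -enddate -in "$certificate" | sed -e 's/^notAfter=//')
    not_after_timestamp=$(date -d "$not_after" +%s)
    if [ -z "$not_after_timestamp" ]; then
      echo " [${red}Error${nc}] cannot parse expiry date of ${certificate}"
      echo ""
      continue
    fi
    now_timestamp=$(date +%s)
    days_remaining=$(((not_after_timestamp - now_timestamp) / 86400))

    subject=$(cert_subject "$certificate")
    alternative_dns=$(cert_alt_names "$certificate" "$subject")
    alternative_dns_string=""
    set -f # no globbing: a SAN may be a wildcard such as *.example.com
    for name in $alternative_dns; do
      alternative_dns_string="${alternative_dns_string}, ${name}"
    done
    set +f
    rsa_key_size=$(cert_key_size "$certificate")

    # Thresholds: <4 days critical, <20 warning (both renewed), <31 info.
    if [ "$days_remaining" -lt 4 ]; then
      echo " [${red}Critical${nc}] ${subject}${alternative_dns_string}"
      echo " ${days_remaining} days remaining before expiration"
      renew_certificate "$subject" "$alternative_dns" "$rsa_key_size"
    elif [ "$days_remaining" -lt 20 ]; then
      echo " [${orange}Warning${nc}] ${subject}${alternative_dns_string}"
      echo " ${days_remaining} days remaining before expiration"
      renew_certificate "$subject" "$alternative_dns" "$rsa_key_size"
    elif [ "$days_remaining" -lt 31 ]; then
      echo " [${blue}Info${nc}] ${subject}${alternative_dns_string}"
      echo " ${days_remaining} days remaining before expiration"
      echo ""
    else
      echo " [${green}OK${nc}] ${subject}${alternative_dns_string}"
      echo " ${days_remaining} days remaining before expiration"
      echo ""
    fi
  done

  restart_webserver

  if [ "$renewed_domains" -eq 1 ]; then
    echo " 1 SSL certificate have been renewed ! Relaunch the script again to see the result"
    echo ""
  elif [ "$renewed_domains" -gt 1 ]; then
    echo " ${renewed_domains} SSL certificates have been renewed ! Relaunch the script again to see the result"
    echo ""
  fi
  if [ "$renewal_failed_domains" -eq 1 ]; then
    echo " 1 SSL certificate have failed to renew ! Log details : ${log_path}"
    echo ""
  elif [ "$renewal_failed_domains" -gt 1 ]; then
    echo " ${renewal_failed_domains} SSL certificates have failed to renew ! Log details : ${log_path}"
    echo ""
  fi

  # Non-zero exit when any renewal failed, so cron/monitoring can notice.
  [ "$renewal_failed_domains" -eq 0 ]
}

main "$@"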