authorAaron LI <aly@aaronly.me>2019-09-22 10:18:57 +0800
committerAaron LI <aly@aaronly.me>2019-09-22 10:22:21 +0800
commit64cd268f1cf113911bf4472fbb63efe53f6eb760 (patch)
treec8edd39007557e82fe1758867d8b0404314dd173 /roles/web/templates
parent60c85c56f25e10b9819214507ebd496cc0fbb855 (diff)
downloadansible-dfly-vps-64cd268f1cf113911bf4472fbb63efe53f6eb760.tar.bz2
web: Use 'acme.sh' to issue and renew certificates
The 'acme-client' seems obsolete and is missing from DPorts.
Diffstat (limited to 'roles/web/templates')
-rw-r--r--roles/web/templates/acme/deploy.sh.j227
-rw-r--r--roles/web/templates/acme/issue.sh.j219
2 files changed, 46 insertions, 0 deletions
diff --git a/roles/web/templates/acme/deploy.sh.j2 b/roles/web/templates/acme/deploy.sh.j2
new file mode 100644
index 0000000..141b112
--- /dev/null
+++ b/roles/web/templates/acme/deploy.sh.j2
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Deploy the issued certificates.
+#
+# Aaron LI
+# 2019-09-21
+#
+
+SSL_ROOT="{{ web.ssl_root }}"
+[ -d "${SSL_ROOT}" ] || mkdir -p -m 0700 ${SSL_ROOT}
+
+{% for domain in domains %}
+CERT_DIR="${SSL_ROOT}/{{ domain.name }}"
+[ -d "${CERT_DIR}" ] || mkdir -m 0700 ${CERT_DIR}
+acme.sh --install-cert --log /var/log/acme.sh.log \
+ --config-home {{ web.acme_home }}/.acme.sh \
+ --cert-home {{ web.acme_home }}/certs \
+ --domain {{ domain.name }} \
+ --key-file ${CERT_DIR}/key \
+ --cert-file ${CERT_DIR}/cert \
+ --fullchain-file ${CERT_DIR}/fullchain
+
+{% endfor %}
+
+echo "Reload relevant services ..."
+SCRIPT="{{ web.acme_home }}/deploy.local.sh"
+[ -f "${SCRIPT}" ] && sh ${SCRIPT} || exit 0
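Review bot: The last line, `[ -f "${SCRIPT}" ] && sh ${SCRIPT} || exit 0`, turns a failing deploy.local.sh into a silent exit 0, so a service that did not reload the freshly installed certificate goes unnoticed by whatever runs this script; the `a && b || c` shape runs `c` whenever `b` fails, not only when the file is absent. An explicit `if [ -f "${SCRIPT}" ]; then` / `  sh "${SCRIPT}"` / `fi` keeps the "optional hook" semantics while letting the hook's exit status propagate. The same hunk also leaves `${SSL_ROOT}` and `${CERT_DIR}` unquoted in the `mkdir` calls and the `--key-file`/`--cert-file`/`--fullchain-file` arguments (lines 34, 38, 43-45), which word-splits if `web.ssl_root` ever contains whitespace; quoting them is a one-character change per expansion. Since the key is written into `${CERT_DIR}`, a short comment noting that the 0700 directory mode is what protects the private key from other local users would help the next reader.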
diff --git a/roles/web/templates/acme/issue.sh.j2 b/roles/web/templates/acme/issue.sh.j2
new file mode 100644
index 0000000..6e63fb4
--- /dev/null
+++ b/roles/web/templates/acme/issue.sh.j2
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Use 'acme.sh' to issue certificates.
+#
+# Aaron LI
+# 2019-09-21
+#
+
+{% for domain in domains %}
+acme.sh --issue --log /var/log/acme.sh.log \
+ --config-home {{ web.acme_home }}/.acme.sh \
+ --domain {{ domain.name }} \
+ {% for sub in domain.sub %}--domain {{ sub }}.{{ domain.name }} {% endfor %} \
+ --webroot {{ web.acme_webroot }} ||
+ echo "WARNING: exit with non-zero code: $?"
+
+{% endfor %}
+
+acme.sh --list
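Review bot: The `|| echo "WARNING: exit with non-zero code: $?"` fallback after each `acme.sh --issue` swallows the failure: the message goes to stdout and the script still ends in `acme.sh --list` with status 0, so a cron job or Ansible task calling it cannot distinguish a failed issuance from a successful one. Sending the warning to stderr and remembering the failure, e.g. `echo "WARNING: ... $?" >&2; failed=1` inside the loop and `exit "${failed:-0}"` after `acme.sh --list`, keeps the best-effort behaviour for the remaining domains while still reporting the problem. The inline Jinja loop on the `--domain {{ sub }}.{{ domain.name }}` line emits trailing whitespace before the backslash continuation; that is harmless for sh but worth a comment in the template so nobody "cleans" the line and breaks the continuation.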