Diffstat (limited to 'roles/web/files/acme')
-rwxr-xr-x | roles/web/files/acme/acme-client.sh | 12 | ||||
-rw-r--r-- | roles/web/files/acme/deploy.d/nginx | 6 | ||||
-rwxr-xr-x | roles/web/files/acme/deploy.sh | 45 |
3 files changed, 49 insertions, 14 deletions
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
@@ -9,12 +9,16 @@
 # $ ./acme-client.sh
 # which can be called by periodic(8).
 #
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+# weekly_acme_client_enable="YES"
+# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
 #
 # Output files:
-# * .../etc/acme/privkey.pem : account private key
-# * .../etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/acme/privkey.pem : account private key
+# * etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
 #
 # XXX/TODO:
 # * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
@@ -1,22 +1,47 @@ #!/bin/sh -e # -# Restart the services after renewing the certificate(s) to deploy the -# changed certificate(s). -# -# This script will be weekly executed. See "/etc/periodic.conf". +# Deploy the renewed certificate(s) to services. # # Aaron LI # -# Services to be restarted after ACME certificate update -SERVICES="nginx dovecot postfix" +reload() { + local srv="$1" + local rv=0 + if service ${srv} status >/dev/null 2>&1; then + echo "Reloading service ${srv} ..." + service ${srv} reload + echo "ok" + else + echo "WARNING: service ${srv} is not running" >&2 + rv=1 + fi + return ${rv} +} + -printf "-------------------------------------------------------------\n" -for srv in ${SERVICES}; do +restart() { + local srv="$1" + local rv=0 if service ${srv} status >/dev/null 2>&1; then - echo "ACME deploy: restarting ${srv} ..." + echo "Restarting service ${srv} ..." service ${srv} restart + echo "ok" else - echo "ACME deploy: service ${srv} not running" + echo "WARNING: service ${srv} is not running" >&2 + rv=1 + fi + return ${rv} +} + + +echo "=============================================================" +dir="${0%/*}" +rv=0 +for f in ${dir}/deploy.d/*; do + if [ -f "${f}" ]; then + echo "Deploying [${f##*/}] ..." + . "${f}" || rv=$? fi done +exit ${rv} |
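Review bot: The exit status of `service ${srv} reload` in reload() is never checked, and the same holds for `service ${srv} restart` in restart(). The fragments are sourced on the left of `|| rv=$?`, where `-e` should not apply, so a failed reload still prints "ok" and returns 0. The service would then keep serving the old certificate while the run reports success. Checking the status explicitly fixes this in both functions: `if service "${srv}" reload; then echo "ok"; else rv=$?; fi`. Separately, the loop sources every regular file under `${dir}/deploy.d/` with this script's privileges, editor backups included, so that directory should be writable only by its owner and `${dir}` should be quoted in the `for` line.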