blob: d929cbb1db73fa2f3c1ba86bcf4df3b680f90729 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#!/bin/sh
#
# This script can be both used to request/obtain new certificate(s) from
# Let's Encrypt through ACME challenges:
# $ ./acme-client.sh -n -N
# to expand the domains listed in the certificate:
# $ ./acme-client.sh -e
# and be used to renew the obtained certificate(s) (default action):
# $ ./acme-client.sh
# which can be called by periodic(8).
#
# This script will be weekly executed in order to renew the certificate(s)
# by adding such configurations to "/etc/periodic.conf":
# weekly_acme_client_enable="YES"
# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
#
# Output files:
# * etc/acme/privkey.pem : account private key
# * etc/ssl/acme/private/<domain>.pem : domain private key
# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
#
# XXX/TODO:
# * How to remove/revoke a SAN from the certificate?
#
#
# Aaron LI
# 2017-04-19
#
umask 027
BASEDIR="/usr/local/etc/acme"
SSLDIR="/usr/local/etc/ssl/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
CHALLENGEDIR="/usr/local/www/acme/.well-known/acme-challenge"
# Default to show verbose information
VERBOSE="true"
# Additional arguments for "acme-client"
ARGS=""
usage() {
cat << _EOF_
usage:
`basename $0` [-h] [-efLnNv] [-d domains.txt]
-e : allow expanding the domains listed in the certificate
-f : force updating the certificate signature even if its too soon
-n : create a new 4096-bit RSA account key if one does not already exist
-N : create a new 4096-bit RSA domain key if one does not already exist
-q : be quiet (default to show verbose information)
-d domains.txt : text file with one domain and its sub-domains per line
(default: ${DOMAINSFILE})
_EOF_
}
while getopts "efhnNqd:" opt; do
case "$opt" in
h)
usage
exit 1
;;
e)
ARGS="${ARGS} -e"
;;
f)
ARGS="${ARGS} -F"
;;
n)
ARGS="${ARGS} -n"
;;
N)
ARGS="${ARGS} -N"
;;
q)
VERBOSE="false"
;;
d)
DOMAINSFILE="${OPTARG}"
;;
[?])
usage
exit 2
;;
esac
done
if [ "${VERBOSE}" = "true" ]; then
ARGS="${ARGS} -v"
fi
# HACK???
[ ! -f "/etc/ssl/cert.pem" ] && \
ln -sv /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem
[ ! -d "${CHALLENGEDIR}" ] && mkdir -pv ${CHALLENGEDIR}
[ ! -d "${SSLDIR}/private" ] && mkdir -pvm700 "${SSLDIR}/private"
printf "\n=== $(date) ===\n=== CMD: $0 $* ===\n"
grep -v '^\s*#' "${DOMAINSFILE}" | while read domain line; do
printf "-------------------------------------------------------------\n"
printf "[${domain}] ${line}\n"
printf "-------------------------------------------------------------\n"
CERTSDIR="${SSLDIR}/${domain}"
[ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
set +e # RC=2 when time to expire > 30 days
acme-client -b -C "${CHALLENGEDIR}" \
-k "${SSLDIR}/private/${domain}.pem" \
-c "${CERTSDIR}" \
${ARGS} \
${domain} ${line}
RC=$?
set -e
[ $RC -ne 0 -a $RC -ne 2 ] && exit $RC
done
printf "-------------------------------------------------------------\n"
exit 0
|
