annotate host/renewSsl.sh @ 2117:1e247cd012ee ssltesting
use site_dir/ssl for all ssl related files; raise error() on empty acme-tiny output.
| author | Violet7 |
|---|---|
| date | Tue, 06 Jan 2026 09:01:44 -0800 |
| parents | 39d4215259ec |
| children |
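#!/bin/bash
# Renew the TLS certificate of every site under <host_dir>/sites/<domain>/
# with acme_tiny, keeping the previous chain as fullchain.cer.old, then
# reload nginx.
#
# Usage: renewSsl.sh [host_dir]
#   host_dir  directory holding acme_tiny, local/ and sites/ (default: cwd)
#
# Per-site layout (all under sites/<domain>/ssl/):
#   <domain>.csr                  CSR to sign; absent => treated as self-signed, skipped
#   fullchain.cer                 chain served by nginx (replaced by rename)
#   .well-known/acme-challenge/   HTTP-01 challenge directory handed to acme_tiny
set -e

# Resolve our own path before any cd, so the root -> owner re-exec below
# still finds the script when $0 is relative.
case "$0" in
  /*) SCRIPT_PATH=$0 ;;
  *)  SCRIPT_PATH=$PWD/$0 ;;
esac

if [ -n "$1" ]; then
  # Silently staying in the wrong directory would process the wrong sites/ tree.
  cd "$1" || { echo "Error: cannot cd to $1" >&2; exit 1; }
fi

ROOTPWD=$(pwd)
# this awkward method is used for portability (stat(1) flags differ between platforms)
ROOTPWDOWNER=$(ls -ld "$ROOTPWD" | awk '{printf "%s", $3}')

# change to owner of host/ if running as root
# prevents nginx being unable to read files owned by root
if [ "$(id -u)" -eq 0 ]; then
  echo "switching to $ROOTPWDOWNER in order to preserve permissions"
  # Pass the absolute host dir rather than "$@": sudo keeps the cwd we just
  # changed into, so a relative $1 would not resolve a second time.
  exec sudo -u "$ROOTPWDOWNER" "$SCRIPT_PATH" "$ROOTPWD"
fi

KEYFILE="$ROOTPWD/local/tiny_account.key"

#######################################
# Renew one site's certificate.
# Globals:   ROOTPWD, KEYFILE (read)
# Arguments: $1 - sites/<domain> directory
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when renewed or legitimately skipped, 1 when any step failed
#            (fullchain.cer is left untouched in that case)
#######################################
renew_site() {
  local siteroot=$1
  local domain ssldir csrfile fullchain challengedir tmpout

  # Skip if not a directory
  [ -d "$siteroot" ] || return 0

  domain=$(basename "$siteroot")
  ssldir="$siteroot/ssl"
  csrfile="$ssldir/$domain.csr"
  fullchain="$ssldir/fullchain.cer"
  challengedir="$ssldir/.well-known/acme-challenge"
  tmpout="$ssldir/$domain.crt.tmp"
  echo "Processing domain: $domain"

  # local_https.sh does not create a csr file, assume
  # it is a self-signed local cert if it doesn't exist
  if [ ! -f "$csrfile" ]; then
    echo "CSR file not found, assuming self-signed and skipping."
    return 0
  fi

  # NOTE(review): the challenge dir sits inside the ssl dir; confirm the nginx
  # config exposes only .well-known/acme-challenge/ and not the rest of $ssldir.
  mkdir -p "$challengedir" || return 1

  # acme_tiny prints the signed PEM chain on stdout and diagnostics on stderr.
  if ! "$ROOTPWD/acme_tiny" \
      --account-key "$KEYFILE" \
      --csr "$csrfile" \
      --acme-dir "$challengedir" \
      >"$tmpout"; then
    echo "Error: acme_tiny failed for $domain - please see previous output for details." >&2
    rm -f -- "$tmpout"
    return 1
  fi

  # An empty or non-PEM result means something failed upstream.
  # Do not modify the current fullchain.
  if [ ! -s "$tmpout" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$tmpout"; then
    printf 'Error: %s is empty or not a certificate - please see previous output for details.\n' "$tmpout" >&2
    rm -f -- "$tmpout"
    return 1
  fi

  # Keep the previous chain as a fallback. Copy rather than move so that
  # fullchain.cer never vanishes if the rename below fails.
  if [ -f "$fullchain" ]; then
    cp -p -- "$fullchain" "$fullchain.old" || return 1
  fi

  # Rename within the same directory: readers see either the old or the new file.
  mv -f -- "$tmpout" "$fullchain" || return 1

  echo "Renewed certificate for $domain"
}

for SITEROOT in "$ROOTPWD"/sites/*; do
  # set -e is suspended while renew_site runs on the left of '||', which is
  # why every step inside it checks its own status explicitly.
  renew_site "$SITEROOT" || echo "Error processing $SITEROOT — skipping." >&2
done

sudo /usr/local/bin/nginx -s reload -c "$ROOTPWD/local/nginx.conf"
echo "Nginx reloaded."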
