repo/luan: host/renewSsl.sh annotate

annotate host/renewSsl.sh @ 2080:d7de1f976c1d ssltesting

use site/xyz/ssl/ for fullchain

author	Violet7
date	Tue, 09 Dec 2025 17:33:51 -0800
parents	385ab09fb2ca
children	cdc9a31c6f71

rev	line source
1632 0344a535b1db add doc fffilimonov parents: diff changeset	1 #!/bin/bash
2072 b934176dfcf1 https hacks Franklin Schmidt <fschmidt@gmail.com> parents: 2061 diff changeset	2 set -e
1632 0344a535b1db add doc fffilimonov parents: diff changeset	3
2076 385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	4 if [ -n "$1" ]; then
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	5 cd "$1" \|\| echo "no first argument passed, staying in cwd"
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	6 fi
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	7
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	8 ROOTPWD=$(pwd)
2076 385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	9 # this awkward method is used for portability
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	10 ROOTPWDOWNER=$(ls -ld $ROOTPWD \| awk '{printf "%s", $3}')
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	11
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	12 # change to owner of host/ if running as root
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	13 # prevents nginx being unable to read files owned by root
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	14 if [ "$(id -u)" -eq 0 ]; then
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	15 echo "switching to $ROOTPWDOWNER in order to preserve permissions"
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	16 exec sudo -u $ROOTPWDOWNER "$0" "$@"
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	17 fi
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	18
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	19 KEYFILE="$ROOTPWD/local/tiny_account.key"
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	20 for SITEROOT in "$ROOTPWD"/sites/*; do
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	21 {
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	22 # Skip if not a directory
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	23 [ -d "$SITEROOT" ] \|\| continue
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	24
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	25 DOMAIN=$(basename "$SITEROOT")
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	26 CSRFILE="$SITEROOT/$DOMAIN.csr"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	27 FULLCHAIN="$SITEROOT/fullchain.cer"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	28 CHALLENGEDIR="$SITEROOT/site/.well-known/acme-challenge"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	29 TMPOUT="/tmp/$DOMAIN.crt"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	30 echo "Processing domain: $DOMAIN"
1632 0344a535b1db add doc fffilimonov parents: diff changeset	31
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	32 # local_https.sh does not create a csr file, assume
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	33 # it is a self-signed local cert if it doesn't exist
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	34 if [ ! -f "$CSRFILE" ]; then
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	35 echo "CSR file not found, assuming self-signed and skipping."
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	36 continue
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	37 fi
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	38
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	39 mkdir -p "$CHALLENGEDIR"
1632 0344a535b1db add doc fffilimonov parents: diff changeset	40
2061 dd10659fcdb9 Renew ssl monthly instead of daily; Fix renewSsl.sh Violet7 parents: 2052 diff changeset	41 "$ROOTPWD/acme_tiny" \
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	42 --account-key "$KEYFILE" \
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	43 --csr "$CSRFILE" \
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	44 --acme-dir "$CHALLENGEDIR" \
2076 385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	45 >"$TMPOUT"
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	46
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	47 wc -c <$TMPOUT
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	48
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	49 # If TMPOUT is empty, something failed.
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	50 if [ ! -s "$TMPOUT" ]; then
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	51 echo "Error: $TMPOUT is empty - please see previous output for details.\nContinuing to next domain..."
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	52 rm -f "$TMPOUT"
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	53 continue
385ab09fb2ca initial draft Violet7 parents: 2072 diff changeset	54 fi
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	55
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	56 # check if exists
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	57 if [ -f "$FULLCHAIN" ]; then
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	58 mv $FULLCHAIN "$FULLCHAIN.old"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	59 fi
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	60
2048 59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	61 mv "$TMPOUT" "$FULLCHAIN"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	62
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	63 echo "Renewed certificate for $DOMAIN"
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	64 } \|\| {
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	65 echo "Error processing $SITEROOT — skipping."
59f3a7f3d10b add check for local_https in renewSsl.sh Violet7 parents: 2037 diff changeset	66 }
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	67 done
a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	68
2050 1f4c590bf0ae explicitly specify nginx conf Violet7 parents: 2048 diff changeset	69 sudo /usr/local/bin/nginx -s reload -c "$(pwd)/local/nginx.conf"
2037 a4435e2e3417 Edit scripts to use acme-tiny Violet7 parents: 1758 diff changeset	70 echo "Nginx reloaded."

Mercurial Hosting > luan

annotate host/renewSsl.sh @ 2080:d7de1f976c1d ssltesting