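#!/usr/bin/bash
#
# renew-le.sh - renew the FreeIPA httpd TLS certificate via Let's Encrypt.
#
# Usage:
#   renew-le.sh               # cron mode: renew only when < 30 days of validity remain
#   renew-le.sh --first-time  # skip the validity check (initial run)
#
# Runs openssl, letsencrypt, restorecon and service/systemctl, so it needs the
# privileges to read the httpd private key and to stop/start httpd.
set -o nounset -o errexit -o pipefail

WORKDIR=$(dirname "$(realpath "$0")")
readonly WORKDIR
# Contact address handed to letsencrypt; fill in before use.
EMAIL=""
readonly EMAIL

readonly CERT_FILE="/var/lib/ipa/certs/httpd.crt"
readonly KEY_FILE="/var/lib/ipa/private/httpd.key"
readonly CSR_FILE="$WORKDIR/httpd-csr.der"
# Renew once fewer than this many days of validity remain.
readonly RENEW_THRESHOLD_DAYS=30

#######################################
# Stop or start httpd, preferring the service wrapper when it exists
# (same preference as before: service first, systemctl otherwise).
# Arguments: $1 - "stop" or "start"
#######################################
httpd_ctl() {
  local action=$1
  if command -v service >/dev/null 2>&1; then
    service httpd "$action"
  else
    systemctl "$action" httpd
  fi
}

### cron
# skip renewal if the cert is still valid for more than RENEW_THRESHOLD_DAYS days
# (pass --first-time to bypass this check on the initial run)
if [[ "${1:-renew}" != "--first-time" ]]; then
  # Keep the openssl pipeline in its own assignment so a failure to read the
  # cert aborts the script (errexit + pipefail) instead of feeding date an
  # empty string and renewing on a bogus expiry.
  end_date=$(openssl x509 -enddate -noout -in "$CERT_FILE" | cut -d= -f2)
  end_timestamp=$(date +%s --date="$end_date")
  now_timestamp=$(date +%s)
  # $(( )) rather than `let`: `let` returns status 1 when the result is 0
  # (cert expiring today), which errexit would turn into a silent early exit
  # with no renewal.
  days_left=$(( (end_timestamp - now_timestamp) / 86400 ))
  if (( days_left > RENEW_THRESHOLD_DAYS )); then
    exit 0
  fi
fi

# letsencrypt writes its output files (0000_cert.pem, ...) into the current
# directory, hence the cd.
cd "$WORKDIR"

# cert renewal is needed if we reached this line
# cleanup leftovers from a previous run
rm -f -- "$WORKDIR"/*.pem
rm -f -- "$WORKDIR"/httpd-csr.*

# generate CSR; the key passphrase, when one is configured, is read from a
# file (-passin file:) so it never shows up on the command line.
OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/${HOSTNAME}-443-RSA"
openssl_args=(req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key "$KEY_FILE" -out "$CSR_FILE")
if [[ -f "$OPENSSL_PASSWD_FILE" ]]; then
  openssl_args+=(-passin "file:$OPENSSL_PASSWD_FILE")
fi
openssl "${openssl_args[@]}"

# httpd process prevents letsencrypt (standalone mode) from working, stop it.
# Bring it back on every exit path so a failed letsencrypt run does not leave
# httpd stopped until someone notices.
trap 'httpd_ctl start' EXIT
httpd_ctl stop

# get a new cert
letsencrypt certonly --standalone --csr "$CSR_FILE" --email "$EMAIL" --agree-tos

# replace the cert, keeping a backup of the previous one
cp -- "$CERT_FILE" "$CERT_FILE.bkp"
mv -f -- "$WORKDIR/0000_cert.pem" "$CERT_FILE"
restorecon -v "$CERT_FILE"

# httpd is started with the new cert by the EXIT trap above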