forked from evolix/ansible-roles
evoacme: add error and debug function
This commit is contained in:
parent
9527aff68a
commit
2dbdfb6600
|
@ -18,14 +18,24 @@ usage() {
|
||||||
echo ""
|
echo ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
debug() {
|
||||||
|
[ "$CRON" = "NO" ] && echo "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
error() {
|
||||||
|
echo "error: $1" >&2
|
||||||
|
[ "$1" = "invalid argument(s)" ] && usage
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
mkconf_apache() {
|
mkconf_apache() {
|
||||||
echo "Apache detected... first configuration"
|
debug "Apache detected... first configuration"
|
||||||
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||||
apache2ctl -t
|
apache2ctl -t
|
||||||
}
|
}
|
||||||
|
|
||||||
mkconf_nginx() {
|
mkconf_nginx() {
|
||||||
echo "Nginx detected... first configuration"
|
debug "Nginx detected... first configuration"
|
||||||
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||||
nginx -t
|
nginx -t
|
||||||
}
|
}
|
||||||
|
@ -43,22 +53,22 @@ main() {
|
||||||
|
|
||||||
# misc verifications
|
# misc verifications
|
||||||
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
|
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
|
||||||
which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 )
|
which openssl >/dev/null || error "openssl command not installed"
|
||||||
which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 )
|
which certbot >/dev/null || error "certbot command not installed"
|
||||||
[ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1
|
[ ! -d $ACME_DIR ] && error "$ACME_DIR is not a directory"
|
||||||
[ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1
|
[ ! -d $CSR_DIR ] && error "$CSR_DIR is not a directory"
|
||||||
[ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1
|
[ ! -d $LOG_DIR ] && error "$LOG_DIR is not a directory"
|
||||||
[ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1
|
[ "$#" -ge 3 ] || [ "$#" -le 0 ] && error "invalid argument(s)"
|
||||||
[ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1
|
[ "$#" -eq 2 ] && [ "$1" != "--cron" ] && error "invalid argument(s)"
|
||||||
|
|
||||||
[ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO
|
[ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO
|
||||||
[ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES
|
[ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES
|
||||||
|
|
||||||
# verify .csr file
|
# verify .csr file
|
||||||
test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1
|
[ ! -f "$CSR_DIR/${vhost}.csr" ] && error "$CSR_DIR/${vhost}.csr absent"
|
||||||
test ! -r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1
|
[ ! -r "$CSR_DIR/${vhost}.csr" ] && error "$C´SR_DIR/${vhost}.csr is not readable"
|
||||||
openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 )
|
openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || error "$CSR_DIR/${vhost}.csr is invalid"
|
||||||
[ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr"
|
debug "Using CSR file: $CSR_DIR/${vhost}.csr"
|
||||||
|
|
||||||
# Hook for evoadmin-web in cluster mode : check master status
|
# Hook for evoadmin-web in cluster mode : check master status
|
||||||
if [ -f "/home/${vhost}/state" ]; then
|
if [ -f "/home/${vhost}/state" ]; then
|
||||||
|
@ -72,43 +82,43 @@ main() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DATE=$(date "+%Y%m%d")
|
DATE=$(date "+%Y%m%d")
|
||||||
[ ! -n "$DATE" ] && echo "error: invalid date" && exit 1
|
[ ! -n "$DATE" ] && error "invalid date"
|
||||||
|
|
||||||
|
|
||||||
# If live link already exists, it's not our first time...
|
# If live link already exists, it's not our first time...
|
||||||
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 )
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "$CRT_DIR/${vhost}/live/cert.crt is invalid"
|
||||||
|
|
||||||
# Verify if our certificate will expire
|
# Verify if our certificate will expire
|
||||||
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2)
|
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2)
|
||||||
date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s")
|
date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s")
|
||||||
date_today=$(date +'%s')
|
date_today=$(date +'%s')
|
||||||
[ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0
|
[ "$date_today" -lt "$date_renew" ] && debug "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." && exit 0
|
||||||
else
|
else
|
||||||
which apache2ctl >/dev/null && mkconf_apache
|
which apache2ctl >/dev/null && mkconf_apache
|
||||||
which nginx >/dev/null && mkconf_nginx
|
which nginx >/dev/null && mkconf_nginx
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# renew certificate with certbot
|
# renew certificate with certbot
|
||||||
[ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1
|
[ -d "$CRT_DIR/${vhost}/${DATE}" ] && error "$CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually."
|
||||||
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||||
chown -R acme: "$CRT_DIR/${vhost}/${DATE}"
|
chown -R acme: "$CRT_DIR/${vhost}/${DATE}"
|
||||||
[ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet"
|
[ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet"
|
||||||
sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||||
|
|
||||||
# verify if all is right
|
# verify if all is right
|
||||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 )
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid"
|
||||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 )
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid"
|
||||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 )
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid"
|
||||||
|
|
||||||
# link dance
|
# link dance
|
||||||
[ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live"
|
[ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live"
|
||||||
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 )
|
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "new $CRT_DIR/{vhost}/live/cert.crt is invalid"
|
||||||
|
|
||||||
# reload apache or nginx (TODO: need improvments)
|
# reload apache or nginx (TODO: need improvments)
|
||||||
pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2
|
pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && debug "Apache detected... reloading" && systemctl reload apache2
|
||||||
pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2
|
pidof nginx >/dev/null && nginx -t 2>/dev/null && debug "Nginx detected... reloading" && systemctl reload apache2
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue