diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 9e1d34de..53de93d9 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -1,6 +1,17 @@ -#!/bin/bash +#!/bin/sh -ls /etc/letsencrypt/*.crt 2>/dev/null |sed 's/.crt//'|while read vhost; -do - evoacme $(basename $vhost)>/dev/null +[ -f /etc/default/evoacme ] && . /etc/default/evoacme +[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' +[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + +find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do + evoacme $vhost >/dev/null +done + +# Compatibility with older version of evoacme +find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do + [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf + [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf + rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem + evoacme $vhost >/dev/null done diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 888e5cb3..d0940944 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -1,13 +1,16 @@ #!/bin/bash -[ -f /etc/default/evoacme ] && source /etc/default/evoacme +[ -f /etc/default/evoacme ] && . /etc/default/evoacme [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' +[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' +[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' vhost=$(basename $1 .conf) +DATE=$(date "+%Y%m%d") -SSL_EMAIL=$(grep emailAddress /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) +SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs) if [ -n "$SSL_EMAIL" ]; then emailopt="--email $SSL_EMAIL" else @@ -17,60 +20,43 @@ fi # Check master status for evoadmin-cluster if [ -f /home/${vhost}/state ]; then grep -q "STATE=master" /home/${vhost}/state - if [ $? -ne 0 ]; then - exit 0 - fi + [ $? -ne 0 ] && exit 0 fi -if [ -f $CRT_DIR/${vhost}.crt ]; then - renew=true - crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}.crt|sed -e "s/.*=//"` +if [ -h $CRT_DIR/${vhost}/live ]; then + crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"` date_crt=`date -ud "$crt_end_date" +"%s"` date_today=`date +'%s'` date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) )) - if [ $date_diff -ge $SSL_MINDAY ]; then - exit 0 - fi + [ $date_diff -ge $SSL_MINDAY ] && exit 0 fi -rm -f $CRT_DIR/${vhost}.crt $CRT_DIR/${vhost}-fullchain.pem $CRT_DIR/${vhost}-chain.pem +mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE} +chown -R acme: $CRT_DIR/${vhost} +sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util) -sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}.crt --fullchain-path=$CRT_DIR/${vhost}-fullchain.pem --chain-path=$CRT_DIR/${vhost}-chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util) - -if [ $? != 0 ]; then - if [ -d /etc/apache2 ]; then - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf +if [ $? -eq 0 ]; then + ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live + which apache2ctl>/dev/null + if [ $? -eq 0 ]; then + [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf + apache2ctl -t 2>/dev/null + [ $? -eq 0 ] && service apache2 reload fi - if [ -d /etc/nginx ]; then - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf + which nginx>/dev/null + if [ $? -eq 0 ]; then + [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf + nginx -t 2>/dev/null + [ $? -eq 0 ] && service nginx reload fi - exit 1 + + which haproxy>/dev/null + if [ $? -eq 0 ]; then + mkdir -p /etc/ssl/haproxy -m 700 + cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem + [ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem + haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null + [ $? -eq 0 ] && service haproxy reload + fi + exit 0 fi - -which apache2ctl>/dev/null -if [ $? == 0 ]; then - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}-fullchain.pem~" /etc/apache2/ssl/${vhost}.conf - apache2ctl -t 2>/dev/null - if [ $? == 0 ]; then - service apache2 reload - fi -fi -which nginx>/dev/null -if [ $? == 0 ]; then - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf - nginx -t 2>/dev/null - if [ $? == 0 ]; then - service nginx reload - fi -fi - -which haproxy>/dev/null -if [ $? == 0 ]; then - mkdir -p /etc/ssl/haproxy -m 700 - cat $CRT_DIR/${vhost}-fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem - haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null - if [ $? == 0 ]; then - service haproxy reload - fi -fi -exit 0