evoacme: refactoring
This commit is contained in:
parent
1032c4aec7
commit
267f1ffc88
|
@ -1,6 +1,17 @@
|
||||||
#!/bin/bash
|
#!/bin/sh
|
||||||
|
|
||||||
ls /etc/letsencrypt/*.crt 2>/dev/null |sed 's/.crt//'|while read vhost;
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
do
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
evoacme $(basename $vhost)>/dev/null
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||||
|
|
||||||
|
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||||
|
evoacme $vhost >/dev/null
|
||||||
|
done
|
||||||
|
|
||||||
|
# Compatibility with older version of evoacme
|
||||||
|
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do
|
||||||
|
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||||
|
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||||
|
rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem
|
||||||
|
evoacme $vhost >/dev/null
|
||||||
done
|
done
|
||||||
|
|
|
@ -1,13 +1,16 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||||
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||||
|
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
||||||
|
|
||||||
vhost=$(basename $1 .conf)
|
vhost=$(basename $1 .conf)
|
||||||
|
DATE=$(date "+%Y%m%d")
|
||||||
|
|
||||||
SSL_EMAIL=$(grep emailAddress /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs)
|
||||||
if [ -n "$SSL_EMAIL" ]; then
|
if [ -n "$SSL_EMAIL" ]; then
|
||||||
emailopt="--email $SSL_EMAIL"
|
emailopt="--email $SSL_EMAIL"
|
||||||
else
|
else
|
||||||
|
@ -17,60 +20,43 @@ fi
|
||||||
# Check master status for evoadmin-cluster
|
# Check master status for evoadmin-cluster
|
||||||
if [ -f /home/${vhost}/state ]; then
|
if [ -f /home/${vhost}/state ]; then
|
||||||
grep -q "STATE=master" /home/${vhost}/state
|
grep -q "STATE=master" /home/${vhost}/state
|
||||||
if [ $? -ne 0 ]; then
|
[ $? -ne 0 ] && exit 0
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f $CRT_DIR/${vhost}.crt ]; then
|
if [ -h $CRT_DIR/${vhost}/live ]; then
|
||||||
renew=true
|
crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"`
|
||||||
crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}.crt|sed -e "s/.*=//"`
|
|
||||||
date_crt=`date -ud "$crt_end_date" +"%s"`
|
date_crt=`date -ud "$crt_end_date" +"%s"`
|
||||||
date_today=`date +'%s'`
|
date_today=`date +'%s'`
|
||||||
date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) ))
|
date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) ))
|
||||||
if [ $date_diff -ge $SSL_MINDAY ]; then
|
[ $date_diff -ge $SSL_MINDAY ] && exit 0
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f $CRT_DIR/${vhost}.crt $CRT_DIR/${vhost}-fullchain.pem $CRT_DIR/${vhost}-chain.pem
|
mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE}
|
||||||
|
chown -R acme: $CRT_DIR/${vhost}
|
||||||
|
sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
|
||||||
|
|
||||||
sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}.crt --fullchain-path=$CRT_DIR/${vhost}-fullchain.pem --chain-path=$CRT_DIR/${vhost}-chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
|
if [ $? -eq 0 ]; then
|
||||||
|
ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live
|
||||||
if [ $? != 0 ]; then
|
which apache2ctl>/dev/null
|
||||||
if [ -d /etc/apache2 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
|
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||||
|
apache2ctl -t 2>/dev/null
|
||||||
|
[ $? -eq 0 ] && service apache2 reload
|
||||||
fi
|
fi
|
||||||
if [ -d /etc/nginx ]; then
|
which nginx>/dev/null
|
||||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
|
if [ $? -eq 0 ]; then
|
||||||
|
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||||
|
nginx -t 2>/dev/null
|
||||||
|
[ $? -eq 0 ] && service nginx reload
|
||||||
fi
|
fi
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
which apache2ctl>/dev/null
|
which haproxy>/dev/null
|
||||||
if [ $? == 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}-fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
|
mkdir -p /etc/ssl/haproxy -m 700
|
||||||
apache2ctl -t 2>/dev/null
|
cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem
|
||||||
if [ $? == 0 ]; then
|
[ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem
|
||||||
service apache2 reload
|
haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null
|
||||||
fi
|
[ $? -eq 0 ] && service haproxy reload
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
fi
|
fi
|
||||||
which nginx>/dev/null
|
|
||||||
if [ $? == 0 ]; then
|
|
||||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
|
|
||||||
nginx -t 2>/dev/null
|
|
||||||
if [ $? == 0 ]; then
|
|
||||||
service nginx reload
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
which haproxy>/dev/null
|
|
||||||
if [ $? == 0 ]; then
|
|
||||||
mkdir -p /etc/ssl/haproxy -m 700
|
|
||||||
cat $CRT_DIR/${vhost}-fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem
|
|
||||||
haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null
|
|
||||||
if [ $? == 0 ]; then
|
|
||||||
service haproxy reload
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
exit 0
|
|
||||||
|
|
Loading…
Reference in a new issue