From 44b2480e031a7f83a755685021394df6f79f411b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 27 Sep 2019 10:15:33 +0200
Subject: [PATCH] certbot: improve hooks

---
 certbot/files/hooks/apache.sh | 5 +++--
 certbot/files/hooks/commit-etc.sh | 1 +
 certbot/files/hooks/dovecot.sh | 3 ++-
 certbot/files/hooks/haproxy.sh | 10 ++++++++--
 certbot/files/hooks/nginx.sh | 5 +++--
 certbot/files/hooks/postfix.sh | 3 ++-
 6 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/certbot/files/hooks/apache.sh b/certbot/files/hooks/apache.sh
index 86b2c10d..9692c3c5 100644
--- a/certbot/files/hooks/apache.sh
+++ b/certbot/files/hooks/apache.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
@@ -16,8 +17,8 @@ debug() {
 apache2ctl_bin=$(command -v apache2ctl)
 if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
- if grep -r -E "letsencrypt" /etc/apache2/; then
- if ${apache2ctl_bin} configtest > /dev/null; then
+ if grep -q -r -E "letsencrypt" /etc/apache2/; then
+ if ${apache2ctl_bin} configtest > /dev/null 2>&1; then
 debug "Apache detected... reloading"
 systemctl reload apache2
 else
diff --git a/certbot/files/hooks/commit-etc.sh b/certbot/files/hooks/commit-etc.sh
index a37ec85d..970fa81b 100644
--- a/certbot/files/hooks/commit-etc.sh
+++ b/certbot/files/hooks/commit-etc.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
diff --git a/certbot/files/hooks/dovecot.sh b/certbot/files/hooks/dovecot.sh
index d09e668c..49ec9bb5 100644
--- a/certbot/files/hooks/dovecot.sh
+++ b/certbot/files/hooks/dovecot.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
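Review bot: The `2>&1` added to the `configtest` line in the second apache hunk discards the only diagnostic that says why the reload was skipped, and the same redirection is added in the dovecot, haproxy, nginx and postfix hunks. Capturing the output instead keeps the check silent on success while letting the failure path report the real cause, e.g. `if configtest_out=$(${apache2ctl_bin} configtest 2>&1); then` and, in the else branch (which lies outside the hunk and presumably calls `error` as the haproxy hook does), `error "Apache configtest failed: ${configtest_out}"`. The enclosing if block continues past the end of the hunk.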
@@ -17,7 +18,7 @@ doveconf_bin=$(command -v doveconf)
 if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
 if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
- if ${doveconf_bin} > /dev/null; then
+ if ${doveconf_bin} > /dev/null 2>&1; then
 debug "Dovecot detected... reloading"
 systemctl reload dovecot
 else
diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh
index 0ddc32e8..1e99cc88 100644
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
@@ -18,12 +19,17 @@ if [ -z "${RENEWED_LINEAGE}" ]; then
 fi
 haproxy_bin=$(command -v haproxy)
+haproxy_cert_dir="/etc/ssl/haproxy/"
 if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
 if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
- haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
+ haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
 failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+ # shellcheck disable=SC2174
+ mkdir --mode=700 --parents "${haproxy_cert_dir}"
+ chown root: "${haproxy_cert_dir}"
+
 debug "Concatenating certificate files to ${haproxy_cert_file}"
 cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
 chmod 600 "${haproxy_cert_file}"
@@ -37,7 +43,7 @@ if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
 error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
 fi
- if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
+ if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1; then
 debug "HAProxy detected... reloading"
 systemctl reload apache2
 else
diff --git a/certbot/files/hooks/nginx.sh b/certbot/files/hooks/nginx.sh
index 4c212634..aafbedd3 100644
--- a/certbot/files/hooks/nginx.sh
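Review bot: The detection on the `grep -E "^ssl_cert[^_]"` context line only recognises a lineage configured through `ssl_cert`; a server that also (or only) references the letsencrypt files via `ssl_alt_cert` never reaches the reload and keeps serving the old certificate. Matching both names, e.g. `grep -E "^ssl_(alt_)?cert[^_]"`, keeps the rest of the check unchanged. The enclosing if block continues past the end of the hunk.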
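Review bot: `mkdir --mode=700 --parents` only applies the mode when it creates the directory, so when /etc/ssl/haproxy already exists with wider permissions the key bundle is written into a traversable directory; the `chown root:` on the next line runs unconditionally, and a `chmod 700 "${haproxy_cert_dir}"` beside it would close that gap. The bundle itself is produced by `cat ... > "${haproxy_cert_file}"` under the caller's umask and only tightened by the later `chmod 600`, so the private key is briefly readable to whatever the umask allows; a `umask 077` before the concatenation (or writing to a `mktemp` file inside that directory and `mv`-ing it into place, which also makes the swap atomic for the running haproxy) removes the window. Also, `haproxy_cert_dir` keeps a trailing slash and `haproxy_cert_file` adds another, yielding `/etc/ssl/haproxy//<name>.pem`; drop it in the assignment: `haproxy_cert_dir="/etc/ssl/haproxy"`.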
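Review bot: The reload under the `HAProxy detected... reloading` message is `systemctl reload apache2`, so after a passing `haproxy -c` the hook reloads the wrong service and HAProxy keeps serving the certificate it loaded at start-up (on a host without apache2 the reload simply fails). The line is untouched context in the last haproxy hunk and should read `systemctl reload haproxy`. The enclosing if block continues past the end of the hunk.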
+++ b/certbot/files/hooks/nginx.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
@@ -16,8 +17,8 @@ debug() {
 nginx_bin=$(command -v nginx)
 if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
- if grep --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
- if ${nginx_bin} -t > /dev/null; then
+ if grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
+ if ${nginx_bin} -t > /dev/null 2>&1; then
 debug "Nginx detected... reloading"
 systemctl reload nginx
 else
diff --git a/certbot/files/hooks/postfix.sh b/certbot/files/hooks/postfix.sh
index f08a0334..3a9b3b3d 100644
--- a/certbot/files/hooks/postfix.sh
+++ b/certbot/files/hooks/postfix.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+readonly PROGNAME=$(basename "$0")
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
@@ -17,7 +18,7 @@ postconf_bin=$(command -v postconf)
 if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
 if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
- if ${postconf_bin} > /dev/null; then
+ if ${postconf_bin} > /dev/null 2>&1; then
 debug "Postfix detected... reloading"
 systemctl reload postfix
 else
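Review bot: The `grep -q --dereference-recursive` line on the new side only inspects /etc/nginx/sites-enabled, whereas the apache hook in this same commit scans all of /etc/apache2/; a letsencrypt certificate referenced from /etc/nginx/nginx.conf or /etc/nginx/conf.d (a default server or a stream block, say) leaves this hook silently skipping the reload. Scanning `/etc/nginx/` with the same flags mirrors the apache hook; the only downside is a possible extra reload after a passing `nginx -t`, which is harmless. The enclosing if block continues past the end of the hunk.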
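Review bot: The detection line `grep -E "^smtpd_tls_cert_file"` only catches a certificate configured via `smtpd_tls_cert_file`; a setup that points at the letsencrypt lineage through `smtpd_tls_eccert_file` or `smtpd_tls_chain_files` never triggers the reload and keeps serving the old certificate. Widening the pattern, e.g. `grep -E "^smtpd_tls_(cert_file|eccert_file|chain_files)"`, covers those parameters without changing the rest of the check. The enclosing if block continues past the end of the hunk.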