#!/bin/bash
#
# author: Koshuba V.O.
# license: GPL 2.0
# create 2022
#
version="0.2.4";
sname="autocertbot";
# необходимы для работы: nginx,certbot
# create new cert
path_ssl="/etc/ssl";
path_cert="/etc/letsencrypt/live";
source "/etc/scripts/certbot4nginx/auto4certbot.conf";
## - nginx
nginx_enable="/etc/nginx/sites-enabled";
nginx_available="/etc/nginx/sites-available";
##
www_root="/tmp/letsencrypt";
##
path_tmp="/tmp/certbot";
##
log="/var/log/syslog";
#
cmd=$1;
#-list enable sites
scan_list=();
#
function createCert() {
#
for ((dmn=0; dmn != ${#domains[@]}; dmn++))
do
eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
if [ "$cmd" == "--create" ];
then
certbot -m "${dreg[1]}";
else
certbot --update-registration -m "${dreg[1]}";
fi
##
## example manual: certbot certonly --webroot --webroot-path /tmp/letsencrypt -d mydomen.ru
certbot certonly --webroot --webroot-path $www_root -d ${dreg[0]}
done
}
function renew() {
certbot renew;
valtrue=0;
rdate=$(date +%Y-%m-%d);
rtime=$(date +%H:%M);
for ((dmn=0; dmn != ${#domains[@]}; dmn++))
do
eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
keydate=$(ls -l --time-style=long-iso $path_cert/${dreg[0]}/cert.pem |awk {'print$6'});
keytime=$(ls -l --time-style=long-iso $path_cert/${dreg[0]}/cert.pem |awk {'print$7'});
if [ "$keydate" = "$rdate" ] && [ "$keytime" = "$rtime" ];
then
((valtrue++));
cat $path_cert/${dreg[0]}/cert.pem > $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/chain.pem >> $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/private/${dreg[0]}.pem;
#
cp -f $path_ssl/private/${dreg[0]}.pem $path_ssl/certs/${dreg[0]}.pem
cd $path_ssl/certs
chmod 600 ${dreg[0]}.pem
ln -sf ${dreg[0]}.pem `openssl x509 -noout -hash < ${dreg[0]}.pem`.0
cd $path_ssl
echo "$(date) - auto4certbot.sh: update cert for ${domains[$dmn]}">> $log;
fi
done
if [ $valtrue != 0 ];
then
:>/etc/ssl/crt-list.txt
for ((icrt=0; icrt != ${#domains[@]}; icrt++))
do
echo "$path_ssl/${domains[$icrt]}.pem">>/etc/ssl/crt-list.txt
done
fi
}
function toSSL() {
if [ -d $path_cert ];
then
for ((dmn=0; dmn != ${#domains[@]}; dmn++))
do
eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
((valtrue++));
cat $path_cert/${dreg[0]}/cert.pem > $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/chain.pem >> $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/private/${dreg[0]}.pem;
cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/private/${dreg[0]}.pem;
#
cp -f $path_ssl/private/${dreg[0]}.pem $path_ssl/certs/${dreg[0]}.pem
cd $path_ssl/certs
chmod 600 ${dreg[0]}.pem
ln -sf ${dreg[0]}.pem `openssl x509 -noout -hash < ${dreg[0]}.pem`.0
cd $path_ssl
echo "$(date) - auto4certbot.sh: update certlist for ${domains[$dmn]}">> $log;
done
if [ $valtrue != 0 ];
then
echo >/etc/ssl/crt-list.txt
for ((icrt=0; icrt != ${#domains[@]}; icrt++))
do
eval local dcrt="(" $(echo -e ${domains[$icrt]}) ")";
echo "$path_ssl/private/${dcrt[0]}.pem">>/etc/ssl/crt-list.txt
done
fi
else
echo "Ошибка - отсутствует $path_cert!"
fi
}
function downSite(){
sudo systemctl stop nginx.service;
eval list_www="(" $(find $nginx_enable/* -maxdepth 0 -type l -printf '%f\n') ")";
for ((dwx=0; dwx != ${#list_www[@]}; dwx++))
do
rm $nginx_enable/${list_www[dwx]};
done
for ((dnm=0; dnm != ${#domains[@]}; dnm++))
do
eval local dcert="(" $(echo -e ${domains[$dnm]}) ")";
sitename="${dcert[0]}";
siteport="${dcert[2]}";
createConf;
done
sudo systemctl start nginx.service;
}
function upSite(){
sudo systemctl stop nginx.service;
eval cert_bot="(" $(find $nginx_enable/* -maxdepth 0 -type l -printf '%f\n') ")";
for ((cr=0; cr != ${#cert_bot[@]}; cr++))
do
rm $nginx_enable/${cert_bot[cr]};
done
for ((dwx=0; dwx != ${#list_www[@]}; dwx++))
do
ln -s $nginx_available/${list_www[dwx]} $nginx_enable/${list_www[dwx]};
done
sudo systemctl start nginx.service;
}
function createConf(){
if [ ! -d $path_tmp ];
then
mkdir -p $path_tmp;
fi
if [ ! -d $www_root ];
then
mkdir -p $www_root/.well-known/acme-challenge;
chown -R www-data:www-data $www_root;
fi
echo >$path_tmp/$sitename.conf;
echo -e 'server { listen 0.0.0.0:'"$siteport"';' >>$path_tmp/$sitename.conf;
echo -e '\n' >>$path_tmp/$sitename.conf;
echo -e 'server_name '"$sitename"';' >>$path_tmp/$sitename.conf;
echo -e '\n' >>$path_tmp/$sitename.conf;
#echo -e 'if ($http_host != $server_name){' >> $path_tmp/$sitename.conf;
#echo -e ' rewrite ^(.*)$ http://$server_name$1 redirect;'>>$path_tmp/$sitename.conf;
#echo -e '}' >>$path_tmp/$sitename.conf;
#echo -e '\n' >>$path_tmp/$sitename.conf;
echo -e 'location /.well-known/acme-challenge {' >>$path_tmp/$sitename.conf;
echo -e ' allow all;' >>$path_tmp/$sitename.conf;
echo -e ' autoindex off;' >>$path_tmp/$sitename.conf;
echo -e ' default_type "text/plain";' >>$path_tmp/$sitename.conf;
echo -e ' root '"$www_root"';' >>$path_tmp/$sitename.conf;
echo -e '}' >>$path_tmp/$sitename.conf;
echo -e '\n' >>$path_tmp/$sitename.conf;
echo -e 'location = /.well-known {' >>$path_tmp/$sitename.conf;
echo -e ' return 404;' >>$path_tmp/$sitename.conf;
echo -e '}' >>$path_tmp/$sitename.conf;
echo -e '\n' >>$path_tmp/$sitename.conf;
echo -e 'error_page 404 /404.html;' >>$path_tmp/$sitename.conf;
echo -e 'error_page 500 502 503 504 /50x.html;' >>$path_tmp/$sitename.conf;
echo -e '\n' >>$path_tmp/$sitename.conf;
echo -e 'error_log /var/log/nginx/err-certbot.log;' >>$path_tmp/$sitename.conf;
echo -e 'access_log /var/log/nginx/access-certbot.log;' >>$path_tmp/$sitename.conf;
echo -e '}' >>$path_tmp/$sitename.conf;
ln -s $path_tmp/$sitename.conf $nginx_enable/$sitename.conf
}
case "$cmd" in
## create cert
"--create" | "--create" )
downSite;
createCert;
upSite;
toSSL;
;;
## update cert
"--update" | "--update" )
downSite;
renew;
upSite;
toSSL;
;;
## update cert force
"--flist" | "--flist" )
toSSL;
;;
## start defaults
* )
echo "please input pameters: auto4certbot.sh --create | --update | --flist";
echo "auto4certbot.sh --create; create new certificate"
echo "auto4certbot.sh --update; update certificates;"
echo "auto4certbot.sh --flist; update certificates from ssl;"
;;
esac
exit