|
@@ -1,241 +0,0 @@
|
1
|
|
-#!/bin/bash
|
2
|
|
-#
|
3
|
|
-# author: Koshuba V.O.
|
4
|
|
-# license: GPL 2.0
|
5
|
|
-# create 2022
|
6
|
|
-#
|
7
|
|
-version="0.2.9";
|
8
|
|
-sname="certbot4mail";
|
9
|
|
-# необходимы для работы: nginx,certbot
|
10
|
|
-# create new cert
|
11
|
|
-path_ssl="/etc/ssl";
|
12
|
|
-path_cert="/etc/letsencrypt/live";
|
13
|
|
-source "/etc/scripts/certbot4mail/certbot4mail.conf";
|
14
|
|
-## - nginx
|
15
|
|
-nginx_enable="/etc/nginx/sites-enabled";
|
16
|
|
-nginx_available="/etc/nginx/sites-available";
|
17
|
|
-##
|
18
|
|
-www_root="/tmp/letsencrypt";
|
19
|
|
-##
|
20
|
|
-path_tmp="/tmp/certbot";
|
21
|
|
-##
|
22
|
|
-log="/var/log/syslog";
|
23
|
|
-#
|
24
|
|
-cmd=$1;
|
25
|
|
-#-list enable sites
|
26
|
|
-scan_list=();
|
27
|
|
-#
|
28
|
|
-
|
29
|
|
-function createCert() {
|
30
|
|
-#
|
31
|
|
-for ((dmn=0; dmn != ${#domains[@]}; dmn++))
|
32
|
|
- do
|
33
|
|
-eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
|
34
|
|
- if [ "$cmd" == "--create" ];
|
35
|
|
- then
|
36
|
|
- certbot -m "${dreg[1]}";
|
37
|
|
- else
|
38
|
|
- certbot --update-registration -m "${dreg[1]}" -d "${dreg[0]}" ;
|
39
|
|
- fi
|
40
|
|
-##
|
41
|
|
-## example manual: certbot certonly --webroot --webroot-path /tmp/letsencrypt/ -d mydomen.ru
|
42
|
|
-certbot certonly --webroot --webroot-path $www_root/ -d ${dreg[0]}
|
43
|
|
-done
|
44
|
|
-}
|
45
|
|
-
|
46
|
|
-function renew() {
|
47
|
|
-certbot renew;
|
48
|
|
-valtrue=0;
|
49
|
|
-rdate=$(date +%Y-%m-%d);
|
50
|
|
-rtime=$(date +%H:%M);
|
51
|
|
-for ((dmn=0; dmn != ${#domains[@]}; dmn++))
|
52
|
|
- do
|
53
|
|
- eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
|
54
|
|
- keydate=$(ls -l --time-style=long-iso $path_cert/${dreg[0]}/cert.pem |awk {'print$6'});
|
55
|
|
- keytime=$(ls -l --time-style=long-iso $path_cert/${dreg[0]}/cert.pem |awk {'print$7'});
|
56
|
|
- if [ "$keydate" = "$rdate" ] && [ "$keytime" = "$rtime" ];
|
57
|
|
- then
|
58
|
|
- ((valtrue++));
|
59
|
|
- cat $path_cert/${dreg[0]}/cert.pem > $path_ssl/private/${dreg[0]}.pem;
|
60
|
|
- cat $path_cert/${dreg[0]}/chain.pem >> $path_ssl/private/${dreg[0]}.pem;
|
61
|
|
- cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/private/${dreg[0]}.pem;
|
62
|
|
- cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/private/${dreg[0]}.pem;
|
63
|
|
-#
|
64
|
|
-# to postfix
|
65
|
|
- if [ ! -d $path_ssl/manual ]; then
|
66
|
|
- mkdir -p $path_ssl/manual;
|
67
|
|
- fi
|
68
|
|
- cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/manual/fullchain.pem;
|
69
|
|
- cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/manual/privkey.pem;
|
70
|
|
-#
|
71
|
|
-
|
72
|
|
- cp -f $path_ssl/private/${dreg[0]}.pem $path_ssl/certs/${dreg[0]}.pem
|
73
|
|
- cd $path_ssl/certs
|
74
|
|
- chmod 600 ${dreg[0]}.pem
|
75
|
|
- ln -sf ${dreg[0]}.pem `openssl x509 -noout -hash < ${dreg[0]}.pem`.0
|
76
|
|
- cd $path_ssl
|
77
|
|
- echo "$(date) - certbot4mail.sh: update cert for ${domains[$dmn]}">> $log;
|
78
|
|
- fi
|
79
|
|
-done
|
80
|
|
-if [ $valtrue != 0 ];
|
81
|
|
- then
|
82
|
|
- :>/etc/ssl/crt-list.txt
|
83
|
|
- for ((icrt=0; icrt != ${#domains[@]}; icrt++))
|
84
|
|
- do
|
85
|
|
- echo "$path_ssl/${domains[$icrt]}.pem">>/etc/ssl/crt-list.txt
|
86
|
|
- done
|
87
|
|
-fi
|
88
|
|
-}
|
89
|
|
-
|
90
|
|
-
|
91
|
|
-function toSSL() {
|
92
|
|
-if [ -d $path_cert ];
|
93
|
|
- then
|
94
|
|
- for ((dmn=0; dmn != ${#domains[@]}; dmn++))
|
95
|
|
- do
|
96
|
|
- eval local dreg="(" $(echo -e ${domains[$dmn]}) ")";
|
97
|
|
- ((valtrue++));
|
98
|
|
- cat $path_cert/${dreg[0]}/cert.pem > $path_ssl/private/${dreg[0]}.pem;
|
99
|
|
- cat $path_cert/${dreg[0]}/chain.pem >> $path_ssl/private/${dreg[0]}.pem;
|
100
|
|
- cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/private/${dreg[0]}.pem;
|
101
|
|
- cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/private/${dreg[0]}.pem;
|
102
|
|
-# to postfix
|
103
|
|
- if [ ! -d $path_ssl/manual ]; then
|
104
|
|
- mkdir -p $path_ssl/manual;
|
105
|
|
- fi
|
106
|
|
- cat $path_cert/${dreg[0]}/fullchain.pem >> $path_ssl/manual/fullchain.pem;
|
107
|
|
- cat $path_cert/${dreg[0]}/privkey.pem >> $path_ssl/manual/privkey.pem;
|
108
|
|
-#
|
109
|
|
- cp -f $path_ssl/private/${dreg[0]}.pem $path_ssl/certs/${dreg[0]}.pem
|
110
|
|
- cd $path_ssl/certs
|
111
|
|
- chmod 600 ${dreg[0]}.pem
|
112
|
|
- ln -sf ${dreg[0]}.pem `openssl x509 -noout -hash < ${dreg[0]}.pem`.0
|
113
|
|
- cd $path_ssl
|
114
|
|
- echo "$(date) - certbot4mail.sh: update certlist for ${domains[$dmn]}">> $log;
|
115
|
|
- done
|
116
|
|
- if [ $valtrue != 0 ];
|
117
|
|
- then
|
118
|
|
- echo >/etc/ssl/crt-list.txt
|
119
|
|
- for ((icrt=0; icrt != ${#domains[@]}; icrt++))
|
120
|
|
- do
|
121
|
|
- eval local dcrt="(" $(echo -e ${domains[$icrt]}) ")";
|
122
|
|
- echo "$path_ssl/private/${dcrt[0]}.pem">>/etc/ssl/crt-list.txt
|
123
|
|
- done
|
124
|
|
- fi
|
125
|
|
- else
|
126
|
|
- echo "Ошибка - отсутствует $path_cert!"
|
127
|
|
-fi
|
128
|
|
-}
|
129
|
|
-
|
130
|
|
-function downSite(){
|
131
|
|
-sudo systemctl stop nginx.service;
|
132
|
|
-
|
133
|
|
-eval list_www="(" $(find $nginx_enable/* -maxdepth 0 -type l -printf '%f\n') ")";
|
134
|
|
-for ((dwx=0; dwx != ${#list_www[@]}; dwx++))
|
135
|
|
- do
|
136
|
|
- rm $nginx_enable/${list_www[dwx]};
|
137
|
|
-done
|
138
|
|
-}
|
139
|
|
-
|
140
|
|
-function upSite(){
|
141
|
|
-sudo systemctl stop nginx.service;
|
142
|
|
-eval cert_bot="(" $(find $nginx_enable/* -maxdepth 0 -type l -printf '%f\n') ")";
|
143
|
|
-for ((cr=0; cr != ${#cert_bot[@]}; cr++))
|
144
|
|
- do
|
145
|
|
- rm $nginx_enable/${cert_bot[cr]};
|
146
|
|
-done
|
147
|
|
-for ((dnm=0; dnm != ${#domains[@]}; dnm++))
|
148
|
|
- do
|
149
|
|
-eval local dcert="(" $(echo -e ${domains[$dnm]}) ")";
|
150
|
|
- sitename="${dcert[0]}";
|
151
|
|
- siteport="${dcert[2]}";
|
152
|
|
- createConf;
|
153
|
|
-done
|
154
|
|
-sudo systemctl start nginx.service;
|
155
|
|
-}
|
156
|
|
-
|
157
|
|
-
|
158
|
|
-function createConf(){
|
159
|
|
-if [ ! -d $path_tmp ];
|
160
|
|
- then
|
161
|
|
- mkdir -p $path_tmp;
|
162
|
|
-fi
|
163
|
|
-
|
164
|
|
-if [ ! -d $www_root ];
|
165
|
|
- then
|
166
|
|
- mkdir -p $www_root/.well-known/acme-challenge;
|
167
|
|
-chown -R www-data:www-data $www_root;
|
168
|
|
-fi
|
169
|
|
- echo >$path_tmp/$sitename.conf;
|
170
|
|
- echo -e 'server { listen 0.0.0.0:'"$siteport"';' >>$path_tmp/$sitename.conf;
|
171
|
|
- echo -e '\n' >>$path_tmp/$sitename.conf;
|
172
|
|
- echo -e 'server_name '"$sitename"';' >>$path_tmp/$sitename.conf;
|
173
|
|
- echo -e '\n' >>$path_tmp/$sitename.conf;
|
174
|
|
- echo -e 'location /.well-known/acme-challenge {' >>$path_tmp/$sitename.conf;
|
175
|
|
- echo -e ' allow all;' >>$path_tmp/$sitename.conf;
|
176
|
|
- echo -e ' autoindex off;' >>$path_tmp/$sitename.conf;
|
177
|
|
- echo -e ' default_type "text/plain";' >>$path_tmp/$sitename.conf;
|
178
|
|
- echo -e ' root '"$www_root"';' >>$path_tmp/$sitename.conf;
|
179
|
|
- echo -e '}' >>$path_tmp/$sitename.conf;
|
180
|
|
- echo -e '\n' >>$path_tmp/$sitename.conf;
|
181
|
|
- echo -e 'location = /.well-known {' >>$path_tmp/$sitename.conf;
|
182
|
|
- echo -e ' return 404;' >>$path_tmp/$sitename.conf;
|
183
|
|
- echo -e '}' >>$path_tmp/$sitename.conf;
|
184
|
|
- echo -e '\n' >>$path_tmp/$sitename.conf;
|
185
|
|
- echo -e 'error_page 404 /404.html;' >>$path_tmp/$sitename.conf;
|
186
|
|
- echo -e 'error_page 500 502 503 504 /50x.html;' >>$path_tmp/$sitename.conf;
|
187
|
|
- echo -e '\n' >>$path_tmp/$sitename.conf;
|
188
|
|
- echo -e 'error_log /var/log/nginx/err-certbot.log;' >>$path_tmp/$sitename.conf;
|
189
|
|
- echo -e 'access_log /var/log/nginx/access-certbot.log;' >>$path_tmp/$sitename.conf;
|
190
|
|
- echo -e '}' >>$path_tmp/$sitename.conf;
|
191
|
|
-ln -s $path_tmp/$sitename.conf $nginx_enable/$sitename.conf
|
192
|
|
-}
|
193
|
|
-
|
194
|
|
-function restartMail(){
|
195
|
|
-/etc/init.d/dbmail restart;
|
196
|
|
-/etc/init.d/stunnel4 restart;
|
197
|
|
-/etc/init.d/postfix restart;
|
198
|
|
-}
|
199
|
|
-
|
200
|
|
-
|
201
|
|
-case "$cmd" in
|
202
|
|
-
|
203
|
|
-## create cert
|
204
|
|
-"--create" | "--create" )
|
205
|
|
-
|
206
|
|
-downSite;
|
207
|
|
-createCert;
|
208
|
|
-upSite;
|
209
|
|
-toSSL;
|
210
|
|
-downSite;
|
211
|
|
-restartMail;
|
212
|
|
-;;
|
213
|
|
-
|
214
|
|
-## update cert
|
215
|
|
-"--update" | "--update" )
|
216
|
|
-
|
217
|
|
-downSite;
|
218
|
|
-renew;
|
219
|
|
-upSite;
|
220
|
|
-toSSL;
|
221
|
|
-downSite;
|
222
|
|
-restartMail;
|
223
|
|
-;;
|
224
|
|
-
|
225
|
|
-## update cert force
|
226
|
|
-"--flist" | "--flist" )
|
227
|
|
-toSSL;
|
228
|
|
-restartMail;
|
229
|
|
-;;
|
230
|
|
-
|
231
|
|
-## start defaults
|
232
|
|
-
|
233
|
|
-* )
|
234
|
|
-echo "please input pameters: certbot4mail.sh --create | --update | --flist";
|
235
|
|
-echo "certbot4mail.sh --create; create new certificate"
|
236
|
|
-echo "certbot4mail.sh --update; update certificates;"
|
237
|
|
-echo "certbot4mail.sh --flist; update certificates from ssl;"
|
238
|
|
-;;
|
239
|
|
-esac
|
240
|
|
-
|
241
|
|
-exit
|