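#!/bin/sh
#
# tls-setup.sh - obtain, renew and install Let's Encrypt certificates for a
# NearlyFreeSpeech.NET site with dehydrated and the nfsn command-line tool.
#
# Usage:
#   tls-setup.sh [-q|--quiet] [-r|--reinstall] [-v|--verbose]
#   tls-setup.sh -h|--help
#
# Reads BASEDIR and WELLKNOWN from /usr/local/etc/dehydrated/config.
# Exit codes: 0 ok, 10 no aliases, 20 bad argument, 30 Subscriber Agreement
# declined, 40 an acme-challenge path is in the way. Any other failing
# command aborts the script through `set -e` with that command's status.
#
# The script is run directly (the cron entry it installs invokes it by path,
# and the last line already uses `exit`), so every early termination uses
# `exit` rather than `return`: `return` at top level is not portable
# (bash prints an error and keeps going, which would let a declined
# agreement fall through to `--register --accept-terms`).
Help=no
Reinstall=no
Verbose=no
Quiet=no
set -e

# --- option parsing ---------------------------------------------------------
while [ $# -gt 0 ]
do
  Arg=$1
  shift
  case "${Arg}" in
    -h|--help)
      Help=yes
      ;;
    -q|--quiet)
      Quiet=yes
      ;;
    -r|--reinstall)
      Reinstall=yes
      ;;
    -v|--verbose)
      Verbose=yes
      ;;
    *)
      echo "Bad argument: ${Arg}" >&2
      exit 20
      ;;
  esac
done

if [ "${Help}" = "yes" ]
then
  echo
  echo "YourPrompt> ${0} [-q|--quiet] [-r|--reinstall] [-v|--verbose]"
  echo "YourPrompt> ${0} <-h|--help>"
  echo
  echo "Options:"
  echo " -h, --help = Display this output."
  echo " -q, --quiet = Suppress renewal messages. (No news is good news.)"
  echo " -r, --reinstall = Reinstall existing certificates."
  echo " -v, --verbose = Don't suppress boring output."
  echo
  exit 0
fi

# --- configuration ----------------------------------------------------------
. /usr/local/etc/dehydrated/config
# Both paths are expected to come from the config above; fail with a clear
# message instead of letting mkdir/ln run against an empty string.
: "${BASEDIR:?BASEDIR is not set by /usr/local/etc/dehydrated/config}"
: "${WELLKNOWN:?WELLKNOWN is not set by /usr/local/etc/dehydrated/config}"

if [ ! -d "${BASEDIR}" ]
then
  echo "Creating base directory for Dehydrated."
  mkdir "${BASEDIR}"
fi

# --- account registration (first run only) ----------------------------------
# The accounts directory is what dehydrated creates on --register, so its
# absence is used as "not registered yet".
if [ ! -d "${BASEDIR}/accounts" ]
then
  echo
  echo "To use Let's Encrypt you must agree to their Subscriber Agreement,"
  echo "which is linked from:"
  echo
  echo " https://letsencrypt.org/repository/"
  echo
  printf '%s' "Do you accept the Let's Encrypt Subscriber Agreement (y/n)? "
  # Under cron there is no terminal: read hits EOF, returns non-zero and
  # `set -e` aborts here, so the first run has to be interactive.
  read -r yes
  case "${yes}" in
    y|Y|yes|YES|Yes|yup)
      # Accepted: fall through to registration. (The original used
      # `break 2` here, which is meaningless outside a loop.)
      ;;
    *)
      echo "OK, tls-setup.sh will be aborted."
      exit 30
      ;;
  esac
  /usr/local/bin/dehydrated --register --accept-terms
fi

if [ ! -d "${WELLKNOWN}" ]
then
  echo "Creating well-known directory for Let's Encrypt challenges."
  mkdir -p "${WELLKNOWN}"
fi

# --- domain list ------------------------------------------------------------
# domains.txt is regenerated from the site's aliases on every run unless the
# marker file .domains-txt-is-precious exists, which protects hand edits.
if [ ! -f "${BASEDIR}/domains.txt" ] || [ ! -f "${BASEDIR}/.domains-txt-is-precious" ]
then
  /usr/local/bin/nfsn list-aliases >"${BASEDIR}/domains.txt"
fi

if [ ! -s "${BASEDIR}/domains.txt" ]
then
  echo "There are no aliases for this site."
  exit 10
fi

# --- per-alias challenge paths (and optional reinstall) ---------------------
# Word-splitting of the file contents is intentional: a dehydrated
# domains.txt line may carry several names and each needs a challenge path.
# Globbing is switched off meanwhile so a stray '*' cannot expand to files.
set -f
for Alias in $(cat "${BASEDIR}/domains.txt")
do
  if [ -d "/home/public/${Alias}" ]
  then
    AliasWellKnown="/home/public/${Alias}/.well-known"
    # Older versions linked the whole .well-known directory; replace that
    # with a real directory holding only an acme-challenge link.
    if [ -h "${AliasWellKnown}" ]
    then
      echo "Upgrading ${AliasWellKnown}"
      rm "${AliasWellKnown}"
    fi
    if [ ! -d "${AliasWellKnown}" ]
    then
      echo "Creating .well-known directory for ${Alias}."
      mkdir "${AliasWellKnown}"
    fi
    ACMEChallenge="${AliasWellKnown}/acme-challenge"
    if [ ! -h "${ACMEChallenge}" ]
    then
      # A real file or directory here is left for the owner to deal with.
      if [ -e "${ACMEChallenge}" ]
      then
        echo "Please remove existing ${ACMEChallenge} to use this script." >&2
        exit 40
      fi
      echo "Linking acme-challenge for ${Alias}."
      # Relative target resolves to /home/public/.well-known/acme-challenge,
      # presumably the same place WELLKNOWN points at - verify in the config.
      ln -s ../../.well-known/acme-challenge "${ACMEChallenge}"
    fi
  fi

  if [ "${Reinstall}" = "yes" ]
  then
    CertDir="${BASEDIR}/certs/${Alias}"
    # In a pipeline only nfsn's status is seen, so a missing file would not
    # stop the script and nfsn would receive an incomplete bundle. Check the
    # three parts first and skip aliases that have no certificate yet.
    if [ ! -f "${CertDir}/cert.pem" ] || [ ! -f "${CertDir}/chain.pem" ] || [ ! -f "${CertDir}/privkey.pem" ]
    then
      echo "No complete certificate for ${Alias} in ${CertDir}; skipping reinstall." >&2
      continue
    fi
    # The private key goes over stdin, never on the command line.
    cat \
      "${CertDir}/cert.pem" \
      "${CertDir}/chain.pem" \
      "${CertDir}/privkey.pem" \
      | /usr/local/bin/nfsn -i set-tls
  fi
done
set +f

if [ "${Reinstall}" = "yes" ]
then
  exit 0
fi

# --- renewal ----------------------------------------------------------------
Out="${BASEDIR}/dehydrated.out"
Check="${BASEDIR}/dehydrated.check"
Scratch="${BASEDIR}/dehydrated.checkin"

# Capture dehydrated's output. If it fails, show what it said before leaving
# (previously `set -e` ended the script with the log still unseen).
Status=0
/usr/local/bin/dehydrated --cron >"${Out}" || Status=$?
if [ "${Status}" -ne 0 ]
then
  cat "${Out}" >&2
  exit "${Status}"
fi

# Build dehydrated.check: the log with routine lines removed. A non-empty
# result means something noteworthy happened and the full log is printed.
cp "${Out}" "${Check}"
if [ "${Verbose}" = "no" ]
then
  # grep exits 1 when nothing is left, which is the normal quiet case and
  # must not trip `set -e`; hence the trailing `|| true`.
  mv "${Check}" "${Scratch}"
  grep -F -v \
    -e 'INFO:' \
    -e 'unchanged' \
    -e 'Skipping renew' \
    -e 'Reusing account from' \
    -e 'Certificate will not expire' \
    -e 'Creating chain cache directory' \
    -e 'Checking expire date' \
    -e 'Running automatic cleanup' \
    -e 'Fetching account URL' \
    "${Scratch}" \
    | grep -E -v -e '^Processing' >"${Check}" || true

  if [ "${Quiet}" = "yes" ]
  then
    # Also drop the messages of a successful renewal.
    mv "${Check}" "${Scratch}"
    grep -F -v \
      -e 'Moving unused file to archive directory' \
      -e 'Certificate will expire (Less than 30 days). Renewing!' \
      -e 'Challenge is valid!' \
      -e 'pending challenge(s)' \
      -e 'Done!' \
      -e 'OK: Setup was fully confirmed.' \
      "${Scratch}" \
      | grep -E -v \
          -e '^ \+ (Signing|Generating|Requesting|Received|Handling|Deploying|Checking|Cleaning|Responding|Creating|Installing) ' \
          -e '^e[0-9]+: OK \(' >"${Check}" || true
  fi
fi
rm -f "${Scratch}"

if [ -n "$(cat "${Check}")" ] || [ "${Verbose}" = "yes" ]
then
  cat "${Out}"
fi

# --- scheduled renewal ------------------------------------------------------
if ! /usr/local/bin/nfsn test-cron tlssetup | grep -F -q 'exists=true'
then
  echo "Adding scheduled task to renew certificates."
  # The job re-runs this script with the verbosity it was set up with;
  # -v takes precedence over -q, as before.
  CronCmd=/usr/local/bin/tls-setup.sh
  if [ "${Verbose}" = "yes" ]
  then
    CronCmd="${CronCmd} -v"
  elif [ "${Quiet}" = "yes" ]
  then
    CronCmd="${CronCmd} -q"
  fi
  /usr/local/bin/nfsn add-cron tlssetup "${CronCmd}" me ssh '?' '*' '*'
fi
exit 0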