Create create_ssl_certs.sh
This commit is contained in:
parent
aae90bf5ae
commit
cf03a835c1
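--- /dev/null
+++ b/create_ssl_certs.sh
@@ -0,0 +1,151 @@
+# This is a anonymized version of the script I use to renew all my SSL certs
+# across my servers. This will not work out of the box for anyone as your network will be
+# different. But may be useful starting place for others.
+#
+# I use a cronjob that runs this every week. It only replaces certificates when a certificate has been renewed.
+
+# Renews/creates cert from letsencrypt & places it where it needs to be.
+# Currently, that is:
+# * DSM/Synology
+# * Unifi Protect
+# * Home Assistant
+
+DOMAIN=example.com # Change to your domain
+CERT_DIRECTORY="/etc/letsencrypt/live/$DOMAIN"
+ME=$(basename "$0")
+ONLY=
+FORCE=false
+CREATE_NEW_CERT=false
+SERVERS=(synology homeassistant protect) # Whatever your server names are
+ssl_user=ssl_updater # User for remote servers that can update certs
+
+# Get args
+# ================================
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+case $1 in
+-o|--only)
+if [[ ! " ${SERVERS[*]} " =~ " ${2} " ]]; then
+echo "[$ME] Unknown servername: $2. Use one of the known servers: $SERVERS"
+exit 1
+fi
+ONLY="$2"
+shift # past argument
+shift # past value
+;;
+--force)
+FORCE=true
+shift # past argument
+;;
+--create)
+CREATE_NEW_CERT=true
+shift # past argument
+;;
+-*|--*)
+echo "[$ME] Unknown option $1"
+exit 1
+;;
+*)
+POSITIONAL_ARGS+=("$1") # save positional arg
+shift # past argument
+;;
+esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+# ================================
+
+# Use certbot to renew certificate
+# ================================
+echo "Running certbot..."
+if [ "$CREATE_NEW_CERT" == "true" ]; then
+echo "[$ME] Creating a new certificate from scratch"
+cert_flags="--insert-your-flags --creds etc *.$DOMAIN" # Modify this line for the parameters you use to create your cert
+{ CERTBOT_ERROR=$(sudo certbot certonly $cert_flags 2>&1 >&3 3>&-); } 3>&1
+errcode=$?
+else
+echo "[$ME] Renewing certificate"
+{ CERTBOT_ERROR=$(sudo certbot renew 2>&1 >&3 3>&-); } 3>&1
+errcode=$?
+fi
+if [ "$errcode" != "0" ]; then
+echo "$CERTBOT_ERROR"
+echo "[$ME] Error encountered with certbot. Halting."
+echo "[$ME] Error code: $errcode"
+exit
+fi
+# ================================
+
+# Exit or continue if certificate not renewed, depending on flags
+# ================================
+if echo "$CERTBOT_ERROR" | grep 'Cert not yet due for renewal'; then
+if [ "$FORCE" != "true" ]; then
+echo "[$ME] Certbot not due for renewal--halting."
+echo "[$ME] To continue anyway (to sync the existing cert), use flag --force"
+exit 0
+else
+echo "[$ME] --force specified--continuing to sync certs"
+fi
+fi
+
+if [ "$ONLY" != "" ]; then
+echo "--only specified. Will only sync certs to: $ONLY"
+fi
+# ================================
+
+# Synology (NAS)
+# This script used here is referenced in this companion gist:
+# https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "synology" ]]; then
+server=synology.$DOMAIN
+echo ""
+echo "[$ME] Copying certificates to synology"
+sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/tmp/
+if [ "$?" = "0" ]; then
+echo "[$ME] > Replacing certs on $server...."
+ssh $ssl_user@$server 'sudo ./replace_certs.sh'
+if [ "$?" != "0" ]; then
+echo "[$ME] > ERROR replacing certs to $server"
+fi
+else
+echo "[$ME] > Error occurred copying files to $server"
+fi
+fi
+# ================================
+
+# Home Assistant
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "homeassistant" ]]; then
+server=homeassistant.$DOMAIN
+echo ""
+echo "[$ME] Copying certificates to home assistant"
+sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/usr/share/hassio/ssl/
+if [ "$?" = "0" ]; then
+echo "[$ME] > Restarting NGINX SSL Proxy...."
+ssh $ssl_user@$server 'sudo ha addons restart core_nginx_proxy'
+else
+echo "[$ME] > Error occurred copying files to $server"
+fi
+fi
+# ================================
+
+# Unifi Protect
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "protect" ]]; then
+server="protect.$DOMAIN"
+echo ""
+echo "[$ME] Copying certificates to $server"
+sudo scp ${CERT_DIRECTORY}/{privkey,fullchain}.pem $ssl_user@$server:/tmp/
+if [ "$?" = "0" ]; then
+echo "[$ME] > Restarting services on Unifi Protect...."
+ssh $ssl_user@$server 'sudo /root/replace_certs_protect.sh'
+if [ "$?" != "0" ]; then
+echo "[$ME] > ERROR restarting services on Unifi protect"
+fi
+else
+echo "[$ME] > Error occurred copying files to Unifi Protect"
+fi
+fi
+# ================================
+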
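Review bot: The certbot failure path ends with a bare `exit`, which returns the status of the preceding `echo` (0), so the weekly cron job reports success even when certbot failed; it should be `exit "$errcode"`. On the synology and protect branches the private key is staged in the remote `/tmp/` via `scp .../{privkey,fullchain,cert}.pem $ssl_user@$server:/tmp/`, a directory shared with every account on that host, and the file's mode there depends on scp and the remote umask rather than on anything this script sets; staging under the `ssl_user` home directory (or a directory the remote `replace_certs.sh` creates with restrictive permissions) and removing the copies once installed keeps the key out of a world-readable location between the copy and the replace step. In the unknown-server message, `$SERVERS` expands only to the first array element, so the hint lists just `synology`; `${SERVERS[*]}` prints the whole list. `$cert_flags` is expanded unquoted and contains `*.$DOMAIN`, which the shell will glob against the working directory if a matching filename exists; declaring it as an array, `cert_flags=(--insert-your-flags --creds etc "*.$DOMAIN")`, and passing `"${cert_flags[@]}"` avoids both pathname expansion and word-splitting surprises.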