Create create_ssl_certs.sh

create_ssl_certs.sh

@@ -0,0 +1,151 @@
+# This is a anonymized version of the script I use to renew all my SSL certs
+# across my servers. This will not work out of the box for anyone as your network will be
+# different. But may be useful starting place for others.
+#
+# I use a cronjob that runs this every week. It only replaces certificates when a certificate has been renewed.
+
+# Renews/creates cert from letsencrypt & places it where it needs to be.
+# Currently, that is:
+#    * DSM/Synology 
+#    * Unifi Protect
+#    * Home Assistant
+
+DOMAIN=example.com  # Change to your domain
+CERT_DIRECTORY="/etc/letsencrypt/live/$DOMAIN"
+ME=$(basename "$0")
+ONLY=
+FORCE=false
+CREATE_NEW_CERT=false
+SERVERS=(synology homeassistant protect)  # Whatever your server names are
+ssl_user=ssl_updater  # User for remote servers that can update certs
+
+# Get args
+# ================================
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -o|--only)
+      if [[ ! " ${SERVERS[*]} " =~ " ${2} " ]]; then
+        echo "[$ME] Unknown servername: $2. Use one of the known servers: $SERVERS"
+        exit 1
+      fi
+      ONLY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    --force)
+      FORCE=true
+      shift # past argument
+      ;;
+    --create)
+      CREATE_NEW_CERT=true
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "[$ME] Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+# ================================
+
+# Use certbot to renew certificate
+# ================================
+echo "Running certbot..."
+if [ "$CREATE_NEW_CERT" == "true" ]; then
+    echo "[$ME] Creating a new certificate from scratch"
+    cert_flags="--insert-your-flags --creds etc *.$DOMAIN"  # Modify this line for the parameters you use to create your cert
+    { CERTBOT_ERROR=$(sudo certbot certonly $cert_flags 2>&1 >&3 3>&-); } 3>&1
+     errcode=$?
+else
+    echo "[$ME] Renewing certificate"
+    { CERTBOT_ERROR=$(sudo certbot renew 2>&1 >&3 3>&-); } 3>&1
+    errcode=$?
+fi
+if [ "$errcode" != "0" ]; then
+    echo "$CERTBOT_ERROR"
+    echo "[$ME] Error encountered with certbot. Halting."
+    echo "[$ME] Error code: $errcode"
+    exit
+fi
+# ================================
+
+# Exit or continue if certificate not renewed, depending on flags
+# ================================
+if echo "$CERTBOT_ERROR" | grep 'Cert not yet due for renewal'; then
+    if [ "$FORCE" != "true" ]; then
+        echo "[$ME] Certbot not due for renewal--halting."
+        echo "[$ME] To continue anyway (to sync the existing cert), use flag --force"
+        exit 0
+    else
+        echo "[$ME] --force specified--continuing to sync certs"
+    fi
+fi
+
+if [ "$ONLY" != "" ]; then
+    echo "--only specified. Will only sync certs to: $ONLY"
+fi
+# ================================
+
+# Synology (NAS)
+# This script used here is referenced in this companion gist:
+# https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "synology" ]]; then
+    server=synology.$DOMAIN
+    echo ""
+    echo "[$ME] Copying certificates to synology"
+    sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/tmp/
+    if [ "$?" = "0" ]; then
+        echo "[$ME] > Replacing certs on $server...."
+        ssh $ssl_user@$server 'sudo ./replace_certs.sh'
+        if [ "$?" != "0" ]; then
+            echo "[$ME] > ERROR replacing certs to $server"
+        fi
+    else
+        echo "[$ME] > Error occurred copying files to $server"
+    fi
+fi
+# ================================
+
+# Home Assistant
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "homeassistant" ]]; then
+    server=homeassistant.$DOMAIN
+    echo ""
+    echo "[$ME] Copying certificates to home assistant"
+    sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/usr/share/hassio/ssl/
+    if [ "$?" = "0" ]; then
+        echo "[$ME] > Restarting NGINX SSL Proxy...."
+        ssh $ssl_user@$server 'sudo ha addons restart core_nginx_proxy'
+    else
+        echo "[$ME] > Error occurred copying files to $server"
+    fi
+fi
+# ================================
+
+# Unifi Protect
+# ================================
+if [[ -z "$ONLY" || "$ONLY" == "protect" ]]; then
+    server="protect.$DOMAIN"
+    echo ""
+    echo "[$ME] Copying certificates to $server"
+    sudo scp ${CERT_DIRECTORY}/{privkey,fullchain}.pem $ssl_user@$server:/tmp/
+    if [ "$?" = "0" ]; then
+        echo "[$ME] > Restarting services on Unifi Protect...."
+        ssh $ssl_user@$server 'sudo /root/replace_certs_protect.sh'
+        if [ "$?" != "0" ]; then
+            echo "[$ME] > ERROR restarting services on Unifi protect"
+        fi
+    else
+        echo "[$ME] > Error occurred copying files to Unifi Protect"
+    fi
+fi
+# ================================