152 lines
4.8 KiB
Bash
152 lines
4.8 KiB
Bash
# This is a anonymized version of the script I use to renew all my SSL certs
|
|
# across my servers. This will not work out of the box for anyone as your network will be
|
|
# different. But may be useful starting place for others.
|
|
#
|
|
# I use a cronjob that runs this every week. It only replaces certificates when a certificate has been renewed.
|
|
|
|
# Renews/creates cert from letsencrypt & places it where it needs to be.
|
|
# Currently, that is:
|
|
# * DSM/Synology
|
|
# * Unifi Protect
|
|
# * Home Assistant
|
|
|
|
DOMAIN=example.com # Change to your domain
|
|
CERT_DIRECTORY="/etc/letsencrypt/live/$DOMAIN"
|
|
ME=$(basename "$0")
|
|
ONLY=
|
|
FORCE=false
|
|
CREATE_NEW_CERT=false
|
|
SERVERS=(synology homeassistant protect) # Whatever your server names are
|
|
ssl_user=ssl_updater # User for remote servers that can update certs
|
|
|
|
# Get args
|
|
# ================================
|
|
POSITIONAL_ARGS=()
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case $1 in
|
|
-o|--only)
|
|
if [[ ! " ${SERVERS[*]} " =~ " ${2} " ]]; then
|
|
echo "[$ME] Unknown servername: $2. Use one of the known servers: $SERVERS"
|
|
exit 1
|
|
fi
|
|
ONLY="$2"
|
|
shift # past argument
|
|
shift # past value
|
|
;;
|
|
--force)
|
|
FORCE=true
|
|
shift # past argument
|
|
;;
|
|
--create)
|
|
CREATE_NEW_CERT=true
|
|
shift # past argument
|
|
;;
|
|
-*|--*)
|
|
echo "[$ME] Unknown option $1"
|
|
exit 1
|
|
;;
|
|
*)
|
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
|
shift # past argument
|
|
;;
|
|
esac
|
|
done
|
|
|
|
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
|
|
# ================================
|
|
|
|
# Use certbot to renew certificate
|
|
# ================================
|
|
echo "Running certbot..."
|
|
if [ "$CREATE_NEW_CERT" == "true" ]; then
|
|
echo "[$ME] Creating a new certificate from scratch"
|
|
cert_flags="--insert-your-flags --creds etc *.$DOMAIN" # Modify this line for the parameters you use to create your cert
|
|
{ CERTBOT_ERROR=$(sudo certbot certonly $cert_flags 2>&1 >&3 3>&-); } 3>&1
|
|
errcode=$?
|
|
else
|
|
echo "[$ME] Renewing certificate"
|
|
{ CERTBOT_ERROR=$(sudo certbot renew 2>&1 >&3 3>&-); } 3>&1
|
|
errcode=$?
|
|
fi
|
|
if [ "$errcode" != "0" ]; then
|
|
echo "$CERTBOT_ERROR"
|
|
echo "[$ME] Error encountered with certbot. Halting."
|
|
echo "[$ME] Error code: $errcode"
|
|
exit
|
|
fi
|
|
# ================================
|
|
|
|
# Exit or continue if certificate not renewed, depending on flags
|
|
# ================================
|
|
if echo "$CERTBOT_ERROR" | grep 'Cert not yet due for renewal'; then
|
|
if [ "$FORCE" != "true" ]; then
|
|
echo "[$ME] Certbot not due for renewal--halting."
|
|
echo "[$ME] To continue anyway (to sync the existing cert), use flag --force"
|
|
exit 0
|
|
else
|
|
echo "[$ME] --force specified--continuing to sync certs"
|
|
fi
|
|
fi
|
|
|
|
if [ "$ONLY" != "" ]; then
|
|
echo "--only specified. Will only sync certs to: $ONLY"
|
|
fi
|
|
# ================================
|
|
|
|
# Synology (NAS)
|
|
# This script used here is referenced in this companion gist:
|
|
# https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
|
|
# ================================
|
|
if [[ -z "$ONLY" || "$ONLY" == "synology" ]]; then
|
|
server=synology.$DOMAIN
|
|
echo ""
|
|
echo "[$ME] Copying certificates to synology"
|
|
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/tmp/
|
|
if [ "$?" = "0" ]; then
|
|
echo "[$ME] > Replacing certs on $server...."
|
|
ssh $ssl_user@$server 'sudo ./replace_certs.sh'
|
|
if [ "$?" != "0" ]; then
|
|
echo "[$ME] > ERROR replacing certs to $server"
|
|
fi
|
|
else
|
|
echo "[$ME] > Error occurred copying files to $server"
|
|
fi
|
|
fi
|
|
# ================================
|
|
|
|
# Home Assistant
|
|
# ================================
|
|
if [[ -z "$ONLY" || "$ONLY" == "homeassistant" ]]; then
|
|
server=homeassistant.$DOMAIN
|
|
echo ""
|
|
echo "[$ME] Copying certificates to home assistant"
|
|
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/usr/share/hassio/ssl/
|
|
if [ "$?" = "0" ]; then
|
|
echo "[$ME] > Restarting NGINX SSL Proxy...."
|
|
ssh $ssl_user@$server 'sudo ha addons restart core_nginx_proxy'
|
|
else
|
|
echo "[$ME] > Error occurred copying files to $server"
|
|
fi
|
|
fi
|
|
# ================================
|
|
|
|
# Unifi Protect
|
|
# ================================
|
|
if [[ -z "$ONLY" || "$ONLY" == "protect" ]]; then
|
|
server="protect.$DOMAIN"
|
|
echo ""
|
|
echo "[$ME] Copying certificates to $server"
|
|
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain}.pem $ssl_user@$server:/tmp/
|
|
if [ "$?" = "0" ]; then
|
|
echo "[$ME] > Restarting services on Unifi Protect...."
|
|
ssh $ssl_user@$server 'sudo /root/replace_certs_protect.sh'
|
|
if [ "$?" != "0" ]; then
|
|
echo "[$ME] > ERROR restarting services on Unifi protect"
|
|
fi
|
|
else
|
|
echo "[$ME] > Error occurred copying files to Unifi Protect"
|
|
fi
|
|
fi
|
|
# ================================
|