#!/bin/bash
# Renew the Let's Encrypt certificate of a QNAP NAS with lego and install it
# for stunnel (web UI) and the FTP service.
set -e

# Make the lego binary and the system tools reachable no matter how the
# script is started (cron, QTS scheduler, interactive shell).
export PATH="/opt/LEgo/bin:/usr/bin:/usr/sbin:$PATH"

# --- Configuration: replace these values with your own ---------------------
# ACME directory endpoints; production issues real certificates, staging is
# meant for testing (selected with TEST below).
PROD_SRV="https://acme-v02.api.letsencrypt.org/directory"
STAGING_SRV="https://acme-staging-v02.api.letsencrypt.org/directory"
DOMAIN=""              # host name the certificate is requested for
EMAIL=""               # e-mail address registered with the ACME account
WEBPATH="/share/Web/"  # webroot used for the HTTP challenge
QTSNOTIFICATION=true   # post results to the QTS log via /sbin/log_tool
LOGFILE=""             # declared here but not read anywhere in this script
DAYSEXPIRATION=15      # renew when the certificate expires within this many days
TEST=false             # true -> talk to the staging endpoint

# Directory containing this script; lego keeps its state underneath it.
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# FUNCTIONS
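#######################################
# Post a message to the QTS system log / notification centre.
# Globals:   QTSNOTIFICATION (read) - anything other than "true" disables it
# Arguments: $1 - message text
#            $2 - severity passed to log_tool -t (callers use 0 on success,
#                 2 on failure)
# Returns:   exit status of log_tool, or 0 when notifications are disabled
#######################################
notify() {
  local message=$1
  local level=$2
  # [[ ]] does not word-split, so an empty QTSNOTIFICATION no longer turns the
  # test into a syntax error ("unary operator expected") as the old [ ] did.
  if [[ "$QTSNOTIFICATION" == true ]]; then
    /sbin/log_tool -a "$message" -t "$level"
  fi
}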
#######################################
# Choose the ACME directory URL based on the TEST switch.
# Globals:   TEST, STAGING_SRV, PROD_SRV (read); SERVER (written)
# Arguments: none
#######################################
getServer() {
  case "$TEST" in
    true) SERVER=$STAGING_SRV ;;  # staging endpoint for dry runs
    *)    SERVER=$PROD_SRV ;;     # anything else: production
  esac
}
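###########################################
# Derived paths: lego stores account, keys and certificates below WORKDIR.
WORKDIR="$DIR/LEgo"
CERTIFICATENAME="$DOMAIN.pem"
CERTIFICATESDIR="$WORKDIR/certificates"
getServer

# Leave early while the current certificate stays valid for more than
# DAYSEXPIRATION days. openssl -checkend takes seconds, hence 86400 * days.
# (The original comment said 30 days; DAYSEXPIRATION is what actually applies.)
# -noout stops openssl from dumping the whole PEM to stdout on every run.
echo "Checking whether to renew certificate on next $DAYSEXPIRATION days"
if [[ -s "$CERTIFICATESDIR/$CERTIFICATENAME" ]] \
  && openssl x509 -in "$CERTIFICATESDIR/$CERTIFICATENAME" -noout \
       -checkend $(( 86400 * DAYSEXPIRATION )); then
  echo "Certificate still valid, nothing to do"
  exit 0
fi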
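echo "Running letsencrypt, Getting/Renewing certificate..."
# Run lego as the if-condition. Under `set -e` an untested failing command
# aborts the script immediately, so the original subshell followed by a "$?"
# check never reached the error branch: the failure notification was dead code.
# Every expansion is quoted so a WEBPATH or WORKDIR containing spaces stays one
# argument.
if lego \
     --server "$SERVER" \
     --accept-tos --pem --key-type rsa2048 \
     --http --http.webroot "$WEBPATH" \
     --domains "$DOMAIN" --email "$EMAIL" --path "$WORKDIR" run; then
  echo "...Success!"
  notify "[LetsEncrypt] Certificate renewed with success" 0
else
  echo "...Error!" >&2
  notify "[LetsEncrypt] Unable to renew certificate" 2
  exit 1
fi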
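# Fetch the issuing intermediate; it is later installed as /etc/stunnel/uca.pem
# and appended to the served chain. Because this file becomes trusted material
# on the NAS the download must verify the server: the old --no-check-certificate
# (contradicting --secure-protocol=TLSv1_2) let anyone on the path substitute it.
# NOTE(review): the file name lets-encrypt-r3.pem is hard-coded; confirm it is
# still the issuer of the certificate lego returned, and check whether lego's
# own output in $CERTIFICATESDIR already contains the chain before relying on it.
echo "Downloading intermediate certificate"
wget --no-verbose --secure-protocol=TLSv1_2 \
  -O "$CERTIFICATESDIR/intermediate.pem" https://letsencrypt.org/certs/lets-encrypt-r3.pem
# Refuse to go on with anything that is not a parseable certificate (an empty
# file or an HTML error page would otherwise be spliced into the chain).
if ! openssl x509 -in "$CERTIFICATESDIR/intermediate.pem" -noout; then
  echo "Downloaded intermediate is not a valid certificate" >&2
  exit 1
fi
echo "OK"
# Leaf certificate first, then the intermediate: the order servers present.
cat "$CERTIFICATESDIR/$DOMAIN.crt" "$CERTIFICATESDIR/intermediate.pem" > "$CERTIFICATESDIR/chained.pem"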
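# Everything below touches the live services, so verify the inputs before
# stunnel is stopped: with `set -e` a missing file would otherwise abort the
# script with the service down and the certificate only half replaced.
for required in "$CERTIFICATESDIR/$DOMAIN.key" "$CERTIFICATESDIR/$DOMAIN.crt" \
                "$CERTIFICATESDIR/chained.pem" "$CERTIFICATESDIR/intermediate.pem"; do
  if [[ ! -s "$required" ]]; then
    echo "Missing or empty file: $required - not touching stunnel" >&2
    exit 1
  fi
done

echo "Stopping stunnel"
/etc/init.d/stunnel.sh stop
echo "Setting certificates for NAS"
# Keep the previous material so it can be put back if the write below fails.
cp /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.old
# stunnel.pem = private key followed by the chain. The redirection keeps the
# existing file's mode; NOTE(review): check that mode is not world-readable,
# since the file contains the private key.
cat "$CERTIFICATESDIR/$DOMAIN.key" "$CERTIFICATESDIR/chained.pem" > /etc/stunnel/stunnel.pem
cp /etc/stunnel/uca.pem /etc/stunnel/uca.pem.old
cp "$CERTIFICATESDIR/intermediate.pem" /etc/stunnel/uca.pem

# FTP - presumably the key/cert pair read by the FTP service (original comment
# only says "FTP"; verify on your firmware).
echo "Setting certificates for FTP"
cp /etc/config/stunnel/backup.key /etc/config/stunnel/backup.key.old
cp "$CERTIFICATESDIR/$DOMAIN.key" /etc/config/stunnel/backup.key
cp /etc/config/stunnel/backup.cert /etc/config/stunnel/backup.cert.old
cp "$CERTIFICATESDIR/$DOMAIN.crt" /etc/config/stunnel/backup.cert

# Belt and braces: if the combined file still ended up empty, restore the
# backup so stunnel comes back with the previous certificate.
if [[ ! -s /etc/stunnel/stunnel.pem ]]; then
  echo "Error occured, restoring files" >&2
  cp -f /etc/stunnel/stunnel.pem.old /etc/stunnel/stunnel.pem
fi

echo "Done! Service startup and cleanup will follow now..."
/etc/init.d/stunnel.sh start
/etc/init.d/Qthttpd.sh restart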