From 6995d11ce06ac3ba6ab0fabafd7b0f5b7be8459b Mon Sep 17 00:00:00 2001
From: Jakob Odersky
Date: Fri, 12 Jan 2018 15:35:13 -0800
Subject: Make script more robust

---
 README.md         |  2 +-
 debian/control    |  2 +-
 nginx-letsencrypt | 41 ++++++++++++++++++++++++++++++-----------
 3 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 7ef3cea..8891655 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ environment:
 - webroot: does not require a server shutdown and offers isolation,
   however it requires manual intervention to bootstrap a system with
   an initial certificate, since nginx will not start if the `ssl`
-  directive is set and there are no certificates. (Therefore one
+  directive is set and there are no certificates. (Therefore, one
   would be required to first configure the webroot, run certbot and
   then add an ssl entry).
 
diff --git a/debian/control b/debian/control
index 7079043..05e7178 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Vcs-Git: https://github.com/jodersky/nginx-letsencrypt.git
 
 Package: nginx-letsencrypt
 Architecture: all
-Depends: nginx, letsencrypt, ssl-cert, ${misc:Depends}
+Depends: nginx, letsencrypt, openssl, ssl-cert, ${misc:Depends}
 Description: Issue certificates by letsencrypt for nginx virtual hosts.
  Simplify the process by which letsencrypt certificates are issued for
  virtual hosts controlled by nginx.
diff --git a/nginx-letsencrypt b/nginx-letsencrypt
index 9c598ff..cb929c9 100755
--- a/nginx-letsencrypt
+++ b/nginx-letsencrypt
@@ -10,9 +10,8 @@
 # without ssl certificates). The hook is required because certbot does
 # not overwrite foreign certificates, as described in this issue
 # https://github.com/certbot/certbot/issues/3396
-set -o exiterr
+set -o errexit
 
-# TODO: make email configurable
 email="jakob@odersky.com"
 
 extra_flags=()
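Review bot: The `# TODO: make email configurable` comment is dropped while `email="jakob@odersky.com"` on the following line stays hard-coded, so every installation of the package registers the packager's address with the CA and receives its expiry notices; reading it from an environment variable or a file under /etc, for example `email="${NGINX_LETSENCRYPT_EMAIL:-jakob@odersky.com}"` (variable name to be chosen), keeps the current default while letting an administrator set their own. Separately, `set -o errexit` on its own does not cover pipelines, and the script already relies on bash (arrays, `[[`), so `set -o errexit -o pipefail` would also stop the run when the left-hand side of a pipe such as the `echo -n … | tr` in the next hunk fails. The `--test` check below reads `$1` unquoted-safe but unguarded, so `-o nounset` should only be added together with `"${1:-}"`.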
@@ -21,15 +20,34 @@ if [ "$1" = --test ]; then
 fi
 
 sites_enabled=($(
-    find /etc/nginx/sites-enabled/ \
-    -not -type d -exec \
-    grep -q -e '^[[:space:]]*[^#][[:space:]]*include letsencrypt' {} \; \
-    -print))
-host_lines=$(sed -n \
-    's/^[[:space:]]*[^#][[:space:]]*server_name \([^_].*\);/\1/p' \
-    "${sites_enabled[@]}")
-hosts=$(echo "${host_lines[@]}" | tr "[:space:]" ",")
+    find /etc/nginx/sites-enabled/ \
+    -not -type d \
+    -exec grep -q -e '^[^#]*include letsencrypt' {} \; \
+    -print))
+if [[ ${#sites_enabled[@]} -eq 0 ]]; then
+    # no sites use ssl, exit immediately
+    exit 0
+fi
+
+host_lines=($(sed --quiet \
+    's/^[^#]*server_name \([^_].*\);/\1/p' \
+    "${sites_enabled[@]}"))
+hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")
+
+function cleanup() {
+    mkdir --parents /etc/letsencrypt/live/nginx
+    cp --no-clobber \
+        /etc/ssl/private/ssl-cert-snakeoil.key \
+        /etc/letsencrypt/live/nginx/privkey.pem
+    cp --no-clobber \
+        /etc/ssl/certs/ssl-cert-snakeoil.pem \
+        /etc/letsencrypt/live/nginx/fullchain.pem
+    service nginx reload
+}
+trap cleanup ERR
+
+mkdir --parents /var/www/letsencrypt
 
 certbot certonly "${extra_flags[@]}" \
     --noninteractive \
     --agree-tos \
@@ -37,5 +55,6 @@ certbot certonly "${extra_flags[@]}" \
     --cert-name nginx \
     --webroot --webroot-path /var/www/letsencrypt \
     --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
-    --post-hook "systemctl reload nginx" \
     -d "$hosts"
+
+service nginx reload
-- 
cgit v1.2.3
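Review bot: `cleanup` copies `/etc/ssl/private/ssl-cert-snakeoil.key` to `/etc/letsencrypt/live/nginx/privkey.pem` with a plain `cp`, so the destination is created with the caller's umask (typically 0644, inside a 0755 directory from `mkdir --parents`) instead of the restrictive group-only mode the snakeoil key normally carries under /etc/ssl/private, leaving the fallback TLS private key readable by every local account. Adding `chmod 0600 /etc/letsencrypt/live/nginx/privkey.pem` right after the first `cp` closes that gap, and it is still correct with `--no-clobber` because it only tightens an already-present file; `umask 077` as the first line of `cleanup` would cover both copies at once. A smaller point: `sites_enabled=($(find …))` and `host_lines=($(sed …))` depend on word splitting of unquoted command substitutions, so a `server_name` containing a glob character (for example `*.example.com`) is subject to pathname expansion against the current directory before it reaches `-d "$hosts"`; `set -f` before these assignments, or `mapfile -t` over the command output, avoids that. The `if [ "$1" = --test ]` block this hunk starts in begins outside the hunk.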
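Review bot: The trailing `service nginx reload` now runs on every invocation, whereas the removed `--post-hook` ran only within certbot's own attempt, so when this script is driven from a timer nginx is reloaded even on runs where certbot reports that the certificate is not yet due for renewal. If that is intended, a comment such as `# reload unconditionally so a newly issued certificate (or the snakeoil fallback) is picked up` above the line would record it; otherwise `--deploy-hook "service nginx reload"`, which certbot runs only after a certificate was actually issued or renewed, keeps the old behaviour if the packaged certbot version provides that option. Note also that with `trap cleanup ERR` installed earlier, a failure of this final reload triggers `cleanup`, which attempts `service nginx reload` a second time with nothing changed in between.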