From 8d78b86e684290ee7296bf7b8d526db3148dbd10 Mon Sep 17 00:00:00 2001
From: Jakob Odersky <jakob@odersky.com>
Date: Tue, 26 Dec 2017 14:07:01 +0100
Subject: Clean up debian configuration files

---
 nginx-letsencrypt | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100755 nginx-letsencrypt

(limited to 'nginx-letsencrypt')

diff --git a/nginx-letsencrypt b/nginx-letsencrypt
new file mode 100755
index 0000000..5db460a
--- /dev/null
+++ b/nginx-letsencrypt
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Obtain or renew certificates from letsencrypt, to be used with nginx
+# webroot verification.
+#
+# Domains to be certified are defined in /etc/nginx/domains.
+#
+# The pre-hook is used to remove snakeoil certificates that are
+# required to bootstrap nginx configurations (nginx fails to start
+# without ssl certificates). The hook is required because certbot does
+# not overwrite foreign certificates, as described in this issue
+# https://github.com/certbot/certbot/issues/3396
+set -o exiterr
+set -o unset
+
+email="jakob@odersky.com"
+
+extra_flags=""
+if [ "$1" = --test ]; then
+    extra_flags="--test-cert"
+fi
+
+certbot certonly $extra_flags \
+	--noninteractive \
+	--agree-tos \
+	--email "$email" \
+	--cert-name nginx \
+	--webroot --webroot-path /var/www/letsencrypt \
+	--pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
+	--post-hook "systemctl reload nginx" \
+	-d "$(grep "^[^#;]" /etc/nginx/letsencryptdomains | paste --delimiter=, --serial)"
-- 
cgit v1.2.3