#!/bin/bash
# Obtain or renew certificates from letsencrypt, to be used with nginx
# webroot verification.
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
#
# The pre-hook is used to remove the snakeoil certificate that is
# installed to bootstrap nginx configurations (nginx refuses to start
# when a configured ssl_certificate file is missing). The hook is
# required because certbot does not overwrite certificates it does not
# manage itself, as described in this issue:
# https://github.com/certbot/certbot/issues/3396
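set -o errexit
# Without pipefail a failing left-hand stage of a pipeline is invisible to
# errexit. nounset is deliberately left off: "${extra_flags[@]}" on an
# empty array trips it on bash older than 4.4.
set -o pipefail

# Account contact address handed to certbot (expiry notices are sent there).
# May be overridden from the environment; the default is the original value.
email="${LETSENCRYPT_EMAIL:-jakob@odersky.com}"

# `--test` targets the staging CA: no rate limits, but its certificates are
# not browser-trusted. Any other argument is rejected instead of being
# ignored, so a typo cannot silently issue (and rate-limit) a production
# certificate.
extra_flags=()
case "${1-}" in
    --test) extra_flags+=("--test-cert") ;;
    "")     ;;
    *)      printf 'usage: %s [--test]\n' "${0##*/}" >&2
            exit 2 ;;
esac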

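# Directory nginx reads enabled site configs from.
sites_dir=/etc/nginx/sites-enabled

# Print, one per line, the hostnames named by the `server_name` directives
# of the given nginx config files: duplicates dropped (first-seen order
# kept), the catch-all `server_name _;` skipped. As before, only single-line
# directives are understood. A name that is not a plain DNS hostname
# (wildcard, regex, a `_` mixed into a list) cannot be validated over
# HTTP-01, so it aborts here with a message on stderr instead of surfacing
# later as an opaque certbot error.
list_hosts() {
    local hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
    local -A seen=()
    local -a names
    local name
    # read -a splits a sed line on whitespace without globbing; the original
    # unquoted $(...) would also have expanded a literal '*.example.com'
    # against the working directory.
    while read -r -a names; do
        for name in "${names[@]}"; do
            if [[ ! $name =~ $hostname_re ]]; then
                printf '%s: cannot request a certificate for server_name %q\n' \
                       "${0##*/}" "$name" >&2
                return 1
            fi
            if [[ -z "${seen[$name]-}" ]]; then
                seen[$name]=1
                printf '%s\n' "$name"
            fi
        done
    done < <(sed --quiet 's/^[^#]*server_name \([^_].*\);/\1/p' "$@")
}

if [[ ! -d $sites_dir ]]; then
    printf '%s: %s does not exist\n' "${0##*/}" "$sites_dir" >&2
    exit 1
fi

# Every enabled site config whose uncommented body includes the letsencrypt
# snippet. NUL-delimited so file names containing whitespace stay intact.
sites_enabled=()
while IFS= read -r -d '' site; do
    sites_enabled+=("$site")
done < <(find "$sites_dir"/ \
              -not -type d \
              -exec grep -q -e '^[^#]*include letsencrypt' {} \; \
              -print0)

if (( ${#sites_enabled[@]} == 0 )); then
    # no sites use ssl, exit immediately
    exit 0
fi

# Comma-separated list for certbot's -d. The command substitution makes a
# failure inside list_hosts abort the script through errexit.
host_lines=$(list_hosts "${sites_enabled[@]}")
hosts=${host_lines//$'\n'/,}

if [[ -z $hosts ]]; then
    printf '%s: no server_name found in: %s\n' "${0##*/}" "${sites_enabled[*]}" >&2
    exit 1
fi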

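# Placeholder certificate shipped by Debian's ssl-cert package, and the
# certbot lineage directory the nginx config points at.
snakeoil_key=/etc/ssl/private/ssl-cert-snakeoil.key
snakeoil_cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
live_dir=/etc/letsencrypt/live/nginx

# Install the snakeoil placeholder for any missing live certificate file so
# nginx has something to load, then reload nginx. Installed as the ERR trap:
# if certbot (or anything before it) fails after the live directory has been
# cleared, nginx must not be left pointing at files that do not exist.
# Existing files are never overwritten.
cleanup() {
    # 0700 on the leaf directory mirrors how certbot keeps its own live/
    # tree; nginx loads certificates in its root-owned master process.
    mkdir --parents --mode 0700 "$live_dir"
    # Explicit existence tests instead of `cp --no-clobber`: some coreutils
    # releases make a skipped --no-clobber copy exit non-zero, which under
    # errexit would abort this trap before the nginx reload below.
    [[ -e "$live_dir/privkey.pem" ]] || cp -- "$snakeoil_key" "$live_dir/privkey.pem"
    [[ -e "$live_dir/fullchain.pem" ]] || cp -- "$snakeoil_cert" "$live_dir/fullchain.pem"
    service nginx reload
}
trap cleanup ERR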

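# Webroot from which nginx must serve /.well-known/acme-challenge/ (the
# letsencrypt snippet included by the site configs is expected to map it).
mkdir --parents /var/www/letsencrypt

# Runs under /bin/sh right before certbot writes the new certificate. The
# live directory is cleared only when it holds no certificate at all or
# exactly the snakeoil placeholder (compared by SHA-256 fingerprint). The
# previous check grepped the human-readable dump for the substring
# "letsencrypt"; current Let's Encrypt certificates spell the issuer as
# "Let's Encrypt" and use lencr.org URLs, so that match fails and the hook
# would delete a valid lineage whenever it ran. Any other unmanaged
# certificate is left in place; certbot then refuses to overwrite it,
# which is the safe failure.
pre_hook=$(cat <<'EOF'
live=/etc/letsencrypt/live/nginx
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }
if [ -d "$live" ]; then
    if [ ! -e "$live/fullchain.pem" ]; then
        rm -r -- "${live:?}"
    else
        current=$(fp "$live/fullchain.pem")
        if [ -n "$current" ] && [ "$current" = "$(fp /etc/ssl/certs/ssl-cert-snakeoil.pem)" ]; then
            rm -r -- "${live:?}"
        fi
    fi
fi
EOF
)

certbot certonly "${extra_flags[@]}" \
	--noninteractive \
	--agree-tos \
	--email "$email" \
	--cert-name nginx \
	--webroot --webroot-path /var/www/letsencrypt \
	--pre-hook "$pre_hook" \
	-d "$hosts"

# Pick up the new or renewed certificate; a reload when nothing changed is
# harmless.
service nginx reload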