#!/bin/bash
# Obtain or renew certificates from letsencrypt, to be used with nginx
# webroot verification.
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
#
# The pre-hook is used to remove snakeoil certificates that are
# required to bootstrap nginx configurations (nginx fails to start
# without ssl certificates). The hook is required because certbot does
# not overwrite foreign certificates, as described in this issue
# https://github.com/certbot/certbot/issues/3396
set -o errexit

extra_flags=()
if [ "$1" = --test ]; then
    extra_flags+=("--test-cert")
fi

sites_enabled=($(
		   find /etc/nginx/sites-enabled/ \
			-not -type d \
			-exec grep -q -e '^[^#]*include letsencrypt' {} \; \
			-print))

if [[ ${#sites_enabled[@]} -eq 0 ]]; then
    # no sites use ssl, exit immediately
    exit 0
fi

host_lines=($(sed --quiet \
		  's/^[^#]*server_name \([^_].*\);/\1/p' \
		  "${sites_enabled[@]}"))
hosts=$(echo -n "${host_lines[@]}" | tr "[:space:]" ",")

function cleanup() {
    mkdir --parents /etc/letsencrypt/live/nginx
    cp --no-clobber \
       /etc/ssl/private/ssl-cert-snakeoil.key \
       /etc/letsencrypt/live/nginx/privkey.pem
    cp --no-clobber \
       /etc/ssl/certs/ssl-cert-snakeoil.pem \
       /etc/letsencrypt/live/nginx/fullchain.pem
    service nginx reload
}
trap cleanup ERR

mkdir --parents /var/www/letsencrypt
certbot certonly "${extra_flags[@]}" \
	--noninteractive \
	--agree-tos \
	--cert-name nginx \
	--webroot --webroot-path /var/www/letsencrypt \
	--pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
	-d "$hosts"

service nginx reload