#!/bin/bash
# Obtain or renew certificates from letsencrypt, to be used with nginx
# webroot verification.
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
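set -o errexit

# getopt rewrites "$@" into a normalized, shell-quoted argument list.
# It exits non-zero on an unknown option (after printing its own
# diagnostic), so abort explicitly instead of re-parsing garbage.
opts=$(getopt -o hn --long help,test -n 'nginx-letsencrypt' -- "$@") || exit 1
eval set -- "$opts"

# Additional flags forwarded to certbot, collected from the options.
extra_flags=()
while true; do
    case "$1" in
        -h|--help)
            shift
            echo "Usage: $0 [-h|--help] [-n|--test]"
            exit 0
            ;;
        -n|--test)
            shift
            # Request a certificate from the staging (test) environment.
            extra_flags+=("--test-cert")
            ;;
        --)
            shift
            break
            ;;
        *)
            # getopt only emits the options declared above, so anything
            # else here means the two option lists are out of sync.
            echo "Internal error!" >&2
            exit 1
            ;;
    esac
done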

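# Any site configuration files that use letsencrypt. The paths are
# read NUL-delimited so that names containing whitespace or glob
# characters are kept intact instead of being word-split and expanded.
sites_enabled=()
while IFS= read -r -d '' site; do
    sites_enabled+=("$site")
done < <(find /etc/nginx/sites-enabled/ \
              -not -type d \
              -exec grep -q -e '^[^#]*include letsencrypt' {} \; \
              -print0)

if [[ ${#sites_enabled[@]} -eq 0 ]]; then
    # no sites use ssl, exit immediately
    exit 0
fi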

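# Extract server names from enabled sites.
#######################################
# Print the server names declared by 'server_name' directives in the
# given nginx configuration files as a comma-separated list, in order
# of appearance. Commented-out directives and the catch-all '_' name
# are skipped.
# Arguments: $@ - configuration files to scan
# Outputs:   comma-separated host list on stdout (empty if none found)
# Returns:   0
#######################################
extract_hosts() {
    local -a names=() words=()
    # With no files sed would read stdin; there is nothing to scan.
    (( $# > 0 )) || return 0
    # 'read -a' splits each matched line on whitespace without applying
    # pathname expansion, so a wildcard such as *.example.com is kept
    # literally rather than expanded against the current directory.
    while read -r -a words; do
        names+=("${words[@]}")
    done < <(sed --quiet 's/^[^#]*server_name \([^_].*\);/\1/p' "$@")
    local IFS=','
    printf '%s' "${names[*]}"
}
hosts=$(extract_hosts "${sites_enabled[@]}")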

# Make sure that *any* certificate exists so that nginx can start. If
# a certificate or key is missing, copy snakeoil certificates instead.
# Files that already exist are never overwritten (--no-clobber), so
# once the directory holds real certificates this only reloads nginx.
ensure_certificate() {
    local live_dir=/etc/letsencrypt/live/nginx
    mkdir --parents "$live_dir"
    # private key first, then the chain; both are no-ops if present
    cp --no-clobber /etc/ssl/private/ssl-cert-snakeoil.key "$live_dir/privkey.pem"
    cp --no-clobber /etc/ssl/certs/ssl-cert-snakeoil.pem "$live_dir/fullchain.pem"
    service nginx reload
}
# Ensure that a certificate exists if this script encounters an error:
# whenever a command fails, nginx is left with at least the snakeoil
# key and certificate so that it can still start.
trap 'ensure_certificate' ERR

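# Issue letsencrypt certificates. Snakeoil certificates that are
# required to bootstrap nginx configurations (nginx fails to start
# without ssl certificates) are removed. The explicit removal is
# required because certbot does not overwrite foreign certificates, as
# described in this issue
# https://github.com/certbot/certbot/issues/3396
ensure_certificate
# Keep the live directory only if the current chain was issued by
# letsencrypt. The text dump is matched case-insensitively against
# both spellings: the issuer is printed as "Let's Encrypt", while the
# bare word "letsencrypt" tends to appear only in embedded URLs that
# may be absent from newer certificates.
if ! openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text \
        | grep --quiet --ignore-case -e letsencrypt -e "let's encrypt"; then
    rm -r /etc/letsencrypt/live/nginx
fi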

# Directory certbot writes the http-01 challenge files into; the nginx
# side is presumably provided by the 'include letsencrypt' snippet.
mkdir --parents /var/www/letsencrypt
certbot_args=(
    certonly
    "${extra_flags[@]}"
    --noninteractive
    --agree-tos
    --cert-name nginx
    --webroot --webroot-path /var/www/letsencrypt
    -d "$hosts"
)
certbot "${certbot_args[@]}"

# Reload nginx so that the newly issued files are picked up; the
# snakeoil copies inside are skipped for any file that already exists.
ensure_certificate