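#!/bin/bash
# Obtain or renew certificates from letsencrypt, to be used with nginx
# webroot verification.
#
# A certificate will be issued for all server names defined in server
# blocks that contain 'include letsencrypt'.
#
# The pre-hook is used to remove snakeoil certificates that are
# required to bootstrap nginx configurations (nginx fails to start
# without ssl certificates). The hook is required because certbot does
# not overwrite foreign certificates, as described in this issue
# https://github.com/certbot/certbot/issues/3396
#
# Usage: letsencrypt.sh [--test]
#   --test  request a certificate from the staging CA (certbot --test-cert)
#
# Exits non-zero when no site includes letsencrypt or no server_name could
# be extracted, so a cron/timer run does not silently do nothing.

# 'exiterr' is not a bash option: the original 'set -o exiterr' failed with
# "invalid option name" and the script then ran WITHOUT errexit. Use the
# real option names, and fail a pipeline if any stage fails.
set -o errexit -o pipefail

# TODO: make email configurable
email="jakob@odersky.com"

extra_flags=()
if [ "${1:-}" = --test ]; then
  extra_flags+=("--test-cert")
fi

# Collect every non-directory under sites-enabled that contains an
# uncommented 'include letsencrypt' directive. NUL-delimited so file names
# with whitespace survive instead of being word-split.
sites_enabled=()
while IFS= read -r -d '' site; do
  sites_enabled+=("$site")
done < <(find /etc/nginx/sites-enabled/ \
  -not -type d -exec \
  grep -q -e '^[[:space:]]*[^#][[:space:]]*include letsencrypt' {} \; \
  -print0)

# With an empty file list sed would read stdin and block forever.
if [ "${#sites_enabled[@]}" -eq 0 ]; then
  printf '%s\n' "no nginx site under /etc/nginx/sites-enabled/ includes letsencrypt" >&2
  exit 1
fi

# Extract the arguments of every uncommented 'server_name' directive,
# skipping the catch-all 'server_name _;'.
host_lines=$(sed -n \
  's/^[[:space:]]*[^#][[:space:]]*server_name \([^_].*\);/\1/p' \
  "${sites_enabled[@]}")

# Split on whitespace into an array. 'read -a' does not glob, so wildcard
# names such as *.example.com are not expanded against the working
# directory. The here-string has no NUL terminator, so read returns 1 at
# EOF after filling the array; ignore that status.
hosts_arr=()
read -r -d '' -a hosts_arr <<<"$host_lines" || true

if [ "${#hosts_arr[@]}" -eq 0 ]; then
  printf '%s\n' "no server_name directives found in: ${sites_enabled[*]}" >&2
  exit 1
fi

# Join with commas for certbot's -d (no trailing comma, no empty entries).
hosts=$(IFS=,; printf '%s' "${hosts_arr[*]}")

# NOTE(review): the pre-hook decides whether the live cert is a placeholder
# by grepping the x509 text for 'letsencrypt'; confirm that string still
# appears in the chains currently issued before relying on it.
certbot certonly "${extra_flags[@]}" \
  --noninteractive \
  --agree-tos \
  --email "$email" \
  --cert-name nginx \
  --webroot --webroot-path /var/www/letsencrypt \
  --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
  --post-hook "systemctl reload nginx" \
  -d "$hosts"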