forked from FlippingBinary/lets-encrypt-tlsa
-
Notifications
You must be signed in to change notification settings - Fork 0
/
letsencrypt-request
105 lines (94 loc) · 3.33 KB
/
letsencrypt-request
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/env bash
##
## letsencrypt-request
##
## This script requests a signature from Let's Encrypt CA with a reusable
## keypair, overriding the default behavior of certbot.
##
## Source: https://flippingbinary.com
##
## Copyright 2017 Jonathan Musselwhite
##
## Permission is hereby granted, free of charge, to any person obtaining a copy
## of this software and associated documentation files (the "Software"), to
## deal in the Software without restriction, including without limitation the
## rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
## sell copies of the Software, and to permit persons to whom the Software is
## furnished to do so, subject to the following conditions:
##
## The above copyright notice and this permission notice shall be included in
## all copies or substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
## IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
## AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
## LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
## OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
## THE SOFTWARE.
##
###
###### CHECK SETTINGS ######
EMAIL=UnconfiguredScript@example.com
MAIN_DIR=/etc/ssl/letsencrypt
LOG_DIR=/var/log/letsencrypt
###### CHECK SETTINGS ######
[ -f /etc/default/letsencrypt-tlsa ] && . /etc/default/letsencrypt-tlsa
if [ "$#" -lt 1 ]
then
echo "Usage: $0 domain" >&2
echo " domain MUST be the first listed domain" >&2
echo " additional arguments (such as alternate domains) are ignored" >&2
exit 1
fi
# Set some environment variables to clean things up a little down below
DATE=$(date +%Y%m%d%H%M%S)
COMMON_NAME="$1"
LOG_PATH=${LOG_DIR}/${COMMON_NAME}.log
ARCHIVE_DIR=${MAIN_DIR}/archive/${COMMON_NAME}
CSR_DIR=${MAIN_DIR}/csr/${COMMON_NAME}
CERT_PATH="${ARCHIVE_DIR}/cert-${DATE}.pem"
FULLCHAIN_PATH="${ARCHIVE_DIR}/fullchain-${DATE}.pem"
CHAIN_PATH="${ARCHIVE_DIR}/chain-${DATE}.pem"
# Locate the latest certificate signing request
unset -v latest
for file in "${CSR_DIR}"/csr-*.der; do
[[ $file -nt $latest ]] && latest=$file
done
if [ ! -f "${latest}" ]
then
echo "Error: Couldn't find a certificate signing request!" >&2
echo " Cannot request certificate!" >&2
exit 1
fi
# Make sure the directory exists to prevent simple problems
mkdir -p ${ARCHIVE_DIR}
mkdir -p ${LOG_DIR}
# Finally request the actual signed certificate
certbot certonly \
-n \
--agree-tos \
-m ${EMAIL} \
--webroot \
--csr ${latest} \
--preferred-challenges http-01 \
-w /var/www/${COMMON_NAME} \
--fullchain-path ${FULLCHAIN_PATH} \
--chain-path ${CHAIN_PATH} \
--cert-path ${CERT_PATH} >> ${LOG_PATH} 2>&1
if [ ! -f ${FULLCHAIN_PATH} ]; then
echo "Error: Failed to create fullchain file!" >&2
fi
if [ ! -f ${CHAIN_PATH} ]; then
echo "Error: Failed to create chain file!" >&2
fi
if [ ! -f ${CERT_PATH} ]; then
echo "Error: Failed to create cert file!" >&2
fi
if [ ! -f ${FULLCHAIN_PATH} -o ! -f ${CHAIN_PATH} -o ! -f ${CERT_PATH} ]; then
echo "Error: Failed to generate required files!"
if [ -f ${LOG_PATH} ]; then
tail ${LOG_PATH} # just show the last few lines
fi
exit 1;
fi