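#!/usr/bin/env bash
# hanscees@hanscees.com version 27-03-2016
# This script will renew one or multiple Let's Encrypt domains.
# By default it uses the staging server; swap the ACME_SERVER lines below to
# use the live Let's Encrypt server.
# Let me know if you built a better script.
#
# Per domain the flow is:
#   - no cert.pem yet                 -> request a certificate
#   - cert.pem older than 71 days     -> request a new certificate
#   - cert.pem younger than that      -> mail "no need" and skip the domain
#   afterwards, if cert.pem is missing or still older than 3600 minutes the
#   request must have failed -> mail an alert and skip the domain; otherwise
#   privkey+cert+chain are concatenated into the pem file hiawatha expects.
# Finally the web server is restarted and a summary mail is sent.
#
# Errors in one domain do not abort the run (the other domains still get
# processed), so no `set -e`; failures are checked explicitly instead.
set -uo pipefail

readonly WEBROOT="/var/www/backends/"
# we will get certificates for the following domains (space separated)
DOMAINS="www.test-backend.com www.backend.com www.backend.net" # adjust
EMAILADMIN="hanscees@hanscees.con" # adjust
readonly LECROOT="/etc/letsencrypt/live"
# directory that holds letsencrypt-auto
readonly LEDIR="/root/letsencrypt"
# using staging server? Adjust if necessary
readonly ACME_SERVER="https://acme-staging.api.letsencrypt.org/directory"
#readonly ACME_SERVER="https://acme-v01.api.letsencrypt.org/directory"
# owner of the generated hiawatha pem file
readonly WEBUSER="www-data"
# a certificate younger than this many days is not renewed
readonly RENEW_AFTER_DAYS=71
# a cert.pem still older than this many minutes after a request means the
# request failed
readonly STALE_AFTER_MINUTES=3600

#######################################
# Print a message to stdout.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Mail the administrator.
# Globals:   EMAILADMIN (read)
# Arguments: $1 - subject, $2 - body
# Returns:   exit status of mail
#######################################
notify() {
  local subject=$1
  local body=$2
  printf '%s\n' "$body" | mail -s "$subject" "$EMAILADMIN"
}

#######################################
# True when a file matches the given find(1) time test, e.g.
#   file_older_than /path/cert.pem -mtime +71
# A missing file yields false (find prints nothing).
# Arguments: $1 - file, $2.. - find time test
#######################################
file_older_than() {
  local file=$1
  shift
  [[ -n "$(find "$file" "$@" 2>/dev/null)" ]]
}

#######################################
# Request a certificate for one domain via the webroot plugin.
# Runs in a subshell so the cd does not leak into the caller; refuses to run
# a relative ./letsencrypt-auto from some other directory when cd fails.
# Globals:   LEDIR, WEBROOT, ACME_SERVER (read)
# Arguments: $1 - domain
# Returns:   non-zero when cd or letsencrypt-auto fails
#######################################
request_cert() {
  local domain=$1
  local rc=0
  (
    cd "$LEDIR" || exit 1
    ./letsencrypt-auto certonly -a webroot --webroot-path "$WEBROOT" \
      -d "$domain" --server "$ACME_SERVER"
  ) || rc=$?
  sleep 33 # can take a while
  if (( rc != 0 )); then
    log "letsencrypt-auto for $domain exited with status $rc" >&2
  fi
  return "$rc"
}

#######################################
# Concatenate privkey, cert and chain into the pem file hiawatha reads.
# The file contains the private key, so it is created with a restrictive
# umask and then handed to the web server user with mode 440.
# Adjust for a non-hiawatha webserver.
# Globals:   LECROOT, WEBUSER (read)
# Arguments: $1 - domain
# Returns:   non-zero when any step fails
#######################################
build_hiawatha_pem() {
  local domain=$1
  local dir="$LECROOT/$domain"
  local pem="$dir/hiawatha-hc.pem"
  # umask in a subshell: the file never exists with a permissive mode
  (
    umask 077
    cat "$dir/privkey.pem" "$dir/cert.pem" "$dir/chain.pem" > "$pem"
  ) || return 1
  chown "$WEBUSER:$WEBUSER" "$pem" || return 1
  chmod 440 "$pem" || return 1
  log "pemfile is $pem"
}

#######################################
# Process one domain: obtain/renew the certificate when needed, verify the
# result and build the pem file.
# Globals:   LECROOT, RENEW_AFTER_DAYS, STALE_AFTER_MINUTES (read)
# Arguments: $1 - domain
#######################################
process_domain() {
  local domain=$1
  local cert="$LECROOT/$domain/cert.pem"
  log "getting certs for $domain"
  if [[ ! -f "$cert" ]]; then
    log "$cert does not exist, so lets get certificates"
    request_cert "$domain"
  else
    log "there is already a certificate, lets test its age"
    sleep 3
    # only get certs if the current certs aren't very young: age test
    if file_older_than "$cert" -mtime "+$RENEW_AFTER_DAYS"; then
      log "certificates exist and are rather old" # so lets get new ones
      request_cert "$domain"
    else
      log " certificates exist, but apparently are very fresh, do not get new ones"
      sleep 3
      # notify and stop here, the caller continues with the next domain
      notify "no-need-refresh-cert-$domain" \
        "certificate $domain not refreshed, they are very new so no problem"
      return 0
    fi
  fi
  # if all is well we have a new certificate; a missing or still-old cert.pem
  # means the request failed, so do not build a pem from stale material
  if [[ ! -f "$cert" ]] || file_older_than "$cert" -mmin "+$STALE_AFTER_MINUTES"; then
    notify "problem-cert-$domain" "certificate $domain not refreshed, send fire department"
    return 1
  fi
  # certs are fresh, so lets make a new pem
  log "certs $domain are in lets make a pem"
  if ! build_hiawatha_pem "$domain"; then
    notify "problem-cert-$domain" "certificate $domain renewed, but building the hiawatha pem failed"
    return 1
  fi
}

#######################################
# Entry point: renew every domain, restart the web server, mail a summary.
# Globals:   DOMAINS, EMAILADMIN, LEDIR (read)
#######################################
main() {
  mkdir -p "$LEDIR" # just in case
  log "will get the certs now"
  sleep 3
  local domain
  # DOMAINS is a space separated list; the unquoted expansion splits it on purpose
  for domain in $DOMAINS; do
    process_domain "$domain"
  done
  # todo, build in some test?
  /etc/init.d/hiawatha restart || log "hiawatha restart failed" >&2 # adjust
  log "letsencrypt certificates $DOMAINS update just ran, sending email to $EMAILADMIN"
  notify "letsencrypt-update-$DOMAINS" \
    "letsencrypt certificates $DOMAINS update just ran, please check your websites"
}

main "$@"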