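#!/bin/sh
# SSL Renewal Script
#
# For every /etc/nginx/conf.d/*.conf that declares ssl_certificate,
# ssl_certificate_key and server_name:
#   * if the certificate file does not exist yet, a 1-day self-signed
#     bootstrap pair is written so nginx can start (the short lifetime
#     forces a real renewal on the next run);
#   * if the certificate expires within EXPIRY_WINDOW seconds (default
#     3 days), a Let's Encrypt certificate is requested with certbot in
#     webroot mode and copied into the paths nginx reads.
# nginx is reloaded once at the end if any file was replaced.
#
# Environment (all optional):
#   CERTBOT_EMAIL   registration address passed to certbot
#   EXPIRY_WINDOW   seconds before expiry at which renewal is attempted
#
# File modes: private keys are written 600, certificates 644. nginx reads
# private keys in its master process (normally root); if nginx runs
# unprivileged in this deployment, use 640 with the nginx group instead.

set -u

readonly CONF_DIR=/etc/nginx/conf.d
readonly WEBROOT=/var/www/certbot
readonly LE_LIVE=/etc/letsencrypt/live
readonly ACME_SNIPPET=/scripts/inject_acme.sh
CERTBOT_EMAIL="${CERTBOT_EMAIL:-suporte@itguys.com.br}"
EXPIRY_WINDOW="${EXPIRY_WINDOW:-259200}"   # 3 days in seconds
readonly CERTBOT_EMAIL EXPIRY_WINDOW

#######################################
# Print a tagged log line to stdout.
# Arguments: message words
#######################################
log() {
  printf '[SSL-Renew] %s\n' "$*"
}

#######################################
# Print the value of the first DIRECTIVE in an nginx config file.
# The value is the text between the directive name and the terminating
# ';'. Commented-out lines ("# ssl_certificate ...") and anything after
# the ';' (trailing comments) are ignored. Prints nothing if absent.
# Arguments: $1 - directive name (e.g. ssl_certificate)
#            $2 - config file path
#######################################
conf_value() {
  # Anchoring at line start excludes commented-out directives; the capture
  # stops at the first ';' and drops trailing whitespace before it.
  sed -rn "s/^[[:space:]]*$1[[:space:]]+([^;]*[^;[:space:]])[[:space:]]*;.*/\1/p" "$2" \
    | head -n 1
}

#######################################
# Print the first whitespace-separated name of a server_name value.
# Arguments: $1 - server_name value ("a.com www.a.com")
#######################################
primary_name() {
  printf '%s' "$1" | awk '{ print $1; exit }'
}

#######################################
# Print a server_name value as a comma-separated list (certbot -d form).
# Arguments: $1 - server_name value ("a.com www.a.com")
#######################################
comma_join() {
  printf '%s' "$1" | awk -v OFS=, '{ $1 = $1; print }'
}

#######################################
# Copy a certificate/key pair into place, creating parent directories.
# The key ends up mode 600, the certificate 644 (cp onto an existing
# file keeps that file's old mode, so the chmod is not optional).
# Arguments: $1 - source cert, $2 - source key,
#            $3 - destination cert, $4 - destination key
# Returns:   0 on success, 1 on any copy/chmod failure
#######################################
install_pair() {
  mkdir -p "$(dirname "$3")" "$(dirname "$4")" || return 1
  cp "$1" "$3" && chmod 644 "$3" || return 1
  cp "$2" "$4" && chmod 600 "$4"
}

#######################################
# Write a 1-day self-signed certificate so nginx can start.
# Arguments: $1 - cert path, $2 - key path, $3 - CN (primary domain)
# Returns:   0 on success, 1 if openssl or chmod fails
#######################################
bootstrap_cert() {
  local crt="$1" key="$2" cn="$3"
  mkdir -p "$(dirname "$crt")" "$(dirname "$key")" || return 1
  # umask 077 in a subshell so the key is never world-readable, not even
  # between openssl writing it and the chmod below.
  ( umask 077 && openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
      -keyout "$key" \
      -out "$crt" \
      -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$cn" ) || return 1
  chmod 600 "$key" && chmod 644 "$crt"
}

#######################################
# Request a certificate with certbot and install it into nginx's paths.
# Certificate and key are always installed together: certbot issues a
# fresh private key on each renewal unless --reuse-key is given, so
# copying only the certificate would leave nginx with a mismatched pair.
# Arguments: $1 - nginx cert path, $2 - nginx key path,
#            $3 - primary domain (also the expected lineage dir name),
#            $4 - comma-separated domain list for certbot -d
# Returns:   0 if new files were installed (reload needed), 1 otherwise
#######################################
renew_cert() {
  local crt="$1" key="$2" domain="$3" names="$4"
  local le_crt le_key
  case ",$names," in
    *'*'*|*,_,*)
      # Wildcards need DNS-01 and "_" is nginx's catch-all, not a hostname.
      log "Skipping certbot for '$names': wildcard/catch-all names cannot be issued via webroot."
      return 1 ;;
  esac
  log "Attempting renewal via Certbot..."
  if ! certbot certonly --webroot -w "$WEBROOT" \
      -d "$names" \
      --email "$CERTBOT_EMAIL" \
      --agree-tos \
      --no-eff-email \
      --non-interactive \
      --keep-until-expiring; then
    log "Certbot failed for $domain."
    return 1
  fi
  # certbot names the lineage after the first requested domain; the
  # --cert-name option would override that, which this script does not use.
  le_crt="$LE_LIVE/$domain/fullchain.pem"
  le_key="$LE_LIVE/$domain/privkey.pem"
  if [ ! -f "$le_crt" ] || [ ! -f "$le_key" ]; then
    log "Certbot reported success but $le_crt or $le_key is missing; not installing."
    return 1
  fi
  log "Certbot success. Updating symlinks/files..."
  if install_pair "$le_crt" "$le_key" "$crt" "$key"; then
    log "Files updated. Queuing NGINX reload."
    return 0
  fi
  log "Error: failed to copy certificate files for $domain."
  return 1
}

#######################################
# Walk the nginx configs, bootstrap or renew as needed, reload once.
# Arguments: none (command-line args are ignored)
#######################################
main() {
  local conf crt key names domain reload
  reload=0
  log "Starting check at $(date)..."
  # Ensure the ACME challenge snippet is present in nginx (idempotent).
  "$ACME_SNIPPET" || log "WARNING: $ACME_SNIPPET exited with status $?"

  for conf in "$CONF_DIR"/*.conf; do
    [ -e "$conf" ] || continue
    crt=$(conf_value ssl_certificate "$conf")
    names=$(conf_value server_name "$conf")
    key=$(conf_value ssl_certificate_key "$conf")
    # Configs without TLS or a server name have nothing to renew.
    [ -n "$crt" ] && [ -n "$names" ] || continue
    domain=$(primary_name "$names")

    if [ ! -f "$crt" ]; then
      log "CRT Not Found for $domain. Generating Self-Signed Bootstrap Cert..."
      if [ -z "$key" ]; then
        log "Error: Cannot determine key file path for bootstrap. Skipping."
        continue
      fi
      if bootstrap_cert "$crt" "$key" "$domain"; then
        log "Bootstrap Cert created. Nginx should be able to start."
      else
        log "Error: openssl failed to create bootstrap cert for $domain."
      fi
      continue
    fi

    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -checkend "$EXPIRY_WINDOW" -noout -in "$crt" > /dev/null; then
      log "Cert for $domain is valid."
      continue
    fi
    log "WARNING: Cert for $domain expires soon (or is invalid)!"
    if [ -z "$key" ]; then
      log "Warning: Could not parse ssl_certificate_key from $conf; not renewing (cert and key must be installed together)."
      continue
    fi
    if renew_cert "$crt" "$key" "$domain" "$(comma_join "$names")"; then
      reload=1
    fi
  done

  if [ "$reload" = 1 ]; then
    log "Reloading NGINX..."
    nginx -s reload || log "WARNING: nginx reload failed (status $?)."
  fi
  log "Check complete."
}

main "$@"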