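#!/bin/sh
# SSL Renewal Script
#
# Walks every nginx vhost config, checks the expiry of the certificate it
# references and renews it through certbot when it expires within the
# threshold. Configs whose certificate file does not exist yet receive a
# 1-day self-signed bootstrap certificate so nginx can start at all.
#
# Environment (all optional):
#   CERTBOT_EMAIL    - account e-mail passed to certbot
#   RENEW_THRESHOLD  - seconds before expiry at which renewal starts
#                      (default 259200 = 3 days)
#
# Runs under /bin/sh (POSIX); sed -E is used for extended regexes.

CERTBOT_EMAIL="${CERTBOT_EMAIL:-suporte@itguys.com.br}"
RENEW_THRESHOLD="${RENEW_THRESHOLD:-259200}"
RELOAD_NEEDED=0

# Print a log line with the script's prefix.
log() {
  printf '[SSL-Renew] %s\n' "$*"
}

#######################################
# Print the value of the first uncommented nginx directive in a config.
# Arguments: $1 - config file path, $2 - directive name (e.g. server_name)
# Outputs:   the directive value without the trailing ';' and without any
#            trailing comment; nothing if the directive is absent.
#######################################
nginx_directive() {
  # Anchoring at line start skips commented-out directives; only the text
  # up to the first ';' is captured so trailing comments are dropped.
  sed -nE "s/^[[:space:]]*$2[[:space:]]+([^;]*[^[:space:];])[[:space:]]*;.*/\1/p" "$1" \
    | head -n 1
}

#######################################
# Copy freshly issued Let's Encrypt files into the paths nginx reads.
# Arguments: $1 - domain, $2 - certificate path, $3 - key path (may be empty)
# Returns:   0 when both cert and key were installed, 1 otherwise
#######################################
install_le_files() {
  d=$1
  crt=$2
  key=$3
  le_cert="/etc/letsencrypt/live/$d/fullchain.pem"
  le_key="/etc/letsencrypt/live/$d/privkey.pem"

  if [ ! -f "$le_cert" ] || [ ! -f "$le_key" ]; then
    log "Error: certbot succeeded but $le_cert or $le_key is missing."
    return 1
  fi
  # Never install a cert without its key: nginx would fail to reload on a
  # mismatched pair, so the pair is only touched once both paths are known.
  if [ -z "$key" ]; then
    log "Warning: Could not parse ssl_certificate_key from config. Not installing."
    return 1
  fi

  mkdir -p "$(dirname "$crt")" "$(dirname "$key")" || return 1
  cp "$le_cert" "$crt" || return 1
  chmod 644 "$crt"
  # The private key must not be world-readable; the nginx master process
  # reads it with its own (root) privileges, so 600 is sufficient.
  ( umask 077 && cp "$le_key" "$key" ) || return 1
  chmod 600 "$key"
  return 0
}

#######################################
# Create a 1-day self-signed cert/key pair so nginx can start before the
# first real issuance (the short validity forces renewal on the next run).
# Arguments: $1 - domain, $2 - certificate path, $3 - key path (may be empty)
# Returns:   0 on success, 1 when the key path is unknown or openssl fails
#######################################
bootstrap_self_signed() {
  d=$1
  crt=$2
  key=$3

  if [ -z "$key" ]; then
    log "Error: Cannot determine key file path for bootstrap. Skipping."
    return 1
  fi
  mkdir -p "$(dirname "$crt")" "$(dirname "$key")" || return 1

  # umask 077 keeps the key private from the moment it is written.
  if ! ( umask 077 && openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
          -keyout "$key" \
          -out "$crt" \
          -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$d" ); then
    log "Error: openssl failed to create bootstrap cert for $d."
    return 1
  fi
  chmod 600 "$key"
  chmod 644 "$crt"
  log "Bootstrap Cert created. Nginx should be able to start."
  return 0
}

#######################################
# Entry point: check and renew every vhost, then reload nginx if needed.
# Globals: RELOAD_NEEDED (written), CERTBOT_EMAIL, RENEW_THRESHOLD (read)
#######################################
main() {
  log "Starting check at $(date)..."

  # Ensure ACME snippet is present (idempotent)
  /scripts/inject_acme.sh || log "Warning: inject_acme.sh exited with status $?"

  # Iterate configs to find certs
  for conf in /etc/nginx/conf.d/*.conf; do
    [ -e "$conf" ] || continue

    crt_file=$(nginx_directive "$conf" ssl_certificate)
    key_file=$(nginx_directive "$conf" ssl_certificate_key)
    domain=$(nginx_directive "$conf" server_name)
    # server_name may list several names; certbot is given the first one.
    domain=${domain%%[[:space:]]*}

    # Skip configs without SSL or a domain (e.g. the plain-HTTP ACME vhost)
    if [ -z "$crt_file" ] || [ -z "$domain" ]; then
      continue
    fi

    if [ ! -f "$crt_file" ]; then
      log "CRT Not Found for $domain. Generating Self-Signed Bootstrap Cert..."
      bootstrap_self_signed "$domain" "$crt_file" "$key_file"
      continue
    fi

    # openssl -checkend exits 0 if the cert stays valid for the whole
    # threshold, non-zero if it expires within it (or cannot be parsed).
    if openssl x509 -checkend "$RENEW_THRESHOLD" -noout -in "$crt_file" > /dev/null; then
      log "Cert for $domain is valid."
      continue
    fi

    log "WARNING: Cert for $domain expires soon (or is invalid)!"
    log "Attempting renewal via Certbot..."
    # Attempt non-interactive renewal
    if ! certbot certonly --webroot -w /var/www/certbot \
        -d "$domain" \
        --email "$CERTBOT_EMAIL" \
        --agree-tos \
        --no-eff-email \
        --non-interactive \
        --keep-until-expiring; then
      log "Certbot failed for $domain."
      continue
    fi

    log "Certbot success. Updating symlinks/files..."
    if install_le_files "$domain" "$crt_file" "$key_file"; then
      log "Files updated. Queuing NGINX reload."
      RELOAD_NEEDED=1
    fi
  done

  if [ "$RELOAD_NEEDED" = "1" ]; then
    log "Reloading NGINX..."
    nginx -s reload || log "Error: nginx reload failed."
  fi

  log "Check complete."
}

main "$@"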