NgixProxy_Pathfinder/_backup/scripts/renew_ssl.sh

#!/bin/sh
# SSL Renewal Script
# Checks expiry and attempts renewal if < 3 days

echo "[SSL-Renew] Starting check at $(date)..."

# Ensure ACME snippet is present (idempotent)
/scripts/inject_acme.sh

# Iterate configs to find certs
for conf in /etc/nginx/conf.d/*.conf; do
    [ -e "$conf" ] || continue

    # Extract Cert File
    CRT_FILE=$(grep -E "\s*ssl_certificate\s+" "$conf" | sed -r 's/.*ssl_certificate\s+(.*);/\1/' | head -n 1)

    # Extract Server Name for Certbot
    DOMAIN=$(grep -E "\s*server_name\s+" "$conf" | sed -r 's/.*server_name\s+(.*);/\1/' | head -n 1)

    # Validation: Skip configs without SSL or Domain
    if [ -z "$CRT_FILE" ] || [ -z "$DOMAIN" ]; then
        # echo "[SSL-Renew] Skipping $conf (No SSL/Domain found)"
        continue
    fi

    if [ -f "$CRT_FILE" ]; then
        # Check if cert expires in the next 3 days (259200 seconds)
        # openssl -checkend returns 0 if valid for the duration, 1 if expires
        if openssl x509 -checkend 259200 -noout -in "$CRT_FILE" > /dev/null; then
            echo "[SSL-Renew] Cert for $DOMAIN is valid."
        else
             echo "[SSL-Renew] WARNING: Cert for $DOMAIN expires soon (or is invalid)!"
             echo "[SSL-Renew] Attempting renewal via Certbot..."

             # Attempt non-interactive renewal
             certbot certonly --webroot -w /var/www/certbot \
                -d "$DOMAIN" \
                --email suporte@itguys.com.br \
                --agree-tos \
                --no-eff-email \
                --non-interactive \
                --keep-until-expiring

             if [ $? -eq 0 ]; then
                echo "[SSL-Renew] Certbot success. Updating symlinks/files..."

                LE_CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
                LE_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"

                if [ -f "$LE_CERT" ]; then
                    cp "$LE_CERT" "$CRT_FILE"
                    chmod 644 "$CRT_FILE"

                    # Key file assumption: usually same name but .key/privkey.pem
                    KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
                    if [ -f "$KEY_FILE" ]; then
                        # If key path is found, copy it
                        cp "$LE_KEY" "$KEY_FILE"
                        chmod 644 "$KEY_FILE"
                    else
                        # Fallback: try to derive key path from cert path if variable is empty
                        # (This handles edge cases where parsing failed but cert existed)
                        echo "[SSL-Renew] Warning: Could not parse ssl_certificate_key from config."
                    fi

                    echo "[SSL-Renew] Files updated. Queuing NGINX reload."
                    RELOAD_NEEDED=1
                fi
             else
                echo "[SSL-Renew] Certbot failed for $DOMAIN."
             fi
        fi
    else
        echo "[SSL-Renew] CRT Not Found for $DOMAIN. Generating Self-Signed Bootstrap Cert..."

        # Ensure dir exists
        mkdir -p "$(dirname "$CRT_FILE")"

        KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)

        if [ -z "$KEY_FILE" ]; then
           echo "[SSL-Renew] Error: Cannot determine key file path for bootstrap. Skipping."
           continue
        fi

        mkdir -p "$(dirname "$KEY_FILE")"

        # Generate minimal self-signed cert valid for 1 day (forces renewal next run)
        openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
          -keyout "$KEY_FILE" \
          -out "$CRT_FILE" \
          -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"

        chmod 644 "$KEY_FILE" "$CRT_FILE"

        echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
    fi
done

if [ "$RELOAD_NEEDED" = "1" ]; then
    echo "[SSL-Renew] Reloading NGINX..."
    nginx -s reload
fi

echo "[SSL-Renew] Check complete."