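#!/bin/sh
# Renewal script for the Buypass Go SSL certificate of one service
# (certbot with the RFC 2136 dynamic-DNS challenge).
# Copyright 2021 Alarig Le Lay
# Released under the 2-clause BSD license.
#
# Usage: renew_cert.sh SERVICE DOMAIN
#   SERVICE  name of the directory under /etc/ssl holding the key/CSR/certs,
#            and of the OpenRC service reloaded once the new certificate is
#            installed (inspircd is signalled with SIGUSR1 instead).
#   DOMAIN   basename of the .csr/.crt files inside that directory.
#
# Exit status: 0 when a certificate was renewed and the service reloaded;
# 1 when the arguments are bad, the current certificate is still valid for
# more than a month (kept from the original behaviour, so cron callers must
# not treat 1 as an error by itself), or the renewal failed; the reload
# command's own status when the certificate was installed but the reload
# failed (the backup directory is then left in place for inspection).
#
# Bootstrapping the mess:
# Create the key used to authenticate to the ACME service
# openssl genrsa -out account.key 4096
# Create the CSR and the private key
# openssl req -nodes -newkey rsa:4096 -sha256 -keyout \
#   bulbizarre.swordarmor.fr.key -out bulbizarre.swordarmor.fr.csr
# Issue the certificate
# ./acme_tiny.py --account-key ../account.key --csr \
#   ../bulbizarre.swordarmor.fr.csr --acme-dir /var/www/le-challenges/ > \
#   ../signed.crt

set -u

base_dir='/etc/ssl'
credentials='/usr/local/src/renew_cert/rfc2136.conf'
# Renew when fewer than 2678400 s (31 days) of validity remain, which is what
# the "valid for more than a month" message below refers to.
min_validity=2678400
# Evaluated once so that a run crossing midnight uses the same date for the
# backup directory, the renamed files and the final cleanup.
today="$(date +%F)"

# Print a message on stderr followed by a newline. The message is passed as a
# printf argument, never as the format string, so a '%' in a path is printed
# literally instead of being taken as a conversion.
_write_err () {
	printf '%s\n' "$1" >&2
}

# Accept only plain names. SERVICE and DOMAIN are spliced into paths under
# $base_dir and onto the rc-service command line, so anything containing a
# slash, '..', a leading '-' or '.', whitespace or a shell-significant
# character is refused rather than allowed to escape the service directory.
_safe_name () {
	case "$1" in
		''|-*|.*|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
	esac
	return 0
}

# Put the previous certificate files back in place after a failed renewal.
# Reads the globals cert, chain, fullchain and today.
_restore_previous () {
	[ -e "$cert.bak-$today" ] && mv -- "$cert.bak-$today" "$cert"
	[ -e "$chain-$today" ] && mv -- "$chain-$today" "$chain"
	[ -e "$fullchain-$today" ] && mv -- "$fullchain-$today" "$fullchain"
	return 0
}

if [ $# -ne 2 ]; then
	_write_err "Paramètre manquant"
	_write_err "$0 \$service \$domain"
	exit 1
fi

service="$1"
domain="$2"

if ! _safe_name "$service" || ! _safe_name "$domain"; then
	_write_err "Nom de service ou de domaine invalide : $service / $domain"
	exit 1
fi

service_dir="$base_dir/$service"
cert="$service_dir/$domain.crt"
csr="$service_dir/$domain.csr"
chain="$service_dir/$domain.intermediate.crt"
fullchain="$service_dir/$domain.chained.crt"
backup_dir="$base_dir/$service-$today"

# Nothing to do while the current certificate stays valid for more than
# $min_validity seconds. A missing or unreadable file makes -checkend fail,
# which correctly leads to a (re)issuance attempt.
if openssl x509 -checkend "$min_validity" -noout -in "$cert"; then
	printf '%s est valide pour plus d’un mois\n' "$cert"
	exit 1
fi

if [ ! -f "$csr" ]; then
	_write_err ".csr introuvable : $csr"
	exit 1
fi

# Full copy of the service directory, kept until the reload has succeeded.
# A directory left over from an earlier failed run is not reused: cp -r would
# nest the new copy inside it and the final rm -r would then wipe both.
if [ -e "$backup_dir" ]; then
	_write_err "Sauvegarde déjà présente, vérifier l’état du dossier : $backup_dir"
	exit 1
fi
if ! cp -r -- "$service_dir" "$backup_dir"; then
	_write_err "Erreur de sauvegarde du dossier $service_dir"
	exit 1
fi

# Set the current files aside (on a first issuance they may not exist yet).
[ -e "$cert" ] && mv -- "$cert" "$cert.bak-$today"
[ -e "$fullchain" ] && mv -- "$fullchain" "$fullchain-$today"
[ -e "$chain" ] && mv -- "$chain" "$chain-$today"

# certbot leaves its numbered output files (0000_chain.pem, ...) in the
# current directory, so work from a fresh private directory rather than from
# whatever cwd cron or the operator happens to be in: a 0000_chain.pem
# pre-planted in a shared directory would otherwise be installed under
# /etc/ssl as the chained certificate.
workdir="$(mktemp -d)" || {
	_write_err "mktemp a échoué"
	_restore_previous
	exit 1
}
trap 'rm -rf -- "${workdir:?}"' EXIT
cd "$workdir" || {
	_write_err "Impossible d’entrer dans $workdir"
	_restore_previous
	exit 1
}

# certbot's exit status is non-zero here even when it succeeds (as observed
# by the author), so it is ignored; success is judged on the files produced.
certbot certonly \
	--dns-rfc2136 \
	--dns-rfc2136-credentials "$credentials" \
	--dns-rfc2136-propagation-seconds 30 \
	--csr "$csr" \
	--cert-path "$cert" \
	--chain-path "$chain"

# The chained certificate is picked up from certbot's working-directory output
# and must at least parse as a certificate before the service is reloaded;
# otherwise the previous files are put back so the service keeps working.
if ! mv -- 0000_chain.pem "$fullchain" \
	|| ! openssl x509 -noout -in "$fullchain" >/dev/null; then
	_write_err "certbot n’a pas produit de certificat, restauration de $service_dir"
	_restore_previous
	exit 1
fi

if [ "$service" = "inspircd" ]; then
	# inspircd is signalled directly with the pid from its pid file. Only a
	# plain number is accepted: an empty or negative value would turn the
	# kill into 'kill -USR1 -1' and signal every process on the host.
	ircd_pid="$(cat /run/inspircd/inspircd.pid 2>/dev/null)"
	case "$ircd_pid" in
		''|*[!0-9]*)
			_write_err "PID inspircd invalide : '$ircd_pid'"
			false
			;;
		*)
			kill -USR1 "$ircd_pid"
			;;
	esac
else
	rc-service "$service" reload
fi
reload_status=$?

# The backup directory is only dropped once the service picked up the new
# certificate; on a failed reload it stays for the operator to inspect.
if [ "$reload_status" -eq 0 ]; then
	rm -r -- "${backup_dir:?}"
fi

exit "$reload_status"

# Reference: checking which intermediate a certificate verifies against
# (error 20 = "unable to get local issuer certificate", i.e. wrong CA file).
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x1-cross-signed.pem
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: CN = akilina.swordarmor.fr
# error 20 at 0 depth lookup:unable to get local issuer certificate
# bulbizarre ~ # echo $?
# 2
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x3-cross-signed.pem
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: OK
# bulbizarre ~ # echo $?
# 0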