alarig/renew_cert
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
renew_cert/renew_cert_dns.sh
Alarig Le Lay 9fda2b204f rfc2136: add support
2023-10-29 12:07:20 +01:00

90 lines
2.7 KiB
Bash
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/sh
# Script de renouvellement de certificat buypass go ssl
# Copyright 2021 Alarig Le Lay <alarig@swordarmor.fr>
# Released under the 2-clause BSD license.
# Bootstrap du bordel :
# Création de la clé dauthentification au service ACME
# openssl genrsa -out account.key 4096
# Création du CSR et de la clé privée
# openssl req -nodes -newkey rsa:4096 -sha256 -keyout \
# bulbizarre.swordarmor.fr.key -out bulbizarre.swordarmor.fr.csr
# Génératon du cerificat
# ./acme_tiny.py --account-key ../account.key --csr \
# ../bulbizarre.swordarmor.fr.csr --acme-dir /var/www/le-challenges/ > \
# ../signed.crt
service="$1"
domain="$2"
base_dir='/etc/ssl'
certok=0
_write_err () {
>&2 printf "$1"
}
if [ $# != 2 ]; then
_write_err "Paramètre manquant\n"
_write_err "$0 \$service \$domain\n"
exit 1
fi
# 2592000 secondes correspondent à 30 jour
openssl x509 -checkend 2678400 -noout -in $base_dir/$service/${domain}.crt
if [ $? = 0 ]; then
printf "$base_dir/$service/${domain}.crt est valide pour plus dun "
printf "mois\n"
exit 1
fi
if [ ! -f "$base_dir/$service/${domain}.csr" ]; then
_write_err ".csr introuvable : $base_dir/$service/${domain}.csr\n"
exit 1
fi
# sauvegarde du dossier actuel
cp -r "$base_dir/$service" "$base_dir/$service-$(date +%F)"
if [ $? != 0 ]; then
_write_err "Erreur de sauvegarde du dossier $base_dir/$service\n"
exit 1
fi
mv $base_dir/$service/$domain.crt $base_dir/$service/$domain.crt.bak-$(date +%F)
mv $base_dir/$service/$domain.chained.crt $base_dir/$service/$domain.chained.crt-$(date +%F)
mv $base_dir/$service/$domain.intermediate.crt $base_dir/$service/$domain.intermediate.crt-$(date +%F)
certbot certonly \
--dns-rfc2136 \
--dns-rfc2136-credentials /usr/local/src/renew_cert/rfc2136.conf \
--dns-rfc2136-propagation-seconds 30 \
--csr /etc/ssl/$service/$domain.csr \
--cert-path /etc/ssl/$service/$domain.crt \
--chain-path /etc/ssl/$service/$domain.intermediate.crt
# on peut pas tester le code de retour, il est != 0 même quand ça marche…
mv 0000_chain.pem /etc/ssl/$service/$domain.chained.crt
if [ "${service}" = "inspircd" ]; then
kill -USR1 $(cat /run/inspircd/inspircd.pid)
else
rc-service $service reload
fi
if [ $? = 0 ]; then
rm -r "$base_dir/$service-$(date +%F)"
fi
exit 0
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x1-cross-signed.pem
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: CN = akilina.swordarmor.fr
# error 20 at 0 depth lookup:unable to get local issuer certificate
# bulbizarre ~ # echo $?
# 2
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x3-cross-signed.pem
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: OK
# bulbizarre ~ # echo $?
# 0
Reference in a new issue View git blame Copy permalink