Skip to content

Instantly share code, notes, and snippets.

@Chaz6

Chaz6/update-ssl-certs.bash

Last active April 25, 2020 17:57
Show Gist options
  • Save Chaz6/1125b92b35f7f19fefbbd9fbf5a6004e to your computer and use it in GitHub Desktop.
Save Chaz6/1125b92b35f7f19fefbbd9fbf5a6004e to your computer and use it in GitHub Desktop.
Download ZIP
Script to update ssl certificates for nginx, unifi and weechat using certbot and systemd
Raw
update-ssl-certs.bash
#!/bin/bash
UNIFI_DOMAIN="unifi.example.com"
WEECHAT_DOMAIN="weechat.example.com"
WEECHAT_USER="username"
DOMAIN_LIST="$UNIFI_DOMAIN $WEECHAT_DOMAIN www.example.com"
########################################################################
#
# Program header
#
########################################################################
CAT=/bin/cat
CERTBOT=/usr/bin/certbot
CHMOD=/usr/bin/chmod
CHOWN=/usr/bin/chown
FIND=/usr/bin/find
KEYTOOL=/bin/keytool
OPENSSL=/usr/bin/openssl
RM=/bin/rm
SU=/usr/bin/su
SYSTEMCTL=/bin/systemctl
TEST=/usr/bin/test
TOUCH=/usr/bin/touch
WHOAMI=/usr/bin/whoami
for command in CAT CERTBOT CHMOD CHOWN FIND KEYTOOL OPENSSL RM SU SYSTEMCTL TEST TOUCH WHOAMI
do
if [ ! -f ${!command} ]
then
echo "Please install ${!command}"
exit 1
fi
done
if [ "$(${WHOAMI})" != "root" ]; then
echo "Script must be run as root!"
exit 1
fi
########################################################################
#
# Renew certificates using certbot
#
########################################################################
${CERTBOT} renew
########################################################################
#
# Update nginx certificates
#
########################################################################
reload_nginx=0
for domain in ${DOMAIN_LIST}
do
if ${TEST} $(${FIND} /etc/letsencrypt/live/${domain}/cert.pem -mmin -60)
then
if [ ! -f /etc/nginx/ssl/${domain}_ssl.pem ]
then
${TOUCH} /etc/nginx/ssl/${domain}_ssl.pem
${CHOWN} nginx:nginx /etc/nginx/ssl/${domain}_ssl.pem
${CHMOD} 0600 /etc/nginx/ssl/${domain}_ssl.pem
${TOUCH} /etc/nginx/ssl/${domain}_fullchain.pem
${CHOWN} nginx:nginx /etc/nginx/ssl/${domain}_fullchain.pem
${CHMOD} 0600 /etc/nginx/ssl/${domain}_fullchain.pem
fi
${CAT} /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /etc/nginx/ssl/${domain}_ssl.pem
${CAT} /etc/letsencrypt/live/${domain}/fullchain.pem > /etc/nginx/ssl/${domain}_fullchain.pem
reload_nginx=1
fi
done
if [ $reload_nginx -ne 0 ]
then
${SYSTEMCTL} reload nginx.service
fi
########################################################################
#
# Update weechat certificates
#
########################################################################
if test $(${FIND} /etc/letsencrypt/live/${WEECHAT_DOMAIN}/cert.pem -mmin -60)
then
${CAT} /etc/letsencrypt/live/${WEECHAT_DOMAIN}/cert.pem /etc/letsencrypt/live/${WEECHAT_DOMAIN}/privkey.pem > /home/${WEECHAT_USER}/.weechat/ssl/${WEECHAT_DOMAIN}_ssl.pem
${CAT} /etc/letsencrypt/live/${WEECHAT_DOMAIN}/fullchain.pem > /home/${WEECHAT_USER}/.weechat/ssl/${WEECHAT_DOMAIN}_fullchain.pem
${SU} -c 'echo "*/relay sslcertkey" > /home/${WEECHAT_USER}/.weechat/weechat_fifo_*' ${WEECHAT_USER}
fi
########################################################################
#
# Update unifi certificates
#
########################################################################
if test $(${FIND} /etc/letsencrypt/live/${UNIFI_DOMAIN}/cert.pem -mmin -60)
then
${SYSTEMCTL} stop unifi.service
${OPENSSL} \
pkcs12 \
-export \
-inkey /etc/letsencrypt/live/${UNIFI_DOMAIN}/privkey.pem \
-in /etc/letsencrypt/live/${UNIFI_DOMAIN}/fullchain.pem \
-out /tmp/${UNIFI_DOMAIN}.p12 \
-name ubnt \
-password pass:temppass
${KEYTOOL} \
-importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /opt/UniFi/data/keystore \
-srckeystore /tmp/${UNIFI_DOMAIN}.p12 \
-srcstoretype PKCS12 \
-srcstorepass temppass \
-alias ubnt \
-noprompt
${RM} -f /tmp/${UNIFI_DOMAIN}.p12
${SYSTEMCTL} start unifi.service
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment