Set up a TLS certificate with certbot's standalone HTTP-01 responder, then install a daily cron job that renews it.
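#!/bin/bash
# Obtain a Let's Encrypt certificate for $DOMAIN and www.$DOMAIN using certbot's
# standalone HTTP-01 responder on port 8080 (with port 80 redirected to it via
# iptables for the duration of the run), build a combined key+chain file, and
# install a daily cron job that renews the certificate the same way.
#
# Required environment:
#   DOMAIN       apex hostname to certify. It is spliced into file names under
#                /etc/letsencrypt and /etc/cron.daily and into the generated
#                cron script, so it is validated as a plain hostname below.
# Optional environment:
#   CERTBOT_REF  git tag or commit to check out in the cloned certbot repo.
#                Unset means the clone's default HEAD is used (unpinned).
#
# Must run as root on a yum/RHEL-family host with the iptables service running.
# Options are set with `set` rather than on the shebang so they also apply
# when the script is started as `bash setup.sh`.
set -eux

# Print a red diagnostic to stderr and exit 1. tput failures (no TERM, no tty)
# are ignored so the message is still printed under `set -e`.
die() {
  tput setaf 1 2>/dev/null || true
  printf '%s' "$1" >&2
  tput sgr0 2>/dev/null || true
  exit 1
}

# Read DOMAIN with a default so an unset variable reaches the friendly message
# instead of tripping `set -u`.
if [ -z "${DOMAIN:-}" ]; then
  die $'\n\nDOMAIN parameter needed by the apache-virthost module.\n\n'
fi

# Reject anything that is not a hostname (labels of letters, digits and
# hyphens separated by dots). A DOMAIN containing "/", "..", whitespace or
# shell metacharacters would otherwise become a path component and be
# expanded verbatim into the generated cron script.
host_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if ! [[ "${DOMAIN}" =~ $host_re ]]; then
  die $'\n\nDOMAIN must be a hostname (letters, digits, dots and hyphens only).\n\n'
fi

# Install git (plus the helpers this host image installs alongside it).
yum --quiet --assumeyes install wget git rsync perl-Git perl-Error

# Start from a clean slate: drop any earlier certbot/letsencrypt checkouts and
# the per-user certbot state. `rm -rf` is a no-op on missing paths, so the
# existence checks are unnecessary; `${HOME:?}` aborts rather than expanding
# to "/.local/..." if HOME is empty.
rm -rf /opt/letsencrypt/ /opt/certbot/ /opt/eff.org/
rm -rf "${HOME:?}/.local/share/letsencrypt"

# The iptables rules below are what expose the standalone responder, so refuse
# to continue without the service. This is written as a condition: the
# `cmd; if [ "$?" != 0 ]` form never reached its message under `set -e`.
if ! service iptables status &>/dev/null; then
  die $'\n\nThe iptables service isn\'t running. Exiting.\n\n'
fi

# Clone certbot. NOTE(review): this runs code from an upstream checkout as
# root; set CERTBOT_REF to a release tag/commit to pin what gets executed.
git clone https://github.com/certbot/certbot /opt/certbot
if [ -n "${CERTBOT_REF:-}" ]; then
  (cd /opt/certbot && git checkout "${CERTBOT_REF}")
fi

# Accept new TCP connections on 8080 and redirect inbound port 80 to it.
open_http01_port() {
  iptables -I INPUT 3 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
  iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
}

# Undo open_http01_port. Each delete is tolerant of an already-missing rule so
# that, when this runs from the EXIT trap after a partial failure, both rules
# are still attempted.
close_http01_port() {
  iptables -D PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080 || true
  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT || true
}

# Expose the responder only while certbot runs. The EXIT trap guarantees the
# firewall hole is closed even if certbot fails or the script is interrupted;
# the original only removed the rules on the success path, and `set -e`
# skipped them on any error.
open_http01_port
trap close_http01_port EXIT
/opt/certbot/certbot-auto certonly --standalone --http-01-port 8080 --non-interactive --agree-tos --rsa-key-size 4096 --email "hostmaster@${DOMAIN}" -d "${DOMAIN},www.${DOMAIN}"
# To add more domains later, rerun with --expand, e.g.:
# /opt/certbot/certbot-auto certonly --standalone --http-01-port 8080 --non-interactive --agree-tos --expand --rsa-key-size 4096 --email "hostmaster@${DOMAIN}" -d "${DOMAIN},www.${DOMAIN}"
close_http01_port
trap - EXIT

# Some daemons want the private key and the chain in a single file. Create the
# file with mode 0600 *before* writing the key into it: the original wrote it
# under the default umask and chmod'ed afterwards, leaving a window in which
# the private key could be readable by other local users.
live="/etc/letsencrypt/live/${DOMAIN}"
install -m 0600 /dev/null "${live}/combined.pem"
cat "${live}/privkey.pem" "${live}/fullchain.pem" > "${live}/combined.pem"
chmod 600 "${live}/combined.pem"

# Ask certbot to renew once the certificate has 60 days of validity left.
sed -i -e "s/.*renew_before_expiry.*/renew_before_expiry = 60 days/g" "/etc/letsencrypt/renewal/${DOMAIN}.conf"

# Generate the daily renewal job. ${DOMAIN} is expanded now (it was validated
# above); `\$...` forms are left for the cron script's own runtime.
# NOTE(review): Debian's run-parts skips cron.daily entries whose names
# contain dots; this naming is fine on the RHEL-family hosts this yum-based
# script targets.
cat <<EOF > "/etc/cron.daily/certbot.${DOMAIN}"
#!/bin/bash
# Daily Let's Encrypt renewal for ${DOMAIN} (generated by the setup script).
CODE=0

# Wait up to 60 minutes so renewals across many hosts don't fire at once.
sleep \$((RANDOM % 3600))

# Remove the temporary firewall rules; tolerant of rules that are already
# gone so both deletes are attempted from the EXIT trap.
cleanup() {
  iptables -D PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080 || true
  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT || true
}

# Expose the standalone responder only while certbot runs; the trap closes
# the hole even if certbot fails or this job is interrupted.
iptables -I INPUT 3 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
trap cleanup EXIT
/opt/certbot/certbot-auto renew --quiet --non-interactive --cert-name "${DOMAIN}" || CODE=1
cleanup
trap - EXIT

# Rebuild the combined key+chain file with mode 0600 set before the key is
# written, so the private key is never momentarily readable by others.
if [ "\$CODE" = 0 ]; then
  LIVE="/etc/letsencrypt/live/${DOMAIN}"
  install -m 0600 /dev/null "\$LIVE/combined.pem" || CODE=1
  cat "\$LIVE/privkey.pem" "\$LIVE/fullchain.pem" > "\$LIVE/combined.pem" || CODE=1
fi

# Reload Apache (if installed) so it picks up the new certificate.
if [ "\$CODE" = 0 ] && [ -f /etc/init.d/httpd ]; then
  service httpd reload &>/dev/null
fi

# Report failure to run-parts/cron instead of always exiting 0 as the
# original did, so a broken renewal is not silent.
exit "\$CODE"
EOF
chmod +x "/etc/cron.daily/certbot.${DOMAIN}"
# SELinux: label the generated script bin_t (presumably so crond may execute it
# under the targeted policy — confirm against the host's policy).
chcon "unconfined_u:object_r:bin_t:s0" "/etc/cron.daily/certbot.${DOMAIN}"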