45 lines
1.4 KiB
Bash
Executable File
45 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/bash
|
|
set -o nounset
|
|
|
|
WORKDIR=$(dirname "$(realpath $0)")
|
|
EMAIL="mail@mail.ru"
|
|
|
|
### cron
|
|
# check that the cert will last at least 2 days from now to prevent too frequent renewal
|
|
# comment out this line for the first run
|
|
if [ "${1:-renew}" != "--first-time" ]
|
|
then
|
|
start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
|
|
now_timestamp=`date +%s`
|
|
let diff=($now_timestamp-$start_timestamp)/86400
|
|
if [ "$diff" -lt "2" ]; then
|
|
echo "Certificate is actuality"
|
|
exit 0
|
|
fi
|
|
fi
|
|
cd "$WORKDIR"
|
|
# cert renewal is needed if we reached this line
|
|
|
|
# cleanup
|
|
rm -f "$WORKDIR"/*.pem
|
|
rm -f "$WORKDIR"/httpd-csr.*
|
|
|
|
# generate CSR
|
|
OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
|
|
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
|
|
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
|
|
|
|
# httpd process prevents letsencrypt from working, stop it
|
|
service httpd stop
|
|
|
|
# get a new cert
|
|
letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
|
|
|
|
# replace the cert
|
|
cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
|
|
mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
|
|
restorecon -v /var/lib/ipa/certs/httpd.crt
|
|
|
|
# start httpd with the new cert
|
|
service httpd start
|