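#!/bin/bash
# Request or renew a Let's Encrypt certificate (standalone HTTP-01 only) and
# then run the per-service reload scripts so the consumers pick up the new
# certificate. Intended to be run periodically (e.g. from cron).
#
# Exit status:
#   0   the certificate is still valid, or it was (re)issued and every
#       reload script succeeded
#   N   the certbot exit status when the certificate request fails
#   1   when at least one reload script fails
#
# All {{ ... }} placeholders are rendered by Ansible before the script is
# installed.

# Fail on unset variables. `set -e` is deliberately NOT used: the expiry
# check below is expected to return non-zero on the renewal path.
set -u

# Seconds before expiry at which a renewal is attempted (openssl -checkend).
RENEW_BEFORE="{{ letsencrypt_renew_before }}"
# NOTE: intentionally unquoted when invoked below, in case the role renders
# this as a command plus options rather than a bare path — confirm.
LETSENCRYPT_BIN={{ letsencrypt_auto }}
LE_CERT_DIR="{{ letsencrypt_certs_dir }}"
LE_SERVICES_SCRIPT_DIR="{{ letsencrypt_services_scripts_dir }}"
LOG_DIR="{{ letsencrypt_logdir }}"
LOG_FILE="$LOG_DIR/letsencrypt_request.log"
RETVAL=0
SCRIPT_FAILED=0

# Append one line to the request log.
log() {
  printf '%s\n' "$*" >> "$LOG_FILE"
}

# An existing cert.pem means this is a renewal; otherwise it is a first request.
# `openssl x509 -checkend N` exits 0 when the certificate is still valid for at
# least N more seconds, in which case there is nothing to do. Its stdout
# message is not needed, only the exit status.
if [ -f "$LE_CERT_DIR/cert.pem" ]; then
  if openssl x509 -checkend "$RENEW_BEFORE" -noout -in "$LE_CERT_DIR/cert.pem" >/dev/null; then
    log "The certificate is still valid"
    exit 0
  fi
fi

# First request and renewal use the same command. Only the standalone method
# is supported right now, so certbot must be able to bind the HTTP-01 port.
# shellcheck disable=SC2086 -- see the note on LETSENCRYPT_BIN above
$LETSENCRYPT_BIN certonly --http-01-port "{{ letsencrypt_standalone_port }}" --config /etc/letsencrypt/cli.ini >> "$LOG_FILE" 2>&1
RETVAL=$?
if [ "$RETVAL" -ne 0 ]; then
  # No new certificate was written, so there is nothing for the services to
  # reload; surface the failure instead of silently exiting 0.
  log "Certificate request failed with exit status $RETVAL"
  exit "$RETVAL"
fi

# Run every executable regular file in the services directory so the involved
# services load the new certificate. A glob is used instead of parsing `ls`,
# and the script is invoked by its full path: a bare file name would be
# resolved via $PATH / the current working directory rather than this
# directory. These scripts run with the privileges of whoever runs this
# script, so the directory must only be writable by trusted users.
for script in "$LE_SERVICES_SCRIPT_DIR"/*; do
  if [ -f "$script" ] && [ -x "$script" ]; then
    log "Running $script"
    "$script" >> "$LOG_FILE" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
      log "$script failed with exit status $rc"
      SCRIPT_FAILED=1
    fi
  fi
done

if [ "$SCRIPT_FAILED" -ne 0 ]; then
  exit 1
fi

exit 0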