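#!/bin/bash
# Request or renew the Let's Encrypt certificate for the configured domains,
# then run the per-service reload hooks so they pick up the new certificate.
#
# This file is an Ansible template: every {{ ... }} token is substituted at
# deploy time, before the script is ever executed.
#
# Flow:
#   1. If cert.pem exists and openssl reports it still valid for at least
#      RENEW_BEFORE seconds, log that and exit 0 without contacting the CA.
#   2. Otherwise run the client with `certonly` (no certificate yet) or
#      `renew` (certificate present), using the standalone http-01 method.
#   3. Run every executable file in LE_SERVICES_SCRIPT_DIR.
#
# All diagnostics and client output are appended to
# $LOG_DIR/letsencrypt_request.log.
#
# Exit status: 0 when the certificate is still valid or the client succeeded,
# otherwise the client's own exit status (so cron / monitoring can notice a
# failed request instead of always seeing 0).

set -u

readonly RENEW_BEFORE="{{ letsencrypt_renew_before }}"  # seconds, fed to openssl -checkend
readonly LETSENCRYPT_BIN="{{ letsencrypt_auto }}"
readonly LE_CERT_DIR="{{ letsencrypt_certs_dir }}"
readonly LE_SERVICES_SCRIPT_DIR="{{ letsencrypt_services_scripts_dir }}"
readonly LOG_DIR="{{ letsencrypt_logdir }}"
readonly STANDALONE_PORT="{{ letsencrypt_standalone_port }}"
readonly LOG_FILE="$LOG_DIR/letsencrypt_request.log"
readonly CERT_FILE="$LE_CERT_DIR/cert.pem"

# Whitespace-separated list of domain names; each becomes a `-d` argument.
DOMAINS="{{ letsencrypt_domains }}"

ACTION=certonly
RETVAL=0

#######################################
# Append one message line to the request log.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >> "$LOG_FILE"
}

# If a certificate already exists this is a renewal, not a first request.
# `openssl x509 -checkend` exits 0 when the certificate is still valid for
# RENEW_BEFORE more seconds; any other status (expiring, or unreadable
# certificate) makes us go through the renewal path.
if [[ -f "$CERT_FILE" ]]; then
  if openssl x509 -checkend "$RENEW_BEFORE" -noout -in "$CERT_FILE" \
      >/dev/null 2>>"$LOG_FILE"; then
    log "The certificate is still valid"
    exit 0
  fi
  ACTION=renew
fi

# Build the `-d` arguments as an array so each domain stays one argument.
# Only `certonly` takes the domain list; `renew` reuses the stored config.
DOMAIN_ARGS=()
if [[ "$ACTION" == "certonly" ]]; then
  read -r -a domain_list <<<"$DOMAINS"
  for dom in "${domain_list[@]}"; do
    DOMAIN_ARGS+=(-d "$dom")
  done
fi

# Ask for a new certificate. First request and renewal take the same path;
# only the standalone http-01 method is supported right now.
# "${DOMAIN_ARGS[@]+"${DOMAIN_ARGS[@]}"}" expands to nothing when the array
# is empty without tripping `set -u` on older bash.
"$LETSENCRYPT_BIN" "$ACTION" ${DOMAIN_ARGS[@]+"${DOMAIN_ARGS[@]}"} \
  --http-01-port "$STANDALONE_PORT" \
  --config /etc/letsencrypt/cli.ini >> "$LOG_FILE" 2>&1 || RETVAL=$?

if (( RETVAL != 0 )); then
  log "letsencrypt $ACTION failed with status $RETVAL"
fi

# Run the reconfiguration scripts so the involved services load the new
# certificate. Every executable regular file in the directory is run with
# this script's privileges, so the directory and its contents must only be
# writable by the account that deploys them.
shopt -s nullglob
for hook in "$LE_SERVICES_SCRIPT_DIR"/*; do
  [[ -f "$hook" && -x "$hook" ]] || continue
  log "Running $hook"
  "$hook" >> "$LOG_FILE" 2>&1 || log "$hook exited with status $?"
done

exit "$RETVAL"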