snippets/nginx-proxy-manager/site-ssl

48 lines
1.8 KiB
Plaintext
Raw Normal View History

2024-01-07 12:01:42 +01:00
#!/usr/bin/env bash
# Domain specifies the site for withc you download the certs
DOMAIN="site.example.com"
# Bucket is the source for the cert
BUCKET="https://minio.example.com/certs"
# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box
# for other services the download path must be changed acordingly.
# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service
SERVICE="nginx"
MAXWAIT=30
# Put this in crontab for every 12 hours
# Assuming Apache, and that your private key and certificate are located in
# - /etc/apache2/privkey.pem
# - /etc/apache2/fullchain.pem , respectively
#set -euf -o pipefail
sleep $((RANDOM % MAXWAIT))
# Create teh needed Directory in the Service Config Directory
mkdir -p /etc/$SERVICE/ssl
# Download the latest certificate to a temporarily location so we can check validity
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx
# Verify the certificate is valid for our existing key (should be)
MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5`
MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5`
if [ "$MOD_CRT" != "$MOD_KEY" ]; then
echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
#exit 1
fi
# Deploy the certificate and graceful reload
echo "New certificate: " `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer`
systemctl reload $SERVICE