48 lines
1.8 KiB
Plaintext
48 lines
1.8 KiB
Plaintext
|
#!/usr/bin/env bash
|
||
|
|
||
|
# Domain specifies the site for withc you download the certs
|
||
|
DOMAIN="site.example.com"
|
||
|
|
||
|
# Bucket is the source for the cert
|
||
|
BUCKET="https://minio.example.com/certs"
|
||
|
|
||
|
# Service is the service that needs to be restarted for nginx apache2 postfix ... this script works out of the box
|
||
|
# for other services the download path must be changed acordingly.
|
||
|
# std for my preferred setup is the certs for the service is in a ssl folder in the config dir for the service
|
||
|
SERVICE="nginx"
|
||
|
|
||
|
MAXWAIT=30
|
||
|
|
||
|
# Put this in crontab for every 12 hours
|
||
|
# Assuming Apache, and that your private key and certificate are located in
|
||
|
# - /etc/apache2/privkey.pem
|
||
|
# - /etc/apache2/fullchain.pem , respectively
|
||
|
|
||
|
#set -euf -o pipefail
|
||
|
|
||
|
sleep $((RANDOM % MAXWAIT))
|
||
|
|
||
|
# Create teh needed Directory in the Service Config Directory
|
||
|
mkdir -p /etc/$SERVICE/ssl
|
||
|
|
||
|
# Download the latest certificate to a temporarily location so we can check validity
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.fullchain $BUCKET/$DOMAIN.fullchain
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.chain $BUCKET/$DOMAIN.chain
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.crt $BUCKET/$DOMAIN.crt
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.key $BUCKET/$DOMAIN.key
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pem $BUCKET/$DOMAIN.pem
|
||
|
curl -s -o /etc/$SERVICE/ssl/$DOMAIN.pfx $BUCKET/$DOMAIN.pfx
|
||
|
|
||
|
|
||
|
# Verify the certificate is valid for our existing key (should be)
|
||
|
MOD_CRT=`openssl x509 -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.crt | openssl md5`
|
||
|
MOD_KEY=`openssl rsa -modulus -noout -in /etc/$SERVICE/ssl/$DOMAIN.key | openssl md5`
|
||
|
if [ "$MOD_CRT" != "$MOD_KEY" ]; then
|
||
|
echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
|
||
|
#exit 1
|
||
|
fi
|
||
|
|
||
|
# Deploy the certificate and graceful reload
|
||
|
echo "New certificate: " `openssl x509 -in /etc/$SERVICE/ssl/$DOMAIN.fullchain -noout -subject -dates -issuer`
|
||
|
|
||
|
systemctl reload $SERVICE
|