34 lines
1.0 KiB
Bash
34 lines
1.0 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
# script is run once per domain after successful renewal with these vars available:
|
||
|
# $RENEWED_LINEAGE=/etc/letsencrypt/live/example.com
|
||
|
# $RENEWED_DOMAINS="example.com www.example.com"
|
||
|
|
||
|
# makes sure vars were passed and LE cert exits
|
||
|
if [ ! -n "$RENEWED_LINEAGE" ]; then
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
if [ ! -f "$RENEWED_LINEAGE/fullchain.pem" ]; then
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
if [ ! -d "/etc/ssl/letsencrypt" ]; then
|
||
|
install --owner=root --group=ssl-cert --mode=750 --directory /etc/ssl/letsencrypt
|
||
|
fi
|
||
|
|
||
|
DOMAIN=`basename $RENEWED_LINEAGE`
|
||
|
PEM="/etc/ssl/letsencrypt/$DOMAIN.pem"
|
||
|
|
||
|
# If the file doesn't already exist first create empty file with correct ownership and
|
||
|
# permissions. Thus the copied cert is *never* world readable, not even for an instant.
|
||
|
if [ ! -f "$PEM" ]; then
|
||
|
install --owner=root --group=ssl-cert --mode=640 /dev/null $PEM
|
||
|
fi
|
||
|
|
||
|
cat $RENEWED_LINEAGE/fullchain.pem > $PEM
|
||
|
cat $RENEWED_LINEAGE/privkey.pem >> $PEM
|
||
|
# set perms & ownership again just for good measure, should be redundant
|
||
|
chmod 640 $PEM
|
||
|
chown root:ssl-cert $PEM
|