letsencrypt-tools/etc/letsencrypt/renewal-hooks/deploy/cp-to-etc-ssl.sh

34 lines
1.0 KiB
Bash
Raw Normal View History

2021-03-27 16:15:03 -07:00
#!/bin/bash
# script is run once per domain after successful renewal with these vars available:
# $RENEWED_LINEAGE=/etc/letsencrypt/live/example.com
# $RENEWED_DOMAINS="example.com www.example.com"
# makes sure vars were passed and LE cert exits
if [ ! -n "$RENEWED_LINEAGE" ]; then
exit 1
fi
if [ ! -f "$RENEWED_LINEAGE/fullchain.pem" ]; then
exit 1
fi
if [ ! -d "/etc/ssl/letsencrypt" ]; then
install --owner=root --group=ssl-cert --mode=750 --directory /etc/ssl/letsencrypt
fi
DOMAIN=`basename $RENEWED_LINEAGE`
PEM="/etc/ssl/letsencrypt/$DOMAIN.pem"
# If the file doesn't already exist first create empty file with correct ownership and
# permissions. Thus the copied cert is *never* world readable, not even for an instant.
if [ ! -f "$PEM" ]; then
install --owner=root --group=ssl-cert --mode=640 /dev/null $PEM
fi
cat $RENEWED_LINEAGE/fullchain.pem > $PEM
cat $RENEWED_LINEAGE/privkey.pem >> $PEM
# set perms & ownership again just for good measure, should be redundant
chmod 640 $PEM
chown root:ssl-cert $PEM