added reload-services.sh, added DNS TXT authenticator

This commit is contained in:
Matthew Saunders Brown 2022-04-20 12:06:18 -07:00
parent ac90b2db03
commit c61f7c70f7
4 changed files with 48 additions and 24 deletions

View File

@ -11,36 +11,32 @@ help()
echo "$thisfilename" echo "$thisfilename"
echo "Create a Let's Encrypt certificate." echo "Create a Let's Encrypt certificate."
echo "" echo ""
echo "Usage: $thisfilename domain [OPTIONS]" echo "Usage: $thisfilename domain -d <domain> [-t] [-n] [-h]"
echo "" echo ""
echo " -h Print this help." echo " -h Print this help."
echo " -d <domain> Domain (hostname) to create certificate for."
echo " -t Obtain certificates using a DNS TXT record (if you are using PowerDNS for DNS.)"
echo " -n Dry Run - don't create cert, just echo command to run." echo " -n Dry Run - don't create cert, just echo command to run."
exit exit
} }
# check for and set domain # set options
if [ -n "$1" ]; then while getopts "hd:tn" opt; do
if [ $1 == "-h" ]; then case "${opt}" in
h )
help help
else exit;;
domain=$1 d ) # domain name (hostname) to create cert for
shift domain=${OPTARG,,}
# basic but good enough domain name regex validation # basic but good enough domain name regex validation
if [[ ! $domain =~ ^(([a-zA-Z](-?[a-zA-Z0-9])*)\.)+[a-zA-Z]{2,}$ ]] ; then if [[ ! $domain =~ ^(([a-zA-Z](-?[a-zA-Z0-9])*)\.)+[a-zA-Z]{2,}$ ]] ; then
echo "ERROR: Invalid domain name: $1" echo "ERROR: Invalid domain name: $1"
exit 1 exit 1
fi fi
fi ;;
else t )
help dnstxt=true
fi ;;
# set any options that were passed
while getopts "hn" opt; do
case "${opt}" in
h )
help
exit;;
n ) n )
dryrun=true dryrun=true
;; ;;
@ -54,7 +50,16 @@ while getopts "hn" opt; do
done done
# set vars # set vars
command="certbot certonly --cert-name $domain" command="certbot certonly"
if [[ -n $dnstxt ]]; then
if [[ -f ~/.pdns-credentials.ini ]]; then
command="$command --authenticator certbot-dns-powerdns:dns-powerdns --certbot-dns-powerdns:dns-powerdns-credentials ~/.pdns-credentials.ini --certbot-dns-powerdns:dns-powerdns-propagation-seconds 3"
else
echo "ERROR: ~/.pdns-credentials.ini config file does not exist, can't use -t (DNS TXT authenticator)."
exit 1
fi
fi
dnscheck=false dnscheck=false
ips=(`ip -4 -o addr show | awk '{ print $4 }' | cut -d / -f 1`) ips=(`ip -4 -o addr show | awk '{ print $4 }' | cut -d / -f 1`)

View File

@ -9,3 +9,4 @@ non-interactive = True
standalone = True standalone = True
http-01-port=18080 http-01-port=18080
deploy-hook = /etc/letsencrypt/renewal-hooks/deploy/cp-to-etc-ssl.sh deploy-hook = /etc/letsencrypt/renewal-hooks/deploy/cp-to-etc-ssl.sh
post-hook = /etc/letsencrypt/renewal-hooks/post/reload-services.sh

View File

@ -0,0 +1,18 @@
#!/bin/bash
# This script is run once after an attempt to renew one or more certs.
# Array of services to reload. A default list of typical services is listed.
# Note that service will only be restarted if it's installed and active,
# it's safe to have inactive/unneeded services in this array.
# Change this to suit your needs.
services=(apache2 dovecot exim4 haproxy postfix)
# Cycle through each service.
for service in "${services[@]}"; do
# Check if service is active.
if systemctl --quiet is-active $service; then
# Reload service.
systemctl reload $service
fi
done

View File

@ -41,7 +41,7 @@ fi
echo echo
cp etc/apache2/conf-available/certbot.conf /etc/apache2/conf-available/certbot.conf cp etc/apache2/conf-available/certbot.conf /etc/apache2/conf-available/certbot.conf
a2enmod --quiet proxy a2enmod --quiet proxy proxy_http
a2enconf --quiet certbot a2enconf --quiet certbot
systemctl restart apache2 systemctl restart apache2