#!/bin/bash

# script is run once per domain after successful renewal with these vars available:
# $RENEWED_LINEAGE=/etc/letsencrypt/live/example.com
# $RENEWED_DOMAINS="example.com www.example.com"

# makes sure vars were passed and LE cert exits
if [ ! -n "$RENEWED_LINEAGE" ]; then
  exit 1
fi

if [ ! -f "$RENEWED_LINEAGE/fullchain.pem" ]; then
  exit 1
fi

if [ ! -d "/etc/ssl/letsencrypt" ]; then
  install --owner=root --group=ssl-cert --mode=750 --directory /etc/ssl/letsencrypt
fi

DOMAIN=`basename $RENEWED_LINEAGE`
PEM="/etc/ssl/letsencrypt/$DOMAIN.pem"

# If the file doesn't already exist first create empty file with correct ownership and
# permissions. Thus the copied cert is *never* world readable, not even for an instant.
if [ ! -f "$PEM" ]; then
  install --owner=root --group=ssl-cert --mode=640 /dev/null $PEM
fi

cat $RENEWED_LINEAGE/fullchain.pem > $PEM
cat $RENEWED_LINEAGE/privkey.pem >> $PEM
# set perms & ownership again just for good measure, should be redundant
chmod 640 $PEM
chown root:ssl-cert $PEM