#!/bin/bash

# letsencrypt-sync-certs-to-etc-ssl.sh
#
# Takes all Let's Encrypt certs & keys and concats them in
# to pem files for use by apache, dovecot, exim, haproxy, etc.
#
# Install this script in to /etc/letsencrypt/renewal-hooks/post/
# to have it run automatically after attempting to obtain/renew certificates.
#
# Alternatively you can put the script in a different location and then
# run sync-certs-to-etc-ssl.sh manually after creating or renewing certs,
# or specificy the path to the script with the --post-hook cerbot command option
# to have it automatically run when attempting to obtain/renew certificates.

# must be root
if [ "$USER" != "root" ]; then
  exec sudo -u root $0 $@
fi

# make dir if it doesn't already exist
if [[ ! -e /etc/ssl/letsencrypt/ ]]; then
    install --owner=root --group=ssl-cert --mode=750 --directory /etc/ssl/letsencrypt
fi

# check that Let's Encrpyt archive dir exists before proceeding
if [ ! -d "/etc/letsencrypt/archive" ]; then
  exit
fi

# Get list of Let's Encrpyt certs
#   Check the "archive" dir instead of "live" as "live"
#   has a README file that we don't want in our array.
cd /etc/letsencrypt/archive/
lecerts=(*)
# get list of certs in the SSL dir
cd /etc/ssl/letsencrypt/
sslcerts=(*)

# First cycle thru /etc/ssl/letsencrypt/ and remove any pem
# files that don't have a cert in /etc/ssl/letsencrypt/
# (removes certs that have been deleted from letsencrypt).
for sslcert in "${!sslcerts[@]}"
do
  # set cert variable
  cert=${sslcerts[$sslcert]}
  # remove .pem from end of $cert
  cert=$(basename $cert .pem)
  if [[ ! " ${lecerts[@]} " =~ " $cert " ]]; then
    rm /etc/ssl/letsencrypt/${sslcerts[$sslcert]}
  fi
done

# add / update pem files in /etc/ssl/letsencrypt/
for lecert in "${!lecerts[@]}"
do
  # set cert variable
  cert=${lecerts[$lecert]}
  if [ -f "/etc/ssl/letsencrypt/$cert.pem" ]; then
    # /etc/ssl/letsencrypt/ pem file already exists
    # get modified times and only upate if newer
    LECERTTIME=`date +%s -r /etc/letsencrypt/live/$cert/fullchain.pem`
    SSLCERTTIME=`date +%s -r /etc/ssl/letsencrypt/$cert.pem`
    if [[ $LECERTTIME -gt $SSLCERTTIME ]]; then
      # make sure perms are correct, should be redundant
      chmod 640 /etc/ssl/letsencrypt/$cert.pem
      chown root:ssl-cert /etc/ssl/letsencrypt/$cert.pem
      # replace existing cert with new data
      cat /etc/letsencrypt/live/$cert/fullchain.pem > /etc/ssl/letsencrypt/$cert.pem
      cat /etc/letsencrypt/live/$cert/privkey.pem >> /etc/ssl/letsencrypt/$cert.pem
    fi
  else
    # /etc/ssl/letsencrypt/ pem file does not exists. First create
    # empty file with correct ownership and permissions. Thus the
    # copied cert is *never* world readable, not even for an instant.
    install --owner=root --group=ssl-cert --mode=640 /dev/null /etc/ssl/letsencrypt/$cert.pem
    cat /etc/letsencrypt/live/$cert/fullchain.pem > /etc/ssl/letsencrypt/$cert.pem
    cat /etc/letsencrypt/live/$cert/privkey.pem >> /etc/ssl/letsencrypt/$cert.pem
  fi
done