Fix regression introduced in 8523874dcec2c4bec0ec5fe7180e6cf4fca9ab9e
[tools.git] / letsencrypt-helper / refresh-acme-certificate-standalone
1 #!/bin/bash
2
3 # Copyright (C) 2016 Andreas Bilke <andreas@bilke.org>
4 #
5 # Permission is hereby granted, free of charge, to any person obtaining
6 # a copy of this software and associated documentation files (the
7 # "Software"), to deal in the Software without restriction, including
8 # without limitation the rights to use, copy, modify, merge, publish,
9 # distribute, sublicense, and/or sell copies of the Software, and to
10 # permit persons to whom the Software is furnished to do so, subject to
11 # the following conditions:
12 #
13 # The above copyright notice and this permission notice shall be
14 # included in all copies or substantial portions of the Software.
15 #
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
23
24 set -e
25 set -u
26 set -f
27
28 if [ $# -ne 1 ];
29 then
30 echo "Usage: $0 <domain-name>" >&2
31 exit 1
32 fi
33
34 DOMAIN="$1"
35
36 PUBLIC_KEY_DIR=/etc/ssl/server-certs
37 CSR_DIR=~letsencrypt/csr
38 ACME_DIR=~letsencrypt/fake-webroot
39 ACME_ACCOUNT_KEY=~letsencrypt/account.key
40 ACME_TINY_PROG=~letsencrypt/acme-tiny/acme_tiny.py
41 ACME_TINY_RESPONDER=~letsencrypt/tools/letsencrypt-helper/acme-http-responder.py
42
43 HOOKS_DIR=/etc/acme-tools
44
45 expire_days=21
46 expire_time=$(( $expire_days * 24 * 60 * 60 ))
47
48 if [ ! -e "$ACME_TINY_PROG" ];
49 then
50 echo "Could not find acme-tiny program" >&2
51 exit 1
52 fi
53
54 if [ ! -e "$ACME_ACCOUNT_KEY" ];
55 then
56 echo "Could not find acme-tiny accout key" >&2
57 exit 1
58 fi
59
60 if [ ! -e $ACME_DIR ];
61 then
62 echo "Could not find webroot at $ACME_DIR" >&2
63 exit 1
64 fi
65
66 if [ ! -e "$CSR_DIR/$DOMAIN.csr" ];
67 then
68 echo "Could not find $CSR_DIR/$DOMAIN.csr" >&2
69 exit 1
70 fi
71
72 if [ -e "$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem" ] && openssl x509 -checkend $expire_time -noout -in "$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem";
73 then
74 echo "Certificate for $DOMAIN is valid for more than $expire_days days. Don't refresh."
75 exit 0
76 fi
77
78 SERVER_PORT=8765
79
80 if [ ! -e $ACME_TINY_RESPONDER ];
81 then
82 echo "Can't find stand alone responder" >&2
83 exit 1
84 fi
85
86 echo "Setting up firewall rules"
87 iptables -I INPUT -p tcp --dport "$SERVER_PORT" -j ACCEPT
88 iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SERVER_PORT"
89 iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$SERVER_PORT"
90
91 echo "Starting acme-http-responder"
92 SERVER_COMMAND="$ACME_TINY_RESPONDER --web-root $ACME_DIR --port $SERVER_PORT"
93 su -s /bin/bash -c "$SERVER_COMMAND" letsencrypt &
94
95 TMP_SIGNED_CERT=`mktemp` || exit 1
96 trap "rm -f $TMP_SIGNED_CERT" EXIT
97
98 ACME_TINY_COMMAND="python $ACME_TINY_PROG --account-key $ACME_ACCOUNT_KEY --csr $CSR_DIR/$DOMAIN.csr --acme-dir $ACME_DIR"
99 echo "Starting acme-tiny client"
100 su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > $TMP_SIGNED_CERT
101 cat $TMP_SIGNED_CERT "$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem"
102
103 echo "Kill acme-http-responder"
104 kill -TERM `pgrep -u letsencrypt`
105
106 echo "Delete firewall rules"
107 iptables -D INPUT -p tcp --dport "$SERVER_PORT" -j ACCEPT
108 iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SERVER_PORT"
109 iptables -t nat -D OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$SERVER_PORT"
110
111 if [ -d "$HOOKS_DIR" ];
112 then
113 find $HOOKS_DIR -name "*.sh" -executable -exec {} "$DOMAIN" \;
114 fi