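#!/bin/bash

# Copyright (C) 2016 Andreas Bilke <andreas@bilke.org>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# refresh-acme-certificate -- renew the certificate for one domain with acme-tiny.
#
# Usage: refresh-acme-certificate <domain-name>
#
# Meant to be run as root (e.g. from cron). acme-tiny itself is executed as
# the unprivileged "letsencrypt" user via su, so the ACME account key never
# has to be readable by this script; only the (public) signed certificate is
# handled here. The certificate is installed atomically into PUBLIC_KEY_DIR
# and every executable *.sh below HOOKS_DIR is then run as root with the
# domain as its only argument (e.g. to reload a web server).
#
# Exit status: 0 when the current certificate is still valid for more than
# expire_days (nothing is done) or when it was refreshed and every hook
# succeeded; 1 on any error, including a failing hook.

set -e
set -u
set -f
set -o pipefail

# Print an error to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ $# -ne 1 ]; then
  echo "Usage: $0 <domain-name>" >&2
  exit 1
fi

DOMAIN="$1"

# $DOMAIN is untrusted command-line input, and below it is spliced into file
# paths, into the command string handed to `su -c` (i.e. to /bin/sh) and into
# the hook arguments. Only accept a plain DNS hostname (dot-separated labels
# of letters, digits and inner hyphens), which rules out path traversal
# ("../") and shell metacharacters alike.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if [ "${#DOMAIN}" -gt 253 ] || ! [[ "$DOMAIN" =~ $hostname_re ]]; then
  die "Invalid domain name: $DOMAIN"
fi

PUBLIC_KEY_DIR=/etc/ssl/server-certs
CSR_DIR=~letsencrypt/csr
CSR=$CSR_DIR/$DOMAIN.csr
# Directory acme-tiny writes its challenge files into; presumably the web
# server serves it for the ACME HTTP challenge -- see the acme-tiny docs.
ACME_DIR=~letsencrypt/fake-webroot
ACME_ACCOUNT_KEY=~letsencrypt/account.key
ACME_TINY_PROG=~letsencrypt/acme-tiny/acme_tiny.py
# Installed certificate (the file name suggests a chain; whatever acme-tiny
# prints on stdout ends up here).
CERT="$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem"

HOOKS_DIR=/etc/acme-tools

# Refresh once the certificate has less than this many days left.
expire_days=21
expire_time=$(( expire_days * 24 * 60 * 60 ))

[ -e "$ACME_TINY_PROG" ] || die "Could not find acme-tiny program"
[ -e "$ACME_ACCOUNT_KEY" ] || die "Could not find acme-tiny account key"
[ -e "$ACME_DIR" ] || die "Could not find webroot at $ACME_DIR"
[ -e "$CSR" ] || die "Could not find $CSR"
[ -d "$PUBLIC_KEY_DIR" ] || die "Could not find certificate directory $PUBLIC_KEY_DIR"

# `openssl x509 -checkend` succeeds only if the certificate is still valid
# $expire_time seconds from now; an unreadable or garbled file fails the
# check and therefore triggers a refresh.
if [ -e "$CERT" ] && openssl x509 -checkend "$expire_time" -noout -in "$CERT"; then
  echo "Certificate for $DOMAIN is valid for more than $expire_days days. Don't refresh."
  exit 0
fi

# The new certificate is written to a temporary file in the target directory
# and renamed into place, so readers never see a truncated file. The trap is
# installed before the file exists; NEW_CERT is empty until mktemp ran.
NEW_CERT=
cleanup() {
  if [ -n "${NEW_CERT:-}" ]; then
    rm -f -- "$NEW_CERT"
  fi
}
trap cleanup EXIT
NEW_CERT=$(mktemp "$PUBLIC_KEY_DIR/.$DOMAIN.XXXXXX") || die "Could not create temporary file in $PUBLIC_KEY_DIR"

# Every part of this command string is either a constant above or the
# validated $DOMAIN; do not add unvalidated input to it, it is parsed by sh.
ACME_TINY_COMMAND="python $ACME_TINY_PROG --account-key $ACME_ACCOUNT_KEY --csr $CSR --acme-dir $ACME_DIR"
echo "Starting acme-tiny client"
# Run as the unprivileged letsencrypt user; stdout (the signed certificate)
# is redirected by this root shell, so the target directory need not be
# writable by that user.
su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > "$NEW_CERT"

# Never install something that is not a certificate (empty output, an error
# message that ended up on stdout, ...), and make sure the leaf certificate
# belongs to the key the CSR was made for -- otherwise the service would be
# reloaded with a cert/key mismatch.
if ! openssl x509 -noout -in "$NEW_CERT" 2>/dev/null; then
  die "acme-tiny did not return a valid certificate for $DOMAIN"
fi
cert_pubkey=$(openssl x509 -noout -pubkey -in "$NEW_CERT") || die "Could not read public key from new certificate"
csr_pubkey=$(openssl req -noout -pubkey -in "$CSR") || die "Could not read public key from $CSR"
if [ "$cert_pubkey" != "$csr_pubkey" ]; then
  die "New certificate for $DOMAIN does not match the public key in $CSR"
fi

# The certificate is public; make it world-readable before it becomes visible.
chmod 0644 "$NEW_CERT"
mv -f -- "$NEW_CERT" "$CERT"

hook_rc=0
if [ -d "$HOOKS_DIR" ]; then
  # Hooks run as root with the validated domain as their only argument, so
  # HOOKS_DIR and every hook in it must be writable by root only. Hooks are
  # run in a deterministic order; a failing hook does not stop the others
  # but is reported and turns the exit status non-zero, since the freshly
  # installed certificate may then not have been loaded anywhere.
  while IFS= read -r -d '' hook; do
    if ! "$hook" "$DOMAIN"; then
      printf 'Hook %s failed for %s\n' "$hook" "$DOMAIN" >&2
      hook_rc=1
    fi
  done < <(find "$HOOKS_DIR" -name "*.sh" -executable -print0 | LC_ALL=C sort -z)
fi

exit "$hook_rc"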