-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathcert-renewal-haproxy.sh
executable file
·109 lines (91 loc) · 2.87 KB
/
cert-renewal-haproxy.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/bin/bash
# automation of certificate renewal for let's encrypt and haproxy
# - checks all certificates under /etc/letsencrypt/live and renews
# those about about to expire in less than 4 weeks
# - creates haproxy.pem files in /etc/letsencrypt/live/domain.tld/
# - soft-restarts haproxy to apply new certificates
# usage:
# sudo ./cert-renewal-haproxy.sh
###################
## configuration ##
###################
EMAIL="[email protected]"
LE_CLIENT="/path/to/letsencrypt-auto"
HAPROXY_RELOAD_CMD="service haproxy reload"
WEBROOT="/var/lib/haproxy"
# Enable to redirect output to logfile (for silent cron jobs)
# LOGFILE="/var/log/certrenewal.log"
######################
## utility function ##
######################
function issueCert {
$LE_CLIENT certonly --text --webroot --webroot-path ${WEBROOT} --renew-by-default --agree-tos --email ${EMAIL} $1 &>/dev/null
return $?
}
function logger_error {
if [ -n "${LOGFILE}" ]
then
echo "[error] ${1}\n" >> ${LOGFILE}
fi
>&2 echo "[error] ${1}"
}
function logger_info {
if [ -n "${LOGFILE}" ]
then
echo "[info] ${1}\n" >> ${LOGFILE}
else
echo "[info] ${1}"
fi
}
##################
## main routine ##
##################
le_cert_root="/etc/letsencrypt/live"
if [ ! -d ${le_cert_root} ]; then
logger_error "${le_cert_root} does not exist!"
exit 1
fi
# check certificate expiration and run certificate issue requests
# for those that expire in under 4 weeks
renewed_certs=()
exitcode=0
while IFS= read -r -d '' cert; do
if ! openssl x509 -noout -checkend $((4*7*86400)) -in "${cert}"; then
subject="$(openssl x509 -noout -subject -in "${cert}" | grep -o -E 'CN=[^ ,]+' | tr -d 'CN=')"
subjectaltnames="$(openssl x509 -noout -text -in "${cert}" | sed -n '/X509v3 Subject Alternative Name/{n;p}' | sed 's/\s//g' | tr -d 'DNS:' | sed 's/,/ /g')"
domains="-d ${subject}"
for name in ${subjectaltnames}; do
if [ "${name}" != "${subject}" ]; then
domains="${domains} -d ${name}"
fi
done
issueCert "${domains}"
if [ $? -ne 0 ]
then
logger_error "failed to renew certificate! check /var/log/letsencrypt/letsencrypt.log!"
exitcode=1
else
renewed_certs+=("$subject")
logger_info "renewed certificate for ${subject}"
fi
else
logger_info "none of the certificates requires renewal"
fi
done < <(find /etc/letsencrypt/live -name cert.pem -print0)
# create haproxy.pem file(s)
for domain in ${renewed_certs[@]}; do
cat ${le_cert_root}/${domain}/privkey.pem ${le_cert_root}/${domain}/fullchain.pem | sudo tee ${le_cert_root}/${domain}/haproxy.pem >/dev/null
if [ $? -ne 0 ]; then
logger_error "failed to create haproxy.pem file!"
exit 1
fi
done
# soft-restart haproxy
if [ "${#renewed_certs[@]}" -gt 0 ]; then
$HAPROXY_RELOAD_CMD
if [ $? -ne 0 ]; then
logger_error "failed to reload haproxy!"
exit 1
fi
fi
exit ${exitcode}