-
Notifications
You must be signed in to change notification settings - Fork 1
/
spssl
177 lines (152 loc) · 6.19 KB
/
spssl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
#!/bin/bash
# Let's Encrypt SSL automation for [ServerPilot free plan](http://bit.ly/serverpilot)
# by Renato Frota - https://github.com/renatofrota/letsencrypt-ssl-serverpilot
v="v0.2"
lebin=/usr/bin/letsencrypt
nginxvhosts=/etc/nginx-sp/vhosts.d
nginxssl=/etc/nginx-sp/ssl
apachevhosts=/etc/apache-sp/vhosts.d
usersdir=/srv/users
appsdir=apps
certsdir=/etc/letsencrypt/live
cronjobfile=/etc/cron.daily/letsencrypt-renew-cron
leoutput=letsencrypt.script.log
echo "
***********************************************************************
* Let's Encrypt SSL certificates issuance and renewals *
* automation for ServerPilot free plan (http://bit.ly/serverpilot) *
***********************************************************************
* Think on how much $ you're saving and buy me some coffee! :) *
***********************************************************************
* Pense em quanta grana você está economizando e me pague um café! :) *
***********************************************************************
* https://github.com/renatofrota/letsencrypt-ssl-serverpilot *
***********************************************************************
"
# allow only root
[ "$EUID" -ne 0 ] && echo "Please run as root or use sudo." && exit
echo -n "You are running ${v}. "; read -rep "Press any key to proceed..." -n 1 pause
# prepare env
mkdir -p /etc/letsencrypt/live
# Check for Let's Encrypt installation
if [ ! -f "$lebin" ]
then
echo "Let's Encrypt is not installed. Would you like to install it?"
read -p "Y or N " -n 1 -r
echo ""
if [[ "$REPLY" =~ ^[Yy]$ ]]
then
cd $HOME && \
sudo apt-get update && \
sudo apt-get install software-properties-common && \
sudo add-apt-repository ppa:certbot/certbot && \
sudo apt-get update && \
sudo apt-get install certbot
else
exit
fi
fi
[ ! -f "$lebin" ] && echo "Installation failed. Please refer to https://certbot.eff.org for instructions."
echo -e "\nExisting users on your server:"
/bin/ls -1 $usersdir
echo -e "\nPlease enter the username that runs the app which you want to issue a certificate:"
read username
[ ! -d "$usersdir/$username" ] && echo "Error: invalid user" && exit
echo -e "\nThe user you selected has the following apps:"
/bin/ls -1 $usersdir/$username/$appsdir
echo -e "\nPlease enter the app name which you want to issue a certificate:"
read app
[ ! -d "$usersdir/$username/$appsdir/$app" ] && echo "Error: invalid app" && exit
echo -e "\nThis app has the following domains confiured in ServerPilot:"
for domain in $(grep -E 'ServerName|ServerAlias' $apachevhosts/$app.conf | sed -e 's;.*ServerName;;g' | sed -e 's;.*ServerAlias;;g' | xargs echo)
do
echo $domain
done
echo -e "\nPlease enter the (sub)domain names you want included in SSL (separated by space)"
echo -e "or leave blank to issue the SSL certificate for all the app domains"
echo -e "Note: all domains you include must be already pointed to this server"
read readdomains
if [ ! -z "$readdomains" ]
then
domains=()
for domain in $readdomains
do
if [[ $domain != "ServerName server-$app" ]]
then
domains+=("$domain")
ddomains+=("-d $domain")
fi
done
certname=${readdomains[0]}
else
domains=()
certname=""
for domain in $(grep -E 'ServerName|ServerAlias' $apachevhosts/$app.conf | sed -e 's;.*ServerName;;g' | sed -e 's;.*ServerAlias;;g' | xargs echo)
do
if [[ $domain != "ServerName server-$app" ]]
then
[ -z "$certname" ] && certname=$domain
domains+=("$domain")
ddomains+=("-d $domain")
fi
done
fi
if ( ! find $certsdir -mmin -1 -name cert.pem -exec false {} + )
then
echo "Please wait at least 1 minute before running this script again"
exit
fi
letsencrypt certonly --webroot -w $usersdir/$username/$appsdir/$app/public ${ddomains[@]} | sudo tee $leoutput
if ( find $certsdir -mmin -1 -name cert.pem -exec false {} + )
then
echo "Error: the certificate could not be issued for domain(s) ${domains[@]}"
echo "See $leoutput for more info"
exit
else
certfile=$(grep "fullchain.pem" $leoutput)
certkey=$(grep "privkey.pem" $leoutput)
echo "The certificate has been successfully issued for domain(s) ${domains[@]}:"
echo "Certificate: $certfile"
echo "Private Key: $certkey"
fi
configfile=$nginxvhosts/$app-ssl.conf
echo "
server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
server_name" > $configfile
for domain in ${domains[@]}
do
echo " $domain" >> $configfile
done
echo " ;
root $usersdir/$username/$appsdir/$app/public;
ssl_certificate_key ssl/$app.key;
ssl_certificate ssl/$app.combined_crt;
access_log $usersdir/$username/log/$app/${app}_nginx.access.log main;
access_log $usersdir/$username/log/$app/${app}_nginx.access_ssl.log main;
error_log $usersdir/$username/log/$app/${app}_nginx.error.log;
error_log $usersdir/$username/log/$app/${app}_nginx.error_ssl.log;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto \$scheme;
include $nginxvhosts/$app.d/*.ssl_conf;
include $nginxvhosts/$app.d/*.conf;
}
" >> $configfile
echo -e "\nConfig file written ($configfile):"
cat $configfile
ln -s $certkey $nginxssl/$app.key
ln -s $certfile $nginxssl/$app.combined_crt
echo -e "\nSSL symlinks generated:\n"
ls -lh $nginxssl/$app.key
ls -lh $nginxssl/$app.combined_crt
echo -e "\nRestarting nginx"
sudo service nginx-sp restart
echo -e "\n(re-)Installing daily cronjob for automated renewals"
echo -e '#!/bin/bash\nletsencrypt renew --renew-hook "service nginx-sp restart" >>/root/letsencrypt.renew.log 2>&1' > $cronjobfile
chmod +x $cronjobfile
ls -lh $cronjobfile
echo -e "\nDone!"