certbot4mac

#!/bin/bash

# Check if certbot brew version is installed
command -v brew >/dev/null 2>&1 || { echo >&2 "This script requires homebrew, please install it: https://brew.sh/"; exit 1; }
command -v certbot >/dev/null 2>&1 || { echo >&2 "This script requires certbot, install it with: brew install certbot"; exit 1; }

insert_into_keychain() {
  CURRENT_CERT=`grep -E -h SSLCertificateFile.+${1} /Library/Server/Web/Config/apache2/sites/*.conf | head -1 | cut -f 2 -d ' ' - | sed 's/\"//g'`
  CURRENT_SHA=`echo $CURRENT_CERT | sed "s:/etc/certificates/$1.::" | sed 's:.cert.pem::'`
  NEW_SHA=`openssl x509 -in /etc/letsencrypt/live/$1/cert.pem -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'`
  NEW_CERT="/etc/certificates/$1.$NEW_SHA.cert.pem"
  if [[ $CURRENT_CERT != $NEW_CERT ]]; then
    printf "Will replace certificate $CURRENT_CERT in Apache by new one in /etc/letsencrypt/live/$1/cert.pem with SHA1 $NEW_SHA\n"
    printf "Generating PKCS12 file...\n"
    openssl pkcs12 -export -inkey /etc/letsencrypt/live/$1/privkey.pem -in /etc/letsencrypt/live/$1/cert.pem -certfile /etc/letsencrypt/live/$1/fullchain.pem -out /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -passout pass:topsecret
    printf "Importing cert $NEW_SHA in System Keychain..."
    security import /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -A
    if [ "$2" == 'renew' ]; then
      # Tell services to use new certificate
      certupdate replace -c $CURRENT_CERT -C $NEW_CERT
      # Delete old certificate
      security delete-certificate -Z $CURRENT_SHA -t /Library/Keychains/System.keychain
    fi
    apachectl restart
  fi
}

if [ "$1" '==' 'renew' ]; then
  certbot renew
  for D in `find /etc/letsencrypt/live -mindepth 1 -type d -exec basename {} \;`
  do
      insert_into_keychain $D $1
  done
elif [ "$1" '==' 'new' ]; then
  certbot certonly --webroot -w $3 -d $2
  insert_into_keychain $2 $1
else
  echo "Usage: $(basename $0) renew|new [domain] [webroot]"
  exit 1
fi