virtubox
/
ee-acme-sh
mirror of https://github.com/VirtuBox/ee-acme-sh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

add cert-only option

This commit is contained in:
VirtuBox 2018-09-21 13:59:06 +02:00
parent 966c068377
commit 0e62447ae7
1 changed files with 163 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

274
script/ee-acme.sh
View File

@ -1,145 +1,170 @@
#!/bin/bash
_help() {
echo "Issue and install SSL certificates using acme.sh with EasyEngine"
echo "Usage: ee-acme [type] <domain> [mode]"
echo " Types:"
echo " -d, --domain <domain_name> ..... for domain.tld + www.domain.tld"
echo " -s, --subdomain <subdomain_name> ....... for sub.domain.tld"
echo " -w, --wildcard <domain_name> ..... for domain.tld + *.domain.tld"
echo " Modes:"
echo " --standalone ..... acme challenge in standalone mode"
echo " --cf ..... acme challenge in dns mode with Cloudflare"
echo " Options:"
echo " --cert-only ... do not change nginx configuration, only display it"
echo " -h, --help, help ... displays this help information"
echo "Examples:"
echo ""
echo "domain.tld + www.domain.tld in standalone mode :"
echo " ee-acme -d domain.tld --standalone"
echo ""
echo "sub.domain.tld in dns mode with Cloudflare :"
echo " ee-acme -s sub.domain.tld --cf"
echo ""
echo "wildcard certificate for domain.tld in dns mode with Cloudflare :"
echo " ee-acme -w domain.tld --cf"
echo ""
echo "domain.tld + www.domain.tld in standalone mode without editing Nginx configuration :"
echo " ee-acme -d domain.tld --standalone --cert-only"
echo ""
return 0
}
if [ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ]; then
{
sudo systemctl enable nginx.service
sudo systemctl start nginx
} >>/var/log/ee-acme-sh.log
fi
_help() {
echo "Issue and install SSL certificates using acme.sh with EasyEngine"
echo "Usage: ee-acme [type] <domain> [mode]"
echo " Types:"
echo " -d, --domain <domain_name> ..... for domain.tld + www.domain.tld"
echo " -s, --subdomain <subdomain_name> ....... for sub.domain.tld"
echo " -w, --wildcard <domain_name> ..... for domain.tld + *.domain.tld"
echo " Modes:"
echo " --standalone ..... acme challenge in standalone mode"
echo " --cf ..... acme challenge in dns mode with Cloudflare"
echo " Options:"
echo " -h, --help, help ... displays this help information"
echo "Examples:"
echo ""
echo "domain.tld + www.domain.tld in standalone mode :"
echo " ee-acme -d domain.tld --standalone"
echo ""
echo "sub.domain.tld in dns mode with Cloudflare"
echo " ee-acme -s sub.domain.tld --cf"
echo ""
echo "wildcard certificate for domain.tld in dns mode with Cloudflare :"
echo " ee-acme -w domain.tld --cf"
echo ""
return 0
}
if [ ! -f /etc/systemd/system/multi-user.target.wants/nginx.service ]; then
{
sudo systemctl enable nginx.service
sudo systemctl start nginx
} >>/var/log/ee-acme-sh.log
fi
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
while [[ $# -gt 0 ]]; do
arg="$1"
case $arg in
-d | --domain)
domain_name=$2
domain_type=domain
shift
;;
;;
-s | --subdomain)
domain_name=$2
domain_type=subdomain
shift
;;
;;
-w | --wildcard)
domain_name=$2
domain_type=wildcard
shift
;;
;;
--cf)
acme_validation=cloudflare
shift
;;
;;
--standalone)
acme_validation=standalone
shift
;;
;;
--cert-only)
cert_only=1
shift
;;
-h | --help | help)
_help
exit 1
;;
;;
*) # positional args
;;
esac
shift
;;
esac
shift
done
if [ -z "$domain_name" ]; then
echo ""
echo "What is your domain ?: "
read -r domain_name
echo ""
fi
if [ -z "$cert_only" ]; then
cert_only=0
fi
if [ -z "$acme_validation" ]; then
echo ""
echo "Do you want to use standalone mode [1] or dns mode with Cloudflare [2] ?"
while [[ $acme_choice != "1" && $acme_choice != "2" ]]; do
read -p "Select an option [1-2]: " acme_choice
done
if [ -z "$domain_name" ]; then
echo ""
echo "What is your domain ?: "
read -r domain_name
echo ""
fi
if [ -z "$acme_validation" ]; then
echo ""
echo "Do you want to use standalone mode [1] or dns mode with Cloudflare [2] ?"
while [[ $acme_choice != "1" && $acme_choice != "2" ]]; do
read -p "Select an option [1-2]: " acme_choice
done
fi
if [ $acme_choice = "1" ]; then
acme_validation=standalone
fi
if [ $acme_choice = "1" ]; then
acme_validation=standalone
elif [ $acme_choice = "2" ]; then
acme_validation=cloudflare
fi
acme_validation=cloudflare
fi
if [ ! -f /etc/nginx/sites-available/$domain_name ]; then
echo "Error: non existant domain"
exit 1
fi
if [ ! -f /etc/nginx/sites-available/$domain_name ]; then
echo "Error: non existant domain"
exit 1
fi
if [ ! -d $HOME/.acme.sh/${domain_name}_ecc ]; then
if [ $acme_validation = "cloudflare" ]; then
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
CF_ACME_ACCOUNT_CHECK=$(grep "CF" .acme.sh/account.conf)
if [[ $acme_validation = "cloudflare" && -z "$CF_ACME_ACCOUNT_CHECK" ]]; then
echo ""
echo "What is your Cloudflare email address ? :"
echo ""
read -r cf_email
echo "What is your Cloudflare API Key ? You API Key is available on https://www.cloudflare.com/a/profile"
read -r cf_api_key
echo "SAVED_CF_Key='$cf_api_key'" >> .acme.sh/account.conf
echo "SAVED_CF_Email='$cf_email'" >> .acme.sh/account.conf
fi
if [ ! -d $HOME/.acme.sh/${domain_name}_ecc ]; then
if [ $acme_validation = "cloudflare" ]; then
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --dns dns_cf --dnssleep 60
elif [ $domain_type = "wildcard" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d "*.$domain_name" --keylength ec-384 --dns dns_cf --dnssleep 60
fi
elif [ $acme_validation = "standalone" ]; then
sudo apt-get install socat -y
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "wildcard" ]; then
echo "standalone mode do not support wildcard certificates"
exit 1
fi
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d "*.$domain_name" --keylength ec-384 --dns dns_cf --dnssleep 60
fi
elif [ $acme_validation = "standalone" ]; then
sudo apt-get install socat -y
if [ $domain_type = "domain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name -d www.$domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "subdomain" ]; then
$HOME/.acme.sh/acme.sh --issue -d $domain_name --keylength ec-384 --standalone --pre-hook "service nginx stop " --post-hook "service nginx start"
elif [ $domain_type = "wildcard" ]; then
echo "standalone mode do not support wildcard certificates"
exit 1
fi
else
echo "certificate already exist !"
exit 1
fi
else
echo "certificate already exist !"
exit 1
fi
# check if folder already exist
if [ -d /etc/letsencrypt/live/$domain_name ]; then
sudo rm -rf /etc/letsencrypt/live/$domain_name/*
else
# create folder to store certificate
sudo mkdir -p /etc/letsencrypt/live/$domain_name
fi
# check if folder already exist
if [ -d /etc/letsencrypt/live/$domain_name ]; then
sudo rm -rf /etc/letsencrypt/live/$domain_name/*
else
# create folder to store certificate
sudo mkdir -p /etc/letsencrypt/live/$domain_name
fi
# install the cert and reload nginx
if [ -f $HOME/.acme.sh/${domain_name}_ecc/fullchain.cer ]; then
$HOME/.acme.sh/acme.sh --install-cert -d ${domain_name} --ecc \
--cert-file /etc/letsencrypt/live/${domain_name}/cert.pem \
--key-file /etc/letsencrypt/live/${domain_name}/key.pem \
--fullchain-file /etc/letsencrypt/live/${domain_name}/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
else
echo "acme.sh failed to issue certificate"
exit 1
fi
# install the cert and reload nginx
if [ -f $HOME/.acme.sh/${domain_name}_ecc/fullchain.cer ]; then
$HOME/.acme.sh/acme.sh --install-cert -d ${domain_name} --ecc \
--cert-file /etc/letsencrypt/live/${domain_name}/cert.pem \
--key-file /etc/letsencrypt/live/${domain_name}/key.pem \
--fullchain-file /etc/letsencrypt/live/${domain_name}/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
else
echo "acme.sh failed to issue certificate"
exit 1
fi
if [ "$cert_only" = "0" ]; then
if [ -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${domain_name}/key.pem ]; then
# add certificate to the nginx vhost configuration
CURRENT=$(nginx -v 2>&1 | awk -F "/" '{print $2}' | grep 1.15)
@ -173,7 +198,7 @@ server {
return 301 https://$domain_name\$request_uri;
}
EOF
elif [ $domain_type = "subdomain" ]; then
elif [ $domain_type = "subdomain" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-$domain_name.conf
server {
listen 80;
@ -182,7 +207,7 @@ server {
return 301 https://$domain_name\$request_uri;
}
EOF
elif [ $domain_type = "wildcard" ]; then
elif [ $domain_type = "wildcard" ]; then
cat <<EOF >/etc/nginx/conf.d/force-ssl-$domain_name.conf
server {
listen 80;
@ -197,7 +222,6 @@ EOF
echo "acme.sh failed to install certificate"
exit 1
fi
VERIFY_NGINX_CONFIG=$(nginx -t 2>&1 | grep failed)
if [ -z "$VERIFY_NGINX_CONFIG" ]; then
echo "####################################"
@ -209,6 +233,34 @@ EOF
echo "Nginx configuration is not correct"
echo "####################################"
fi
}
else
if [ -f /etc/letsencrypt/live/${domain_name}/fullchain.pem ] && [ -f /etc/letsencrypt/live/${domain_name}/key.pem ]; then
# add certificate to the nginx vhost configuration
CURRENT=$(nginx -v 2>&1 | awk -F "/" '{print $2}' | grep 1.15)
if [ -z "$CURRENT" ]; then
echo "###### Nginx configuration"
echo ""
echo " listen 443 ssl http2;"
echo " listen [::]:443 ssl http2;"
echo " ssl on;"
echo " ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;"
echo ""
else
echo "###### Nginx configuration"
echo ""
echo " listen 443 ssl http2;"
echo " listen [::]:443 ssl http2;"
echo " ssl_certificate /etc/letsencrypt/live/$domain_name/fullchain.pem;"
echo " ssl_certificate_key /etc/letsencrypt/live/$domain_name/key.pem;"
echo " ssl_trusted_certificate /etc/letsencrypt/live/$domain_name/cert.pem;"
echo ""
fi
fi
fi
alias ee-acme=ee_acme