diff --git a/example.com.cron-task.sh b/example.com.cron-task.sh
index 0f0e1cd..7777a3e 100755
--- a/example.com.cron-task.sh
+++ b/example.com.cron-task.sh
@@ -3,10 +3,7 @@ set -e
 ./generate-and-sign-cert.sh \
- "acmeclient" \
 "/etc/nginx/certs/example.com" \
 "/CN=example.com" \
 "subjectAltName=DNS:example.com,DNS:www.example.com" \
 &>> "/var/log/acmeclient/example.com.log"
-
-service nginx reload
diff --git a/generate-and-sign-cert.sh b/generate-and-sign-cert.sh
index d79c563..88e76de 100755
--- a/generate-and-sign-cert.sh
+++ b/generate-and-sign-cert.sh
@@ -2,25 +2,34 @@ set -e
-ACMEUSER="$1"
-CERTS_DIR="$2"
-SUBJ="$3"
-EXT="$4"
+ACMEUSER="bw"
+WWWGROUP="www-data"
-if [ -z "$ACMEUSER" ] || [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
+CERTS_DIR="$1"
+SUBJ="$2"
+EXT="$3"
+
+if [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
 echo "Usage:"
 echo "$0 \\"
- echo " acmeuser \\"
 echo " /mysite/certs/dir/ \\"
 echo " /CN=mysite.com \\"
 echo " subjectAltName=DNS:mysite.com,DNS:www.mysite.com"
 exit 0
 fi
+
 BASE_DIR=$(cd `dirname "$0"`; pwd)
 NAME=`date +%Y-%m-%d--%H-%M-%S--%N`
 PREFIX="$CERTS_DIR/$NAME"
+if openssl x509 -checkend 864000 -noout -in "$CERTS_DIR/public.crt"; then
+ echo " -------------------------------------------- "
+ echo " certifiate is actual now ($NAME) "
+ echo " -------------------------------------------- "
+ exit 0
+fi
+
 echo " -------------------------------------------- "
 echo " begin $PREFIX "
 echo " -------------------------------------------- "
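Review bot: With `service nginx reload` moved out of this task, the only failure signal left here is the exit status of generate-and-sign-cert.sh, and `&>>` routes both stdout and stderr into the log file, so a modulus mismatch or a failed verification inside that script produces no cron mail and is visible nowhere but the log. Consider appending `|| logger -t acmeclient "example.com renewal failed, see /var/log/acmeclient/example.com.log"` so the failure also reaches syslog and whatever monitors it. `&>>` is a bash-only redirection; the shebang is outside this hunk, so confirm the task is not run under `#!/bin/sh`.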
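Review bot: The threshold `864000` in the new `openssl x509 -checkend` test is a bare magic number (ten days), and the user and group are now fixed constants, so name them at the top instead of burying them: `RENEW_BEFORE_SECONDS=864000  # renew when fewer than 10 days remain`. Hardcoding `ACMEUSER="bw"` ties the script to a personal account that `sudo -u "$ACMEUSER"` later uses to run the ACME client, whose account-key path (visible in the sign-cert.py context lines) is also under that user's home; a dedicated service user with its own data directory limits what either side exposes if compromised. When `$CERTS_DIR/public.crt` does not exist yet, `openssl x509` prints an error to stderr before the script falls through to issuance, which lands in the cron log on every first run; a `[ -e "$CERTS_DIR/public.crt" ] &&` guard in the condition keeps the log clean. `certifiate` in the new message is a typo.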
@@ -35,17 +44,25 @@ openssl req -newkey rsa:4096 -sha512 -nodes \
 sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$PREFIX.crt"
 echo "compare modulus"
-MUDULUS_CRT=`openssl x509 -noout -modulus -in "$PREFIX.csr"`
-MUDULUS_KEY=`openssl rsa -noout -modulus -in "$PREFIX.key"`
-if [ "$MODULUS_CRT" != "$MUDULUS_KEY" ]; then
+MODULUS_CRT=`openssl x509 -noout -modulus -in "$PREFIX.crt"`
+MODULUS_KEY=`openssl rsa -noout -modulus -in "$PREFIX.key"`
+if [ "$MODULUS_CRT" != "$MODULUS_KEY" ]; then
 echo "ERROR: modulus of certificate do not matches modulus of key"
 exit 1
 fi
 echo "ok"
+echo "verify certificate"
+openssl verify -CAfile "$PREFIX.crt" "$PREFIX.crt"
+
+echo "update symlinks"
+chown :$WWWGROUP "$PREFIX.key"
+chmod g+r "$PREFIX.key"
 cd "$CERTS_DIR"
-ln -fs "$PREFIX.key" "private.key"
-ln -fs "$PREFIX.key" "public.crt"
+ln -fs "$NAME.key" "private.key"
+ln -fs "$NAME.crt" "public.crt"
+
+service nginx reload
 echo " -------------------------------------------- "
 echo " done $PREFIX "
diff --git a/sign-cert.py b/sign-cert.py
index c9dc8ca..afe5772 100755
--- a/sign-cert.py
+++ b/sign-cert.py
@@ -12,6 +12,7 @@ from jwcrypto.common import base64url_encode
 api_url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
+#api_url = 'https://acme-v02.api.letsencrypt.org/directory'
 api_client_key_file = '/home/bw/work/dev/acmeclient-data/api-client-key.json'
 answers_prefix = '/var/www/html/.well-known/acme-challenge/'
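Review bot: `chown :$WWWGROUP "$PREFIX.key"` followed by `chmod g+r` gives every process running as www-data read access to the private key, which nginx does not need when its master process starts as root and loads certificates before forking workers; if group read is genuinely required, set the mode absolutely with `chmod 640 "$PREFIX.key"` so a permissive umask at key generation cannot leave the file world-readable, and quote `"$WWWGROUP"`. `openssl verify -CAfile "$PREFIX.crt" "$PREFIX.crt"` checks the certificate against itself, so it proves nothing about whether it chains to a trusted root — depending on the OpenSSL version it either passes trivially or fails with an issuer error; verify against the system trust store (or the intermediate returned with the certificate) instead, keeping it before the symlink switch so `set -e` still aborts on failure. Superseded keys remain in `$CERTS_DIR` with the same group-read bit after each renewal; consider tightening or pruning them.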
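Review bot: Recording the production directory as a commented-out line next to the staging `api_url` makes environment selection a manual source edit, and as committed the staging endpoint is active, so certificates issued through this path are not publicly trusted; if this is what the cron task runs, clients will reject them after the symlink switch and nginx reload. Select the endpoint explicitly, e.g. `api_url = os.environ.get('ACME_DIRECTORY_URL', 'https://acme-staging-v02.api.letsencrypt.org/directory')` (with `import os`), so staging stays the safe default and production is a deliberate, visible choice. The `api_client_key_file` context line keeps the ACME account key under a developer home directory; that is outside this change, but a dedicated service user and data directory would be the right home for it.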