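#!/bin/sh
#
# Manage the Let's Encrypt certificates for ${SUTTY} and the sites it hosts.
#
# Usage: $0 [renew|bootstrap]
#   renew      renew every certificate certbot already manages
#   bootstrap  obtain the certificates for ${SUTTY} and api.${SUTTY} and
#              point the "default" certificate at ${SUTTY}
#   (default)  fetch the site list from the API and obtain any missing
#              certificate (plus its www. variant), then fix permissions
#
# Required environment:
#   SUTTY                base domain (bootstrap and default mode)
#   HTTP_BASIC_USER      API credentials (default mode)
#   HTTP_BASIC_PASSWORD
# Optional:
#   HEADERS_FILE         where the API response headers are cached between
#                        runs so the ETag can be replayed (default
#                        /tmp/headers, see the note in the default branch)
set -e

readonly live_dir=/etc/letsencrypt/live
readonly webroot=/var/lib/letsencrypt

#######################################
# Obtain a certificate for one domain via the webroot challenge, unless a
# live directory for it already exists.
# Globals:   SUTTY (read), live_dir, webroot
# Arguments: $1 - domain name
# Returns:   0 when the certificate exists or was obtained; certbot's
#            status otherwise (which aborts the script under set -e)
#######################################
obtain_cert() {
  domain=$1
  # Skip domains that already have a certificate; renewal is certbot's job.
  if [ -d "${live_dir}/${domain}" ]; then
    return 0
  fi
  # The webserver must serve ${webroot} so the ACME server can fetch the
  # challenge files.  stdin comes from /dev/null so certbot cannot swallow
  # the site list when this runs inside the read loop below.
  /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
    --webroot \
    --agree-tos \
    --webroot-path "${webroot}" \
    -d "${domain}" </dev/null
}

case "${1:-}" in
  # Renew certificates, trust in certbot's algorithms
  renew)
    /usr/bin/certbot renew --quiet --agree-tos
    ;;
  bootstrap)
    : "${SUTTY:?SUTTY must be set}"
    # Domains that already have a certificate are skipped inside
    # obtain_cert, so a partial bootstrap can simply be re-run (the
    # previous version stopped at the first existing domain).
    for site in "${SUTTY}" "api.${SUTTY}"; do
      obtain_cert "${site}"
    done
    # "default" links to the base domain's certificate.  Guard the link so
    # a re-run does not fail under set -e; -L also covers a dangling link.
    if [ ! -e "${live_dir}/default" ] && [ ! -L "${live_dir}/default" ]; then
      ln -s "${SUTTY}" "${live_dir}/default"
    fi
    ;;
  # Generate certificates
  *)
    : "${SUTTY:?SUTTY must be set}"
    : "${HTTP_BASIC_USER:?HTTP_BASIC_USER must be set}"
    : "${HTTP_BASIC_PASSWORD:?HTTP_BASIC_PASSWORD must be set}"
    # Response headers of the last run are kept so the ETag can be sent
    # back and nothing happens when the list did not change.
    # NOTE(review): /tmp/headers is a predictable name in a shared
    # directory, and the redirection below follows symlinks; point
    # HEADERS_FILE at a directory only this user can write to.
    headers=${HEADERS_FILE:-/tmp/headers}
    # Header names are case-insensitive (ETag vs Etag), so match them
    # case-insensitively; -f 2- keeps a ':' inside the tag value and
    # tail keeps only the last header when a redirect chain was logged.
    etag=
    if [ -f "${headers}" ]; then
      etag="$(grep -i '^  etag: ' "${headers}" | cut -d : -f 2- | tail -n 1)"
    fi
    # Get the site list from the API and walk it.  Headers (-S) go to
    # ${headers} for the next run.
    # NOTE(review): --password puts the secret on the command line, where
    # every local user can read it via ps / /proc; a wgetrc or netrc file
    # with mode 0600 avoids that.
    wget --user="${HTTP_BASIC_USER}" --password="${HTTP_BASIC_PASSWORD}" \
      --header="If-None-Match:${etag}" -qSO - \
      "https://api.${SUTTY}/v1/sites.json" \
      2>"${headers}" \
      | jq --raw-output '.[]' \
      | while IFS= read -r name; do
        # Names come from the API and are treated as data: they are never
        # word-split, and blanks are skipped (a blank would otherwise turn
        # into a request for "www.").
        [ -n "${name}" ] || continue
        # A trailing dot marks a fully qualified name (drop the dot);
        # anything else is a subdomain of ${SUTTY}.
        case "${name}" in
          *.) domain=${name%.} ;;
          *)  domain="${name}.${SUTTY}" ;;
        esac
        # Generate a certificate for www also
        for d in "${domain}" "www.${domain}"; do
          obtain_cert "${d}"
        done
      done
    # Fix permissions: directories group-traversable with setgid so new
    # entries inherit the group, files group-readable; users in group ssl
    # have read access.  -exec ... + handles paths with whitespace, unlike
    # piping find into xargs.
    find /etc/letsencrypt -type d -exec chmod 2750 {} +
    find /etc/letsencrypt -type f -exec chmod 640 {} +
    chgrp -R ssl /etc/letsencrypt
    ;;
esac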