#!/bin/bash
# A script to renew certificates with certbot and send a chat message with the result
# Example usage, expected within crontab:
# 0 18 * * SUN /root/renewCerts.sh
# Requirements:
# certbot (installed on the host, not in a container),
# nginx already configured to point to letsencrypt certificates, and
# Environment variables in /home/deploy/.env:
# - REVERSE_PROXY_CONTAINER_GROUP
# - WEB_SERVER_HOSTNAME
# - ZULIP_BASE_URL
# - ZULIP_BOT_EMAIL_ADDRESS
# - ZULIP_BOT_API_KEY
# - ZULIP_STREAM
# - ZULIP_TOPIC
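set -eo pipefail
# Fail fast with a diagnostic on stderr (cron mails it) when a prerequisite is missing.
# Nothing below this point can reach chat yet, so stderr is the only channel available.
command -v certbot >/dev/null 2>&1 \
  || { printf 'renewCerts: certbot not found in PATH\n' >&2; exit 1; }
test -r /home/deploy/.env \
  || { printf 'renewCerts: cannot read /home/deploy/.env\n' >&2; exit 1; }
# Instead of sourcing /home/deploy/.env verbatim, source only strictly formed and used env vars.
# Only lines of the form KEY=value whose value is drawn from the character class below are
# sourced; any other line in the file (other keys, values with spaces or characters outside the
# class) is not evaluated by this shell. A value that fails the allowlist is simply absent and
# is reported by the loop that follows.
# shellcheck source=.env.example
. <(grep -E '^(WEB_SERVER_HOSTNAME|REVERSE_PROXY_CONTAINER_GROUP|ZULIP_BASE_URL|ZULIP_BOT_EMAIL_ADDRESS|ZULIP_BOT_API_KEY|ZULIP_STREAM|ZULIP_TOPIC)=[a-zA-Z0-9"\/\:\.\@\_\-]+$' /home/deploy/.env)
for required_var in WEB_SERVER_HOSTNAME REVERSE_PROXY_CONTAINER_GROUP ZULIP_BASE_URL \
  ZULIP_BOT_EMAIL_ADDRESS ZULIP_BOT_API_KEY ZULIP_STREAM ZULIP_TOPIC; do
  # ${!required_var} reads the variable whose name is in $required_var.
  if [[ -z "${!required_var}" ]]; then
    printf 'renewCerts: %s is missing or malformed in /home/deploy/.env\n' "$required_var" >&2
    exit 1
  fi
done
set +eo pipefail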
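fin() {
  # Report the result to chat and exit.
  # Arguments: $1 - optional error description; when non-empty the run is reported as failed.
  # Outputs:   curl's response on stdout; a stderr line if the chat post itself fails.
  # Returns:   never returns; exits 0 on success, 1 when $1 is non-empty.
  local error_message=$1
  local exit_code=0
  local message="✅ Certificate renewals (or checks) for https://${WEB_SERVER_HOSTNAME} succeeded."
  if [[ -n "$error_message" ]]; then
    exit_code=1
    message="❌ Certificate renewals (or checks) for https://${WEB_SERVER_HOSTNAME} FAILED: ${error_message}"
  fi
  # The bot credentials are handed to curl as a config file on stdin (-K -) rather than with
  # -u on argv, so the API key is not visible in `ps` output or `set -x` traces while the
  # request is in flight. -f makes an HTTP error status a non-zero exit, -sS keeps error
  # output but drops the progress meter, and --max-time stops a hung chat server from
  # stalling the cron job indefinitely.
  # NOTE(review): the curl config line below is double-quoted; the .env allowlist permits a
  # literal '"' in values, which would break this line — confirm the bot email and key contain none.
  if ! curl -fsS --max-time 30 -K - -X POST "${ZULIP_BASE_URL}/api/v1/messages" \
      --data-urlencode type=stream \
      --data-urlencode "to=${ZULIP_STREAM}" \
      --data-urlencode "topic=${ZULIP_TOPIC}" \
      --data-urlencode "content=${message}" \
      <<<"user = \"${ZULIP_BOT_EMAIL_ADDRESS}:${ZULIP_BOT_API_KEY}\""; then
    # The result still needs to reach someone when chat is unavailable: cron mails stderr.
    printf 'renewCerts: failed to post result to chat: %s\n' "$message" >&2
  fi
  exit "$exit_code"
}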
# Renew (or just check) the certificate non-interactively. On failure, send the tail of the
# certbot log to chat and exit.
if ! certbot certonly -n --domain="$WEB_SERVER_HOSTNAME" --standalone --keep-until-expiring; then
  fin "$(tail -n 10 /var/log/letsencrypt/letsencrypt.log)"
fi
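# Make sure the reverse proxy group can read the cert and key files and traverse the
# directories that hold them. Capital X sets the execute bit only on directories (and files
# that are already executable), so the private keys under archive/ become group-readable
# without also being marked executable.
chgrp -R "$REVERSE_PROXY_CONTAINER_GROUP" /etc/letsencrypt/{live,archive} \
  || fin "Failed to chgrp /etc/letsencrypt/{live,archive} to $REVERSE_PROXY_CONTAINER_GROUP"
chmod -R g+rX /etc/letsencrypt/{live,archive} \
  || fin "Failed to add group read and execute permissions to /etc/letsencrypt/{live,archive}"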
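# For unknown reasons, sending the reload signal to the nginx process inside the
# container fails to have nginx pick up new certificates. Instead, do a full
# container restart. See issue
# https://github.com/PhilanthropyDataCommons/deploy/issues/90. This can likely
# break active connections but shouldn't lose sessions.
readonly reverse_proxy_container=deploy_reverse-proxy_1
docker restart "$reverse_proxy_container" \
  || fin "Failed to restart the reverse proxy container"
# Ask the daemon about this exact container rather than counting `docker ps | grep` lines,
# which would also match any other container or image whose name contains "reverse-proxy".
[[ "$(docker inspect -f '{{.State.Running}}' "$reverse_proxy_container" 2>/dev/null)" == "true" ]] \
  || fin "The reverse-proxy container is no longer running"
fin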