#!/bin/bash
# Copyright (c) 2017 Antonia Stevens [email protected]
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
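# Set strict mode: abort on errors, unset variables and failed pipeline stages
set -euo pipefail
# Version (constant)
readonly version='0.0.2'
# Exit if not being run as root; the diagnostic goes to stderr so it is not
# mistaken for script output when run from cron
if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  printf '%s\n' "This script needs superuser privileges, suggest running it as root" >&2
  exit 1
fi
# Start Unix time; later used to detect certificate files written by this run
start_time_epoch="$(date +%s)"
# If there is no TTY on stdout then it's not interactive
if ! [[ -t 1 ]]; then
  interactive=false
fi
# Default is interactive mode unless already set (e.g. exported by the caller)
interactive="${interactive:-true}"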
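# Safely loads a config file.
# Reads "name = value" lines from the file named by the first parameter and
# exports those whose name exactly matches one of the remaining parameters
# (the allow-list); every other line is ignored. A line is treated as a
# setting only when its first '=' is not preceded by a '#', so comments and
# INI section headers such as "[global]" in /etc/ipa/default.conf are skipped.
# Each parameter that is loaded is reported on stdout.
# Arguments: $1 - path to the config file
#            $2.. - parameter names that may be exported
# Returns:   0 on success; non-zero if the file cannot be read
function load_config()
{
  local config_file="${1}"
  shift
  local line setting_name setting_value allowed

  # Warn if the file is world-writable: every value loaded from it could then
  # have been planted by any local user. -maxdepth 0 / -perm -o+w work with
  # both GNU and BSD find.
  if [[ -n "$(find "${config_file}" -maxdepth 0 -perm -o+w 2>/dev/null)" ]]; then
    printf 'Warning: config file %s is world-writable\n' "${config_file}" >&2
  fi

  # IFS= and -r keep leading whitespace and backslashes in the raw line; the
  # trailing test still processes a last line without a newline
  while IFS= read -r line || [[ -n "${line}" ]]; do
    # Only "name=value" lines with no '#' before the first '=' are settings
    [[ "${line}" =~ ^[^#]*= ]] || continue
    setting_name="${line%%=*}"
    setting_value="${line#*=}"
    # Trim surrounding whitespace with parameter expansion instead of
    # spawning awk/cut/sed per line
    setting_name="${setting_name#"${setting_name%%[![:space:]]*}"}"
    setting_name="${setting_name%"${setting_name##*[![:space:]]}"}"
    setting_value="${setting_value#"${setting_value%%[![:space:]]*}"}"
    setting_value="${setting_value%"${setting_value##*[![:space:]]}"}"
    # Exact match against the allow-list; a substring match would let a key
    # such as "re" be exported when only "realm" is allowed
    for allowed in "${@}"; do
      if [[ "${setting_name}" == "${allowed}" ]]; then
        # Only a valid shell identifier may be exported
        if [[ "${setting_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
          export "${setting_name}=${setting_value}"
          echo "Loaded config parameter ${setting_name} with value of '${setting_value}'"
        else
          printf 'Ignoring config parameter with invalid name: %s\n' "${setting_name}" >&2
        fi
        break
      fi
    done
  done < "${config_file}"
}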
# This script will automatically fetch/renew your LetsEncrypt certificate for all
# defined principals. Before running this script you should run the accompanying
# register script. This script should be scheduled to run from crontab or similar
# as a superuser (root).
# The email address will always default to the hostmaster in the SOA record
# for the first/shortest principal in IPA, this can be overwritten using the
# email environment variable, for example:
# email="[email protected]" ./renew.sh
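load_config '/etc/ipa/default.conf' realm
host="$(hostname)"
# Get kerberos ticket to modify DNS entries
kinit -k -t /etc/lets-encrypt.keytab "lets-encrypt/${host}"
# Collect every host/ principal of this host with the realm suffix stripped.
# Kept as a command substitution so a failing ipa/grep stage aborts under
# set -e / pipefail, as before.
principals="$(ipa host-show "${host}" --raw | grep krbprincipalname | grep 'host/' | sed 's.krbprincipalname: host/..' | sed "s/@${realm}//g" | sort -r)"
# Build certbot's "-d name" pairs as an array so each name stays one word
domain_args=()
while IFS= read -r principal; do
  if [[ -n "${principal}" ]]; then
    domain_args+=(-d "${principal}")
  fi
done <<<"${principals}"
if (( ${#domain_args[@]} == 0 )); then
  printf 'No host/ principals found for %s in realm %s\n' "${host}" "${realm}" >&2
  exit 1
fi
# Zone used for the SOA lookup: the last two labels of the hostname. This
# assumes a two-label registrable domain; multi-label suffixes (e.g. co.uk)
# would need the zone configured explicitly.
dns_domain_name="$(awk -F. '{OFS="."; print $(NF-1), $NF; }' <<<"${host}")"
# Ask for the full-format answer section only. The grep keys on the zone name
# at line start and awk takes field 6, the RNAME, of
#   zone. TTL IN SOA mname rname serial ...
# so +short output (which starts with mname) must not be used here.
soa_record="$(dig +noall +answer SOA "${dns_domain_name}" | grep "^${dns_domain_name}\." | grep 'SOA' | awk '{print $6}')"
# RNAME encodes the mailbox with its first dot standing for '@'
hostmaster="${soa_record/\./@}"
email="${email:-${hostmaster%\.}}"
letsencrypt_live_dir="/etc/letsencrypt/live"
# Apply for a new cert using CertBot with DNS verification. The auth hook is
# deliberately single-quoted: CERTBOT_DOMAIN/CERTBOT_VALIDATION are expanded
# by certbot when it runs the hook, not here. The hook assumes the DNS zone is
# the domain with its first label removed.
certbot certonly --manual \
  --preferred-challenges dns \
  --manual-public-ip-logging-ok \
  --manual-auth-hook 'ipa dnsrecord-mod ${CERTBOT_DOMAIN#*.}. _acme-challenge.${CERTBOT_DOMAIN}. --txt-rec=${CERTBOT_VALIDATION}' \
  "${domain_args[@]}" \
  --agree-tos \
  --email "${email}" \
  --expand \
  -n
# Look for key material newer than the script's start time only now: files
# written by this run can only be found once certbot has finished.
letsencrypt_pem_dir="$(find -L "${letsencrypt_live_dir}" -newermt "@${start_time_epoch}" -type f -name 'privkey.pem' -exec dirname {} \;)"
# If the certificate has been updated since start of this script
if [[ -n "${letsencrypt_pem_dir}" ]]; then
  # Install the new Key/Cert, root does not need passwords like mere mortals
  echo '' | ipa-server-certinstall -w -d "${letsencrypt_pem_dir}/fullchain.pem" "${letsencrypt_pem_dir}/privkey.pem" --dirman-password='' --pin=''
  # Restart Web and Directory Servers
  systemctl restart httpd.service
  systemctl restart "dirsrv@${realm//./-}.service"
fi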