
RuWeb.net Ispmanager4 certbot scripts

Created by Andrey Chesnakov last modified Evgenii Subbotin
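#!/bin/sh
# certbot deploy hook for Ispmanager 4 (RuWeb.net).
# Put this executable into /usr/local/etc/letsencrypt/renewal-hooks/deploy/ directory
#
# certbot runs deploy hooks after a successful renewal with RENEWED_DOMAINS
# (a space-separated list of the renewed names) in the environment.  For every
# name that Ispmanager knows as a www-domain, the freshly issued key, cert and
# chain are copied over the <domain>_le.* files of that domain's owner (a "~"
# backup of each is kept) and httpd is asked to reload.
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin
mgrctl=/usr/local/ispmgr/sbin/mgrctl

# replace_pem SRC DST: back DST up to DST~ (mode/owner preserved by cp -p) and
# overwrite DST in place with the contents of SRC, so DST keeps its existing
# owner and mode.  DST may live in a directory writable by the site owner while
# this hook runs as root, so a symlink is refused instead of being followed.
replace_pem() {
    src=$1
    dst=$2
    if [ -L "$dst" ]; then
        echo "$0: refusing to write through symlink $dst" >&2
        return 1
    fi
    cp -p "$dst" "$dst~" && cat "$src" >"$dst"
}

# Word-splitting on $RENEWED_DOMAINS is intended: certbot passes a
# space-separated list.
for domain in $RENEWED_DOMAINS; do
    owner=$($mgrctl -m ispmgr wwwdomain.edit elid="$domain" | grep ^owner= | cut -f2 -d=)
    # Names Ispmanager does not know as a www-domain yield no owner; skip them.
    [ -n "$owner" ] || continue
    livedir="/usr/local/etc/letsencrypt/live/$domain"
    # Per-user certificates live under /home/httpd-cert/<owner> when that
    # directory exists, otherwise under the user's own data/etc.
    if [ -e "/home/httpd-cert/$owner/" ]; then
        certdir="/home/httpd-cert/$owner"
    else
        certdir="/home/$owner/data/etc"
    fi
    # Only domains whose <domain>_le key and cert are already present
    # (i.e. installed through Ispmanager by the companion script) are touched.
    [ -e "$certdir/${domain}_le.key" ] && [ -e "$certdir/${domain}_le.crt" ] || continue
    for kind in key crt bundle; do
        case $kind in
            key)    pem=privkey.pem ;;
            crt)    pem=cert.pem ;;
            bundle) pem=chain.pem ;;
        esac
        # First the owner's copy, then the copy under /home/httpd-cert; if the
        # owner's copy is missing the second one is skipped as well.
        for file in "$certdir/${domain}_le.$kind" "/home/httpd-cert/${domain}.$kind"; do
            [ -e "$file" ] || break
            replace_pem "$livedir/$pem" "$file"
        done
    done
done
# SIGUSR1 is Apache's graceful restart: workers pick up the new certificates.
killall -USR1 httpd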
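#!/bin/sh
# Issue a Let's Encrypt certificate for an Ispmanager 4 www-domain and install
# it through mgrctl (RuWeb.net).  Must run as root on the Ispmanager host.
#
# Usage: $0 <domain> [method]
#   method  "wildcard" - DNS-01 through certbot-dns-ispmgr4, covers *.domain
#           "dns"      - DNS-01 through RFC 2136 against the local BIND
#           (default)  - HTTP-01 through the apache webroot
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin
if [ -z "$1" ]; then
    # $0 is passed as a %s argument rather than spliced into the format string,
    # so characters in the script path cannot act as printf directives.
    printf 'usage: %s <domain> [method]\nexample: %s mysite.com wildcard\n' "$0" "$0" >&2
    exit 1
fi
domain=$1
method=$2

mgrctl=/usr/local/ispmgr/sbin/mgrctl
# wwwdomain.edit prints the domain's settings as key=value lines; the owner
# line is what tells us the domain exists in Ispmanager.
wwwdomain=$($mgrctl -m ispmgr wwwdomain.edit elid="$domain")
owner=$(echo "$wwwdomain" | grep ^owner= | cut -f2 -d=)
if [ -z "$owner" ]; then
    echo "domain \"$domain\" not found" >&2
    exit 1
fi
# Take the canonical name from Ispmanager and convert IDNs to their ASCII
# (punycode) form, which is what certbot and DNS work with.
domain=$(echo "$wwwdomain" | grep ^domain= | cut -f2 -d=)
domain=$(idn "$domain") || exit 1
aliases=$(echo "$wwwdomain" | grep ^alias= | cut -f2 -d=)
# idn with no arguments reads names from stdin (and hangs on a terminal), so it
# is only called when there are aliases.  Word-splitting on $aliases is
# intended: it is a space-separated list.
[ -n "$aliases" ] && aliases=$(idn $aliases)
domains=$domain
star=
for alias in $aliases; do
    # A "*.domain" alias cannot go into the SAN list of a webroot-validated
    # certificate; remember it and decide below.
    [ "$alias" = "*.$domain" ] && star=1 && continue
    # Aliases that do not resolve are left out: certbot could not validate them
    # and the whole request would fail.
    host "$alias" >/dev/null || continue
    domains="$domains,$alias"
done
# The wildcard is only requested when no other alias was added; the wildcard
# path below always asks for exactly "$domain,*.$domain".
if [ "$domains" = "$domain" ] && [ "$star" = "1" ]; then
    domains="$domains,*.$domain"
    method="wildcard"
fi

echo "Debug: domain=$domain domains=$domains"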

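if [ "$method" = "wildcard" ]; then
# Obtaining certificate with DNS validation using mgrctl
    # certbot-dns-ispmgr4 supplies manual auth/cleanup hooks that manage the
    # _acme-challenge records through mgrctl.
    if [ ! -e /root/certbot-dns-ispmgr4/ ]; then
        echo "Please extract https://github.com/ClayRabbit/certbot-dns-ispmgr4/archive/master.zip into /root/certbot-dns-ispmgr4/" >&2
        exit 1
    fi
    certbot-2.7 certonly --agree-tos --manual --manual-public-ip-logging-ok --manual-auth-hook "sh /root/certbot-dns-ispmgr4/authenticator.sh" \
        --manual-cleanup-hook "sh /root/certbot-dns-ispmgr4/cleanup.sh" --preferred-challenges dns-01 -d "$domain,*.$domain" || exit $?
elif [ "$method" = "dns" ]; then #not recommended
# Obtaining certificate with DNS (BIND) validation
    # The rfc2136 plugin needs a TSIG key: generate one into named.conf on first
    # use and cache it in the credentials file certbot reads.
    if [ ! -s /root/.certbot-credentials ]; then
        if ! grep -q '^key "certbot" {.*' /etc/namedb/named.conf; then
            secret=$(ddns-confgen -k certbot -a hmac-sha256 -q)
            if [ -z "$secret" ]; then
                echo "secret not generated" >&2
                exit 1
            fi
            # Deliberately unquoted: ddns-confgen prints the key clause over
            # several lines and word-splitting collapses it onto the single line
            # that the '^key "certbot" {.*' greps above and below rely on.
            # shellcheck disable=SC2086
            echo $secret >> /etc/namedb/named.conf && service named restart
        fi
        secret=$(grep -o '^key "certbot" {.*' /etc/namedb/named.conf | cut -f 4 -d '"')
        if [ -z "$secret" ]; then
            echo "secret not found" >&2
            exit 1
        fi
        # Give the file mode 600 *before* the secret is written into it.
        # Redirecting first and chmod-ing afterwards leaves a window in which
        # the TSIG secret is readable by other local users under a permissive
        # umask; chmod also fixes up a pre-existing empty file.
        ( umask 077 && : >/root/.certbot-credentials ) && chmod -vv 600 /root/.certbot-credentials || exit 1
        cat  <<EOF > /root/.certbot-credentials
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_secret = $secret
dns_rfc2136_algorithm = HMAC-SHA256
EOF
    fi
    #chown -vv :bind /etc/namedb/master/ && chmod -vv 775 /etc/namedb/master/
    certbot-2.7 certonly --agree-tos --dns-rfc2136 --dns-rfc2136-propagation-seconds 60 --dns-rfc2136-credentials /root/.certbot-credentials -d "$domains" || exit $?
else
# Obtaining certificate with HTTP validation through the apache webroot
    # Reuse an existing acme-challenge Alias from the apache config (cut -w is
    # FreeBSD's whitespace-delimiter option); otherwise add one pointing at the
    # default docroot and reload httpd so it takes effect.
    docroot=$(grep -rh "^Alias /.well-known/acme-challenge/" /usr/local/etc/apache22/ | head -1 | cut -w -f3)
    if [ -n "$docroot" ]; then
        docroot=${docroot%.well-known/acme-challenge/}
    else
        echo "Alias /.well-known/acme-challenge/ /usr/local/www/apache22/data/.well-known/acme-challenge/" > /usr/local/etc/apache22/Includes/letsencrypt.conf
        killall -HUP httpd
        docroot=/usr/local/www/apache22/data/
    fi
    certbot-2.7 certonly --agree-tos --webroot -w "$docroot" -d "$domains" || exit $?
fi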

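# Installing certificate with Ispmanager
livedir="/usr/local/etc/letsencrypt/live/$domain"
# certbot returned success above, but never hand mgrctl empty key/cert data.
for pem in privkey.pem cert.pem chain.pem; do
    if [ ! -s "$livedir/$pem" ]; then
        echo "$livedir/$pem is missing or empty; nothing to install" >&2
        exit 1
    fi
done
# Depending on the Ispmanager build the certificate list is either
# "certificate" (add with certificate.edit) or "cert" (add with cert.create);
# probe with the first and fall back when it answers "Invalid action".
func_list=certificate
func_add=certificate.edit
if $mgrctl -m ispmgr "$func_list" su="$owner" | grep -q 'Invalid action certificate'; then
    func_list=cert
    func_add=cert.create
fi
if $mgrctl -m ispmgr "$func_list" su="$owner" | grep -q "^name=${domain}_le"; then
    echo "Certificate ${domain}_le already exist. Skipping."
else
    keydata=$(cat "$livedir/privkey.pem")
    crtdata=$(cat "$livedir/cert.pem")
    bdldata=$(cat "$livedir/chain.pem")
    echo "Adding ${domain}_le certificate..."
    # NOTE(review): the private key is passed to mgrctl on its command line and
    # is therefore visible to other local users via ps while the call runs;
    # check whether this mgrctl build can take parameters on stdin instead.
    result=$($mgrctl -m ispmgr "$func_add" su="$owner" ctype=ready key="${domain}_le" name="$domain" keydata="$keydata" crtdata="$crtdata" bdldata="$bdldata" sok=yes)
    if [ "$result" != "OK" ]; then
        echo "mgrctl error: $result" >&2
        exit 1
    fi
    echo "OK"
    # Activation is only attempted when SSL is switched on for the www-domain
    # (ssl=on in the wwwdomain.edit output read at the top of the script).
    if echo "$wwwdomain" | grep -q ^ssl=on; then
        echo "Activating ${domain}_le certificate..."
        $mgrctl -m ispmgr certificate.setup su="$owner" elid="${domain}_le" && killall -USR1 httpd
    else
        echo "SSL for $domain is not enabled! Certificate added but not activated"
    fi
fi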

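# Adding cronjob for certificates renewal
# Nothing to do when FreeBSD periodic already runs certbot
# (weekly_certbot_enable) or /etc/crontab already has a renew entry.
if ! grep -qs '^weekly_certbot_enable="*YES' /etc/periodic.conf && ! grep -q 'certbot-2.7 renew' /etc/crontab; then
    certbot=$(command -v certbot-2.7)
    if [ -z "$certbot" ]; then
        echo "can't find certbot-2.7 in PATH" >&2
        exit 1
    fi
    # certbot-2.7 is a python script; its interpreter (taken from the shebang)
    # runs the random sleep that jitters the renewal by up to an hour.
    python=$(head -1 "$certbot" | grep -o '/.*/python[0-9]*')
    if [ -z "$python" ]; then
        echo "can't determine python exe for cron" >&2
        exit 1
    fi
    # $certbot is already the full path of certbot-2.7.  The previous
    # "$certbot-2.7 renew" expanded to ".../certbot-2.7-2.7 renew", a command
    # that does not exist and that the grep above never matched, so the entry
    # was appended again on every run.
    echo "0 0 */2 * * root $python -c 'import random; import time; time.sleep(random.random() * 3600)'; $certbot renew" \
        >>/etc/crontab
fi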

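# Installing hook script
# NOTE(review): the hook is fetched at install time and later executed by
# certbot as root; shipping a vetted copy with this script would avoid
# depending on the snippet's contents at download time.
hook_url='https://bitbucket.org/!api/2.0/snippets/ruweb/gA8onx/master/files/isp4-certbot-deploy.sh'
file=/usr/local/etc/letsencrypt/renewal-hooks/deploy/isp4-certbot-deploy.sh
if [ ! -e "$file" ]; then
    # -f makes curl fail on HTTP errors instead of saving the error page as the
    # hook (fetch, the FreeBSD fallback, does that by default).  A failed or
    # partial download is removed so the next run retries it.
    if curl -fsS -o "$file" "$hook_url" || fetch -o "$file" "$hook_url"; then
        chmod -h 755 "$file"
    else
        echo "could not download $hook_url" >&2
        rm -f "$file"
    fi
fi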
