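#!/bin/bash
# Interactive helper around acme.sh.
#
# Asks for a folder name under ${BASE}, a space-separated list of domains
# (each optionally suffixed with ":<dns provider>" or ":<webroot path>"),
# and a reload command; then issues the certificate and installs it under
# ${BASE}/<folder> with strict permissions.
#
# Usage: ./script.sh [--buypass]
#   --buypass   use the BuyPass CA instead of Let's Encrypt.
#
# Requirements: runs as root (writes ${BASE} and ${ACME_DIR}); any DNS API
# credentials acme.sh needs must be exported from ~/.bashrc.
#
# Fixes relative to the previous version:
#   - user input is never passed through eval (arrays are used instead);
#   - the webroot test used a quoted regex that could never match "/…";
#   - a domain without ":" made `cut -f 2` return the whole entry, so the
#     dns_cf default was never applied;
#   - `$?` was read after an assignment, so the failure branch never ran;
#   - `chmod -R 600` on a directory removed its execute (traverse) bit.

# Make sure to load environment variables (DNS API credentials live there).
. ~/.bashrc

readonly ACME_DIR="/root/.acme.sh"
# The acme.sh invocation is an array so every argument stays one word.
readonly ACME=("${ACME_DIR}/acme.sh" --force)
readonly BASE="/srv/ssl"
readonly ECHO_PREFIX="[acme.sh Helper Script]"
readonly BUYPASS_SERVER="https://api.buypass.com/acme/directory"

#######################################
# Print a prefixed status line to stdout.
# Arguments: message words
#######################################
say() {
  printf '%s %s\n' "${ECHO_PREFIX}" "$*"
}

#######################################
# Print a prefixed error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s %s\n' "${ECHO_PREFIX}" "$*" >&2
  exit 1
}

# Check if we should use BuyPass instead of Let's Encrypt
# as the certificate authority for this certificate.
BUYPASS=0
for arg in "$@"; do
  case "$arg" in
    --buypass) BUYPASS=1 ;;
  esac
done

# BuyPass requires a valid email to be registered
# before we issue certificates.
if (( BUYPASS == 1 )); then
  say "'--buypass' specified - Using BuyPass CA (Go SSL)."
  CA_DIR="${ACME_DIR}/ca/api.buypass.com"
  if [[ ! -d "${CA_DIR}" ]]; then
    say "Account email for BuyPass CA (required)?"
    IFS= read -r ACCOUNT_EMAIL
    [[ -n "${ACCOUNT_EMAIL}" ]] || die "BuyPass account email is required."
    # Passed as a single argument; no shell re-parsing of the address.
    "${ACME[@]}" --server "${BUYPASS_SERVER}" --register-account \
      --accountemail "${ACCOUNT_EMAIL}" \
      || die "BuyPass account registration failed."
  fi
fi

# Create the base directory if it does not exist and make permissions
# as strict as possible: directories need the execute bit to be
# traversable, so they get 700; key/cert files get 600.
say "Creating base certificate directory: ${BASE}"
mkdir -p -- "${BASE}" || die "Cannot create ${BASE}"
chown -R root:root -- "${BASE}"
find "${BASE}" -type d -exec chmod 700 -- {} +
find "${BASE}" -type f -exec chmod 600 -- {} +

say "Name of folder containing certificates? (Will be created under ${BASE})"
IFS= read -r FOLDERNAME
# The folder must be a single path component directly under ${BASE}.
if [[ -z "${FOLDERNAME}" || "${FOLDERNAME}" == */* \
      || "${FOLDERNAME}" == . || "${FOLDERNAME}" == .. ]]; then
  die "Invalid folder name: '${FOLDERNAME}' (must be a plain name, no '/')."
fi
SSL_PATH="${BASE}/${FOLDERNAME}"
say "Creating folder if it doesn't exist: ${SSL_PATH}"
mkdir -p -- "${SSL_PATH}" || die "Cannot create ${SSL_PATH}"
chmod 700 -- "${SSL_PATH}"

say "Space-separated list of domains to generate a certificate for?"
say "You can specify a DNS provider or webroot for each domain. 
For example: some.example.com:/var/www/html other.example.com:dns_cf"
# Split the answer on spaces only, straight into an array.
IFS=' ' read -r -a DOMAINS
(( ${#DOMAINS[@]} > 0 )) || die "No domains given. Aborting."

DOMAIN_PARAMS=()   # "-d name" pairs, used by --install-cert
ACME_PARAMS=()     # "-d name <type> <provider>" triples, used by --issue
for entry in "${DOMAINS[@]}"; do
  domain_name="${entry%%:*}"
  [[ -n "${domain_name}" ]] || die "Empty domain name in '${entry}'."
  # Second ':'-separated field, or empty when there is no ':' at all.
  provider=""
  if [[ "${entry}" == *:* ]]; then
    provider="${entry#*:}"
    provider="${provider%%:*}"
  fi
  [[ -n "${provider}" ]] || provider="dns_cf"
  # Starts with a slash: we assume it's a path & webroot.
  provider_type="--dns"
  if [[ "${provider}" == /* ]]; then
    provider_type="-w"
  fi
  DOMAIN_PARAMS+=(-d "${domain_name}")
  ACME_PARAMS+=(-d "${domain_name}" "${provider_type}" "${provider}")
done

# Make sure we point to the right CA.
if (( BUYPASS == 1 )); then
  ACME_PARAMS+=(--server "${BUYPASS_SERVER}")
else
  # acme.sh now defaults new certificates to ZeroSSL; keep Let's Encrypt
  # unless BuyPass was requested.
  ACME_PARAMS+=(--server letsencrypt)
fi

say "Reload command? For example: nginx -s reload"
# Handed to acme.sh as one argument; acme.sh itself runs it via a shell on
# install and on every renewal, so it is the operator's own command.
IFS= read -r RELOADCMD

say "Requesting certificate using the chosen methods:"
# Test the command directly: reading $? after another statement would
# always see that statement's status instead.
if "${ACME[@]}" "${ACME_PARAMS[@]}" --issue; then
  say "Certificate request completed. Installing certificate with reload command."
  "${ACME[@]}" "${DOMAIN_PARAMS[@]}" \
    --key-file "${SSL_PATH}/key.pem" \
    --fullchain-file "${SSL_PATH}/fullchain.pem" \
    --cert-file "${SSL_PATH}/cert.pem" \
    --ca-file "${SSL_PATH}/chain.pem" \
    --reloadcmd "${RELOADCMD}" \
    --install-cert \
    || die "Certificate installation failed."
  # Installed files (including the private key) stay root-only.
  chmod 600 -- "${SSL_PATH}"/*.pem 2>/dev/null || true
else
  die "An error occurred during certificate request. Aborting."
fi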