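#!/bin/bash
#
# Interactive helper around acme.sh.
#
# Optionally registers a BuyPass account, then prompts for a certificate
# folder, a space-separated list of domains (each with a dns_* provider or a
# webroot) and a reload command, issues the certificate and installs it under
# /srv/ssl/<folder>.
#
# Usage: <this script> [--buypass]
#   --buypass   use BuyPass (Go SSL) instead of Let's Encrypt as the CA.
#
# dns_* provider credentials are expected to be exported from ~/.bashrc,
# which is sourced below (see acme.sh's dnsapi documentation).

# Make sure to load environment variables. Sourced before strict mode on
# purpose: a missing ~/.bashrc, or one that references unset variables, must
# not abort the script (this matches the previous behaviour).
# shellcheck source=/dev/null
. ~/.bashrc

set -euo pipefail

readonly ACME_DIR="/root/.acme.sh"
readonly BASE="/srv/ssl"
readonly ECHO_PREFIX="[acme.sh Helper Script]"
readonly BUYPASS_SERVER="https://api.buypass.com/acme/directory"
readonly DEFAULT_DNS_PROVIDER="dns_cf"

# acme.sh invocation kept as an array: every operator-supplied value (account
# email, folder name, domains, webroots, reload command) is passed as its own
# argument and never re-parsed by the shell. The previous eval-based form let
# any of those answers execute arbitrary commands as root.
readonly ACME=("${ACME_DIR}/acme.sh" --force)

# Filled by add_domain_spec; consumed by main.
declare -a DOMAIN_ARGS=()   # -d <domain> ... (for --install-cert)
declare -a ISSUE_ARGS=()    # -d <domain> -w|--dns <provider> ... (for --issue)

#######################################
# Print a prefixed status line to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '%s %s\n' "${ECHO_PREFIX}" "$*"
}

#######################################
# Print a prefixed error to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s %s\n' "${ECHO_PREFIX}" "$*" >&2
  exit 1
}

#######################################
# Ask a question and read one raw line (backslashes preserved) from stdin.
# Arguments: $1 - prompt text
#            $2 - name of the variable to fill
# Returns:   non-zero on EOF, which aborts the script under set -e
#######################################
ask() {
  log "$1"
  IFS= read -r "$2"
}

#######################################
# Check that a folder name is a single, non-empty path component, so the
# certificate directory can never resolve outside BASE.
# Arguments: $1 - folder name as typed by the operator
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_folder_name() {
  case "$1" in
    ''|.|..|*/*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Turn one "domain[:provider]" spec into acme.sh arguments.
# A provider starting with "/" is a webroot (-w); anything else is a dns_*
# API name (--dns). With no provider at all, DEFAULT_DNS_PROVIDER is used.
# Globals:   DOMAIN_ARGS (appended), ISSUE_ARGS (appended)
# Arguments: $1 - one spec from the operator's list
# Returns:   1 if the domain part is empty
#######################################
add_domain_spec() {
  local spec=$1 domain provider="" provider_type="--dns"

  # Split on the first ":"; a spec without ":" is just a domain name.
  domain=${spec%%:*}
  if [[ "${spec}" == *:* ]]; then
    provider=${spec#*:}
  fi
  [[ -n "${domain}" ]] || return 1

  if [[ -z "${provider}" ]]; then
    provider=${DEFAULT_DNS_PROVIDER}
  fi

  # Starts with a slash, we assume it's a path & webroot.
  if [[ "${provider}" == /* ]]; then
    provider_type="-w"
  fi

  DOMAIN_ARGS+=(-d "${domain}")
  ISSUE_ARGS+=(-d "${domain}" "${provider_type}" "${provider}")
}

#######################################
# Register a BuyPass account the first time this CA is used.
# acme.sh keeps per-CA state in ${ACME_DIR}/ca/<host>; its absence is taken
# to mean no account has been registered yet.
# Globals:   ACME, ACME_DIR, BUYPASS_SERVER (read)
#######################################
register_buypass() {
  local ca_dir="${ACME_DIR}/ca/api.buypass.com" account_email

  if [[ -d "${ca_dir}" ]]; then
    return 0
  fi

  ask "Account email for BuyPass CA (required)?" account_email
  [[ -n "${account_email}" ]] || die "BuyPass requires an account email. Aborting."

  "${ACME[@]}" --server "${BUYPASS_SERVER}" --register-account \
    --accountemail "${account_email}"
}

#######################################
# Create the base directory and restrict it to root: 700 for directories,
# 600 for files. (A recursive 600 would also strip the execute bit from
# directories, making them untraversable.)
# Globals:   BASE (read)
#######################################
prepare_base_dir() {
  log "Creating base certificate directory: ${BASE}"
  mkdir -p -- "${BASE}"
  chown -R root:root -- "${BASE}"
  chmod -R u=rwX,go= -- "${BASE}"
}

#######################################
# Entry point.
# Arguments: "$@" - optional --buypass; other arguments are ignored with a
#                   warning on stderr
#######################################
main() {
  local use_buypass=0 arg

  # Check if we should use BuyPass instead of Let's Encrypt
  # as the certificate authority for this certificate.
  for arg in "$@"; do
    case "${arg}" in
      --buypass) use_buypass=1 ;;
      *) printf '%s Ignoring unknown argument: %s\n' "${ECHO_PREFIX}" "${arg}" >&2 ;;
    esac
  done

  if (( use_buypass )); then
    log "'--buypass' specified - Using BuyPass CA (Go SSL)."
    # BuyPass requires a valid email to be registered before we issue certificates.
    register_buypass
  fi

  prepare_base_dir

  local folder ssl_path
  ask "Name of folder containing certificates? (Will be created under ${BASE})" folder
  valid_folder_name "${folder}" || die "Invalid folder name: '${folder}'. Aborting."
  ssl_path="${BASE}/${folder}"

  log "Creating folder if it doesn't exist: ${ssl_path}"
  mkdir -p -- "${ssl_path}"

  log "Space-separated list of domains to generate a certificate for?"
  log "You can specify a DNS provider or webroot for each domain. For example: some.example.com:/var/www/html other.example.com:dns_cf"
  local -a specs=()
  IFS=' ' read -r -a specs
  (( ${#specs[@]} > 0 )) || die "No domains specified. Aborting."

  # DNS handler / webroot is specified as part of each domain spec.
  local spec
  for spec in "${specs[@]}"; do
    add_domain_spec "${spec}" || die "Invalid domain specification: '${spec}'. Aborting."
  done

  # Make sure we point to the right CA. acme.sh now defaults to ZeroSSL for
  # new certs, so Let's Encrypt is forced unless BuyPass was requested.
  if (( use_buypass )); then
    ISSUE_ARGS+=(--server "${BUYPASS_SERVER}")
  else
    ISSUE_ARGS+=(--server letsencrypt)
  fi

  local reload_cmd
  ask "Reload command? For example: nginx -s reload" reload_cmd

  log "Requesting certificate using the chosen methods:"
  # The status is taken from the command itself; the old script tested $?
  # only after an intervening assignment, so its failure branch never ran.
  if ! "${ACME[@]}" "${ISSUE_ARGS[@]}" --issue; then
    die "An error occurred during certificate request. Aborting."
  fi

  log "Certificate request completed. Installing certificate with reload command."
  local -a install_args=(
    "${DOMAIN_ARGS[@]}"
    --key-file "${ssl_path}/key.pem"
    --fullchain-file "${ssl_path}/fullchain.pem"
    --cert-file "${ssl_path}/cert.pem"
    --ca-file "${ssl_path}/chain.pem"
  )
  # acme.sh stores the reload command and runs it on every renewal; it is the
  # operator's own command, so it is passed through verbatim, but only when
  # one was actually given.
  if [[ -n "${reload_cmd}" ]]; then
    install_args+=(--reloadcmd "${reload_cmd}")
  fi
  "${ACME[@]}" "${install_args[@]}" --install-cert
}

main "$@"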