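#!/bin/sh

# Renew all certs in ~/certs that match *-letsencrypt.pem.
# Probably want to run this under chronic.
#
# A certificate is renewed when it expires within the next three weeks.
# Exit status: 0 if every certificate is current or was renewed, 1 if a
# hostname could not be derived or a helper failed. A failure on one
# certificate does not stop the remaining ones from being processed.

set -e
set -u

cd ~/certs

# Renewal window in seconds (3 weeks).
expire_time=$(( 3600 * 24 * 7 * 3 ))

err=0
for i in *-letsencrypt.pem; do
    # With no matching file the shell leaves the pattern unexpanded; without
    # this guard the loop would go on to request a certificate for "*".
    # Dangling symlinks are still let through so they reach the renewal path.
    [ -e "$i" ] || [ -L "$i" ] || continue

    echo "=== $i ==="
    # A non-zero status sends us to the renewal branch. That covers a cert
    # expiring inside the window, and equally a file openssl could not read
    # or parse.
    if openssl x509 -checkend "$expire_time" -noout < "$i"; then
        echo "$i is current."
    else
        cn="${i%-letsencrypt.pem}"
        # The hostname is taken from the file name alone, so whoever can
        # create files in ~/certs decides which names get requested. Refuse
        # names that are empty or start with "-" (the helper would parse
        # those as an option) before handing them on.
        case "$cn" in
            ''|-*|"$i")
                echo >&2 "Cannot figure out hostname for $i."
                err=1
                continue
                ;;
        esac
        echo "Need to renew $cn"
        if ! request-letsencrypt "$cn"; then
            echo >&2 "Letsencrypt request for $cn failed."
            err=1
            continue
        fi
        if ! make-combined-crt "$cn"; then
            echo >&2 "make-combined-crt for $cn failed."
            err=1
            continue
        fi
    fi
    echo
done

# cron daily will run logrotate which will reload apache anyway

exit "$err"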