summaryrefslogtreecommitdiff
path: root/letsencrypt-helpers/renew-as-required
blob: 768d23f2c5fad4df862845692b7406b7d91a60de (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/bin/sh

# renew all certs in ~/certs that match *-letsencrypt.pem
# probably want to run this under chronic.

set -e
set -u

cd ~/certs
expire_time=$(( 3600 * 24 * 7 * 3 ))
err=0

for i in *-letsencrypt.pem; do
  echo "=== $i ==="
  if openssl x509 -checkend "$expire_time" -noout < "$i"; then
    echo "$i is current."
  else
    cn="${i%-letsencrypt.pem}"
    if [ "$cn" = "$i" ]; then
      echo >&2 "Cannot figure out hostname for $i."
      err=1
      continue
    fi
    echo "Need to renew $cn"
    if ! request-letsencrypt "$cn"; then
      echo >&2 "Letsencrypt request for $cn failed."
      err=1
      continue
    fi
    if ! make-combined-crt "$cn"; then
      echo >&2 "make-combined-crt for $cn failed."
      err=1
      continue
    fi
  fi
  echo
done

# cron daily will run logrotate which will reload apache anyway
exit $err