Utils for managing letsencrypt certificates and its infrastructure
- letsrenew.sh: Bash Shell script which reads the remaining validity of a x509 certificate and if lower than a given threshold prints a message info/warning or returns boolean true for further processing (=renewal).
- letslink.sh: Bash Shell script which creates a directory for each domain found in the certificates of the certs archive and creates a symlink for the latest pem file (cert, fullchain, chain, privkey). SAN certificates (aka multi-domains) are explicitly supported.
-
Clone the repo to your server. e.g
/opt/letsencrypt-utils
cd /opt git clone https://github.com/h0l0gram/letsencrypt-utils.git
Bash Shell script which reads the remaining validity of a x509 certificate and if lower than a given threshold prints a message info/warning or returns boolean true for further processing (=renewal).
- Create a cron job that runs
letsrenew.sh
at a certain interval or start from bash (see examples)
letsrenew.sh [-f <certFile>] [option]...
certfile: certificate file that shall be analyzed
Options:
-i <days>: if certificate rest validity is lower than <days> a info message is printed
-w <days>: if certificate rest validity is lower than <days> a warning message is printed
-r <days>: if certificate rest validity is lower than <days> 0 is returned 1 otherwise
letsrenew.sh -f letsrenew.com.pem -i 1000
letsrenew.sh -f letsrenew.com.pem -r 10 && <letsencrypt-update.sh>
letsrenew.sh -f letsrenew.com.pem -r 10 && /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/letsrenew.com/ -d letsrenew.com -d www.letsrenew.com --renew-by-default
Creates a directory for each domain found in the certificates of the certs archive and creates a symlink for the latest pem file (cert, fullchain, chain, privkey). SAN certificates (aka multi-domains) are explicitly supported.. Quickfix for certbot/certbot#1260
- After calling letsrenew.sh, call the letslink.sh with the required parameters. This way, the "latest" folder is always up-to-date.
- If you have a letsencrypt-update.sh add
letslink.sh /etc/letsencrypt/archive /etc/letsencrypt/latest
at the end, before reloading apache/ngix etc.
letslink.sh /etc/letsencrypt/archive /etc/letsencrypt/latest
Result:
/etc/letsencrypt/latest/domain.com/$ ls -lah
lrwxrwxrwx 1 root root 34 Dec 31 19:10 cert.pem -> /etc/letsencrypt/archive/domain.com/cert2.pem
lrwxrwxrwx 1 root root 35 Dec 31 19:10 chain.pem -> /etc/letsencrypt/archive/domain.com/chain2.pem
lrwxrwxrwx 1 root root 39 Dec 31 19:10 fullchain.pem -> /etc/letsencrypt/archive/domain.com/fullchain2.pem
lrwxrwxrwx 1 root root 37 Dec 31 19:10 privkey.pem -> /etc/letsencrypt/archive/domain.com/privkey2.pem
- Shell (bash compatible)
- OpenSSL (to read the existing certificates)
Always welcome! Just drop a comment or raise an issue on https://github.com/h0l0gram/letsencrypt-utils. Thanks