Skip to content

Utils for managing letsencrypt certificates and its infrastructure

Notifications You must be signed in to change notification settings

h0l0gram/letsencrypt-utils

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 

Repository files navigation

letsencrypt-utils

Utils for managing letsencrypt certificates and its infrastructure

  • letsrenew.sh: Bash Shell script which reads the remaining validity of a x509 certificate and if lower than a given threshold prints a message info/warning or returns boolean true for further processing (=renewal).
  • letslink.sh: Bash Shell script which creates a directory for each domain found in the certificates of the certs archive and creates a symlink for the latest pem file (cert, fullchain, chain, privkey). SAN certificates (aka multi-domains) are explicitly supported.

Install

  • Clone the repo to your server. e.g /opt/letsencrypt-utils

      cd /opt
      git clone https://github.com/h0l0gram/letsencrypt-utils.git
    

letsrenew.sh

Bash Shell script which reads the remaining validity of a x509 certificate and if lower than a given threshold prints a message info/warning or returns boolean true for further processing (=renewal).

Setup

  • Create a cron job that runs letsrenew.sh at a certain interval or start from bash (see examples)

Usage

letsrenew.sh [-f <certFile>] [option]...
  certfile: certificate file that shall be analyzed
Options:
  -i <days>: if certificate rest validity is lower than <days> a info message is printed
  -w <days>: if certificate rest validity is lower than <days> a warning message is printed
  -r <days>: if certificate rest validity is lower than <days> 0 is returned 1 otherwise

Examples

letsrenew.sh -f letsrenew.com.pem -i 1000
letsrenew.sh -f letsrenew.com.pem -r 10 && <letsencrypt-update.sh>
letsrenew.sh -f letsrenew.com.pem -r 10 && /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/letsrenew.com/ -d letsrenew.com -d www.letsrenew.com --renew-by-default

letslink.sh

Creates a directory for each domain found in the certificates of the certs archive and creates a symlink for the latest pem file (cert, fullchain, chain, privkey). SAN certificates (aka multi-domains) are explicitly supported.. Quickfix for certbot/certbot#1260

Setup

  • After calling letsrenew.sh, call the letslink.sh with the required parameters. This way, the "latest" folder is always up-to-date.
  • If you have a letsencrypt-update.sh add letslink.sh /etc/letsencrypt/archive /etc/letsencrypt/latest at the end, before reloading apache/ngix etc.

Examples

letslink.sh /etc/letsencrypt/archive /etc/letsencrypt/latest

Result:

/etc/letsencrypt/latest/domain.com/$ ls -lah
lrwxrwxrwx  1 root root       34 Dec 31 19:10 cert.pem -> /etc/letsencrypt/archive/domain.com/cert2.pem
lrwxrwxrwx  1 root root       35 Dec 31 19:10 chain.pem -> /etc/letsencrypt/archive/domain.com/chain2.pem
lrwxrwxrwx  1 root root       39 Dec 31 19:10 fullchain.pem -> /etc/letsencrypt/archive/domain.com/fullchain2.pem
lrwxrwxrwx  1 root root       37 Dec 31 19:10 privkey.pem -> /etc/letsencrypt/archive/domain.com/privkey2.pem

Requirements

  • Shell (bash compatible)
  • OpenSSL (to read the existing certificates)

Comments, Improvements, Ideas

Always welcome! Just drop a comment or raise an issue on https://github.com/h0l0gram/letsencrypt-utils. Thanks

About

Utils for managing letsencrypt certificates and its infrastructure

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages