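#!/bin/bash
#The MIT License (MIT)
#Copyright (c) 2016 Simon Blandford
#Letsencrypt and ISPConfig 3 integration script
#######################################################################################################################
#$REMOTE_USER_CONF file contains following entries...
# DEBUG="no"
# ADMINEMAIL="<email for letsencrypt registration>"
# REMOTE_USER_USERNAME="<ispconfig remote_user name>"
# REMOTE_USER_PASSWORD="<ispconfig remote user password>"
# ISPCONFIG_CONF="<path to>/config.inc.php"
#The REMOTE_USER_* values are ISPConfig remote API credentials; the file should be readable by root only.
#######################################################################################################################
# /etc/cron.d/ispconfig_letsencrypt entries: (change 18 2 to any random minute/hour of the day)
# Must run as root to be able to access letsencrypt directories
# * * * * * root /usr/local/bin/ispconfig_letsencrypt minute >/dev/null
# 18 2 * * * root /usr/local/bin/ispconfig_letsencrypt day >/dev/null
#######################################################################################################################
#How to use:
# Insert one of three keywords in ISPConfig web domain SSL form "SSL key" and "SSL Certificate" fields:
# auto: Generates a new cert from letsencrypt
# revoke: Revokes and deletes a letsencrypt cert
# refresh: Refreshes (re-establishes) ISPConfig with existing letsencrypt cert
#Do not select an SSL action, just press Save. Then wait a few minutes for the magic to happen
#######################################################################################################################
REMOTE_USER_CONF="/usr/local/etc/ispconfig_letsencrypt.conf"
LETSENCRYPT="/usr/local/bin/certbot-auto"
#Stop here if the config cannot be read: sourcing a missing file would otherwise
#leave ADMINEMAIL/ISPCONFIG_CONF/REMOTE_USER_* empty and the script would carry on.
if [ ! -r "$REMOTE_USER_CONF" ]; then
  echo "Unable to read config file: $REMOTE_USER_CONF" >&2
  exit 1
fi
# shellcheck source=/dev/null
source "$REMOTE_USER_CONF"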
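#Print a message to stdout and send the same line to syslog, tagged with $this.
# $1 - message text
#printf is used instead of echo so a message beginning with '-n'/'-e' is not
#swallowed as an option, and '--' stops logger from parsing it as an option.
logecho () {
  local msg=$1
  printf '%s\n' "$msg"
  logger -t "$this" -- "$msg"
}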
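#Extract one $conf['<name>'] value from the ISPConfig config.inc.php ($ISPCONFIG_CONF).
# $1 - config key, e.g. db_password
#'cut -f 2-' keeps everything after the first '=' so a value containing '='
#(typical for passwords) is not truncated; tr then strips the PHP quoting.
get_db_param () {
  local name=$1
  grep -E "conf\['$name'\][[:space:]]*=" "$ISPCONFIG_CONF" | cut -f 2- -d "=" | tr -d "'\"; "
}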
#Populate the global db_database, db_user and db_password from the ISPConfig config.
get_db_params () {
  local param
  for param in db_database db_user db_password; do
    printf -v "$param" '%s' "$( get_db_param "$param" )"
  done
}
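#Print one column of the web_domain row for a domain (prints nothing if no row).
# $1 - domain name, $2 - column name (a script-internal identifier)
#Reads the globals db_user, db_password, db_database set by get_db_params.
get_db_field () {
  local domain key
  domain=$1
  key=$2
  #A column name cannot be escaped like a value, so only accept a plain identifier
  if [[ ! "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    logecho "get_db_field: invalid column name '$key'" >&2
    return 1
  fi
  #Values reach PHP through the environment (getenv) instead of being pasted into the
  #PHP source, so quotes or backslashes in the password or domain cannot break the
  #string literals, and the domain is escaped before it enters the SQL statement.
  #NOTE: mysql_* is the PHP 5 API this script was written against; PHP 7+ removed it.
  DB_USER="$db_user" DB_PASSWORD="$db_password" DB_NAME="$db_database" \
    LE_DOMAIN="$domain" LE_KEY="$key" php <<'EOF'
<?php
$link = mysql_connect('localhost', getenv('DB_USER'), getenv('DB_PASSWORD'));
mysql_select_db(getenv('DB_NAME'), $link);
$key = getenv('LE_KEY');
$domain = mysql_real_escape_string(getenv('LE_DOMAIN'), $link);
echo mysql_fetch_assoc(mysql_query("select $key from web_domain where domain = '$domain'", $link))[$key];
mysql_close($link);
?>
EOF
}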
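#Print every web_domain.domain whose column $1 equals $2, one per line, with no
#trailing newline (callers split the output on whitespace).
# $1 - column name (a script-internal identifier), $2 - value to match
#Reads the globals db_user, db_password, db_database set by get_db_params.
get_db_domains () {
  local key value
  key=$1
  value=$2
  #A column name cannot be escaped like a value, so only accept a plain identifier
  if [[ ! "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    logecho "get_db_domains: invalid column name '$key'" >&2
    return 1
  fi
  #Values reach PHP through the environment (getenv) instead of being pasted into the
  #PHP source; the match value is escaped before it enters the SQL statement.
  #NOTE: mysql_* is the PHP 5 API this script was written against; PHP 7+ removed it.
  DB_USER="$db_user" DB_PASSWORD="$db_password" DB_NAME="$db_database" \
    LE_KEY="$key" LE_VALUE="$value" php <<'EOF'
<?php
$i = 0;
$link = mysql_connect('localhost', getenv('DB_USER'), getenv('DB_PASSWORD'));
mysql_select_db(getenv('DB_NAME'), $link);
$key = getenv('LE_KEY');
$value = mysql_real_escape_string(getenv('LE_VALUE'), $link);
$result = mysql_query("select domain from web_domain where $key = '$value'", $link);
while ($row = mysql_fetch_assoc($result)) {
  if ($i++ > 0) { echo "\n"; }
  echo $row['domain'];
}
mysql_close($link);
?>
EOF
}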
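#Store a cert/key pair for a domain in ISPConfig: first directly in the database
#(so the UI shows the values), then through the remote API so ISPConfig acts on them.
# $1 - domain name, $2 - PEM certificate text, $3 - PEM private key text,
# $4 - value for the ssl flag ('y' or 'n')
#Reads the globals db_user, db_password, db_database (get_db_params) and
#REMOTE_USER_USERNAME / REMOTE_USER_PASSWORD from $REMOTE_USER_CONF.
#Returns 1 if the domain has no ID or the API credentials are not configured.
set_ssl () {
  local domain cert key enabled domain_id php_code_db php_code_api
  domain=$1
  cert=$2
  key=$3
  enabled=$4
  domain_id=$( get_db_field "$domain" "domain_id" )
  if [[ ! "$domain_id" =~ ^[0-9]+$ ]]; then
    logecho "Unable to find domain ID for $domain" >&2
    return 1
  fi
  #The API credentials come from the config file; nothing is hard-coded here.
  if [[ -z "$REMOTE_USER_USERNAME" || -z "$REMOTE_USER_PASSWORD" ]]; then
    logecho "REMOTE_USER_USERNAME/REMOTE_USER_PASSWORD not set in $REMOTE_USER_CONF" >&2
    return 1
  fi
  #Both PHP snippets read their inputs from the environment (getenv), set on the
  #php invocations below, instead of having them interpolated into the PHP source.
  #PEM bodies, the DB password and the domain therefore cannot break out of a PHP
  #string literal, and every value is escaped before it enters the SQL statement.
  #In DEBUG mode the templates are printed as-is (values are not substituted).
  #NOTE: mysql_* is the PHP 5 API this script was written against; PHP 7+ removed it.
  php_code_db=$(cat <<'EOF'
<?php
$link = mysql_connect('localhost', getenv('DB_USER'), getenv('DB_PASSWORD'));
mysql_select_db(getenv('DB_NAME'), $link);
$cert = mysql_real_escape_string(getenv('SSL_CERT'), $link);
$key = mysql_real_escape_string(getenv('SSL_KEY'), $link);
$enabled = mysql_real_escape_string(getenv('SSL_ENABLED'), $link);
$domain = mysql_real_escape_string(getenv('LE_DOMAIN'), $link);
mysql_query("update web_domain set
ssl_request = '',
ssl_cert = '$cert',
ssl_bundle = '',
ssl_key = '$key',
`ssl` = '$enabled'
where domain = '$domain'", $link);
mysql_close($link);
?>
EOF
)
  php_code_api=$(cat <<'EOF'
<?php
$username = getenv('ISP_REMOTE_USER');
$password = getenv('ISP_REMOTE_PASSWORD');
$domain_id = (int) getenv('LE_DOMAIN_ID');
$soap_location = 'https://localhost:8443/remote/index.php';
$soap_uri = 'https://localhost:8443/remote/';
$client = new SoapClient(null, array('location' => $soap_location,
'uri' => $soap_uri,
'trace' => 1,
'exceptions' => 1));
try {
$session_id = $client->login($username, $password);
$client_id = 0;
$domain_record = $client->sites_web_domain_get($session_id, $domain_id);
$domain_record['ssl_request'] = '';
$domain_record['ssl_cert'] = getenv('SSL_CERT');
$domain_record['ssl_bundle'] = '';
$domain_record['ssl_key'] = getenv('SSL_KEY');
$domain_record['ssl'] = getenv('SSL_ENABLED');
$domain_record['ssl_action'] = 'save';
$client->sites_web_domain_update($session_id, $client_id, $domain_id, $domain_record);
$client->logout($session_id);
} catch (SoapFault $e) {
echo $client->__getLastResponse();
die('SOAP Error: '.$e->getMessage());
} ?>
EOF
)
  if [[ "$DEBUG" == "yes" ]]; then
    echo "$php_code_db"
    echo "$php_code_api"
  else
    #Paste in values into UI
    printf '%s' "$php_code_db" | DB_USER="$db_user" DB_PASSWORD="$db_password" DB_NAME="$db_database" \
      LE_DOMAIN="$domain" SSL_CERT="$cert" SSL_KEY="$key" SSL_ENABLED="$enabled" php
    #Actually action values via API
    printf '%s' "$php_code_api" | ISP_REMOTE_USER="$REMOTE_USER_USERNAME" ISP_REMOTE_PASSWORD="$REMOTE_USER_PASSWORD" \
      LE_DOMAIN_ID="$domain_id" SSL_CERT="$cert" SSL_KEY="$key" SSL_ENABLED="$enabled" php
  fi
}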
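#Revoke a domain's letsencrypt cert and delete its archive/live/renewal files.
# $1 - domain name
#Returns 1 without touching anything if the name is unsafe as a path component;
#otherwise local files are removed even if the revoke itself reports an error.
scrub_domain () {
  local domain=$1 revoke_output
  #An empty name would turn the rm -rf below into "rm -rf /etc/letsencrypt/live",
  #and '/' or '..' would let it leave the per-domain directories.
  if [[ -z "$domain" || "$domain" == */* || "$domain" == *..* ]]; then
    logecho "scrub_domain: refusing unsafe domain name '$domain'" >&2
    return 1
  fi
  if [[ "$DEBUG" == "yes" ]]; then
    echo "$LETSENCRYPT revoke --cert-path \"/etc/letsencrypt/live/$domain/cert.pem\" 2>&1 | logger -t \"$this\""
  else
    #Capture output first so certbot's own exit status is visible (a pipe into
    #logger would report logger's status instead).
    if ! revoke_output=$( "$LETSENCRYPT" revoke --cert-path "/etc/letsencrypt/live/$domain/cert.pem" 2>&1 ); then
      logecho "Revoke of cert for $domain reported an error; continuing with local cleanup" >&2
    fi
    printf '%s\n' "$revoke_output" | logger -t "$this"
    rm -rf "/etc/letsencrypt/archive/$domain"
    rm -rf "/etc/letsencrypt/live/$domain"
    rm -f "/etc/letsencrypt/renewal/$domain.conf"
  fi
}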
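#Reject domain values that are unsafe as a path component under /etc/letsencrypt
#(empty, or containing '/' or '..'). Returns 0 if safe, 1 otherwise.
valid_domain () {
  local domain=$1
  [[ -n "$domain" && "$domain" != */* && "$domain" != *..* ]]
}

#Push the current certbot cert/key of a domain into ISPConfig with ssl enabled.
# $1 - domain name; /etc/letsencrypt/live/<domain> must exist
deploy_live_cert () {
  local domain=$1 live_dir
  live_dir="/etc/letsencrypt/live/$domain"
  set_ssl "$domain" "$( cat "$live_dir/cert.pem" )" "$( cat "$live_dir/privkey.pem" )" "y"
}

#Print the domains whose ssl_key or ssl_cert field holds the keyword,
#one per line, de-duplicated, blank lines dropped.
# $1 - keyword (auto, revoke or refresh)
domains_with_keyword () {
  local keyword=$1
  { get_db_domains "ssl_key" "$keyword"; echo; get_db_domains "ssl_cert" "$keyword"; } \
    | sed '/^$/d' | sort -u
}

#Minute mode: act on the auto / revoke / refresh keywords entered in ISPConfig.
#Domain lists are read into arrays first so certbot/php never inherit a loop's stdin.
run_minute () {
  local domain webroot certbot_output
  local -a domains=()
  echo "Minute mode"
  #Find any auto SSL requests
  mapfile -t domains < <( domains_with_keyword "auto" )
  for domain in "${domains[@]}"; do
    if ! valid_domain "$domain"; then
      logecho "Skipping unsafe domain name '$domain'" >&2
      continue
    fi
    #Delete old domain if there is one
    if [ -d "/etc/letsencrypt/live/$domain" ]; then
      scrub_domain "$domain"
    fi
    webroot=$( get_db_field "$domain" "document_root" )
    if [[ "$DEBUG" == "yes" ]]; then
      echo "$LETSENCRYPT certonly -m \"$ADMINEMAIL\" --webroot -w \"$webroot/web\" -d \"$domain\" 2>&1 | logger -t \"$this\""
    else
      #Capture output so the test sees certbot's exit status; piping straight into
      #logger would make the 'if' test logger's status and deploy on a failed run.
      if certbot_output=$( "$LETSENCRYPT" certonly -m "$ADMINEMAIL" --webroot -w "$webroot/web" -d "$domain" 2>&1 ); then
        printf '%s\n' "$certbot_output" | logger -t "$this"
        logecho "Deploying new cert for $domain"
        deploy_live_cert "$domain"
      else
        printf '%s\n' "$certbot_output" | logger -t "$this"
        logecho "Cert deployment for $domain failed"
        set_ssl "$domain" "" "" "n"
      fi
    fi
  done
  #Find any auto SSL revokes
  mapfile -t domains < <( domains_with_keyword "revoke" )
  for domain in "${domains[@]}"; do
    if ! valid_domain "$domain"; then
      logecho "Skipping unsafe domain name '$domain'" >&2
      continue
    fi
    logecho "Revoking cert for $domain"
    if [ -d "/etc/letsencrypt/live/$domain" ]; then
      scrub_domain "$domain"
    fi
    set_ssl "$domain" "" "" "n"
  done
  #Find any auto SSL refreshes
  mapfile -t domains < <( domains_with_keyword "refresh" )
  for domain in "${domains[@]}"; do
    if ! valid_domain "$domain"; then
      logecho "Skipping unsafe domain name '$domain'" >&2
      continue
    fi
    if [ -d "/etc/letsencrypt/live/$domain" ]; then
      logecho "Refreshing cert for $domain"
      deploy_live_cert "$domain"
    else
      logecho "No cert found for $domain so clearing"
      set_ssl "$domain" "" "" "n"
    fi
  done
}

#Day mode: run certbot renew, then re-sync ISPConfig with every live cert that
#changed and scrub certs whose site directory has disappeared.
#Sets the global 'changes' when a renewal happened.
run_day () {
  local domain renew_report live_dir old_cert old_key
  #Renew any certs and report
  if [[ "$DEBUG" == "yes" ]]; then
    echo "Renewal check suppressed"
  else
    renew_report=$( "$LETSENCRYPT" renew --noninteractive 2>&1 )
    if ! grep -q "No renewals were attempted" <<<"$renew_report"; then
      printf '%s\n' "$renew_report" | logger -t "$this"
      changes=1
    fi
  fi
  #Enact any changes. The directory glob replaces parsing 'ls' and skips plain
  #files in /etc/letsencrypt/live (certbot places a README there).
  for live_dir in /etc/letsencrypt/live/*/; do
    [[ -d "$live_dir" ]] || continue   #no match leaves the pattern itself
    live_dir=${live_dir%/}
    domain=${live_dir##*/}
    #Remove domains of sites that have disappeared
    if [ ! -d "/var/www/$domain/ssl" ]; then
      logecho "$domain is removed so revoking old cert"
      scrub_domain "$domain"
      continue
    fi
    #Rewrite
    if [[ -n "$changes" ]]; then
      old_cert=$( get_db_field "$domain" "ssl_cert" )
      old_key=$( get_db_field "$domain" "ssl_key" )
      if ! printf '%s\n' "$old_cert" | cmp -s "$live_dir/cert.pem" \
        || ! printf '%s\n' "$old_key" | cmp -s "$live_dir/privkey.pem"; then
        logecho "Updating $domain with new cert"
        deploy_live_cert "$domain"
      fi
    fi
  done
}

changes=""
this=$( basename "$0" )
mode=${1:-}
if [ ! -x "$LETSENCRYPT" ]; then
  logecho "Unable to find certbot-auto command: $LETSENCRYPT" >&2
  exit 1
fi
if [ ! -f "$ISPCONFIG_CONF" ]; then
  logecho "Unable to find ISPConfig config file: $ISPCONFIG_CONF" >&2
  exit 1
fi
get_db_params
case "$mode" in
  minute) run_minute ;;
  day) run_day ;;
  *)
    logecho "Usage: $this minute|day" >&2
    exit 1
    ;;
esac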