  1. #!/bin/bash
  2.  
  3. # letsencrypt-for-pure-ftpd.sh: compares the ssl certficate/key used by pure-ftpd
  4. # with the current certificate/key issued by letsencrypt and copy the latter
  5. # to the former if they differ.
  6.  
  7. # this can be run as a cronjob to propogate letsencrypt certificate changes
  8. # to pure-ftpd
  9.  
  10. PUREFTPD_CERT=/etc/ssl/private/pure-ftpd.pem
  11. LE_DOMAIN=domain.tld
  12. LE_DIR=/etc/letsencrypt/live/${LE_DOMAIN}
  13. LE_CA=${LE_DIR}/chain.pem
  14. LE_CERT=${LE_DIR}/cert.pem
  15. LE_FULLCHAIN=${LE_DIR}/fullchain.pem
  16. LE_KEY=${LE_DIR}/privkey.pem
  17.  
  18. OPENSSL=`which openssl 2>/dev/null | head -1`
  19.  
  20. # Check if letsencrypt has been setup
  21. if [ ! -f ${LE_CA} -o ! -f ${LE_CERT} -o ! -f ${LE_FULLCHAIN} -o ! -f ${LE_KEY} ]
  22. then
  23. echo "Letsencrypt files not found. You must setup letsencrypt and issue a certificate first." 1>&2
  24. exit 0
  25. fi
  26.  
  27. # Check openssl binary exists
  28. if [ ! -f ${OPENSSL} ]
  29. then
  30. echo "Cannot find openssl. Exiting." 1>&2
  31. exit 1
  32. fi
  33.  
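# setup_cert() builds the combined key+chain PEM that pure-ftpd expects from the
# letsencrypt files and installs it at ${PUREFTPD_CERT}.
#
# Globals read: LE_KEY, LE_FULLCHAIN, PUREFTPD_CERT
# Returns:      0 on success; 1 if the file could not be built or installed, in
#               which case no partial or temporary file is left behind.
#
# Security note: the original 'cat ... > ${PUREFTPD_CERT}' created the file with
# the caller's umask (typically 0644) and only tightened it afterwards, so the
# private key was briefly world-readable, and a failing cat left a truncated
# file in place. Writing to a 0600 mktemp file in the same directory and
# renaming it into place fixes both: the key is never readable by others, and
# pure-ftpd only ever sees the old file or the complete new one.
setup_cert() {
  local tmp
  # mktemp creates the file with mode 0600 regardless of the current umask.
  tmp="$(mktemp "${PUREFTPD_CERT}.XXXXXX")" || return 1

  if ! cat -- "${LE_KEY}" "${LE_FULLCHAIN}" > "${tmp}"; then
    rm -f -- "${tmp}"
    return 1
  fi

  # Ownership stays best-effort, as in the original: on hosts without an
  # ssl-cert group the file remains root-owned, which pure-ftpd can still read.
  chown root:ssl-cert "${tmp}" 2>/dev/null \
    || echo "warning: could not chown ${tmp} to root:ssl-cert" 1>&2

  # 0640: owner (root) and the ssl-cert group may read, nobody else.
  if ! chmod 640 "${tmp}" || ! mv -f -- "${tmp}" "${PUREFTPD_CERT}"; then
    rm -f -- "${tmp}"
    return 1
  fi
  return 0
}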
  40.  
# restart_pureftpd_if_running() restarts the pure-ftpd-mysql service only when
# its init script reports it as running; a stopped service is left alone so the
# script can run unconditionally from cron. Status output is discarded, as is
# the restart's stdout.
restart_pureftpd_if_running() {
  if /etc/init.d/pure-ftpd-mysql status >/dev/null 2>&1; then
    service pure-ftpd-mysql restart >/dev/null
  fi
}
  49.  
  50. if [ ! -f ${PUREFTPD_CERT} ]
  51. then
  52. setup_cert && restart_pureftpd_if_running
  53. else # check if keys/certificates changed
  54. le_modulus=`${OPENSSL} rsa -noout -modulus -in ${LE_KEY} | md5sum`
  55. pureftpd_modulus=`${OPENSSL} rsa -noout -modulus -in ${PUREFTPD_CERT} | md5sum`
  56.  
  57. le_serial=`${OPENSSL} x509 -noout -serial -in ${LE_CERT}`
  58. pureftpd_file_serial=`${OPENSSL} x509 -noout -serial -in ${PUREFTPD_CERT}`
  59. pureftpd_running_serial=`${OPENSSL} s_client -connect localhost:21 -starttls ftp </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
  60.  
  61.  
  62. if [ "${le_modulus}" != "${pureftpd_modulus}" -o "${le_serial}" != "${pureftpd_file_serial}" -o "${le_serial}" != "${pureftpd_running_serial}" ]
  63. then
  64. setup_cert && restart_pureftpd_if_running
  65. fi
  66. fi
  67.  
  68. exit 0