Coding

#!/bin/bash
# Author:	Markus Neubauer (at) std - service . com

# Purpose:	Setup a valid certificate in Zentyal for official services.
#		This script is a FAF technic (i.e. Fire And Forget technic), 
#		so call it once interactive on a Zentyal 5 server.
# Version:	1.02 / 2018-03-07
# Modified:	1.03 / 2018-03-27 (honor /etc/ssl/private for apache)

# License:	de: https://www.gnu.org/licenses/gpl-3.0.de.html
#		en: https://www.gnu.org/licenses/gpl-3.0.en.html
#		es: https://www.gnu.org/licenses/gpl-3.0.ca.html

#		YOU HAVE TO CHANGE THE VARIABLE "THIS_DOMAIN" BELOW
#		and choose your favorite day for the re-checks.

# MODIFY THESE TWO LINES
THIS_DOMAIN='your.domain.here'
FAVORITE_DAY=3  # cert renewal will occur on wednesdays only if neeeded

# renewal task
AUTO_UPDATER=/etc/cron.daily/letsencrypt-check

declare -A CRT_TARGET
CRT_TARGET['apache']=/etc/ssl/certs/ssl-cert-snakeoil
CRT_TARGET['postfix']=/etc/postfix/sasl/postfix
CRT_TARGET['dovecot']=/etc/dovecot/private/dovecot

# SANITIZE SCRIPT PRESEEDINGS
if [ 'your.domain.here' == "${THIS_DOMAIN}" ]; then
	echo "
Modify THIS_DOMAIN ~ '${THIS_DOMAIN}' in script and recall $0" >&2
	exit 99
fi

EXE=`which letsencrypt`
if [ -z "${EXE}" ]; then
	EXE=`which certbot`
fi
if [ -z "${EXE}" ]; then
	apt install letsencrypt -y
	EXE=`which letsencrypt`
fi
if [ -z "${EXE}" ]; then
	cat << END_OF_ERROR >&2
ERROR: no LETSENCRYPT functionality found

# Check your installation and manually try:
	apt install letsencrypt
# then return and call ${0}
END_OF_ERROR
	exit 97
fi

# CHECK CERTIFICATE STATUS
# Before using the renew function get a new one:
if [ ! -d /etc/letsencrypt/live/${THIS_DOMAIN} ]; then
	${EXE} certonly -a webroot --webroot-path=/var/www/html -d ${THIS_DOMAIN}

elif [ "`date +'%w'`" == "${FAVORITE_DAY}" ]; then # it's wednesday
	# check once a month for renewal
	${EXE} renew -n
fi
MD5SUM="`md5sum /etc/letsencrypt/live/${THIS_DOMAIN}/fullchain.pem`"
if [ -z "${MD5SUM}" ]; then
	cat << END_OF_ERROR >&2
ERROR: No official certificate found, check your setup!

# Check your router to forward http traffic on Port 80.
# Goto to http://${THIS_DOMAIN} from an external Browser.
# Check finally using a manual call and watch errors:
${EXE} certonly -a webroot --webroot-path=/var/www/html -d ${THIS_DOMAIN}
END_OF_ERROR
	exit 98
fi

# SET APACHE CERT
function apache_cert() {
	cp /etc/letsencrypt/live/${THIS_DOMAIN}/fullchain.pem ${TARGET}.pem
	md5sum ${TARGET}.pem > ${TARGET}.pem.md5sum
	echo "${MD5SUM}" > ${TARGET}.le.md5sum
	# swap to private dir
	TARGET=`echo ${TARGET} | sed "s#/certs/#/private/#"`
	cp /etc/letsencrypt/live/${THIS_DOMAIN}/privkey.pem ${TARGET}.key
	apachectl graceful && echo "Apache reloaded ..."
	# SET NGINX CERT SAME WAY
	nginx -s reload && echo "Nginx reloaded ..."
}

# SET POSTFIX CERT
function postfix_cert() {
	cp /etc/letsencrypt/live/${THIS_DOMAIN}/fullchain.pem ${TARGET}.pem
	cat /etc/letsencrypt/live/${THIS_DOMAIN}/privkey.pem >> ${TARGET}.pem
	md5sum ${TARGET}.pem > ${TARGET}.pem.md5sum
	echo "${MD5SUM}" > ${TARGET}.le.md5sum
	postfix reload && echo "Postfix reloaded ..."
}

# SET DOVECOT CERT
function dovecot_cert() {
	cp /etc/letsencrypt/live/${THIS_DOMAIN}/fullchain.pem ${TARGET}.pem
	cat /etc/letsencrypt/live/${THIS_DOMAIN}/privkey.pem >> ${TARGET}.pem
	md5sum ${TARGET}.pem > ${TARGET}.pem.md5sum
	echo "${MD5SUM}" > ${TARGET}.le.md5sum
	doveadm reload && echo "Dovecot reloaded ..."
}

# MAIN LOOP - CERT STATUS CHECK
for DEST in "${!CRT_TARGET[@]}"
do
	echo -n "Checking ${DEST} cert status - "
	TARGET=${CRT_TARGET[$DEST]}

	CRTSUM="`md5sum ${TARGET}.pem`"
	if [ -f ${TARGET}.pem.md5sum ]; then
		CHKSUM="`cat ${TARGET}.pem.md5sum`"
	else
		${DEST}_cert ${TARGET}
		continue
	fi
	if [ -f ${TARGET}.le.md5sum ]; then
		LE_SUM="`cat ${TARGET}.le.md5sum`"
	else
		${DEST}_cert ${TARGET}
		continue
	fi
	if [ "${LE_SUM}" != "${MD5SUM}" ] || [ "${CHKSUM}" != "${CRTSUM}" ]; then
		${DEST}_cert ${TARGET}
		continue
	fi
	echo "${DEST} cert status ok."
done

# SETUP/CHECK CRON JOB ENTRY TO CONTINUE THE CHAIN
# Sanitizer again
if [ ! -f ${AUTO_UPDATER} ]; then
	cat << END_OF_SCRIPT > ${AUTO_UPDATER}
#!/bin/sh
#
# letsencrypt renewal task
#
# This script updates certificates if due for renewal
#

test -x $0 || exit 0
${0}
## eof
END_OF_SCRIPT
	chmod 750 ${AUTO_UPDATER}
	echo "Update script installed at ${AUTO_UPDATER}"
fi

## eof