  • [BASH Script] Let's Encrypt Auto-Renew

    So, I've been trying a few different methods to use Let's Encrypt with Axigen. Unfortunately, when renewing the domains, certbot cannot bind to port 80. I could try using the CLI to stop the port to do this, but for now, this works for me. Downtime is a matter of a few seconds and it only needs bash to work.

    This will check your current certificate to validate when the cert will expire.
    It will compare that with the current date and validate the amount of days left.
    If there are less than 5 days left, it will: Stop axigen, remove old certificate, renew certificate, build the new certchain, update permissions, and then start Axigen.

    If you haven't already, you'll need to create a certificate to use with this script.
    Replace MAIL.DOMAIN.COM with the main domain/sub-domain you are using for your server.
    Follow the setup for certbot.
    Code:
    sudo yum install certbot
    certbot certonly --standalone -d MAIL.DOMAIN.COM
    Multiple domains
    If you want to use multiple domains, follow the above to create your main domain that will be used for the script and then you can extend the certificate with multiple domains/sub-domains. Example:
    Code:
    certbot certonly --standalone -d MAIL.DOMAIN.COM -d ALT.DOMAIN.COM -d MAIL.OTHERDOMAIN.COM
    Create the ssl directory to store your certificate for axigen to use.
    Code:
    sudo mkdir /var/opt/axigen/ssl
    sudo chown -R axigen:axigen /var/opt/axigen/ssl
    Create your bash script and edit mail.domain.com with your main domain.
    Code:
    sudo nano ~/cert_autogen.sh
    Code:
    #!/bin/bash
    # Main domain of the certificate (must match the -d value given to certbot).
    domain="mail.domain.com"
    # "openssl x509 -enddate" prints a single line "notAfter=Jun 10 12:00:00 2025 GMT";
    # strip the prefix and let GNU date parse the remainder.
    rawLastDay=$(openssl x509 -noout -enddate -in "/etc/letsencrypt/live/$domain/cert.pem" | sed 's/^notAfter=//')
    # Whole days between now and the expiry date.
    daysLeft=$(( ( $(date --date="$rawLastDay" +%s) - $(date +%s) ) / (60*60*24) ))
    if (( daysLeft > 5 )); then
            echo "There are $daysLeft days left until the certificate expires!"
    else
            echo "There are less than 5 days left in the cert expiration, attempting to renew."
            echo ":Stopping Axigen Server"
            service axigen stop
            echo ":Removing old certchain"
            rm -f "/var/opt/axigen/ssl/$domain.pem"
            echo ":Attempting to renew certificate"
            certbot renew
            echo ":Merging new certificate into certchain"
            cat "/etc/letsencrypt/live/$domain/cert.pem" "/etc/letsencrypt/live/$domain/privkey.pem" > "/var/opt/axigen/ssl/$domain.pem"
            echo ":Updating permissions on certchain"
            chown axigen:axigen "/var/opt/axigen/ssl/$domain.pem"
            echo ":Starting Axigen Server"
            service axigen start
            echo ":Certificates have been updated! Enjoy your next 3 months of SSL!!"
    fi
    Set permissions to allow the file to be executed.
    Code:
    sudo chmod +x ~/cert_autogen.sh
    I suggest setting the crontab to run once every 24 hours.
    Code:
    export EDITOR=nano; sudo crontab -e
    Code:
    @daily ~/cert_autogen.sh
    You'll need to update where your certificate points to in each of axigen's SSL listeners.
    Replace MAIL.DOMAIN.COM with your certificate's domain that you've set in the bash script.
    Code:
    /var/opt/axigen/ssl/MAIL.DOMAIN.COM.pem
    -----------------------------
    Sources
    Let'sEncrypt Days Left
    BASH Variables
    BASH SED
    BASH String Formatting
    BASH Compare Numbers
    Certificate Merge: I forgot where I originally found this bit of code to build the certificate chain. If anyone knows, I will be happy to give notice.
    -----------------------------

    Thank you Axigen & Community!
    I'm so grateful for what you've provided, I just want to help out the community as much as possible
    If someone has a way to stop port 80 and 443 over CLI (probably using curl) then I'll update the script to keep the server from having to restart.
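The renewal flow above, reworked as an added example that is not the original poster's script and not Axigen's or certbot's own code: it uses certbot's pre/post/deploy hooks so Axigen is stopped only while a renewal is actually attempted, replaces the chain file only after certbot reports success, and installs fullchain.pem so intermediates are included. Paths and the axigen service name follow the post; DOMAIN is a placeholder and THRESHOLD_DAYS keeps the post's 5-day rule.

```bash
#!/bin/bash
# Added example, not the original poster's script. Safer Let's Encrypt renewal for Axigen:
# the existing chain file is kept until certbot succeeds, and fullchain.pem (leaf +
# intermediates) is used so clients can build the chain. Paths are assumptions from the post.
set -euo pipefail

DOMAIN="${DOMAIN:-mail.domain.com}"              # placeholder, set to the real hostname
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
AXIGEN_PEM="/var/opt/axigen/ssl/$DOMAIN.pem"
THRESHOLD_DAYS=5                                 # same rule as the post (certbot's own default is 30)

# Exit 0 when the certificate at $1 expires within $2 days. openssl does the date
# arithmetic, so there is no locale-dependent parsing of the notAfter line.
expires_within_days() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Build "<fullchain><privkey>" from directory $1 into $2 with mode 0600. The data is
# written to a temp file next to the target and renamed over it only when both inputs
# were readable, so a failed renewal never leaves Axigen without a certificate file.
install_chain() {
    local tmp
    tmp="$(mktemp "$2.XXXXXX")"
    if cat "$1/fullchain.pem" "$1/privkey.pem" > "$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

main() {
    if ! expires_within_days "$LIVE_DIR/cert.pem" "$THRESHOLD_DAYS"; then
        echo "Certificate for $DOMAIN is valid for more than $THRESHOLD_DAYS days; nothing to do."
        return 0
    fi
    # The standalone challenge needs port 80, which Axigen holds, so Axigen is stopped in the
    # pre-hook and started again in the post-hook; both run only when a renewal is attempted.
    # The deploy-hook runs only when a new certificate was actually issued.
    certbot renew --cert-name "$DOMAIN" \
        --pre-hook  "service axigen stop" \
        --post-hook "service axigen start" \
        --deploy-hook "$0 deploy"
}

case "${1:-}" in
    deploy) install_chain "$LIVE_DIR" "$AXIGEN_PEM" && chown axigen:axigen "$AXIGEN_PEM" ;;
    run)    main ;;
esac
```

Run it from cron as `cert_autogen.sh run`; certbot calls the same script with `deploy` from its deploy hook.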

  • #2
    Hello,

    Thanks for sharing here your work.

    Please know that starting from Axigen X2 (which is used to label version 10.2) we include CLI support for generating (and renewing) Let'sEncrypt certificates - more details are included here.

    HTH,
    Ioan



    • #3
      Thanks so much for the above post - I can finally see the light of day after trying numerous times.
      The included CLI support for generating (and renewing) Let'sEncrypt certificates always gave an error that letsencrypt could not connect to the server.
