Automatically manage certificates

Hello.

So, I've installed certbot some time ago and I'm trying to find a bash script to copy fullchain.pem and privkey.pem to another location, chown them and reload the application running it, but only when the renewed domain/subdomain matches, like when I renew sub.domain.tld

I've searched a bit on the internet but I don't seem to find what I'm looking for

Any help would be greatly appreciated

Thanks in advance

1 Like

See the certbot documentation about renewing for information about the --deploy-hook command. That's what you're looking for.

You'd still need to script the copy/chowning yourself, but that shouldn't be too hard.

You'll find more info about --deploy-hook at the end of the documentation page (command line options), such as the $RENEWED_LINEAGE variable. Why that information isn't available in the general text earlier on in the documentation is a mystery to me though.

1 Like

I'm looking for a script of some sort to put inside the deploy folder and it would be executed after each successful renewal. Is that possible?

I'm not very familiar with bash and all of that, so if someone could point me to an example of a script, I'd be very grateful.

I'll try to explain the steps I need with more detail:

  1. The renewal of irc.ptirc.org is successful
  2. Copy /etc/letsencrypt/live/irc.ptirc.org/fullchain.pem and /etc/letsencrypt/live/irc.ptirc.org/privkey.pem to /home/ircd/unrealircd/tls/
  3. Execute chown unrealircd:unrealircd /home/ircd/unrealircd/tls/fullchain.pem and chown unrealircd:unrealircd /home/ircd/unrealircd/tls/privkey.pem
  4. Execute the commands /home/ircd/unrealircd/unrealircd reloadtls and /home/ircd/unrealircd/unrealircd rehash

TIA

1 Like

Hello @Exterminador,

Create the script deploy-irc in dir /etc/letsencrypt/renewal-hooks/deploy/ with the following content:

#!/usr/bin/env bash
domain="irc.ptirc.org"

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/irc.ptirc.org)
# to deploy hooks; only act when it refers to this domain (-q: no output, just the exit status)
if grep -q "${domain}" <<< "$RENEWED_LINEAGE" ; then
    cp /etc/letsencrypt/live/${domain}/{fullchain,privkey}.pem /home/ircd/unrealircd/tls/
    chown unrealircd:unrealircd /home/ircd/unrealircd/tls/{fullchain,privkey}.pem
    /home/ircd/unrealircd/unrealircd reloadtls
    /home/ircd/unrealircd/unrealircd rehash
fi

and once saved, give it execution perms:

chmod 750 /etc/letsencrypt/renewal-hooks/deploy/deploy-irc

I didn't test the script so use it at your own risk :stuck_out_tongue:

Cheers,
sahsanu

3 Likes

Would a symbolic link work for you?

1 Like

Although I'm a bit new to bash and all of that, I was wondering if we could check if the domain is the one being renewed in some other way?
something like:

SUBDOMAIN="irc.ptirc.org"
if [[$RENEWED_LINEAGE == *"$SUBDOMAIN"*]]; then
....
1 Like

What do you mean by symlink?
Something like:

ln -s /etc/letsencrypt/live/irc.ptirc.org/fullchain.pem /home/ircd/unrealircd/tls/fullchain.pem

You can write the script in very different ways. I always try to avoid the use of wildcards because they could complicate things, but if you want to use them, remember to write a space after [ and before ]

SUBDOMAIN="irc.ptirc.org"
if [[ "$RENEWED_LINEAGE" = *"$SUBDOMAIN"* ]]; then
1 Like

I should thank @sahsanu for all the help.

Since I'm pretty "green" in things related to bash scripts, with his tips I've come up with the following deploy_irc script:

#!/usr/bin/env bash
SUBDOMAIN="irc.ptirc.org"
TLS="/home/ircd/unrealircd/conf/tls/"

if [[ $RENEWED_LINEAGE == *"$SUBDOMAIN"* ]]; then
    cp "${RENEWED_LINEAGE}/fullchain.pem" "$TLS"
    cp "${RENEWED_LINEAGE}/privkey.pem" "$TLS"
    chown ircd:ircd "${TLS}/fullchain.pem"
    chown ircd:ircd "${TLS}/privkey.pem"
    /home/unrealircd/unrealircd/unrealircd reloadtls
    /home/unrealircd/unrealircd/unrealircd rehash
fi

This worked like a charm! Thanks a lot for all the help!

5 Likes

After discussing my shell script with some bash gurus on IRC, I've made a better script, that should run anywhere POSIX shells are available.

#!/bin/sh

# NOTE: This script was made to work with certbot. I don't guarantee it will
#       work with other ACME clients.
#
#       This was tested in Ubuntu 20.04. This should work as it is on
#       Debian/Ubuntu based distros. For other distros please check Certbot
#       documentation.
#
#       Place this script inside /etc/letsencrypt/renewal-hooks/deploy/ and
#       name it `deploy_irc'
#
#       Make the script executable with:
#
#           chmod +x /etc/letsencrypt/renewal-hooks/deploy/deploy_irc
#
#       Edit the subdomain, user and paths to fit your setup.
#       Enjoy!

# What's your subdomain?
subdomain=irc.domain.tld

# What is the shell user running UnrealIRCd?
user=ircd

# What is the shell group of the user running UnrealIRCd?
# Usually it's the same as the user specified above.
# You shouldn't have to edit this unless you've added the user to another group
group=$user

# Path to UnrealIRCd executable folder
# Usually "/home/<user>/unrealircd/" when installed normally
execdir=/home/$user/unrealircd

# Path to the UnrealIRCd tls folder
# Usually `/home/<user>/unrealircd/conf/tls' when installed normally
# You shouldn't have to edit this unless you've customised your installation
tlsdir=$execdir/conf/tls

# Don't edit anything below unless you know exactly what you're doing.
# If you touch the code below and then complain the script "suddenly stopped working" I'll touch you at night.

case $RENEWED_LINEAGE in
    */"$subdomain")
        cp -f -- "$RENEWED_LINEAGE"/fullchain.pem "$RENEWED_LINEAGE"/privkey.pem "$tlsdir" &&
        chown -- "$user":"$group" "$tlsdir"/fullchain.pem "$tlsdir"/privkey.pem &&
        "$execdir"/unrealircd reloadtls &&
        "$execdir"/unrealircd rehash
esac

GitHub gist

Hope this helps anyone else. :grinning:

3 Likes

Nice script!

Do note though that your search parameter *"$subdomain"* will match all lineages containing your hostname.

So if you, for some reason, would develop an IRC statistics site with the hostname stats.irc.domain.tld, it would be matched and overwrite the files in $tlsdir.

I'm not sure what the best matching method is other than what you're using now, as the path in $RENEWED_LINEAGE can be customised by the user. So just removing the /etc/letsencrypt/live/ part isn't enough. Unless you accept that the script is only useful for certificates from within the default certbot paths.

1 Like

In this case, this is exactly for one specific subdomain, like the one I have which is irc.ptirc.org.

I'm not a specialist in shell scripting and therefore I don't know if we can change *"$subdomain"* to "$subdomain".

Cheers

1 Like

You can't but you could change it to */"$subdomain"

2 Likes

Or in this case, to the more appropriate */"$subdomain"* string :stuck_out_tongue:
I've edited the script in the topic and also my GitHub gist

If you aren't duplicating certificates you shouldn't need the last wildcard.

1 Like

Edited accordingly :smiley:

2 Likes
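A worked version of the matching and copy steps this thread settles on (the strict */"$subdomain" pattern, the stats.irc.domain.tld and -0001 duplicate-lineage pitfalls, and the copy/chown step), added here as an example and not code from the thread, certbot or UnrealIRCd. It assumes certbot's RENEWED_LINEAGE and RENEWED_DOMAINS deploy-hook variables; the subdomain, directories, owner and reload command are constructed placeholders.

```shell
#!/bin/sh
# Added example: matching and copy helpers for a certbot deploy hook.
# RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to
# deploy hooks; every path and owner used here is a constructed placeholder.

# Strict lineage match, as in the final script in the thread: the last path
# component must equal the subdomain, so neither stats.irc.domain.tld nor a
# duplicate lineage such as irc.domain.tld-0001 is matched.
lineage_matches() {
    case $1 in
        */"$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Path-independent alternative: look for the name in certbot's RENEWED_DOMAINS
# (a space-separated list), which also works for lineages kept outside
# /etc/letsencrypt/live.
domains_contain() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Copy chain and key into the service's TLS directory. A plain cp of a new
# file gets the umask mode (usually 0644), which would leave the private key
# world-readable; install sets 0600 explicitly. Owner "user:group" is applied
# only when given, so the function can run without root.
deploy_certs() {
    lineage=$1 tlsdir=$2 owner=$3
    own=""
    [ -n "$owner" ] && own="-o ${owner%%:*} -g ${owner#*:}"
    # $own is intentionally unquoted so it expands to separate options
    install -m 0644 $own -- "$lineage/fullchain.pem" "$tlsdir/fullchain.pem" &&
        install -m 0600 $own -- "$lineage/privkey.pem" "$tlsdir/privkey.pem"
}

# Hook body: act only for the configured name, then run the reload command.
run_hook() {
    subdomain=$1 tlsdir=$2 owner=$3 reload_cmd=$4
    if lineage_matches "$RENEWED_LINEAGE" "$subdomain" ||
       domains_contain "${RENEWED_DOMAINS:-}" "$subdomain"; then
        deploy_certs "$RENEWED_LINEAGE" "$tlsdir" "$owner" && $reload_cmd
    fi
}
```

In a real hook the last line would be something like run_hook irc.domain.tld /home/ircd/unrealircd/conf/tls ircd:ircd "/home/ircd/unrealircd/unrealircd reloadtls", with certbot supplying the two environment variables.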