233 lines
7.9 KiB
Bash
Executable File
233 lines
7.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# This script uses acme.sh to issue and deploy SSL certificates from Let's Encrypt for a list of domains
|
|
# using the webroot or dns methods
|
|
#
|
|
# See README.md for more details
|
|
#
|
|
# Copyright 2020 Bryan Roessler <bryanroessler@gmail.com>
|
|
#
|
|
# USAGE
|
|
# ./acme-cpanel.sh [OPTIONS] [FILES...]
|
|
#
|
|
# EXAMPLES
|
|
# TESTING: ./acme-cpanel-webroot.sh --debug -e me@gmail.com multisites/flatwhitedesign.pw multisites/greengingermultisite.website
|
|
# PRODUCTION: ./acme-cpanel-webroot.sh --force -e me@gmail.com multisites/flatwhitedesign.pw multisites/greengingermultisite.website
|
|
#
|
|
# TESTING: ./acme-cpanel-webroot.sh --debug -s multisites
|
|
# PRODUCTION: ./acme-cpanel-webroot.sh --force -s multisites
|
|
#
|
|
# FILES is a list of files containing first-level DOMAIN names (see domains.txt) on newlines
|
|
# Certificates will automatically be issued and deployed for DOMAIN and www.DOMAIN using the webroot method
|
|
#
|
|
# NOTE: The webroot method does NOT support wildcard domains, Let's Encrypt requires wildcard domains to
|
|
# use DNS challenges, which the cPanel uapi does not support (use dns method instead)
|
|
|
|
unset SITES_DIR USEREMAIL DOMAIN_FILES DOMAIN_GROUPS DEPLOY_CMD_PREFIX ISSUE_CMD_PREFIX DEBUG GROUP
|
|
|
|
DEBUG="true" # quote this line to stop DEBUG mode and issue certificates for real, or use --force in user options
|
|
METHOD="dns" # set the default method
|
|
|
|
parse_input() {
|
|
|
|
local input
|
|
declare -g USEREMAIL
|
|
declare -ag DOMAIN_FILES
|
|
|
|
if input=$(getopt -o +m:e:fgs:d -l method:,email:,force,group-by-file,sites-dir:,debug -- "$@"); then
|
|
eval set -- "$input"
|
|
while true; do
|
|
case "$1" in
|
|
--method|-m)
|
|
shift
|
|
METHOD="${1,,}"
|
|
;;
|
|
--email|-e)
|
|
shift
|
|
USEREMAIL="$1"
|
|
;;
|
|
--force|-f)
|
|
unset DEBUG
|
|
;;
|
|
--group-by-file|-g)
|
|
GROUP="true"
|
|
;;
|
|
--sites-dir|-s)
|
|
shift
|
|
SITES_DIR="$1"
|
|
;;
|
|
--debug|-d)
|
|
DEBUG="true"
|
|
;;
|
|
--)
|
|
shift
|
|
break
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
else
|
|
echo "Incorrect options provided"
|
|
exit 1
|
|
fi
|
|
|
|
# Load domain files from remaining arguments
|
|
if [[ $# -lt 1 ]]; then
|
|
[[ -v SITES_DIR && -d "$SITES_DIR" ]] && return 0
|
|
if [[ -f "domains.txt" ]]; then
|
|
echo "You have not supplied any domain files, using domains.txt by default"
|
|
DOMAIN_FILES=("domains.txt")
|
|
else
|
|
echo "You must specify a domain list or use domains.txt by default"
|
|
exit 1
|
|
fi
|
|
else
|
|
DOMAIN_FILES=("$@")
|
|
fi
|
|
}
|
|
|
|
|
|
interactive_dns() {
|
|
local conf="$HOME/.acme.sh/account.conf"
|
|
if [[ -f "$conf" ]] && grep -q "CPANELDNS_AUTH_PASSWORD" "$conf"; then
|
|
echo "cPanel credentials already present, skipping configuration..."
|
|
echo "To rerun the configuration, first run 'rm $conf'"
|
|
else
|
|
read -rp 'Enter your cPanel username: ' CPANELDNS_AUTH_ID
|
|
echo
|
|
export CPANELDNS_AUTH_ID
|
|
read -rp 'Enter your cPanel password: ' CPANELDNS_AUTH_PASSWORD
|
|
echo
|
|
export CPANELDNS_AUTH_PASSWORD
|
|
read -rp 'Enter your cPanel address and port number (example: "https://www.example.com:2083/"): ' CPANELDNS_API
|
|
echo
|
|
export CPANELDNS_API
|
|
fi
|
|
}
|
|
|
|
|
|
get_acme() {
|
|
curl https://get.acme.sh | sh
|
|
source "$HOME/.bashrc"
|
|
"$HOME/.acme.sh/acme.sh" --upgrade --auto-upgrade
|
|
[[ "$METHOD" == "dns" ]] && \
|
|
curl -o "$HOME/.acme.sh/dnsapi/dns_cpaneldns.sh" https://raw.githubusercontent.com/cryobry/dns_cpaneldns/master/dns_cpaneldns.sh
|
|
}
|
|
|
|
|
|
update_email() { [[ -v USEREMAIL ]] && "$HOME/.acme.sh/acme.sh" --update-account --accountemail "${USEREMAIL}"; }
|
|
|
|
|
|
command_prefixes() {
|
|
declare -ag ISSUE_CMD_PREFIX DEPLOY_CMD_PREFIX
|
|
ISSUE_CMD_PREFIX=("$HOME/.acme.sh/acme.sh" "--issue")
|
|
[[ "$METHOD" == "dns" ]] && ISSUE_CMD_PREFIX=("${ISSUE_CMD_PREFIX[@]}" "--dns" "dns_cpaneldns")
|
|
[[ -v DEBUG ]] && ISSUE_CMD_PREFIX=("${ISSUE_CMD_PREFIX[@]}" "--staging") || ISSUE_CMD_PREFIX=("${ISSUE_CMD_PREFIX[@]}" "--force")
|
|
DEPLOY_CMD_PREFIX=("$HOME/.acme.sh/acme.sh" "--deploy" "--deploy-hook" "cpanel_uapi")
|
|
}
|
|
|
|
|
|
get_webroot() {
|
|
local webroot
|
|
if ! webroot=$(uapi DomainInfo single_domain_data domain="$1" | grep documentroot); then
|
|
echo "UAPI call failed" >&2
|
|
fi
|
|
if [[ ! -v webroot || "$webroot" == "" ]]; then
|
|
if [[ -v DEBUG ]]; then
|
|
webroot="/tmp" # set missing webroot in DEBUG mode for testing
|
|
else
|
|
echo "Could not find $1's webroot" >&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
echo "$webroot"
|
|
}
|
|
|
|
|
|
# Either create a single array of all domains (DOMAINS) to issue one-by-one or create an array of array names to issue for a single webroot
|
|
load_domains() {
|
|
local domain_file
|
|
declare -ag DOMAIN_GROUPS=()
|
|
|
|
if [[ -v SITES_DIR ]]; then
|
|
for domain_file in "$SITES_DIR"/*; do
|
|
DOMAIN_GROUPS+=("$(<"$domain_file")")
|
|
done
|
|
fi
|
|
|
|
for domain_file in "${DOMAIN_FILES[@]}"; do
|
|
# Load list of domains as space-delimited strings in elements of the DOMAINS array
|
|
# We can keep these separate or combine them later
|
|
DOMAIN_GROUPS+=("$(<"$domain_file")")
|
|
done
|
|
}
|
|
|
|
|
|
issue_and_deploy_certs() {
|
|
|
|
local domain_root domain domain_group
|
|
local -a issue_cmd=()
|
|
local -a deploy_cmd=()
|
|
|
|
if [[ -v GROUP ]]; then
|
|
for domain_group in "${DOMAIN_GROUPS[@]}"; do
|
|
unset i
|
|
for domain in $domain_group; do # we want to split on whitespace
|
|
[[ "$domain" == "" ]] && continue
|
|
# Get the webroot from the first domain
|
|
if [[ ! -v i ]]; then
|
|
local i="set"
|
|
domain_root=$(get_webroot "$domain")
|
|
issue_cmd=("${ISSUE_CMD_PREFIX[@]}" "-w" "$domain_root")
|
|
fi
|
|
issue_cmd+=("-d" "$domain" "-d" "www.$domain")
|
|
done
|
|
|
|
# Issue certificate for entire domain group
|
|
echo "Running:" "${issue_cmd[@]}"
|
|
if ! "${issue_cmd[@]}"; then
|
|
echo "Failed to issue certificate"
|
|
fi
|
|
# Deploy certificates one by one
|
|
for domain in $domain_group; do
|
|
deploy_cmd=("${DEPLOY_CMD_PREFIX[@]}" "-w" "$domain_root" "-d" "$domain")
|
|
echo "Running:" "${deploy_cmd[@]}"
|
|
"${deploy_cmd[@]}"
|
|
done
|
|
done
|
|
else
|
|
for domain_group in "${DOMAIN_GROUPS[@]}"; do
|
|
# Issue and deploy certificates one by one
|
|
for domain in $domain_group; do # we want to split on whitespace
|
|
issue_cmd=("${ISSUE_CMD_PREFIX[@]}" "-d" "$domain" "-d" "www.$domain")
|
|
[[ "$METHOD" == "webroot" ]] && domain_root=$(get_webroot "$domain") && issue_cmd=("${issue_cmd[@]}" "-w" "$domain_root")
|
|
deploy_cmd=("${DEPLOY_CMD_PREFIX[@]}" "-d" "$domain") # I think we only need to deploy to the domain, not subdomains
|
|
[[ "$METHOD" == "webroot" ]] && deploy_cmd=("${deploy_cmd[@]}" "-w" "$domain_root")
|
|
echo "Running:" "${issue_cmd[@]}"
|
|
if ! "${issue_cmd[@]}"; then
|
|
echo "Failed to issue certificate for $domain"
|
|
err=1
|
|
fi
|
|
echo "Running:" "${deploy_cmd[@]}"
|
|
if ! "${deploy_cmd[@]}"; then
|
|
echo "Failed to deploy certificate for $domain"
|
|
err=1
|
|
fi
|
|
done
|
|
done
|
|
fi
|
|
}
|
|
|
|
|
|
main() {
|
|
parse_input "$@"
|
|
get_acme
|
|
update_email
|
|
command_prefixes
|
|
load_domains
|
|
[[ "$METHOD" == "dns" ]] && interactive_dns
|
|
issue_and_deploy_certs
|
|
}
|
|
|
|
|
|
main "$@"
|
|
exit "${err:-0}" |