#!/usr/bin/env bash
help_and_exit(){
  # Print the usage text to stderr and terminate with status 4 (usage error).
  # The delimiter is quoted: nothing in the text is meant to be expanded.
  cat >&2 <<'EOF'
certbot_znc_update.sh
Runonce that runs certbot, and the updates znc with Lets Encrypt! certs, so
it works with LE certs.
USAGE:
./certbot_znc_update.sh [firstrun|renew|help]
EOF
  exit 4
}
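### VARIABLES
# Edit this before use. This is what email your LETS ENCRYPT! certs are registered to
readonly LETSENCRYPT_EMAIL="postmaster@example.com"
### /VARIABLES
### CONSTANTS
# Domain the certificate is requested for; certbot's standalone HTTP-01 challenge
# needs it to resolve to this host.
readonly FQDN="$(hostname)"
readonly ENCRYPTION_KEY="/etc/letsencrypt/live/${FQDN}/privkey.pem"
readonly ENCRYPTION_CERT="/etc/letsencrypt/live/${FQDN}/fullchain.pem"
readonly ZNC_CERT_FILE="/home/znc-admin/.znc/znc.pem"
readonly ZNC_HOME="/home/znc-admin/"
readonly ZNC_USER="znc-admin"
readonly DH_PARAM_FILE="/etc/ssl/private/dhparam.pem"
readonly DH_PARAM_BITS=2048
readonly TODAY="$(date +%Y%m%d)" # Today's date in YYYYMMDD
# Date of the LE cert in YYYYMMDD, derived from the cert file's mtime.
# The path is quoted (it was word-split before), the entry in live/ is
# dereferenced with -L (certbot keeps symlinks there), and a missing cert --
# the normal state on a first run -- yields 0 instead of a stat error and an
# empty string handed to `date -d`.
if [[ -e "${ENCRYPTION_CERT}" ]]; then
  CERT_DATE="$(date -d "$(stat -L --format=%y "${ENCRYPTION_CERT}")" +%Y%m%d)"
else
  CERT_DATE=0
fi
readonly CERT_DATE
### /CONSTANTS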
message(){
  # Top-level status line: prefixed on stdout and mirrored to syslog.
  # "$*" joins the arguments with single spaces, which is what echo and
  # logger produced from the separate words before.
  local text="certbot_znc_update.sh: $*"
  printf '%s\n' "${text}"
  logger "${text}"
}
submsg(){
  # Sub-step status line: "[+]" prefix on stdout, full script prefix in syslog.
  local text="$*"
  printf '[+] %s\n' "${text}"
  logger "certbot_znc_update.sh: ${text}"
}
exit_with_error(){
  # Usage: exit_with_error <status> <message>
  # Reports the message on stderr and in syslog, then exits with <status>.
  local -r text="certbot_znc_update.sh: ERROR: ${2}"
  printf '%s\n' "${text}" >&2
  logger "${text}"
  exit ${1}
}
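init_certbot(){
  # First-run setup: obtain the LE certificate with certbot's standalone
  # HTTP-01 challenge and generate the stand-alone DH parameter file.
  # Globals:  FQDN, LETSENCRYPT_EMAIL, DH_PARAM_FILE, DH_PARAM_BITS (read)
  # Returns:  9 if port 80 could not be opened, otherwise the number of
  #           failed steps (0 on success).
  local -i errors=0
  # Rule that exposes port 80 for the duration of the challenge. Kept as an
  # array so the words reach iptables as-is instead of via word-splitting.
  local -a http_rule=(INPUT -m tcp -p tcp --dport 80 -j ACCEPT)
  iptables -I "${http_rule[@]}" || return 9
  certbot certonly --standalone --domains "${FQDN}" -n --agree-tos --email "${LETSENCRYPT_EMAIL}" || errors+=1
  # Close port 80 again whether or not certbot succeeded. An interrupted run
  # (signal before this line) still leaves the rule in place.
  if ! iptables -D "${http_rule[@]}"; then
    # This used to call `warn`, which is not defined anywhere in the script.
    printf '%s\n' "certbot_znc_update.sh: WARNING: IPTables rule for certbot left open. Please correct this mantually" >&2
    logger "certbot_znc_update.sh: WARNING: IPTables rule for certbot left open. Please correct this mantually"
  fi
  # Generating DH parms is a one time thing. Technically we have some in znc.pem, but we need a stand alone file. Easiest way
  # to do this in shell is just make a new one
  openssl dhparam -out "${DH_PARAM_FILE}" "${DH_PARAM_BITS}" || errors+=1
  # Was `chown 600`, which tries to hand the file to uid 600 and never sets
  # the mode; chmod is what was meant, and its failure is now counted.
  chmod 600 "${DH_PARAM_FILE}" || errors+=1
  return ${errors}
}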
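renew_certbot(){
  # Run `certbot renew` with port 80 temporarily opened for the challenge.
  # Returns:  9 if port 80 could not be opened, otherwise certbot's exit status.
  local -i error_code=0
  # Same rule as in init_certbot; array instead of a word-split string.
  local -a http_rule=(INPUT -m tcp -p tcp --dport 80 -j ACCEPT)
  iptables -I "${http_rule[@]}" || return 9
  /usr/bin/certbot -q renew || error_code=${?}
  # Close port 80 again regardless of certbot's result.
  if ! iptables -D "${http_rule[@]}"; then
    # This used to call `warn`, which is not defined anywhere in the script.
    printf '%s\n' "certbot_znc_update.sh: WARNING: IPTables rule for certbot left open. Please correct this mantually" >&2
    logger "certbot_znc_update.sh: WARNING: IPTables rule for certbot left open. Please correct this mantually"
  fi
  return ${error_code}
}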
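gen_znc_pem(){
  # ZNC puts everything in a single file: private key, full chain, DH params.
  # Globals:  ENCRYPTION_KEY, ENCRYPTION_CERT, DH_PARAM_FILE, ZNC_CERT_FILE,
  #           ZNC_USER (read)
  # Returns:  number of failed steps (0 on success).
  local -i errors=0
  local part
  # Create/truncate the bundle under a restrictive umask and lock its mode
  # down *before* the private key is written. Previously `cat key > file`
  # created the file with the default umask and it stayed world-readable
  # until the final chmod.
  ( umask 077 && : > "${ZNC_CERT_FILE}" ) || errors+=1
  chmod 600 "${ZNC_CERT_FILE}" || errors+=1
  for part in "${ENCRYPTION_KEY}" "${ENCRYPTION_CERT}" "${DH_PARAM_FILE}"; do
    cat -- "${part}" >> "${ZNC_CERT_FILE}" || errors+=1
  done
  chown "${ZNC_USER}":"${ZNC_USER}" "${ZNC_CERT_FILE}" || errors+=1
  return ${errors}
}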
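main(){
  # Entry point. Arguments: $1 - firstrun | renew | anything else (usage).
  # Exits 0 when every step succeeded, 1 otherwise; usage and a missing FQDN
  # exit through help_and_exit / exit_with_error.
  declare -i ERRORS=0
  local command="${1-}"
  local -i needs_restart=0
  local -i pem_ok=1
  [[ -z "${FQDN}" ]] && exit_with_error 2 "No Domain set, no qualified for a Lets Encrypt! cert"
  case "${command}" in
    firstrun)
      message "Initializing..."
      submsg "Registering with Lets Encrypt via certbot"
      init_certbot || ERRORS+=1
      submsg "Generating ZNC cert file"
      gen_znc_pem || ERRORS+=1
      # set permissions for ZNC user (this step was unchecked before)
      chown -R "${ZNC_USER}":"${ZNC_USER}" "${ZNC_HOME}" || ERRORS+=1
      submsg "Restarting ZNC"
      # The `|| ERRORS+=1` used to hang off submsg; the restart itself was unchecked.
      systemctl restart znc || ERRORS+=1
      ;;
    renew)
      message "Updating Certs"
      submsg "Updating Lets Encrypt via certbot"
      renew_certbot || ERRORS+=1
      # Decide on the restart *after* renewal: ZNC needs one iff the LE cert
      # is newer than the bundle it is currently running with (or the bundle
      # is missing). The old TODAY/CERT_DATE comparison used a cert mtime
      # captured at script start, i.e. before `certbot renew` ran, so a
      # renewal performed by this very run never triggered a restart.
      if [[ "${ENCRYPTION_CERT}" -nt "${ZNC_CERT_FILE}" ]]; then
        needs_restart=1
      fi
      submsg "Regenerating ZNC cert file"
      gen_znc_pem || { ERRORS+=1; pem_ok=0; }
      # Do not restart into a bundle we failed to write; the error is already counted.
      if (( needs_restart && pem_ok )); then
        submsg "Restarting ZNC"
        systemctl restart znc || ERRORS+=1
      else
        submsg "Certificate not renewed today, skipping reset"
      fi
      ;;
    *)
      help_and_exit
      ;;
  esac
  case ${ERRORS} in
    0)
      message "Done"
      exit 0
      ;;
    1)
      message "Done, but with 1 error"
      exit 1
      ;;
    *)
      message "Done, but with ${ERRORS} errors"
      exit 1
      ;;
  esac
}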
# Hand every argument through to main unchanged.
main "$@"