Skip to content

Instantly share code, notes, and snippets.

@catchdave
Last active October 22, 2024 15:41
Show Gist options
  • Save catchdave/3f6f412bbf0f0cec32469fb0c9747295 to your computer and use it in GitHub Desktop.
Save catchdave/3f6f412bbf0f0cec32469fb0c9747295 to your computer and use it in GitHub Desktop.
This is my companion script for synology scripts https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
# This is a anonymized version of the script I use to renew all my SSL certs
# across my servers. This will not work out of the box for anyone as your network will be
# different. But may be useful starting place for others.
#
# I use a cronjob that runs this every week. It only replaces certificates when a certificate has been renewed.
# Renews/creates cert from letsencrypt & places it where it needs to be.
# Currently, that is:
# * Nginx (local for plex)
# * Plex Media Server
# * DSM/Synology
# * Unifi Protect
# * Home Assistant
DOMAIN=example.com # Change to your domain
PLEX_CERTIFICATE=/var/lib/plexmediaserver/certificate.pfx
CERT_DIRECTORY="/etc/letsencrypt/live/$DOMAIN"
ME=$(basename "$0")
ONLY=
FORCE=false
CREATE_NEW_CERT=false
SERVERS=(plex synology homeassistant protect) # Whatever your server names are
ssl_user=ssl_updater # User for remote servers that can update certs
# Get args
# ================================
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-o|--only)
if [[ ! " ${SERVERS[*]} " =~ " ${2} " ]]; then
echo "[$ME] Unknown servername: $2. Use one of the known servers: $SERVERS"
exit 1
fi
ONLY="$2"
shift # past argument
shift # past value
;;
--force)
FORCE=true
shift # past argument
;;
--create)
CREATE_NEW_CERT=true
shift # past argument
;;
-*|--*)
echo "[$ME] Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
# ================================
# Use certbot to renew certificate
# ================================
echo "Running certbot..."
if [ "$CREATE_NEW_CERT" == "true" ]; then
echo "[$ME] Creating a new certificate from scratch"
cert_flags="--insert-your-flags --creds etc *.$DOMAIN" # Modify this line for the parameters you use to create your cert
{ CERTBOT_ERROR=$(sudo certbot certonly $cert_flags 2>&1 >&3 3>&-); } 3>&1
errcode=$?
else
echo "[$ME] Renewing certificate"
{ CERTBOT_ERROR=$(sudo certbot renew 2>&1 >&3 3>&-); } 3>&1
errcode=$?
fi
if [ "$errcode" != "0" ]; then
echo "$CERTBOT_ERROR"
echo "[$ME] Error encountered with certbot. Halting."
echo "[$ME] Error code: $errcode"
exit
fi
# ================================
# Exit or continue if certificate not renewed, depending on flags
# ================================
if echo "$CERTBOT_ERROR" | grep 'Cert not yet due for renewal'; then
if [ "$FORCE" != "true" ]; then
echo "[$ME] Certbot not due for renewal--halting."
echo "[$ME] To continue anyway (to sync the existing cert), use flag --force"
exit 0
else
echo "[$ME] --force specified--continuing to sync certs"
fi
fi
if [ "$ONLY" != "" ]; then
echo "--only specified. Will only sync certs to: $ONLY"
fi
# ================================
# Synology (NAS)
# This script used here is referenced in this companion gist:
# https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
# ================================
if [[ -z "$ONLY" || "$ONLY" == "synology" ]]; then
server=synology.$DOMAIN
echo ""
echo "[$ME] Copying certificates to synology"
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/tmp/
if [ "$?" = "0" ]; then
echo "[$ME] > Replacing certs on $server...."
ssh $ssl_user@$server 'sudo ./replace_certs.sh'
if [ "$?" != "0" ]; then
echo "[$ME] > ERROR replacing certs to $server"
fi
else
echo "[$ME] > Error occurred copying files to $server"
fi
fi
# ================================
# Home Assistant
# ================================
if [[ -z "$ONLY" || "$ONLY" == "homeassistant" ]]; then
server=homeassistant.$DOMAIN
echo ""
echo "[$ME] Copying certificates to home assistant"
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $ssl_user@$server:/usr/share/hassio/ssl/
if [ "$?" = "0" ]; then
echo "[$ME] > Restarting NGINX SSL Proxy...."
ssh $ssl_user@$server 'sudo ha addons restart core_nginx_proxy'
else
echo "[$ME] > Error occurred copying files to $server"
fi
fi
# ================================
# Create certificate for plex (local to script)
# ================================
if [[ -z "$ONLY" || "$ONLY" == "plex" ]]; then
echo ""
# backup plex cert
date_created=`/usr/bin/stat -f "%Sm" -t "%Y-%m-%d" $PLEX_CERTIFICATE`
sudo cp "$PLEX_CERTIFICATE" "$PLEX_CERTIFICATE.$date_created"
# move plex cert over
echo "=============="
sudo openssl pkcs12 -export -out "$PLEX_CERTIFICATE" -inkey ${CERT_DIRECTORY}/privkey.pem -in ${CERT_DIRECTORY}/cert.pem -certfile ${CERT_DIRECTORY}/chain.pem -passout pass:YOUR_PASSWORD_HERE
sudo chown plex "$PLEX_CERTIFICATE"
echo "[$ME] Killing and re-opening Plex Media Server"
killall "Plex Media Server" -9
sudo -u plex open /Applications/Plex\ Media\ Server.app
echo "[$ME] Reloading NGINX..."
sudo nginx -s reload
fi
# ================================
# Unifi Protect
# ================================
if [[ -z "$ONLY" || "$ONLY" == "protect" ]]; then
server="protect.$DOMAIN"
echo ""
echo "[$ME] Copying certificates to $server"
sudo scp ${CERT_DIRECTORY}/{privkey,fullchain}.pem $ssl_user@$server:/tmp/
if [ "$?" = "0" ]; then
echo "[$ME] > Restarting services on Unifi Protect...."
ssh $ssl_user@$server 'sudo /root/replace_certs_protect.sh'
if [ "$?" != "0" ]; then
echo "[$ME] > ERROR restarting services on Unifi protect"
fi
else
echo "[$ME] > Error occurred copying files to Unifi Protect"
fi
fi
# ================================
@DJGauthier
Copy link

DJGauthier commented Jun 21, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment