From fb0b269d0853e4fce2e8148f9048544a6ca335a5 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Sun, 17 Apr 2016 19:52:33 +0100
Subject: [PATCH] Improving the wording in a couple of comments and info statements. (0.30)
---
 README.md | 23 ++++++++++++++---------
 getssl | 13 +++++++------
 2 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index c4c5a6a..49bbb54 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for auto
 This was written in standard bash ( so can be run on a server, a desktop computer, or even virtualbox) and add the checks, and certificates to a remote server ( providing you have an ssh key on the remote server with access).
 ```
-getssl ver. 0.28
+getssl ver. 0.30
 Obtain SSL certificates from the letsencrypt.org ACME server
 Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-w working_dir] domain
@@ -83,22 +83,27 @@ SANS=www.example.org,example.edu,example.net,example.org,www.example.com,www.exa
 # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
 # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
 # An ssh key will be needed to provide you with access to the remote server.
-#ACL=('/var/www/example.com/web/.well-known/acme-challenge'
-# 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
+ACL=('/var/www/example.com/web/.well-known/acme-challenge'
+ 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
 # Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL
-#DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
-#DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
+DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
+DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
 #CA_CERT_LOCATION="/etc/ssl/chain.crt"
-#DOMAIN_PEM_LOCATION=""
+#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
+#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert
+
 # The command needed to reload apache / nginx or whatever you use
-#RELOAD_CMD=""
+RELOAD_CMD="service apache2 reload"
 # The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
 #RENEW_ALLOW="30"
-# Define the server type. If it's a "webserver" then the main website will be checked for certificate expiry
-# and also will be checked after an update to confirm correct certificate is running.
+
+# Define the server type. The can either webserver, ldaps or a port number which
+# will be checked for certificate expiry and also will be checked after
+# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
 #SERVER_TYPE="webserver"
+#CHECK_REMOTE="true"
 # Use the following 3 variables if you want to validate via DNS
 #VALIDATE_VIA_DNS="true"
diff --git a/getssl b/getssl
index 00a2e67..0fe22b0 100755
--- a/getssl
+++ b/getssl
@@ -45,10 +45,11 @@
 # 2016-02-17 fix sed -E issue, and reduce length of renew check to 365 days for older systems (v0.27)
 # 2016-04-05 Ensure DNS cleanup on error exit. (0.28) - pecigonzalo
 # 2016-04-15 Remove NS Lookup of A record when using dns validation (0.29) - pecigonzalo
+# 2016-04-17 Improving the wording in a couple of comments and info statements. (0.30)
 # ---------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="0.29"
+VERSION="0.30"
 # defaults
 CA="https://acme-staging.api.letsencrypt.org"
@@ -173,7 +174,7 @@ write_getssl_template() { # write out the main template file
 # this prevents hitting some of the rate limits.
 RENEW_ALLOW="30"
- # Define the server type. The can either webserver, ldaps or a port number which
+ # Define the server type. This can either be a webserver, ldaps or a port number which
 # will be checked for certificate expiry and also will be checked after
 # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
 SERVER_TYPE="webserver"
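Review bot: The reworded comment in write_getssl_template still carries a misplaced parenthesis on the unchanged line two below it, `(if CHECK_REMOTE) is set to true`, which reads as if the parenthetical closes before the condition; suggest `(if CHECK_REMOTE is set to true)`. The same applies to the matching hunk in write_domain_template at @@ -229. The README hunk at @@ -83 newly adds the old wording `The can either webserver, ldaps or a port number` that this hunk corrects, so the README and the script templates now disagree on the same sentence. write_getssl_template begins and ends outside the hunk.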
@@ -229,7 +230,7 @@ write_domain_template() { # write out a template file for a domain.
 # this prevents hitting some of the rate limits.
 RENEW_ALLOW="30"
- # Define the server type. The can either webserver, ldaps or a port number which
+ # Define the server type. This can either be a webserver, ldaps or a port number which
 # will be checked for certificate expiry and also will be checked after
 # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
 #SERVER_TYPE="webserver"
@@ -611,7 +612,7 @@ else
 error_exit "unknown server type"
 fi
-# if check)remote is true then connect and obtain the current certificate (if not forceing renewal)
+# if check_remote is true then connect and obtain the current certificate (if not forcing renewal)
 if [[ "${CHECK_REMOTE}" == "true" ]] && [ $_FORCE_RENEW -eq 0 ]; then
 debug "getting certificate for $DOMAIN from remote server"
 EX_CERT=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" 2>/dev/null | openssl x509 2>/dev/null)
@@ -672,7 +673,7 @@ if [ -f "$CERT_FILE" ]; then
 debug "enddate is $enddate"
 if [[ "$enddate" != "-" ]]; then
 if [[ $(date -d "${RENEW_ALLOW} days" +%s) -lt $(date -d "$enddate" +%s) ]]; then
- info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days"
+ info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
 # everything is OK, so exit.
 graceful_exit
 else
@@ -928,7 +929,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 else
 if [[ $ntries -lt 100 ]]; then
 ntries=$(( ntries + 1 ))
- info "testing DNS for ${d}. Attempt $ntries/100 completed. waiting 10 secs before testing verify again"
+ info "checking DNS for ${d}. Attempt $ntries/100 gave wrong result, waiting 10 secs before checking again"
 sleep 10
 else
 debug "dns check failed - removing existing value"