freshcerts-client

#!/bin/sh
# Freshcerts client
# https://github.com/valpackett/freshcerts
#
# Run this via cron every day for each domain
#
# You can comment out the genrsa if you don't want to rotate the private key
# and, really, customize the script however you want
# (e.g. add DANE records generation for your DNS server)

: ${FRESHCERTS_HOST:="localhost:9292"}
: ${KEYS_DIRECTORY:="/usr/local/etc/certs"}

DOMAIN="$1"
SUBJ="$2"
PORTS="$3"
RELOAD_CMD="$4"
AUTH_TOKEN="$5"

KEY_PATH="${KEYS_DIRECTORY}/${DOMAIN}.key.pem"

curl -f "${FRESHCERTS_HOST}/v1/cert/${DOMAIN}/should_reissue" 2>/dev/null && \
	openssl genrsa -out "$KEY_PATH.new" 2048 2>/dev/null && \
	chmod 0400 "$KEY_PATH.new" && \
	openssl req -new -batch -subj "$SUBJ" -key "$KEY_PATH.new" -out /dev/stdout | \
	curl -s -X POST "${FRESHCERTS_HOST}/v1/cert/${DOMAIN}/issue" \
		-F "csr=@-" -F "ports=$PORTS" -F "domain=$DOMAIN" -F "token=$AUTH_TOKEN" | \
	tar -C "$KEYS_DIRECTORY" -xf - && \
	mv "$KEY_PATH.new" "$KEY_PATH" && \
	sh -c "$RELOAD_CMD"