From: Lukas Schauer Date: Mon, 7 Dec 2015 12:21:12 +0000 (+0100) Subject: added import script (allows import of existing certificates from the original letsenc... X-Git-Tag: v0.1.0~182 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=067d7ee4ba2d4fe28b9e01369a685150f8b1e2c1;p=thirdparty%2Fdehydrated.git added import script (allows import of existing certificates from the original letsencrypt client) --- diff --git a/import.sh b/import.sh new file mode 100755 index 0000000..1bfcbe0 --- /dev/null +++ b/import.sh 
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -e
+set -u
+set -o pipefail
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+BASEDIR="${SCRIPTDIR}"
+LETSENCRYPT="/etc/letsencrypt"
+
+. "${SCRIPTDIR}/config.sh"
+
+if [[ -e "${BASEDIR}/domains.txt" ]]; then
+ DOMAINS_TXT="${BASEDIR}/domains.txt"
+elif [[ -e "${SCRIPTDIR}/domains.txt" ]]; then
+ DOMAINS_TXT="${SCRIPTDIR}/domains.txt"
+else
+ echo "You have to create a domains.txt file listing the domains you want certificates for. Have a look at domains.txt.example."
+ echo "For the purpose of this import script the file can be empty, but it has to exist."
+ exit 1
+fi
+
+for certdir in "${LETSENCRYPT}/live/"*; do
+ domain="$(basename "${certdir}")"
+ echo "Processing ${domain}"
+
+ # Check if we already have a certificate for the same (main) domain
+ if [ -e "${BASEDIR}/certs/${domain}" ]; then
+ echo " + Skipping: Found existing certificate directory, don't want to delete anything."
+ continue
+ fi
+
+ # Check if private-key, certificate and fullchain exist
+ if [[ ! -e "${certdir}/privkey.pem" ]]; then
+ echo " + Skipping: Private key is missing."
+ continue
+ fi
+ if [[ ! -e "${certdir}/cert.pem" ]]; then
+ echo " + Skipping: Certificate is missing."
+ continue
+ fi
+ if [[ ! -e "${certdir}/fullchain.pem" ]]; then
+ echo " + Skipping: Chain is missing."
+ continue
+ fi
+
+ # Check if certificate still valid
+ set +e; openssl x509 -checkend 0 -noout -in "${certdir}/cert.pem" > /dev/null 2> /dev/null; expired="${?}"; set -e
+ if [[ "${expired}" = "1" ]]; then
+ echo " + Skipping: Certificate is expired."
+ continue
+ fi
+
+ # Import certificate
+ timestamp="$(date +%s)"
+
+ echo " + Adding list of domains to ${DOMAINS_TXT}"
+ SAN="$(openssl x509 -in "${certdir}/cert.pem" -noout -text | grep -A1 "Subject Alternative Name" | grep "DNS")"
+ SAN="${SAN//DNS:/}"
+ SAN="${SAN//, / }"
+ altnames="${domain}"
+ for altname in ${SAN}; do
+ if [[ ! "${altname}" = "${domain}" ]]; then
+ altnames="${altnames} ${altname}"
+ fi
+ done
+ echo "${altnames}" >> "${DOMAINS_TXT}"
+
+ mkdir -p "${BASEDIR}/certs/${domain}"
+
+ echo " + Importing private key"
+ cat "${certdir}/privkey.pem" > "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem"
+ ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
+
+ echo " + Importing certificate"
+ cat "${certdir}/cert.pem" > "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
+ ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
+
+ echo " + Importing chain"
+ cat "${certdir}/fullchain.pem" > "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
+ ln -s "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
+done