cc il y a 4 ans
Parent
commit
77d89f8742

+ 74 - 0
ngp_le/app/cert_status

@@ -0,0 +1,74 @@
+#!/bin/bash
+function print_cert_info {
+  local enddate
+  local subject
+  local san_str
+
+  # Get the wanted informations with OpenSSL.
+  issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN = \(.*\)/\1/p')"
+  enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
+  subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN = \([a-z0-9.-]*\)/- \1/p')"
+  san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
+
+  echo "Certificate was issued by $issuer"
+  if [[ "$2" == "expired" ]]; then
+      echo "Certificate was valid until $enddate"
+  else
+      echo "Certificate is valid until $enddate"
+  fi
+  echo "Subject Name:"
+  echo "$subject"
+
+  # Display the SAN info only if there is more than one SAN domain.
+  while IFS=',' read -ra SAN; do
+      if [[ ${#SAN[@]} -gt 1 ]]; then
+          echo "Subject Alternative Name:"
+          for domain in "${SAN[@]}"; do
+              echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
+          done
+      fi
+  done <<< "$san_str"
+}
+
+echo '##### Certificate status #####'
+for cert in /etc/nginx/certs/*/fullchain.pem; do
+    [[ -e "$cert" ]] || continue
+    if [[ -e "${cert%fullchain.pem}chain.pem" ]]; then
+        # Verify the certificate with OpenSSL.
+        verify=$(openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" 2>&1)
+        if [[ $? -eq 0 ]]; then
+            echo $verify
+            # Print certificate info.
+            print_cert_info "$cert"
+        else
+            echo "${cert}: EXPIRED"
+            # Print certificate info.
+            print_cert_info "$cert" "expired"
+        fi
+    else
+        echo "${cert}: no corresponding chain.pem file, unable to verify certificate"
+        # Print certificate info.
+        print_cert_info "$cert"
+    fi
+
+    # Find the .crt files in /etc/nginx/certs which are
+    # symlinks pointing to the current certificate.
+    unset symlinked_domains
+    for symlink in /etc/nginx/certs/*.crt; do
+        [[ -e "$symlink" ]] || continue
+        if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
+            domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
+            symlinked_domains+=("$domain")
+        fi
+    done
+
+    # Display symlinks pointing to the current cert if there is any.
+    if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
+        echo "Certificate is used by the following domain(s):"
+        for domain in "${symlinked_domains[@]}"; do
+          echo "- $domain"
+        done
+    fi
+
+    echo '##############################'
+done
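Review bot: The else branch at the `openssl verify` check labels every verification failure as `EXPIRED` and throws away the captured `$verify` output, so a broken chain, an untrusted issuer or a hostname/key mismatch is reported to the operator as expiry; the failure branch should print what OpenSSL actually said, e.g. `echo "${cert}: verification failed: ${verify}"`, and the success branch should quote it too (`echo "$verify"` instead of the unquoted `echo $verify`, which word-splits and globs the output). In `print_cert_info`, `issuer` is assigned without `local` while the other three variables are declared local, so it leaks into the global scope between calls; add `local issuer` alongside them. The loop variable `SAN` and `domain` in the while loop are likewise unscoped. The `echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g'` pipeline can be replaced by parameter expansion, `domain="${symlink#/etc/nginx/certs/}"; domain="${domain%.crt}"`, which avoids a subshell and the `g` flag's effect on any repeated prefix.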

+ 8 - 0
ngp_le/app/dhparam.pem.default

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAwpR+yYapElMV4DiO+BwKK2N8Ur4giZtga+dslyDMuhY+U4t/97Eq
+gdFg2RD5nqrgWCRWEYcbh1kPBOAPWXZ4+N8mZL8pJXaNi2XFA8IxQex283Sz7CX+
+qr/zb+piJLx+/6JB/NNTZtKurM3ZQgwdGqSHqeWgvRIgCQAykC1oz7muCsev1IMc
+rLig1kyvhg3L1t+uKYV0OtiXONmPglPm9pXRqMQ53Rg/D3CpUpyyTSugOFjVhLrP
+Ow+kO6qXBQSDhrL2L0UjprbcVMPHv9bFmWNoTCtC8OYA1OuiA368PWhgeH/76Yu8
+4an6/vt3HowDZHKfB3Vb1VwTI+k6hzwhkwIBAg==
+-----END DH PARAMETERS-----

+ 5 - 0
ngp_le/app/force_renew

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source /app/letsencrypt_service --source-only
+
+update_certs --force-renew
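Review bot: If `/app/letsencrypt_service` is missing or fails to source, the script continues and `update_certs --force-renew` runs as an unknown command, since the script has no `set -e` and the `source` status is not checked; guard it with `source /app/letsencrypt_service --source-only || exit 1`. The `--source-only` convention is defined in the sourced file, which is outside this commit, so its behaviour is inferred here.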

+ 4 - 0
ngp_le/app/signal_le_service

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Using busybox pkill
+pkill -USR1 -f /app/letsencrypt_service
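Review bot: The `pkill` exit status is ignored, so when no matching process exists the signal is silently lost and the caller cannot tell that the renewal service was not notified; report it, e.g. `pkill -USR1 -f /app/letsencrypt_service || { echo "letsencrypt_service is not running" >&2; exit 1; }`. Note that `-f` matches the pattern against the full command line of every process, so any process whose arguments contain that path (not only the service itself) also receives SIGUSR1; if the service records its PID somewhere, signalling that PID would be more precise, but nothing in this commit shows such a file.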