#!/usr/bin/env sh
##########################################################################
# This is a very simple deployment script that moves certificates to a
# remote server. It uses scp (the remote cp of ssh) and simply drops the
# certs into a target directory. Targets use the usual scp syntax, e.g.:
#
# server.com:/var/spool/acme.sh/certs/
# user@server.com:/var/spool/acme.sh/certs/
# configuredserver:/var/spool/acme.sh/certs/
#
# "configuredserver" may be the name of a Host entry in your ~/.ssh/config.
# If you have a more complex setup (different ports, identity files, users
# or hostnames) you are strongly encouraged to put it into ~/.ssh/config,
# which saves this little script from reimplementing every scp switch.
# Because renewals run unattended (cron), make sure the target's host key
# is already in known_hosts and that the identity has no passphrase (or an
# agent is available); otherwise scp will prompt or fail. Setting
# "BatchMode yes" for that Host makes such failures loud instead of hung.
#
# You might want to configure ssh on the target server to use a dedicated
# account with key based authentication that is allowed to copy files only.
# One way is a restricted shell such as rssh (note that rssh is no longer
# actively maintained); OpenSSH's own "ForceCommand"/"ChrootDirectory"
# sshd options, or a "command=...",restrict entry in that account's
# authorized_keys file, achieve the same without extra software. You might
# as well put the user into a chroot.
#
# The main reason for this form of deployment is that the acme.sh script
# can run in a safe and controlled environment. acme.sh needs detailed and
# sensitive information, e.g. your ACME account private key or your DNS
# provider's credentials. Information like this you certainly don't want
# to have lying around on your public webserver.
#
# Further deployment of the certificates should be handled by a cron job
# on the remote server. That remote script can then move the new certs to
# their proper position, set file owner and permissions and restart the
# corresponding service. Do set owner and permissions explicitly: scp does
# not tighten them for you, so the private key arrives as a file created
# by the ssh login user -- make it root-owned and mode 0600 (or whatever
# the service needs) before the service reads it.
#
# An example script for apache (on debian systems) might be:
#
# #!/usr/bin/env sh
# chown root:root /var/spool/acme.sh/certs/*
# mv /var/spool/acme.sh/certs/* /etc/apache2/ssl.crt/
# systemctl restart apache2
#
# To avoid misunderstandings, this script is NOT like other deployment
# scripts that target a specific type of server (apache/cyrus/exim/...)
# and do all ssl configuration for you. With this script YOU do all your
# ssl configuration on your target server yourself. Then, and only after
# the target server is properly configured, you use this script to deploy
# the forthcoming LE certificates.

# When called for the first time use the following env vars to set up the
# configuration. The vars are stored on a per domain basis so later runs
# can pick them up again. At least one of the KEY/CERT/FULLCHAIN targets
# is required; a CA target on its own is not accepted.
#DEPLOY_SCP_CA_TARGET="user@server.com:/etc/apache2/ssl.crt"
#DEPLOY_SCP_KEY_TARGET="user@server.com:/etc/apache2/ssl.key"
#DEPLOY_SCP_CERT_TARGET="user@server.com:/etc/apache2/ssl.crt"
#DEPLOY_SCP_FULLCHAIN_TARGET="user@server.com:/etc/apache2/ssl.crt"

######## public functions #####################
#domain keyfile certfile cafile fullchain
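# Entry point invoked by acme.sh's --deploy machinery.
#   $1 domain, $2 key file, $3 cert file, $4 CA file, $5 fullchain file
# Reads DEPLOY_SCP_{CA,KEY,CERT,FULLCHAIN}_TARGET; _SCP_check_params
# validates and persists them. Returns 0 when every configured target was
# copied, 1 when no usable target is configured or an scp fails. Copies
# stop at the first failure, so earlier files may already be on the
# remote side when 1 is returned.
scp_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  if ! _SCP_check_params; then
    _err "Please specify at least one scp target. For instance:"
    _info "DEPLOY_SCP_CERT_TARGET=\"user@server.com:/etc/apache2/ssl.crt\""
    _info "The target directory has to be writable by the user."
    _info "See the header of this script for more information."
    return 1
  fi

  # Only the paths are logged, never file contents: $_ckey is the
  # certificate's private key.
  _debug _cdomain "$_cdomain"
  _debug _cca "$_cca"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cfullchain "$_cfullchain"

  # Same order as before: CA, key, cert, fullchain. scp runs with the
  # user's ssh defaults on purpose (ports, identities, BatchMode belong in
  # ~/.ssh/config, see the file header), so an unknown host key or a
  # passphrase prompt will block an unattended run.
  _scp_copy "$_cca" "$DEPLOY_SCP_CA_TARGET" || return 1
  _scp_copy "$_ckey" "$DEPLOY_SCP_KEY_TARGET" || return 1
  _scp_copy "$_ccert" "$DEPLOY_SCP_CERT_TARGET" || return 1
  _scp_copy "$_cfullchain" "$DEPLOY_SCP_FULLCHAIN_TARGET" || return 1

  return 0
}

# Private helper for scp_deploy: copy one local file to one scp target.
#   $1 local file, $2 scp target ("" means not configured: nothing to do)
# The remote file is created by the ssh login user; this script does not
# control its ownership or mode bits, the remote-side job must set those
# (important for the private key). On scp failure the target is named in
# the error so the log shows which of the up to four copies broke.
# Returns 0 on success or when $2 is empty, 1 when scp fails.
_scp_copy() {
  if [ -z "$2" ]; then
    return 0
  fi
  if ! scp "$1" "$2"; then
    _err "scp copy to server failed: $2"
    return 1
  fi
  return 0
}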
#################### private functions below ##################################
# Validate the DEPLOY_SCP_*_TARGET settings and persist the ones given.
# Returns 1 -- after blanking all four targets so nothing half-configured
# is kept -- when none of the key / cert / fullchain targets is set; a
# CA-only configuration is not a usable deployment. Returns 0 otherwise,
# after _savedomainconf has stored every non-empty target for this domain.
_SCP_check_params() {
  # The concatenation is empty exactly when all three are empty.
  if [ -z "${DEPLOY_SCP_KEY_TARGET}${DEPLOY_SCP_CERT_TARGET}${DEPLOY_SCP_FULLCHAIN_TARGET}" ]; then
    DEPLOY_SCP_CA_TARGET=""
    DEPLOY_SCP_KEY_TARGET=""
    DEPLOY_SCP_CERT_TARGET=""
    DEPLOY_SCP_FULLCHAIN_TARGET=""
    return 1
  fi

  # Only what was actually supplied is written to the domain conf.
  [ -n "$DEPLOY_SCP_CA_TARGET" ] && _savedomainconf DEPLOY_SCP_CA_TARGET "$DEPLOY_SCP_CA_TARGET"
  [ -n "$DEPLOY_SCP_KEY_TARGET" ] && _savedomainconf DEPLOY_SCP_KEY_TARGET "$DEPLOY_SCP_KEY_TARGET"
  [ -n "$DEPLOY_SCP_CERT_TARGET" ] && _savedomainconf DEPLOY_SCP_CERT_TARGET "$DEPLOY_SCP_CERT_TARGET"
  [ -n "$DEPLOY_SCP_FULLCHAIN_TARGET" ] && _savedomainconf DEPLOY_SCP_FULLCHAIN_TARGET "$DEPLOY_SCP_FULLCHAIN_TARGET"

  return 0
}