#!/bin/bash # info: adding letsencrypt ssl cetificate for domain # options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY] # # The function turns on SSL support for a domain. Parameter ssl_dir is a path # to directory where 2 or 3 ssl files can be found. Certificate file # domain.tld.crt and its key domain.tld.key are mandatory. Certificate # authority domain.tld.ca file is optional. If home directory parameter # (ssl_home) is not set, https domain uses public_shtml as separate # documentroot directory. #----------------------------------------------------------# # Variable&Function # #----------------------------------------------------------# # Argument definition user=$1 domain=$2 aliases=$3 restart=$4 notify=$5 # Includes source $VESTA/func/main.sh source $VESTA/func/domain.sh source $VESTA/conf/vesta.conf #----------------------------------------------------------# # Verifications # #----------------------------------------------------------# check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]' is_format_valid 'user' 'domain' is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM' is_system_enabled "$WEB_SSL" 'SSL_SUPPORT' is_object_valid 'user' 'USER' "$user" is_object_unsuspended 'user' 'USER' "$user" is_object_valid 'web' 'DOMAIN' "$domain" is_object_unsuspended 'web' 'DOMAIN' "$domain" #----------------------------------------------------------# # Action # #----------------------------------------------------------# # Parsing domain data get_domain_values 'web' # Registering LetsEncrypt user account $BIN/v-add-letsencrypt-user $user if [ "$?" -ne 0 ]; then touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe send_notice "LETSENCRYPT" "Account registration failed" check_result $E_CONNECT "LE account registration" >/dev/null fi # Parsing LetsEncrypt account data source $USER_DATA/ssl/le.conf email=$EMAIL # Validating domain and aliases i=1 for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do $BIN/v-check-letsencrypt-domain $user $alias if [ "$?" -ne 0 ]; then touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe send_notice "LETSENCRYPT" "$alias validation failed" check_result $E_INVALID "LE domain validation" >/dev/null fi # Checking LE limits per account if [ "$i" -gt 100 ]; then touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe send_notice 'LETSENCRYPT' 'Limit of domains per account is reached' check_result $E_LIMIT "LE can't sign more than 100 domains" fi i=$((i++)) done # Generating CSR ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \ "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}') # Signing CSR crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir) if [ "$?" -ne 0 ]; then touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe send_notice "LETSENCRYPT" "$alias validation failed" check_result "$E_INVALID" "LE $domain validation" fi echo "$crt" > $ssl_dir/$domain.crt # Dowloading CA certificate le_certs='https://letsencrypt.org/certs' x1='lets-encrypt-x1-cross-signed.pem.txt' x3='lets-encrypt-x3-cross-signed.pem.txt' issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:") if [ -z "$(echo $issuer|grep X3)" ]; then curl -s $le_certs/$x1 > $ssl_dir/$domain.ca else curl -s $le_certs/$x3 > $ssl_dir/$domain.ca fi # Adding SSL $BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1 $BIN/v-add-web-domain-ssl $user $domain $ssl_dir if [ "$?" -ne '0' ]; then touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe send_notice 'LETSENCRYPT' "$domain certificate installation failed" check_result $? "SSL install" >/dev/null fi # Adding LE autorenew cronjob if [ -z "$(grep v-update-lets $VESTA/data/users/admin/cron.conf)" ]; then min=$(generate_password '012345' '2') hour=$(generate_password '1234567' '1') cmd="sudo $BIN/v-update-letsencrypt-ssl" $BIN/v-add-cron-job admin "$min" "$hour" '*' '*' '*' "$cmd" > /dev/null fi # Updating letsencrypt key if [ -z "$LETSENCRYPT" ]; then add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT' 'FTP_USER' fi update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes' #----------------------------------------------------------# # Vesta # #----------------------------------------------------------# # Restarting web $BIN/v-restart-web $restart if [ "$?" -ne 0 ]; then send_notice 'LETSENCRYPT' "web server needs to be restarted manually" fi # Notifying user send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully" # Deleteing task from queue touch $VESTA/data/queue/letsencrypt.pipe sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe # Logging log_event "$OK" "$ARGUMENTS" exit