renew ssl certs automatically and clear out expired
Letsencrypt used to auto fix your expired certs. This no longer happens. Here's a script to do it.
Flags:
--delete: remove expired certs
--renew: renew soon-to-expire certs (3 days or fewer left)
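#!/bin/bash
# check-certs.sh
#
# Report the expiry of every Let's Encrypt certificate in the archive and,
# depending on the flags given, clean up expired ones or renew the ones that
# are about to expire.
#
# Usage: check-certs.sh [--delete] [--renew]
#   --delete  remove archive cert*.pem files whose notAfter is already past
#             (the file that live/<domain>/cert.pem points at is never removed,
#             since unlinking it would leave the web server with a dangling
#             symlink; renew it instead)
#   --renew   re-issue lineages whose newest cert has RENEW_DAYS days or fewer
#             left, then issue a cert for every uncommented Apache ServerName
#             that has no lineage in the archive yet
#
# Optional environment overrides:
#   LE_ARCHIVE  archive directory          (default /etc/letsencrypt/archive)
#   CERT_EMAIL  e-mail passed to certbot -m (default my@email.co.za)
#   RENEW_DAYS  renewal threshold in days   (default 3)
#
# Needs bash 4+ (associative arrays), GNU coreutils (date -d, readlink -e),
# openssl and certbot.
set -euo pipefail

base="${LE_ARCHIVE:-/etc/letsencrypt/archive}"
live_dir="${base%/archive}/live"
cert_email="${CERT_EMAIL:-my@email.co.za}"
renew_days="${RENEW_DAYS:-3}"
webroot_base="/var/www"
apache_sites="/etc/apache2/sites-enabled"
delete_mode=0
renew_mode=0

usage() {
  printf 'Usage: %s [--delete] [--renew]\n' "${0##*/}" >&2
  exit 2
}

# Both flags may be combined; a mistyped flag is an error instead of silently
# running in report-only mode.
for arg in "$@"; do
  case "$arg" in
    --delete) delete_mode=1 ;;
    --renew) renew_mode=1 ;;
    *) usage ;;
  esac
done

# Only a plain hostname is allowed to reach certbot and the webroot path
# (a ServerName with a port, or a stray directory name, is rejected).
valid_domain() {
  [[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]
}

# Issue (or re-issue) the certificate for $1 with the webroot challenge.
# Returns certbot's exit status; callers decide whether to continue.
issue_cert() {
  local domain=$1
  certbot certonly --webroot -w "$webroot_base/$domain" \
    -d "$domain" -d "www.$domain" \
    -m "$cert_email" --agree-tos --no-eff-email --non-interactive --quiet
}

# Warn on stderr and keep going; one bad lineage must not stop the sweep.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

declare -A cert_status=()   # domain -> newest notAfter (epoch) seen in the archive
now_epoch=$(date +%s)

# First: walk every cert in the archive. The loop reads from process
# substitution rather than a pipe so that the cert_status entries survive
# into the renewal and ServerName passes below (a piped while-loop runs in a
# subshell and its assignments are lost).
while IFS= read -r -d '' cert; do
  rel=${cert#"$base/"}
  domain=${rel%%/*}   # archive/<lineage>/certN.pem -> <lineage>

  # An unreadable or corrupt PEM must not be mistaken for "expires today",
  # which is what an empty string fed to `date -d` would produce.
  if ! expiry=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null | cut -d= -f2) \
     || [[ -z "$expiry" ]]; then
    warn "cannot read expiry of $cert, skipping"
    continue
  fi
  if ! exp_epoch=$(date -d "$expiry" +%s); then
    warn "unparseable expiry \"$expiry\" in $cert, skipping"
    continue
  fi
  days_left=$(( (exp_epoch - now_epoch) / 86400 ))
  printf '%s: %s (%s days left)\n' "$domain" "$expiry" "$days_left"

  # Remember only the newest cert per lineage so that old archived copies do
  # not trigger a renewal of a lineage whose current cert is still fine.
  if (( exp_epoch > ${cert_status[$domain]:-0} )); then
    cert_status["$domain"]=$exp_epoch
  fi

  # "Expired" means notAfter has passed; integer-day rounding would otherwise
  # wait up to a further day.
  if (( delete_mode == 1 && exp_epoch < now_epoch )); then
    current=$(readlink -e -- "$live_dir/$domain/cert.pem" 2>/dev/null || true)
    if [[ -n "$current" && "$current" == "$(readlink -e -- "$cert")" ]]; then
      warn "not deleting $cert: it is still the live cert for $domain (renew it instead)"
    else
      echo "Deleting expired cert: $cert"
      rm -f -- "$cert"   # sibling privkeyN/chainN/fullchainN files are left as-is
    fi
  fi
done < <(find "$base" -type f -name 'cert*.pem' -print0)

if (( renew_mode == 1 )); then
  # Second: renew each lineage once, judged by its newest cert.
  if (( ${#cert_status[@]} > 0 )); then
    for domain in "${!cert_status[@]}"; do
      days_left=$(( (cert_status[$domain] - now_epoch) / 86400 ))
      (( days_left <= renew_days )) || continue
      if ! valid_domain "$domain"; then
        warn "skipping lineage \"$domain\": not a plain hostname"
        continue
      fi
      echo "Renewing cert for $domain..."
      issue_cert "$domain" || warn "certbot failed for $domain"
    done
  fi

  # Third: any Apache ServerName without a lineage gets a fresh certificate.
  # Only uncommented directives count (the stock config carries a commented
  # "#ServerName www.example.com"), and a leading "www." is dropped so the
  # name matches the lineage directory certbot creates for the bare domain
  # and so we never request "www.www.<domain>".
  declare -A seen=()
  while IFS= read -r domain; do
    domain=${domain#www.}
    [[ -n "$domain" && -z "${seen[$domain]:-}" ]] || continue
    seen["$domain"]=1
    [[ -z "${cert_status[$domain]:-}" ]] || continue
    if ! valid_domain "$domain"; then
      warn "skipping ServerName \"$domain\": not a plain hostname"
      continue
    fi
    echo "No cert found for $domain. Creating new cert..."
    issue_cert "$domain" || warn "certbot failed for $domain"
  done < <(grep -hRE '^[[:space:]]*ServerName[[:space:]]' "$apache_sites" 2>/dev/null \
           | awk '{print $2}')
fi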
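# check-certs.sh
#
# Report the expiry of every Let's Encrypt certificate in the archive and,
# depending on the flags given, clean up expired ones or renew the ones that
# are about to expire.
#
# Usage: check-certs.sh [--delete] [--renew]
#   --delete  remove archive cert*.pem files whose notAfter is already past
#             (the file that live/<domain>/cert.pem points at is never removed,
#             since unlinking it would leave the web server with a dangling
#             symlink; renew it instead)
#   --renew   re-issue lineages whose newest cert has RENEW_DAYS days or fewer
#             left, then issue a cert for every uncommented Apache ServerName
#             that has no lineage in the archive yet
#
# Optional environment overrides:
#   LE_ARCHIVE  archive directory          (default /etc/letsencrypt/archive)
#   CERT_EMAIL  e-mail passed to certbot -m (default my@email.co.za)
#   RENEW_DAYS  renewal threshold in days   (default 3)
#
# Needs bash 4+ (associative arrays), GNU coreutils (date -d, readlink -e),
# openssl and certbot.
set -euo pipefail

base="${LE_ARCHIVE:-/etc/letsencrypt/archive}"
live_dir="${base%/archive}/live"
cert_email="${CERT_EMAIL:-my@email.co.za}"
renew_days="${RENEW_DAYS:-3}"
webroot_base="/var/www"
apache_sites="/etc/apache2/sites-enabled"
delete_mode=0
renew_mode=0

usage() {
  printf 'Usage: %s [--delete] [--renew]\n' "${0##*/}" >&2
  exit 2
}

# Both flags may be combined; a mistyped flag is an error instead of silently
# running in report-only mode.
for arg in "$@"; do
  case "$arg" in
    --delete) delete_mode=1 ;;
    --renew) renew_mode=1 ;;
    *) usage ;;
  esac
done

# Only a plain hostname is allowed to reach certbot and the webroot path
# (a ServerName with a port, or a stray directory name, is rejected).
valid_domain() {
  [[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]
}

# Issue (or re-issue) the certificate for $1 with the webroot challenge.
# Returns certbot's exit status; callers decide whether to continue.
issue_cert() {
  local domain=$1
  certbot certonly --webroot -w "$webroot_base/$domain" \
    -d "$domain" -d "www.$domain" \
    -m "$cert_email" --agree-tos --no-eff-email --non-interactive --quiet
}

# Warn on stderr and keep going; one bad lineage must not stop the sweep.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

declare -A cert_status=()   # domain -> newest notAfter (epoch) seen in the archive
now_epoch=$(date +%s)

# First: walk every cert in the archive. The loop reads from process
# substitution rather than a pipe so that the cert_status entries survive
# into the renewal and ServerName passes below (a piped while-loop runs in a
# subshell and its assignments are lost).
while IFS= read -r -d '' cert; do
  rel=${cert#"$base/"}
  domain=${rel%%/*}   # archive/<lineage>/certN.pem -> <lineage>

  # An unreadable or corrupt PEM must not be mistaken for "expires today",
  # which is what an empty string fed to `date -d` would produce.
  if ! expiry=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null | cut -d= -f2) \
     || [[ -z "$expiry" ]]; then
    warn "cannot read expiry of $cert, skipping"
    continue
  fi
  if ! exp_epoch=$(date -d "$expiry" +%s); then
    warn "unparseable expiry \"$expiry\" in $cert, skipping"
    continue
  fi
  days_left=$(( (exp_epoch - now_epoch) / 86400 ))
  printf '%s: %s (%s days left)\n' "$domain" "$expiry" "$days_left"

  # Remember only the newest cert per lineage so that old archived copies do
  # not trigger a renewal of a lineage whose current cert is still fine.
  if (( exp_epoch > ${cert_status[$domain]:-0} )); then
    cert_status["$domain"]=$exp_epoch
  fi

  # "Expired" means notAfter has passed; integer-day rounding would otherwise
  # wait up to a further day.
  if (( delete_mode == 1 && exp_epoch < now_epoch )); then
    current=$(readlink -e -- "$live_dir/$domain/cert.pem" 2>/dev/null || true)
    if [[ -n "$current" && "$current" == "$(readlink -e -- "$cert")" ]]; then
      warn "not deleting $cert: it is still the live cert for $domain (renew it instead)"
    else
      echo "Deleting expired cert: $cert"
      rm -f -- "$cert"   # sibling privkeyN/chainN/fullchainN files are left as-is
    fi
  fi
done < <(find "$base" -type f -name 'cert*.pem' -print0)

if (( renew_mode == 1 )); then
  # Second: renew each lineage once, judged by its newest cert.
  if (( ${#cert_status[@]} > 0 )); then
    for domain in "${!cert_status[@]}"; do
      days_left=$(( (cert_status[$domain] - now_epoch) / 86400 ))
      (( days_left <= renew_days )) || continue
      if ! valid_domain "$domain"; then
        warn "skipping lineage \"$domain\": not a plain hostname"
        continue
      fi
      echo "Renewing cert for $domain..."
      issue_cert "$domain" || warn "certbot failed for $domain"
    done
  fi

  # Third: any Apache ServerName without a lineage gets a fresh certificate.
  # Only uncommented directives count (the stock config carries a commented
  # "#ServerName www.example.com"), and a leading "www." is dropped so the
  # name matches the lineage directory certbot creates for the bare domain
  # and so we never request "www.www.<domain>".
  declare -A seen=()
  while IFS= read -r domain; do
    domain=${domain#www.}
    [[ -n "$domain" && -z "${seen[$domain]:-}" ]] || continue
    seen["$domain"]=1
    [[ -z "${cert_status[$domain]:-}" ]] || continue
    if ! valid_domain "$domain"; then
      warn "skipping ServerName \"$domain\": not a plain hostname"
      continue
    fi
    echo "No cert found for $domain. Creating new cert..."
    issue_cert "$domain" || warn "certbot failed for $domain"
  done < <(grep -hRE '^[[:space:]]*ServerName[[:space:]]' "$apache_sites" 2>/dev/null \
           | awk '{print $2}')
fi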