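#!/bin/bash
########################################################
# letsEncrypt.sh -- Script to set up SSL encryption on #
# your server and configure your apache virtualhost to #
# accommodate SSL encryption via letsencrypt           #
#                                                      #
# Author: Deac Karns                                   #
# Email: peledies@gmail.com                            #
#                                                      #
# Configure: edit the variables in the block below     #
#                                                      #
# Requirements: Apache2, Ubuntu >= 16                  #
#                                                      #
# Usage: sudo ./letsEncrypt.sh                         #
#                                                      #
########################################################
# Remember the directory the script lives in (quoted: the path may contain
# spaces).  The cd is undone immediately so later relative paths behave as
# the caller expects.
pushd "$(dirname "$0")" > /dev/null; SCRIPTPATH=$(pwd); popd > /dev/null
#######################
# SET THESE VARIABLES #
#######################
# Domain to certify; also names the vhost file and the Apache log files.
URL='example.com'
# DocumentRoot of the site.  Keep the trailing slash: ".well-known" is
# appended directly to this string further down.
WEBROOT='/var/www/html/example.com/public/'
# Directory granted in the vhost's <Directory> block (parent of WEBROOT).
PROJECTROOT='/var/www/html/example.com/'
# Used as ServerAdmin and as the Let's Encrypt account / expiry-notice address.
ADMIN_EMAIL='admin@example.com'
#######################
# DO NOT MODIFY BELOW #
#######################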
# Terminal colour escapes, captured once so the status helpers can splice
# them into messages.  If tput fails (no usable TERM) the substitutions are
# simply empty and the output is uncoloured.
green=$(tput setaf 2)
gold=$(tput setaf 3)
magenta=$(tput setaf 5)
cyan=$(tput setaf 6)
red=$(tput setaf 1)
default=$(tput sgr0)
# Status-column bookkeeping in the style of the classic init-script helpers:
# BOOTUP=color switches the coloured [ OK ]/[FAILED] markers on, RES_COL is
# the column the marker is drawn at and RES_COL_B the column the message
# text continues from.
BOOTUP=color
RES_COL=0
RES_COL_B=20
# Each value below is a complete command line (run later by plain word
# splitting) that emits one raw ANSI sequence: cursor-to-column or colour.
MOVE_TO_COL_B='echo -en \033['"${RES_COL_B}"'G'
MOVE_TO_COL='echo -en \033['"${RES_COL}"'G'
SETCOLOR_SUCCESS='echo -en \033[1;32m'
SETCOLOR_FAILURE='echo -en \033[1;31m'
SETCOLOR_WARNING='echo -en \033[1;33m'
SETCOLOR_NORMAL='echo -en \033[0;39m'
#######################################
# Print the "[...]" in-progress marker at the start of a status line and
# park the cursor in the message column so the caller can print its text.
# Globals:  BOOTUP (read) - "color" enables the escape sequences
#           MOVE_TO_COL, MOVE_TO_COL_B, SETCOLOR_SUCCESS, SETCOLOR_NORMAL
# Outputs:  the marker on stdout, no trailing newline
# Returns:  always 0
#######################################
echo_start() {
  if [ "$BOOTUP" = "color" ]; then
    $MOVE_TO_COL
    printf '['
    $SETCOLOR_SUCCESS
    printf '%s' $"..."
    $SETCOLOR_NORMAL
    printf ']'
  else
    printf '[%s]' $"..."
  fi
  $MOVE_TO_COL_B
  return 0
}
#######################################
# Overwrite the status marker with "[ OK ]" and end the line.
# Globals:  BOOTUP (read) - "color" enables the escape sequences
#           MOVE_TO_COL, SETCOLOR_SUCCESS, SETCOLOR_NORMAL
# Outputs:  the marker followed by a newline on stdout
# Returns:  always 0
#######################################
echo_success() {
  if [ "$BOOTUP" = "color" ]; then
    $MOVE_TO_COL
    printf '['
    $SETCOLOR_SUCCESS
    printf '%s' $" OK "
    $SETCOLOR_NORMAL
    printf ']\n'
  else
    printf '[%s]\n' $" OK "
  fi
  return 0
}
#######################################
# Overwrite the status marker with "[ DONE ]" and end the line.
# Globals:  BOOTUP (read) - "color" enables the escape sequences
#           MOVE_TO_COL, SETCOLOR_SUCCESS, SETCOLOR_NORMAL
# Outputs:  the marker followed by a newline on stdout
# Returns:  always 0
#######################################
echo_done() {
  if [ "$BOOTUP" = "color" ]; then
    $MOVE_TO_COL
    printf '['
    $SETCOLOR_SUCCESS
    printf '%s' $" DONE "
    $SETCOLOR_NORMAL
    printf ']\n'
  else
    printf '[%s]\n' $" DONE "
  fi
  return 0
}
#######################################
# Overwrite the status marker with "[FAILED]" and end the line.
# Globals:  BOOTUP (read) - "color" enables the escape sequences
#           MOVE_TO_COL, SETCOLOR_FAILURE, SETCOLOR_NORMAL
# Outputs:  the marker followed by a newline on stdout
# Returns:  always 1, so callers can propagate the failure
#######################################
echo_failure() {
  if [ "$BOOTUP" = "color" ]; then
    $MOVE_TO_COL
    printf '['
    $SETCOLOR_FAILURE
    printf '%s' $"FAILED"
    $SETCOLOR_NORMAL
    printf ']\n'
  else
    printf '[%s]\n' $"FAILED"
  fi
  return 1
}
#######################################
# Report the outcome of the previous step from its exit status.
# Arguments: $1 - exit status to judge (0 means the step succeeded)
#            $2 - the word "allow" makes a failure non-fatal: it is still
#                 reported, but the script carries on instead of exiting
# Globals:   rc (written) - the status being judged
# Returns:   echo_success's status on success; echo_failure's status on a
#            tolerated failure; otherwise the whole script exits with $1
#######################################
test_for_success() {
  rc=$1
  if [[ $rc -ne 0 ]]; then
    echo_failure
    local reported=$?
    if [ "$2" != "allow" ]; then
      exit $rc
    fi
    return $reported
  fi
  echo_success
}
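##########################
# Ensure Root privileges #
##########################
# Everything that follows writes under /etc, /var/log and root's crontab and
# drives apt, so stop early unless we are already root.  The effective UID
# is compared rather than a user name, since the UID is what the privileged
# operations below actually depend on.  ${default} resets the colour so a
# refused run does not leave the terminal painted gold.
if [ "$(id -u)" -ne 0 ]; then
  echo "${gold} !- You will need to run this with root, or sudo. -!${default}"
  exit 1
fi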
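# Package installation and Apache preparation.  apt-get is used rather than
# apt, whose command-line interface is explicitly not stable for scripts.
# No per-command sudo: the root check above already guarantees EUID 0, and
# sudo may not even be installed on a minimal host.
echo_start
echo -n "${gold}Updating aptitude${default}"
apt-get update > /dev/null 2>&1
test_for_success $?
echo_start
echo -n "${gold}Installing LetsEncrypt${default}"
# Non-interactive debconf: with all output sent to /dev/null an interactive
# package prompt would otherwise hang the script invisibly.
DEBIAN_FRONTEND=noninteractive apt-get install -y python-letsencrypt-apache > /dev/null 2>&1
test_for_success $?
echo_start
echo -n "${gold}Enable Apache ssl module${default}"
a2enmod ssl > /dev/null 2>&1
test_for_success $?
# a2enmod only edits the configuration; restart so the module is loaded.
echo_start
echo -n "${gold}Restart Apache${default}"
systemctl restart apache2 > /dev/null 2>&1
test_for_success $?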
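# Write access rule to allow letsencrypt to verify certs
# The http-01 challenge is served from $WEBROOT/.well-known/acme-challenge/.
# The .htaccess cannot be written until .well-known exists, so it is created
# first (redirecting into a missing directory would fail and abort the run
# before any certificate is requested).
# NOTE(review): "order"/"allow" are Apache 2.2 directives; on 2.4 they only
# work while mod_access_compat is loaded (enabled by default on Ubuntu) and
# should not be mixed with "Require" in the same scope.
echo_start
echo -n "${gold}Creating allow rule for letsencrypt to check cert${default}"
mkdir -p "${WEBROOT}/.well-known" && cat <<EOF > "${WEBROOT}/.well-known/.htaccess"
order allow,deny
allow from all
EOF
test_for_success $?
# Request the certificate only when Apache has none to serve yet.  The vhost
# written later loads /etc/letsencrypt/live/$URL/fullchain.pem, so that file
# is the "already done" marker; --keep-until-expiring keeps a re-run cheap
# either way.  The client's own output stays visible because it may report
# validation errors or prompt, and the step is checked like every other one.
if [ ! -f "/etc/letsencrypt/live/${URL}/fullchain.pem" ]; then
  echo_start
  echo "${gold}Requesting certificate for $URL${default}"
  letsencrypt certonly \
    --agree-tos \
    --keep-until-expiring \
    --email "$ADMIN_EMAIL" \
    -d "$URL" \
    -a webroot \
    --webroot-path "$WEBROOT"
  test_for_success $?
fi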
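#disable the existing virtual host
# Non-fatal ("allow"): when no site called $URL is enabled yet there is
# nothing to disable, and the file written below is what gets enabled anyway.
echo_start
echo -n "${gold}Disable existing Virtualhost $URL ${default}"
a2dissite "$URL" > /dev/null 2>&1
test_for_success $? allow
# The :80 vhost only redirects.  The trailing slash on the target matters:
# Redirect appends the unmatched remainder of the request path verbatim, so
# without it /foo can end up as https://$URL followed directly by "foo".
# The ACME validator follows redirects, so later renewals are answered from
# the :443 vhost's DocumentRoot.
# Security notes on the :443 vhost as written:
#  * No SSLProtocol/SSLCipherSuite here: it inherits mod_ssl's global
#    settings (mods-enabled/ssl.conf on Debian/Ubuntu); harden them there.
#  * No HSTS header is sent; adding `Header always set
#    Strict-Transport-Security ...` also requires mod_headers (a2enmod headers).
#  * AllowOverride All + FollowSymLinks on PROJECTROOT honours any .htaccess
#    anywhere under the project directory, not only under WEBROOT.
#  * DEFLATE on text/html over TLS: compressing responses that mix secrets
#    (CSRF tokens, session data) with attacker-influenced content is the
#    precondition for BREACH-style attacks; disable it for such pages.
echo_start
echo -n "${gold}Writing new Virtualhost file with SSL redirect${default}"
cat <<EOF > "/etc/apache2/sites-available/${URL}.conf"
<VirtualHost *:80>
    ServerAdmin $ADMIN_EMAIL
    ServerName $URL
    Redirect permanent / https://$URL/
</VirtualHost>
<VirtualHost *:443>
    ServerName $URL
    DocumentRoot $WEBROOT
    UseCanonicalName Off
    <Directory $PROJECTROOT>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/$URL-error_log
    CustomLog /var/log/apache2/$URL-access_log common
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$URL/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$URL/privkey.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    DeflateCompressionLevel 9
</VirtualHost>
EOF
test_for_success $?
#enable the new virtual host
echo_start
echo -n "${gold}Enabling new SSL configuration for $URL ${default}"
a2ensite "$URL" > /dev/null 2>&1
test_for_success $?
# A reload is enough for a new vhost; a broken configuration makes it fail
# and the step is reported as FAILED.
echo_start
echo -n "${gold}Reloading Apache Virtualhost files${default}"
service apache2 reload > /dev/null 2>&1
test_for_success $?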
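RENEW_LOG=/var/log/le-renew.log
echo_start
echo -n "${gold}Creating LestEncrypt renew log at ${RENEW_LOG}${default}"
# 0644: root's cron job is the only writer.  A world-writable log would let
# any local user truncate it or forge renewal history.
touch "$RENEW_LOG" && chmod 644 "$RENEW_LOG"
test_for_success $?
# Weekly renewal, Mondays 02:30.  cron's default PATH is /usr/bin:/bin, hence
# the absolute paths.  Apache is reloaded after the renew because a renewed
# certificate on disk is not served until the running server re-reads it.
# "\$(date)" is escaped so that cron's shell, not this script, expands it.
CRON_LINE="30 2 * * 1 echo -- \$(date) -- >> ${RENEW_LOG} && /usr/bin/letsencrypt renew >> ${RENEW_LOG} && /usr/sbin/service apache2 reload"
# Idempotency is judged on the renew command itself rather than the whole
# line, so an entry left by an earlier run is not duplicated.
if crontab -l 2>/dev/null | grep -Fq -- "/usr/bin/letsencrypt renew"; then
  echo_start
  echo -n "${gold}Skipping LetsEncrypt Renewal crontab addition, line exists ${default}"
  test_for_success $?
else
  echo_start
  echo -n "${gold}Adding LetsEncrypt Renewal line to root crontab ${default}"
  # Pipe the current table plus the new line straight into `crontab -`:
  # no predictable temp file in the working directory, nothing left behind
  # on failure, and "no crontab for root" (crontab -l exits 1) is just
  # empty input.
  { crontab -l 2>/dev/null; printf '%s\n' "$CRON_LINE"; } | crontab -
  test_for_success $?
fi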