install-certs.sh

#!/bin/bash

# Let's Encrypt SSL Certificate Installation Script for xmpp.guschin.info
# This script installs SSL certificates via Let's Encrypt (certbot)

set -e

DOMAIN="xmpp.guschin.info"
CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"
EMAIL="${EMAIL:-admin@mguschin.info}"  # Default email or use EMAIL env var
WEBROOT="/var/www/letsencrypt"

echo "========================================"
echo "Let's Encrypt Certificate Installation"
echo "========================================"
echo "Domain: $DOMAIN"
echo "Email: $EMAIL"
echo "Certificate Path: $CERT_PATH"
echo ""

# Check if certbot is installed
if ! command -v certbot &> /dev/null; then
    echo "Installing certbot..."
    apt-get update
    apt-get install -y certbot
fi

# Create webroot directory for ACME challenges
if [ ! -d "$WEBROOT" ]; then
    echo "Creating webroot directory: $WEBROOT"
    mkdir -p "$WEBROOT"
    chmod 755 "$WEBROOT"
fi

# Check if certificate already exists
if [ -d "$CERT_PATH" ]; then
    echo "Certificate already exists at $CERT_PATH"
    read -p "Do you want to renew it? (y/n) " -n 1 -r
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
        echo "Renewing certificate..."
        certbot renew --force-renewal --non-interactive
    else
        echo "Skipping certificate installation."
        exit 0
    fi
else
    echo "Generating new certificate for $DOMAIN..."
    
    # Install certificate using webroot authenticator
    # Nginx must be configured to serve $WEBROOT/.well-known/acme-challenge/
    certbot certonly \
        --webroot \
        --webroot-path "$WEBROOT" \
        --non-interactive \
        --agree-tos \
        --email "$EMAIL" \
        -d "$DOMAIN"
    
    echo ""
    echo "✓ Certificate installed successfully!"
    echo "  Fullchain: $CERT_PATH/fullchain.pem"
    echo "  Private Key: $CERT_PATH/privkey.pem"
fi

# Set proper permissions for nginx
if id "www-data" &>/dev/null; then
    chmod 755 $CERT_PATH
    chmod 755 $CERT_PATH/..
fi

# Optional: Set up automatic renewal via cron
echo ""
echo "Setting up automatic renewal (optional)..."
if ! grep -q "certbot renew" /etc/cron.d/certbot 2>/dev/null; then
    echo "Configuring automatic certificate renewal..."
    # Certbot automatically installs cron job on most systems
    # But you can manually add it:
    # (crontab -l 2>/dev/null; echo "0 3 * * * certbot renew --quiet") | crontab -
fi

echo ""
echo "========================================"
echo "Certificate installation complete!"
echo "========================================"
echo ""
echo "Next steps:"
echo "1. Ensure your nginx config points to:"
echo "   - ssl_certificate: $CERT_PATH/fullchain.pem"
echo "   - ssl_certificate_key: $CERT_PATH/privkey.pem"
echo "2. Reload nginx: nginx -s reload"
echo "3. Test your SSL setup: https://www.ssllabs.com/ssltest/"
echo ""
Init. 2026-02-02 20:12:50 +03:00			`#!/bin/bash`

			`# Let's Encrypt SSL Certificate Installation Script for xmpp.guschin.info`
			`# This script installs SSL certificates via Let's Encrypt (certbot)`

			`set -e`

			`DOMAIN="xmpp.guschin.info"`
			`CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"`
			`EMAIL="${EMAIL:-admin@mguschin.info}" # Default email or use EMAIL env var`
			`WEBROOT="/var/www/letsencrypt"`

			`echo "========================================"`
			`echo "Let's Encrypt Certificate Installation"`
			`echo "========================================"`
			`echo "Domain: $DOMAIN"`
			`echo "Email: $EMAIL"`
			`echo "Certificate Path: $CERT_PATH"`
			`echo ""`

			`# Check if certbot is installed`
			`if ! command -v certbot &> /dev/null; then`
			`echo "Installing certbot..."`
			`apt-get update`
			`apt-get install -y certbot`
			`fi`

			`# Create webroot directory for ACME challenges`
			`if [ ! -d "$WEBROOT" ]; then`
			`echo "Creating webroot directory: $WEBROOT"`
			`mkdir -p "$WEBROOT"`
			`chmod 755 "$WEBROOT"`
			`fi`

			`# Check if certificate already exists`
			`if [ -d "$CERT_PATH" ]; then`
			`echo "Certificate already exists at $CERT_PATH"`
			`read -p "Do you want to renew it? (y/n) " -n 1 -r`
			`echo`
			`if [[ $REPLY =~ ^[Yy]$ ]]; then`
			`echo "Renewing certificate..."`
			`certbot renew --force-renewal --non-interactive`
			`else`
			`echo "Skipping certificate installation."`
			`exit 0`
			`fi`
			`else`
			`echo "Generating new certificate for $DOMAIN..."`

			`# Install certificate using webroot authenticator`
			`# Nginx must be configured to serve $WEBROOT/.well-known/acme-challenge/`
			`certbot certonly \`
			`--webroot \`
			`--webroot-path "$WEBROOT" \`
			`--non-interactive \`
			`--agree-tos \`
			`--email "$EMAIL" \`
			`-d "$DOMAIN"`

			`echo ""`
			`echo "✓ Certificate installed successfully!"`
			`echo " Fullchain: $CERT_PATH/fullchain.pem"`
			`echo " Private Key: $CERT_PATH/privkey.pem"`
			`fi`

			`# Set proper permissions for nginx`
			`if id "www-data" &>/dev/null; then`
			`chmod 755 $CERT_PATH`
			`chmod 755 $CERT_PATH/..`
			`fi`

			`# Optional: Set up automatic renewal via cron`
			`echo ""`
			`echo "Setting up automatic renewal (optional)..."`
			`if ! grep -q "certbot renew" /etc/cron.d/certbot 2>/dev/null; then`
			`echo "Configuring automatic certificate renewal..."`
			`# Certbot automatically installs cron job on most systems`
			`# But you can manually add it:`
			`# (crontab -l 2>/dev/null; echo "0 3 * * * certbot renew --quiet") \| crontab -`
			`fi`

			`echo ""`
			`echo "========================================"`
			`echo "Certificate installation complete!"`
			`echo "========================================"`
			`echo ""`
			`echo "Next steps:"`
			`echo "1. Ensure your nginx config points to:"`
			`echo " - ssl_certificate: $CERT_PATH/fullchain.pem"`
			`echo " - ssl_certificate_key: $CERT_PATH/privkey.pem"`
			`echo "2. Reload nginx: nginx -s reload"`
			`echo "3. Test your SSL setup: https://www.ssllabs.com/ssltest/"`
			`echo ""`