94 lines
2.8 KiB
Bash
Executable File
94 lines
2.8 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Let's Encrypt SSL Certificate Installation Script for xmpp.guschin.info
|
|
# This script installs SSL certificates via Let's Encrypt (certbot)
|
|
|
|
set -e
|
|
|
|
DOMAIN="xmpp.guschin.info"
|
|
CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"
|
|
EMAIL="${EMAIL:-admin@mguschin.info}" # Default email or use EMAIL env var
|
|
WEBROOT="/var/www/letsencrypt"
|
|
|
|
echo "========================================"
|
|
echo "Let's Encrypt Certificate Installation"
|
|
echo "========================================"
|
|
echo "Domain: $DOMAIN"
|
|
echo "Email: $EMAIL"
|
|
echo "Certificate Path: $CERT_PATH"
|
|
echo ""
|
|
|
|
# Check if certbot is installed
|
|
if ! command -v certbot &> /dev/null; then
|
|
echo "Installing certbot..."
|
|
apt-get update
|
|
apt-get install -y certbot
|
|
fi
|
|
|
|
# Create webroot directory for ACME challenges
|
|
if [ ! -d "$WEBROOT" ]; then
|
|
echo "Creating webroot directory: $WEBROOT"
|
|
mkdir -p "$WEBROOT"
|
|
chmod 755 "$WEBROOT"
|
|
fi
|
|
|
|
# Check if certificate already exists
|
|
if [ -d "$CERT_PATH" ]; then
|
|
echo "Certificate already exists at $CERT_PATH"
|
|
read -p "Do you want to renew it? (y/n) " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
echo "Renewing certificate..."
|
|
certbot renew --force-renewal --non-interactive
|
|
else
|
|
echo "Skipping certificate installation."
|
|
exit 0
|
|
fi
|
|
else
|
|
echo "Generating new certificate for $DOMAIN..."
|
|
|
|
# Install certificate using webroot authenticator
|
|
# Nginx must be configured to serve $WEBROOT/.well-known/acme-challenge/
|
|
certbot certonly \
|
|
--webroot \
|
|
--webroot-path "$WEBROOT" \
|
|
--non-interactive \
|
|
--agree-tos \
|
|
--email "$EMAIL" \
|
|
-d "$DOMAIN"
|
|
|
|
echo ""
|
|
echo "✓ Certificate installed successfully!"
|
|
echo " Fullchain: $CERT_PATH/fullchain.pem"
|
|
echo " Private Key: $CERT_PATH/privkey.pem"
|
|
fi
|
|
|
|
# Set proper permissions for nginx
|
|
if id "www-data" &>/dev/null; then
|
|
chmod 755 $CERT_PATH
|
|
chmod 755 $CERT_PATH/..
|
|
fi
|
|
|
|
# Optional: Set up automatic renewal via cron
|
|
echo ""
|
|
echo "Setting up automatic renewal (optional)..."
|
|
if ! grep -q "certbot renew" /etc/cron.d/certbot 2>/dev/null; then
|
|
echo "Configuring automatic certificate renewal..."
|
|
# Certbot automatically installs cron job on most systems
|
|
# But you can manually add it:
|
|
# (crontab -l 2>/dev/null; echo "0 3 * * * certbot renew --quiet") | crontab -
|
|
fi
|
|
|
|
echo ""
|
|
echo "========================================"
|
|
echo "Certificate installation complete!"
|
|
echo "========================================"
|
|
echo ""
|
|
echo "Next steps:"
|
|
echo "1. Ensure your nginx config points to:"
|
|
echo " - ssl_certificate: $CERT_PATH/fullchain.pem"
|
|
echo " - ssl_certificate_key: $CERT_PATH/privkey.pem"
|
|
echo "2. Reload nginx: nginx -s reload"
|
|
echo "3. Test your SSL setup: https://www.ssllabs.com/ssltest/"
|
|
echo ""
|