"Config" based certificate installer for acme.sh
| #!/bin/sh | |
| # apit - acme.sh post install tool | |
| # | |
| # You issued certs from acme.sh, now where do they go? | |
| # apit solves this problem by giving you a "configuration file", | |
| # | |
| # Two problems are solved here, | |
| # * Prevent typing exorbitantly long commands and making common mistakes | |
| # * Properly specify user/group for the certs | |
| # | |
| # =EXAMPLE= | |
| # $ cat apit.conf | |
| # --dir /etc/lighttpd/ssl --domain saikrupagas.com | |
| # --dir /etc/prosody/ssl --domain im.saikrupagas.com | |
| # --dir /etc/openldap/ssl -u ldap -g ldap --domain ldap.saikrupagas.com | |
| # --dir /etc/prosody/ssl -u prosody -g prosody --domain im.saikrupagas.com | |
| # --domain mail.saikrupagas.com | |
| # | |
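| # You can consume this with, | |
| # $ apit $(cat apit.conf) | |
| # The unquoted $(cat ...) is split into words by the shell and is also subject | |
| # to globbing, so values in apit.conf must not contain spaces or wildcards. | |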
| # | |
| # There are two actions: install and remove (install being the default) | |
| # To remove files mentioned in the "configuration file" | |
| # $ apit --action remove $(cat apit.conf) | |
| # | |
| # The script is very simple, and was whipped into existence during a | |
| # frustrating server maintenance routine. | |
| # | |
| # =BUGS= | |
| # Does not support --arg='option' syntax, use as --arg 'option' | |
| # | |
| # =LICENSE= | |
| # apit is in the public domain. | |
| # | |
| # To the extent possible under law, Bharatvaj Hemanth <bharatvaj@nply.org> | |
| # has waived all copyright and related or neighboring rights to this work. | |
| # | |
| # http://creativecommons.org/publicdomain/zero/1.0/ | |
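# Abort on the first unhandled command failure.
set -e

APIT_VERSION=0.1

# Initial values. Each of them can be overridden from the environment.
: "${default_cert_dir:=/etc/ssl/live}"
: "${acmesh_bin:=/root/.acme.sh/acme.sh}"
# Start from the default directory. Without this, a --domain that is not
# preceded by --dir is resolved against an empty cert_dir, i.e. "/<domain>".
: "${cert_dir:=${default_cert_dir}}"
op_action=install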
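# Print an error message on stderr and terminate the script.
# Arguments: $@ - words of the message, joined with single spaces
# Returns:   never; exits with status 1
panic() {
  # "$*" joins the words into one string; "$@" inside a larger string would
  # expand to several arguments. Diagnostics go to stderr so that they do not
  # mix with the progress output on stdout.
  printf 'apit: ERR: %s\n' "$*" >&2
  exit 1
}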
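# Print the help text and terminate the script.
# Globals:   op_action, cert_dir, default_cert_dir (read, shown as defaults)
# Arguments: $1 - optional error message shown under the title line
# Outputs:   help text on stdout; on stderr when an error message is given
# Returns:   never; exits 0 for plain help, 1 when called with an error
usage() {
  if [ -n "$1" ]; then
    usage_status=1
    # The process exits below, so stdout can be pointed at stderr for good.
    exec 1>&2
  else
    usage_status=0
  fi

  cat <<EOF
apit - acme.sh post install tool
$1
Usage: apit [options]
--action install / remove (default: ${op_action})
--dir The path to install the certificates
(default: ${cert_dir:-${default_cert_dir}})
-u user (default: current user)
-g group (default: current group)
-h print this message
--domain Name of the domain to install / remove
(caution: This should be given at last)

EOF
  exit "${usage_status}"
}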
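# Remove the installed certificate files of one domain, then its directory.
# Globals:   domain_cert_dir (read) - directory that holds the three files
# Outputs:   one line per removed file (rm -v)
# Returns:   0 when nothing is left to remove; non-zero when domain_cert_dir
#            is empty or when rm / rmdir fails
_apit_remove() {
  # An empty directory variable would turn the paths below into "/cert.pem"
  # and so on, so refuse to continue.
  if [ -z "${domain_cert_dir}" ]; then
    printf 'apit: ERR: %s\n' "remove needs a target directory" >&2
    return 1
  fi

  for key in cert.pem fullchain.pem privkey.pem; do
    if [ -f "${domain_cert_dir}/${key}" ]; then
      rm -v -- "${domain_cert_dir}/${key}" || return
    fi
  done

  # rmdir only succeeds on an empty directory; unrelated files are kept and
  # reported as an error.
  if [ -d "${domain_cert_dir}" ]; then
    rmdir -- "${domain_cert_dir}" || return
  fi

  # A missing file or directory is not a failure. With a trailing
  # "[ test ] && cmd" the function would return 1 here and, under set -e,
  # stop the caller before the remaining domains are processed.
  return 0
}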
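# Install the certificate files of one domain into ${domain_cert_dir}.
# Globals:   domain_cert_dir (read), acmesh_bin (read), op_user (read),
#            op_group (read; set to op_user when only a user is given)
# Arguments: $1 - domain name, passed to acme.sh as -d
# Outputs:   shell trace of the mkdir / chown commands on stderr
# Returns:   non-zero when an argument is missing or a step fails
_apit_install() {
  if [ -z "$1" ] || [ -z "${domain_cert_dir}" ]; then
    printf 'apit: ERR: %s\n' "install needs a domain and a target directory" >&2
    return 1
  fi

  # NOTE(review): the directory is created with the process umask and this
  # function sets no file modes itself; confirm that privkey.pem ends up
  # readable only by the account that needs it.
  if [ ! -d "${domain_cert_dir}" ]; then
    (set -x; mkdir -p -- "${domain_cert_dir}") || return
  fi

  "${acmesh_bin}" --install-cert -d "$1" \
    --key-file "${domain_cert_dir}/privkey.pem" \
    --cert-file "${domain_cert_dir}/cert.pem" \
    --fullchain-file "${domain_cert_dir}/fullchain.pem" || return

  # A user given without a group falls back to a group of the same name.
  if [ -n "${op_user}" ] && [ -z "${op_group}" ]; then
    op_group="${op_user}"
  fi

  # Apply ownership when a user, a group, or both were requested. A lone -g
  # yields ":group", which changes the group only. Options are placed before
  # the operands because not every chown accepts them afterwards.
  if [ -n "${op_user}" ] || [ -n "${op_group}" ]; then
    (set -x; chown -R -- "${op_user}:${op_group}" "${domain_cert_dir}") || return
  fi
}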
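# acme.sh is run from the configured location (${acmesh_bin}); PATH is not
# searched, so the message names the path that was checked.
if [ ! -f "${acmesh_bin}" ] || [ ! -x "${acmesh_bin}" ]; then
  panic "Cannot find an executable acme.sh at ${acmesh_bin}"
fi

# Options are processed strictly left to right. --dir, -u and -g apply to the
# next --domain only; after each --domain they are reset to their defaults.
while [ $# -ne 0 ]; do
  case "$1" in
    --action | --dir | -u | -g | --domain)
      # These options consume the following argument.
      [ $# -ge 2 ] || panic "option $1 requires a value"
      ;;
  esac

  case "$1" in
    --action)
      # The action name is spliced into a function name below, so only the
      # two known actions are accepted.
      case "$2" in
        install | remove) op_action="$2" ;;
        *) panic "unknown action: $2" ;;
      esac
      shift
      ;;
    --dir)
      cert_dir="$2"
      shift
      ;;
    -u)
      op_user="$2"
      shift
      ;;
    -g)
      op_group="$2"
      shift
      ;;
    --domain)
      # The domain becomes a path component under the certificate directory.
      # Reject values that are empty, that would leave that directory
      # ("/", ".", "..") or that would be read as an option by a later command.
      case "$2" in
        '') panic "no domain given" ;;
        . | .. | -* | */*) panic "invalid domain name: $2" ;;
      esac
      # Fall back to the default directory when no --dir has been seen yet.
      domain_cert_dir="${cert_dir:-${default_cert_dir}}/$2"
      echo "==> ${op_action}: $2"
      "_apit_${op_action}" "$2"
      echo
      cert_dir="${default_cert_dir}"
      op_user=
      op_group=
      shift
      ;;
    -h) usage ;;
    -v) echo "${APIT_VERSION}" ;;
    # A misspelled option must not be skipped silently: the settings it was
    # meant to carry would otherwise be missing from the next --domain.
    *) panic "unknown argument: $1" ;;
  esac
  shift
done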