yosoyhendrix
/
hestiacp


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194
							#!/bin/bash
# info: update letsencrypt ssl certificates
# options: NONE
#
# example: v-update-letsencrypt-ssl
#
# This function for renew letsencrypt expired ssl certificate for all users

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/func/syshealth.sh
source $HESTIA/func/syshealth.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Set LE counter
lecounter=0
max_LE_failures=30
days_valid_setting=31
if [ "$LE_STAGING" = "yes" ]; then 
    # Overwrite setting to allow testing for renewal to be done easier
    days_valid_setting=181
fi

# Checking user certificates
for user in $($HESTIA/bin/v-list-sys-users plain); do
    USER_DATA=$HESTIA/data/users/$user

    for domain in $(search_objects 'web' 'LETSENCRYPT' 'yes' 'DOMAIN'); do
        # Clear any keys related to web domains
        sanitize_config_file "web"
        domain_suspended="$(get_object_value 'web' 'DOMAIN' "$domain" '$SUSPENDED')"
        if [ "$domain_suspended" = "yes" ]; then
            continue
        fi

        fail_counter="$(get_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT')"
        if [[ "$fail_counter" -gt "$max_LE_failures" ]]; then
            continue
        fi

        crt_data=$(openssl x509 -text -in $USER_DATA/ssl/$domain.crt)
        not_after=$(echo "$crt_data" |grep "Not After" |cut -f 2,3,4 -d :)
        expiration=$(date -d "$not_after" +%s)
        now=$(date +%s)
        seconds_valid=$((expiration - now))
        days_valid=$((seconds_valid / 86400))
        if [[ "$days_valid" -lt "$days_valid_setting" ]]; then
            if [ $lecounter -gt 0 ]; then
                sleep 10
            fi
            ((lecounter++))
            aliases=$(echo "$crt_data" |grep DNS:)
            aliases=$(echo "$aliases" |sed -e "s/DNS://g" -e "s/,//g")
            aliases=$(echo "$aliases" |tr ' ' '\n' |sed "/^$/d")
            aliases=$(echo "$aliases" |egrep -v "^$domain,?$")
            aliases=$(echo "$aliases" |sed -e ':a;N;$!ba;s/\n/,/g')

            # Parsing domain
            parse_object_kv_list $(grep "DOMAIN='$domain'" $USER_DATA/web.conf)

            # Split aliases into array
            IFS=',' read -r -a ALIASES <<< "$ALIAS"

            # Unset f_aliases
            f_aliases=''
            
            # Loop through all crt aliases
            for alias in ${aliases//,/ } ; do
                # Validate if the alias still exists in web.conf
                if [[ "$ALIAS" =~ $alias ]]; then
                    f_aliases+="$alias,"
                fi
            done

            # Remove leading comma
            if [[ ${f_aliases: -1} = ',' ]] ; then f_aliases=${f_aliases::-1}; fi

            # Write the filtered alias list to the default var
            aliases=$f_aliases    

            domain_redirect="$REDIRECT"
            if [[ -n "$domain_redirect"  ]] ; then
            	domain_redirect_code="$REDIRECT_CODE"
                $BIN/v-delete-web-domain-redirect $user $domain
            fi

            domain_forcessl="$SSL_FORCE"
            if [[ "$domain_forcessl" == 'yes' ]] ; then
                $BIN/v-delete-web-domain-ssl-force $user $domain
            fi

            msg=$($BIN/v-add-letsencrypt-domain "$user" "$domain" "$aliases")
            if [ $? -ne 0 ]; then
                echo "$msg"
                log_event "$E_INVALID" "$domain $msg"
                $BIN/v-log-action "$user" "Error" "Web" "Let's Encrypt SSL certificate update failed (Domain: $domain)."
                if [ -z "$fail_counter" ]; then
                    add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
                fi
                ((fail_counter++))
                update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT' "$fail_counter"
            else
                $BIN/v-log-action "$user" "Info" "Web" "Let's Encrypt SSL certificate renewed (Domain: $domain)."
            fi
            if [[ "$domain_forcessl" == 'yes' ]] ; then
                $BIN/v-add-web-domain-ssl-force $user $domain
            fi
            if [[ -n "$domain_redirect" ]] ; then
                $BIN/v-add-web-domain-redirect $user $domain $domain_redirect $domain_redirect_code
            fi
            
            if [ -n "$UPDATE_HOSTNAME_SSL" ] && [ "$UPDATE_HOSTNAME_SSL" = "yes" ]; then
                hostname=$(hostname -f)
                if [ "$hostname" = "$domain" ]; then
                    $BIN/v-update-host-certificate "$user" "$domain"
                fi
            fi

        fi
    done

    for domain in $(search_objects 'mail' 'LETSENCRYPT' 'yes' 'DOMAIN'); do

        domain_suspended="$(get_object_value 'mail' 'DOMAIN' "$domain" '$SUSPENDED')"
        if [ "$domain_suspended" = "yes" ]; then
            continue
        fi

        fail_counter="$(get_object_value 'mail' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT')"
        if [[ "$fail_counter" -gt "$max_LE_failures" ]]; then
            continue
        fi

        crt_data=$(openssl x509 -text -in $USER_DATA/ssl/mail.$domain.crt)
        not_after=$(echo "$crt_data" |grep "Not After" |cut -f 2,3,4 -d :)
        expiration=$(date -d "$not_after" +%s)
        now=$(date +%s)
        seconds_valid=$((expiration - now))
        days_valid=$((seconds_valid / 86400))
        if [[ "$days_valid" -lt 31 ]]; then
            if [ $lecounter -gt 0 ]; then
                sleep 10
            fi
            ((lecounter++))
            msg=$($BIN/v-add-letsencrypt-domain "$user" "$domain" "" "yes")
            if [ $? -ne 0 ]; then
                echo "$msg"
                $BIN/v-log-action "$user" "Error" "Web" "Let's Encrypt SSL certificate update failed (Domain: $domain)."
                log_event "$E_INVALID" "$domain $msg"
                if [ -z "$fail_counter" ]; then
                    add_object_key "mail" 'DOMAIN' "$domain" 'LETSENCRYPT_FAIL_COUNT' 'LETSENCRYPT'
                fi
                ((fail_counter++))
                update_object_value 'mail' 'DOMAIN' "$domain" '$LETSENCRYPT_FAIL_COUNT' "$fail_counter"
            else
                $BIN/v-log-action "$user" "Info" "Web" "Let's Encrypt SSL certificate renewed (Domain: $domain)."
            fi
        fi
    done

done

# Restart related services
$HESTIA/bin/v-restart-web yes
$HESTIA/bin/v-restart-mail yes

if [ -n "$PROXY_SYSTEM" ]; then
    $HESTIA/bin/v-restart-proxy yes
fi


#----------------------------------------------------------#
#                        Hestia                            #
#----------------------------------------------------------#

# No Logging
#log_event "$OK" "$EVENT"

exit