Convert script to use acme.sh hooks/commands and built-in --cron

README.md

@@ -10,7 +10,7 @@ to generate a valid SSL certificate for the EdgeRouter.
 
 * Connect via ssh to your EdgeRouter and execute the following command.
 ```
-curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash
+curl https://raw.githubusercontent.com/dotsam/ubnt-letsencrypt/use-hooks/install.sh | sudo bash
 ```
 
 ## Configuration
@@ -21,41 +21,38 @@ curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh
 * Configure DNS record for subdomain.example.com to your public WAN IP.
 * Connect via ssh to your EdgeRouter and enter configuration mode.
 
-1. Setup static host mapping for FQDN to the LAN IP.
+1. Initialize your certificate.
 
     ```
-    set system static-host-mapping host-name subdomain.example.com inet 192.168.1.1
+    sudo /config/scripts/acme/setup.sh -d subdomain.example.com
     ```
 
-2. Configure cert-file location for gui.
-
+    You can include additional common names for your certificate, so long as they resolve to the same WAN address:
+    
     ```
-    set service gui cert-file /config/ssl/server.pem
-    set service gui ca-file /config/ssl/ca.pem
+    sudo /config/scripts/acme/setup.sh -d subdomain.example.com -d subdomain2.example.com
     ```
 
-3. Configure task scheduler to renew certificate automatically.
-
-    ```
-    set system task-scheduler task renew.acme executable path /config/scripts/renew.acme.sh
-    set system task-scheduler task renew.acme interval 1d
-    set system task-scheduler task renew.acme executable arguments '-d subdomain.example.com'
-    ```
+    The script will issue a certificate and prepare it for use, and then output a set of configuration commands.
 
-    You can include additional common names for your certificate, so long as they resolve to the same WAN address:
+3. Enter congiguration commands
 
+    Enter configuration mode
+
     ```
-    set system task-scheduler task renew.acme executable arguments '-d subdomain.example.com -d subdomain2.example.com'
+    configure
     ```
+
+    And copy and paste the commands that were output by the setup script
+
+2. Setup static host mapping for FQDN to the LAN IP.
 
-4. Initialize your certificate.
+    If you (wisely) haven't exposed your web interface to the internet at large, you'll need to set a static host mapping so you can access the GUI internally using this domain name
 
     ```
-    sudo /config/scripts/renew.acme.sh -d subdomain.example.com
+    set system static-host-mapping host-name subdomain.example.com inet 192.168.1.1
     ```
 
-    If you included multiple names in step 4, you'll need to include any additional names here as well.
-
 5. Commit and save your configuration.
 
     ```
@@ -67,6 +64,7 @@ curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh
 
 ## Changelog
 
+    20180915 - Convert script to use acme.sh hooks/commands and built-in --cron command so GUI isn't stopped/started when certs aren't being renewed (dotsam)
     20180609 - Install script
     20180605 - IPv6 support
     20180213 - Deprecate -i <wandev> option

common.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+ACMEHOME=/config/.acme.sh
+SSL_DIR=/config/ssl
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+
+kill_and_wait() {
+    local pid=$1
+    [ -z $pid ] && return
+
+    kill -s INT $pid 2> /dev/null
+    while kill -s 0 $pid 2> /dev/null; do
+        sleep 1
+    done
+}
+
+log() {
+    if [ -z "$2" ]
+    then
+        printf -- "%s %s\n" "[$(date)]" "$1"
+    fi
+}

install.sh

@@ -1,6 +1,12 @@
 #!/bin/bash
 
-mkdir -p /config/.acme.sh /config/scripts
+mkdir -p /config/.acme.sh /config/scripts/ubnt-letsencrypt
+
 curl -o /config/.acme.sh/acme.sh https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
-curl -o /config/scripts/renew.acme.sh https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/renew.acme.sh
-chmod 755 /config/.acme.sh/acme.sh /config/scripts/renew.acme.sh
+chmod 755 /config/.acme.sh/acme.sh
+
+for file in common.sh setup.sh pre-hook.sh post-hook.sh reloadcmd.sh
+do
+    curl -o "/config/scripts/ubnt-letsencrypt/$file" "https://raw.githubusercontent.com/dotsam/ubnt-letsencrypt/use-hooks/$file"
+    chmod 755 /config/scripts/ubnt-letsencrypt/$file
+done

post-hook.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+source /config/scripts/ubnt-letsencrypt/common.sh
+
+/sbin/iptables -D INPUT -p tcp -m comment --comment TEMP_LETSENCRYPT -m tcp --dport 80 -j ACCEPT
+/sbin/ip6tables -D INPUT -p tcp -m comment --comment TEMP_LETSENCRYPT -m tcp --dport 80 -j ACCEPT
+/sbin/iptables -t nat -D PREROUTING 1
+
+log "Stopping temporary ACME challenge service."
+if [ -e "$ACMEHOME/lighttpd.pid" ]
+then
+    kill_and_wait $(cat $ACMEHOME/lighttpd.pid)
+fi
+
+log "Starting GUI service."
+/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

pre-hook.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+source /config/scripts/ubnt-letsencrypt/common.sh
+
+mkdir -p $ACMEHOME/webroot
+mkdir -p $SSL_DIR
+
+(
+cat <<EOF
+server.modules = ( "mod_accesslog" )
+server.document-root = "$ACMEHOME/webroot"
+server.port = 80
+server.bind = "0.0.0.0"
+\$SERVER["socket"] == "[::]:80" {  }
+server.pid-file = "$ACMEHOME/lighttpd.pid"
+server.errorlog = "/dev/null"
+accesslog.filename = "$ACMEHOME/lighttpd.log"
+EOF
+) >$ACMEHOME/lighttpd.conf
+
+log "Stopping GUI service."
+if [ -e "/var/run/lighttpd.pid" ]
+then
+    kill_and_wait $(cat /var/run/lighttpd.pid)
+fi
+
+log "Starting temporary ACME challenge service."
+/usr/sbin/lighttpd -f $ACMEHOME/lighttpd.conf
+
+/sbin/iptables -I INPUT 1 -p tcp -m comment --comment TEMP_LETSENCRYPT -m tcp --dport 80 -j ACCEPT
+/sbin/ip6tables -I INPUT 1 -p tcp -m comment --comment TEMP_LETSENCRYPT -m tcp --dport 80 -j ACCEPT
+/sbin/iptables -t nat -I PREROUTING 1 -p tcp -m comment --comment TEMP_LETSENCRYPT -m tcp --dport 80 -j ACCEPT

reloadcmd.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source /config/scripts/ubnt-letsencrypt/common.sh
+
+cat $CERT_PATH $CERT_KEY_PATH > $SSL_DIR/server.pem; cp $CA_CERT_PATH $SSL_DIR/ca.pem

setup.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+source /config/scripts/ubnt-letsencrypt/common.sh
+
+usage() {
+    echo "Usage: $0 -d <mydomain.com> [-d <additionaldomain.com>]" 1>&2; exit 1;
+}
+
+# first parse our options
+while getopts "hd:i:" opt; do
+    case $opt in
+        d) DOMAIN+=("$OPTARG");;
+        i) ;;
+        *)
+          usage
+          ;;
+    esac
+done
+shift $((OPTIND -1))
+
+# check for required parameters
+if [ ${#DOMAIN[@]} -eq 0 ]; then
+    usage
+fi
+
+# prepare our domain flags for acme.sh
+for val in "${DOMAIN[@]}"; do
+     DOMAINARG+="-d $val "
+done
+
+$ACMEHOME/acme.sh --home $ACMEHOME --webroot $ACMEHOME/webroot --issue $DOMAINARG \
+--pre-hook "$SCRIPTPATH/pre-hook.sh" \
+--post-hook "$SCRIPTPATH/post-hook.sh" \
+--reloadcmd "$SCRIPTPATH/reloadcmd.sh"
+
+if [ $? -eq 0 ]; then
+    printf "Successfully issued and configured certificates for domain(s):\n"
+    for val in "${DOMAIN[@]}"; do
+         printf "\t$val\n"
+    done
+    printf "To use these certificates, please issue the following commands:\n"
+    printf "\tset service gui cert-file $SSL_DIR/server.pem\n"
+    printf "\tset service gui ca-file $SSL_DIR/ca.pem\n"
+    printf "\tset system task-scheduler task renew.acme executable path $ACMEHOME/acme.sh\n"
+    printf "\tset system task-scheduler task renew.acme executable arguments '--cron --home $ACMEHOME'\n"
+    printf "\tset system task-scheduler task renew.acme interval 1d\n"
+else
+    log "Something went wrong issuing/installing certificates"
+    exit $?
+fi