Tags: letsencrypt, encryption, devops
Letsencrypt certificates are valid for 90 days only, so automatic renewal is desirable. The following script
checks that the certificate is still valid for at least 30 days and that all given domains are included in it:
#!/bin/bash
# Usage: check_letsencrypt_cert.sh DOMAIN [DOMAIN...]
# The first domain also names the certificate directory under /etc/letsencrypt/live/.
FIRST_CERT=$1
CERT_FILE="/etc/letsencrypt/live/${FIRST_CERT}/cert.pem"
for DOMAIN in "$@"
do
  # Each domain must appear as a complete SAN entry (followed by a comma or the end of the line),
  # otherwise "domain.de" would also be accepted when only "www.domain.de" is in the certificate.
  openssl x509 -in "$CERT_FILE" -noout -text | grep -qE "DNS:${DOMAIN}(,|$)" || exit 1
done
# Expiry date of the certificate as a Unix timestamp (needs GNU date for -d)
CERT=$(date -d "$(openssl x509 -in "$CERT_FILE" -enddate -noout | cut -d'=' -f2)" "+%s")
CURRENT=$(date "+%s")
REMAINING=$(( (CERT - CURRENT) / 60 / 60 / 24 ))
[ "$REMAINING" -gt 30 ] || exit 1
echo "Domains $* are in cert and cert is valid for $REMAINING days"
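As an added example (not the script from the post), the same check written as a reusable function: it extracts the SAN list with openssl's own extension printer and uses -checkend for the expiry test, so whole-name matching and the remaining-validity threshold are handled without date arithmetic. The helper that creates a self-signed test certificate, the file paths and the day counts are constructed for the demo.

```bash
#!/bin/bash
# check_cert CERT_FILE MIN_DAYS DOMAIN...
# Returns 0 only if every DOMAIN is an exact DNS SAN of CERT_FILE and the
# certificate stays valid for more than MIN_DAYS days.
check_cert() {
    local cert="$1" min_days="$2"
    shift 2
    local sans d
    # One SAN per line, e.g. "domain.de" (requires OpenSSL >= 1.1.1 for -ext).
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
           | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    [ -n "$sans" ] || { echo "no DNS SANs found in $cert" >&2; return 1; }
    for d in "$@"; do
        # -x matches whole lines only: "domain.de" must not be satisfied by "www.domain.de".
        printf '%s\n' "$sans" | grep -qxF "$d" \
            || { echo "missing SAN: $d" >&2; return 1; }
    done
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) > /dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 1; }
    return 0
}

# Demo helper (constructed): make_test_cert OUT_FILE DAYS SAN_LIST
# Creates a self-signed certificate with the given SANs and lifetime.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=test" -addext "subjectAltName=$3" > /dev/null 2>&1
}

# Stand-alone demo: a 60-day certificate for domain.de and www.domain.de.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem" 60 "DNS:domain.de,DNS:www.domain.de"
    check_cert "$tmp/cert.pem" 30 domain.de www.domain.de && echo "check passed"
    rm -rf "$tmp"
fi
```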
It only requires bash and openssl and can be used in a daily cron job. The following crontab entry runs the check and requests a new certificate whenever it fails:
6 20 * * * /usr/local/bin/check_letsencrypt_cert.sh domain.de www.domain.de > /dev/null || /opt/letsencrypt/letsencrypt-auto -d domain.de -d www.domain.de certonly
A complete solution for setting up letsencrypt via salt can be found in my letsencrypt-formula.