#!/bin/bash
# letsencrypt-to-vault: obtain or renew Let's Encrypt certificates with certbot
# and upload each site's fullchain.pem/privkey.pem to HashiCorp Vault's HTTP API.
# Settings come from flags or the env vars VAULT_ADDR, VAULT_TOKEN,
# VAULT_CERT_PATH and CERTBOT_FLAGS (see show_help).
set -o errexit
set -o pipefail
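#######################################
# Print a diagnostic line to stderr.
# Arguments: message words, joined by single spaces
# Outputs:   the message on stderr
# Returns:   0
#######################################
echoerr() {
  # printf instead of echo: a message that starts with "-n" or "-e" would
  # otherwise be swallowed as an echo option.
  printf '%s\n' "$*" >&2
}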
process_args() {
# Default
if [[ -z $VAULT_CERT_PATH ]]; then
VAULT_CERT_PATH="certs"
fi
if [[ -z $CERTBOT_FLAGS ]]; then
CERTBOT_FLAGS="--webroot --webroot-path /webroot-dir --agree-tos --renew-by-default"
fi
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
certonly|renew)
COMMAND="$1"
shift
continue
;;
-h|--help)
show_help
exit 0
;;
-t|--vault-token)
VAULT_TOKEN="$2"
shift 2
continue
;;
-a|--vault-addr)
VAULT_ADDR="$2"
shift 2
continue
;;
-p|--vault-cert-path)
VAULT_CERT_PATH="$2"
shift 2
continue
;;
-f|--certbot-flags)
CERTBOT_FLAGS="$2"
shift 2
continue
;;
-*|--*)
echo "letsencrypt-to-vault: unknown flag: $2"
show_help
exit 1
;;
*)
if [[ "$COMMAND" == "certonly" ]]; then
DOMAINS="$@"
fi
return
esac
done
if [[ -z "$COMMAND" ]]; then
echoerr "Command wasn't passed to script"
echo
show_help
exit 1
fi
}
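#######################################
# Print usage to stdout.
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0
#######################################
show_help() {
  # Quoted delimiter: nothing inside the here-doc is expanded.
  cat <<'EOF'
Let's encrypt to Hashicorp Vault

Renew or get Let's Encrypt certificates and send it to Hashicorp Vault

Usage:
  letsencrypt-to-vault command [-flags] [sitesnames]

  command is "certonly" (sitesnames required) or "renew" (sitesnames ignored).
  Some flags can be set by env vars.
  Var names for this flags are in parens in flags description below

Flags:
  -a, --vault-addr        Address of vault server (VAULT_ADDR)
  -f, --certbot-flags     Options that are passed to certbot. Overrides default (CERTBOT_FLAGS)
  -h, --help              Show help
  -p, --vault-cert-path   Path where certs will be stored (VAULT_CERT_PATH)
  -t, --vault-token       Vault token (VAULT_TOKEN)
EOF
}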
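#######################################
# Run certbot for COMMAND (certonly|renew). A certbot failure is reported on
# stderr but does not abort the script, so send_to_vault can still upload the
# certificates already on disk (the original behaviour, minus the false
# "renewed" message).
# Globals:   COMMAND, CERTBOT_FLAGS, DOMAINS (read)
# Arguments: none
# Outputs:   progress on stdout, certbot failure notice on stderr
# Returns:   0 always
#######################################
cert_renew() {
  local -a certbot_args=()
  local domain rv=0

  # CERTBOT_FLAGS is a flat option string; word-splitting it is intentional.
  # shellcheck disable=SC2206
  certbot_args=($COMMAND $CERTBOT_FLAGS)
  # DOMAINS is space-separated (set by process_args): one -d per site.
  for domain in $DOMAINS; do
    certbot_args+=(-d "$domain")
  done

  echo "Trying to get or renew certificates..."
  certbot "${certbot_args[@]}" || rv=$?
  if (( rv == 0 )); then
    echo "Certificates were renewed"
  else
    echoerr "Warning: certbot exited with status $rv; continuing with the certificates already on disk"
  fi
}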
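#######################################
# Read a PEM file and print it as the body of a JSON string (no surrounding
# quotes): backslashes, double quotes and newlines are escaped.
# Arguments: $1 - path to the PEM file
# Outputs:   escaped content on stdout
# Returns:   1 if the file is missing or unreadable
#######################################
pem_as_json_string() {
  local file="$1" content
  [[ -r "$file" ]] || return 1
  content=$(<"$file")            # trailing newlines are dropped, as with $(sed ...)
  content=${content//\\/\\\\}    # \  -> \\
  content=${content//\"/\\\"}    # "  -> \"
  content=${content//$'\n'/\\n}  # LF -> \n  (the only escape a PEM really needs)
  printf '%s' "$content"
}

#######################################
# Upload each site's fullchain.pem and privkey.pem from the certbot live
# directory to Vault as {"key": <privkey>, "cert": <fullchain>}.
# Globals:   COMMAND, DOMAINS, VAULT_ADDR, VAULT_TOKEN, VAULT_CERT_PATH (read)
#            LETSENCRYPT_LIVE_DIR (read, optional; default /etc/letsencrypt/live)
# Arguments: none
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when every site was written; exits 1 on a missing cert/key file
#            or when Vault rejects a write
#######################################
send_to_vault() {
  local certs_dir="${LETSENCRYPT_LIVE_DIR:-/etc/letsencrypt/live}"
  local -a sitenames=()
  local dir sitename cert privkey body url

  echo "Sending certs to vault..."
  echo

  if [[ $COMMAND == "certonly" ]]; then
    # DOMAINS is space-separated (set by process_args); splitting is intended.
    # shellcheck disable=SC2206
    sitenames=($DOMAINS)
  else
    # renew: every site certbot keeps a live directory for.
    for dir in "$certs_dir"/*/; do
      [[ -d "$dir" ]] || continue   # an unmatched glob stays a literal pattern
      dir=${dir%/}
      sitenames+=("${dir##*/}")
    done
  fi

  for sitename in "${sitenames[@]}"; do
    if ! cert=$(pem_as_json_string "$certs_dir/$sitename/fullchain.pem") \
       || ! privkey=$(pem_as_json_string "$certs_dir/$sitename/privkey.pem") \
       || [[ -z "$cert" || -z "$privkey" ]]; then
      echoerr "Error: can't find cert for $sitename"
      exit 1
    fi
    body="{\"key\":\"$privkey\", \"cert\": \"$cert\"}"
    url="$VAULT_ADDR/v1/$VAULT_CERT_PATH/$sitename"
    # The private key is handed to curl on stdin (--data-binary @-) instead of
    # on the command line, so it is not exposed through `ps` or process
    # auditing. The token still is; NOTE(review): curl versions that support
    # `-H @file` can move it out of argv as well.
    # -f makes HTTP errors (bad token, wrong mount path, sealed Vault) fail the
    # command instead of being silently swallowed by -s; -S keeps them visible.
    if ! printf '%s' "$body" | curl -s -S -f \
        -H "X-Vault-Token: $VAULT_TOKEN" \
        -H "Content-Type: application/json" \
        -X POST \
        --data-binary @- \
        "$url"; then
      echoerr "Error: Vault write failed for $sitename ($url)"
      exit 1
    fi
  done
  echo "Done. Certificates were sent"
}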
#######################################
# Entry point: parse the command line, run certbot, then upload to Vault.
# Arguments: "$@" - see show_help
# Returns:   exits non-zero from the steps on error
#######################################
main() {
  local -a argv=("$@")
  process_args "${argv[@]}"
  cert_renew
  send_to_vault
}
main "$@"