From 92f72eb2a31d56075250a7887eff015b4636db76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristhian=20Mart=C3=ADnez=20Ochoa?=
Date: Sun, 24 Jun 2018 12:39:30 -0600
Subject: [PATCH] certbot

Now we use certbot instead of letsencrypt.
- ocsp and must staple enabled.
- now we use the staging feature for debug.
- restart nginx after renew.
- now we revoke and delete cert instead just delete files.
---
 lib/install | 13 +++++++------
 lib/site-ssl | 25 ++++++++++++-------------
 plugins/stack | 3 ++-
 3 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/lib/install b/lib/install
index a2aea0a..5f52059 100644
--- a/lib/install
+++ b/lib/install
@@ -378,13 +378,14 @@ nginx_tool() {
 [[ $(conf_read php) == "true" ]] && nginx_tool_site # in case php was installed before nginx
 [[ $(conf_read php-tool) == "true" && ! -a /var/www/$(conf_read tools-port)/htdocs/php/index.php ]] && php_tool_site
-
- # Instalar Duply & Duplicity
- pre_install
- sudo apt-get -y install python-boto duplicity duply
-
+
 # Install LetsEncrypt
- sudo apt-get -y install letsencrypt
+ echo | sudo add-apt-repository ppa:certbot/certbot
+ pre_install
+ sudo apt-get -y install certbot
+
+ # Instalar Duply & Duplicity
+ sudo apt-get -y install python-boto duplicity duply
 
 conf_write nginx-tool true
 api-events_update in10
diff --git a/lib/site-ssl b/lib/site-ssl
index a0c936c..e29d789 100644
--- a/lib/site-ssl
+++ b/lib/site-ssl
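Review bot: `echo | sudo add-apt-repository ppa:certbot/certbot` never has its exit status checked, so when adding the PPA fails (no software-properties-common, no network, key fetch error) the function carries on to `sudo apt-get -y install certbot`, installs whatever the base repositories offer or nothing at all, and still reaches `conf_write nginx-tool true`. `add-apt-repository -y` answers the prompt without the pipe, so `sudo add-apt-repository -y ppa:certbot/certbot || return 1` would fail the step instead of hiding it; the same unchecked `echo |` pattern is used for the `--remove` in the plugins/stack hunk. The retained comment `# Install LetsEncrypt` now heads the certbot lines; `# Install certbot (Let's Encrypt client) from the certbot PPA - its signing key becomes trusted for all apt installs` says what happens and flags the new trust root. nginx_tool's body continues on both sides of the hunk.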
@@ -55,12 +55,13 @@ site_ssl_on() {
 fi
 echo "${end}"
 done
-
+
 # Create new certificate
- if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 0 && $(conf_read debug) != "true" ]]; then
- sudo letsencrypt certonly --webroot -w /var/www/$root/htdocs/ -d $domain -d www.$domain --email $cermail --agree-tos
- elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 1 && $(conf_read debug) != "true" ]]; then
- sudo letsencrypt certonly --webroot -w /var/www/$root/htdocs/ -d $domain --email $cermail --agree-tos
+ [[ $(conf_read debug) == "true" ]] && param="--test-cert" || param=""
+ if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 0 ]]; then
+ sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain -d www.$domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
+ elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 1 ]]; then
+ sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param
 fi
 
 # SSL Nginx Conf
@@ -85,9 +86,9 @@ site_ssl_on() {
 fi
 cronmail=$( sudo grep -F "MAILTO=" /var/spool/cron/crontabs/root )
- cronrene=$( sudo grep -F "letsencrypt renew" /var/spool/cron/crontabs/root )
+ cronrene=$( sudo grep -F "certbot renew" /var/spool/cron/crontabs/root )
 [[ -z $cronmail && -n $cermail && -z $cronrene ]] && echo "MAILTO=${cermail}" | sudo tee -a /var/spool/cron/crontabs/root
- [[ -z $cronrene ]] && echo "15 3 * * 7 letsencrypt renew" | sudo tee -a /var/spool/cron/crontabs/root
+ [[ -z $cronrene ]] && echo '15 3 * * 7 certbot renew --post-hook "service nginx restart"' | sudo tee -a /var/spool/cron/crontabs/root
 echo "${gre}SSL have been successfully enabled for site $domain!${end}"
 else
 echo "${red}"
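Review bot: `--must-staple` adds the OCSP Must-Staple extension to the issued certificate, but with `certonly --webroot` no certbot installer runs, so `--staple-ocsp` configures nothing and the stapled response has to come from the nginx vhost. Unless the conf written under `# SSL Nginx Conf` (outside this hunk) enables `ssl_stapling on;`, `ssl_stapling_verify on;` and a `resolver`, browsers that enforce Must-Staple will reject an otherwise valid certificate, which is worth checking against the generated conf and recording above the `if`, e.g. `# --must-staple: the nginx conf below MUST enable ssl_stapling, or Must-Staple clients hard-fail`. The `$param` string only works because it is either empty or a single flag; an array (`params=()`, `"${params[@]}"`) keeps that safe when more options are added. site_ssl_on continues outside the hunk.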
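Review bot: The duplicate check `cronrene=$( sudo grep -F "certbot renew" ... )` only recognises the new entry, so a host upgraded from an earlier version keeps its `15 3 * * 7 letsencrypt renew` line and gets a second weekly renewal appended next to it; matching both (`grep -E "(letsencrypt|certbot) renew"`) or rewriting the old line would avoid that. In the added cron line, `--post-hook` runs after a renewal attempt whether or not it succeeded, so nginx is restarted - and its connections dropped - even when no certificate changed; `--deploy-hook "service nginx reload"` runs only after a successful renewal and reloads instead of restarting. site_ssl_on continues outside the hunk.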
@@ -108,7 +109,7 @@ site_ssl_off() {
 answer=="N"
 else
 echo "${blu}"
- echo "Do you want to delete your certificate files [y/N]? "
+ echo "Do you want to delete and revoke this certificate [y/N]? "
 while read -r -n 1 -s answer; do
 answer=${answer:-n}
 [[ $answer = [YyNn] ]] && break
@@ -116,13 +117,11 @@ site_ssl_off() {
 echo "${end}"
 fi
 if [[ $answer == [Yy] ]]; then
- #sudo letsencrypt delete --cert-name $domain
- rm -rf /etc/letsencrypt/live/${domain}
- rm -rf /etc/letsencrypt/renewal/${domain}.conf
- rm -rf /etc/letsencrypt/archive/${domain}
+ [[ $(conf_read debug) == "true" ]] && param="--test-cert" || param=""
+ sudo certbot revoke --cert-path /etc/letsencrypt/live/$domain/cert.pem --delete-after-revoke $param
 echo "${gre}"
 echo "Certificate for your site $domain has been completely removed!"
 echo "${end}"
 fi
- echo "${gre}SSL have been successfully disabled for site $domain!${end}"
+ echo "${gre}SSL has been successfully disabled for site -${blu} $domain!${end}"
 }
diff --git a/plugins/stack b/plugins/stack
index 5f27337..c1bbecd 100644
--- a/plugins/stack
+++ b/plugins/stack
@@ -98,7 +98,8 @@ elif [[ $arg == "-purge" && ( $opt == "-html" || $opt == "-nginx" ) ]]; then
 [[ $(conf_read nginx-ppa) == "mainline" ]] && echo | sudo add-apt-repository --remove 'ppa:nginx/development' || echo | sudo add-apt-repository --remove 'ppa:nginx/stable'
 api-events_update pn4
 api-events_update pn5
- sudo apt-get -y purge letsencrypt python-boto duplicity duply
+ sudo apt-get -y purge certbot python-boto duplicity duply
+ echo | sudo add-apt-repository --remove 'ppa:certbot/certbot'
 sudo apt-get -y autoremove
 sudo rm $HOME/www
 sudo rm $HOME/sites-available
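Review bot: `echo "Certificate for your site $domain has been completely removed!"` is printed regardless of whether `sudo certbot revoke ...` succeeded, so a failed revocation (wrong ACME server, missing lineage, network error) leaves the key and certificate on disk while the user is told they are gone; guard it with `if sudo certbot revoke --cert-path /etc/letsencrypt/live/$domain/cert.pem --delete-after-revoke $param; then` and report the failure on stderr in the `else` branch. `$param` is derived from the current `debug` setting rather than from the server that issued this certificate, so toggling debug between issuance and removal would send the revocation to the wrong ACME endpoint; the certbot version the PPA ships may let `--cert-name $domain` pick up the lineage's recorded server instead, which is worth confirming. site_ssl_off starts outside the hunk.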
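Review bot: `sudo apt-get -y purge certbot` removes the package, not the material certbot created at runtime, so after `-purge` the private keys and certificates under `/etc/letsencrypt/live`, `archive` and `renewal` (the paths site-ssl relies on) stay on disk, and the `certbot renew` cron line added by site-ssl keeps firing unless it is removed elsewhere. Either revoke/delete each site's certificate before purging or record the residue in a comment, e.g. `# NOTE: purging certbot leaves /etc/letsencrypt (keys, certs) and the renew cron entry in place`. The PPA removal reuses the unchecked `echo | sudo add-apt-repository` pattern from lib/install; `sudo add-apt-repository -y --remove 'ppa:certbot/certbot'` drops the pipe. This elif branch starts outside the hunk.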