#!/bin/bash # This is a library for Site Manager Plugin # Functions for SSL On/Off source /opt/webinoly/lib/general site_ssl_on() { local cermail=$(conf_read mail) local root="$domain" if [[ $cache == "-root" && -n $value && -a /etc/nginx/sites-available/$value ]]; then root="$value" elif [[ $cache == "-root" && -n $value && ! -a /etc/nginx/sites-available/$value ]]; then echo "${red}Root path domain is not a valid domain or is not found/hosted in this server!${end}" exit 1 elif [[ $cache == "-root" && -z $value ]]; then echo "${red}Please, enter a valid root path domain!${end}" exit 1 fi if [[ ! -d /var/www/$root/htdocs ]]; then echo "${red}Seems like you are trying to request an SSL Certificate for a Parked/Mapped Domain.!${end}" echo "${red}Please, use the '-root=domain.com' parameter to include the main domain path.${end}" exit 1 fi # Check if Letsencrypt is installed if [[ $(conf_read nginx-tool) != "true" || ! -a /usr/bin/letsencrypt ]]; then echo "${red}[ERROR] Seems like Let's Encrypt tool is not installed!${end}" exit 1 fi echo "${gre}" echo "*************************************************************************************************" echo "** Please, be careful with the number of intents or certificates you try to get. **" echo "** Let’s Encrypt provides rate limits to ensure fair usage by as many people as possible. **" echo "** **" echo "** If you are getting errors or having issues when trying to get a new certificate **" echo "** read about the Let's Encrypt rate limit - https://letsencrypt.org/docs/rate-limits/ **" echo "** **" echo "** Please, be sure your domain and www subdomain are currently pointing (DNS) to this server **" echo "*************************************************************************************************${end}" # We need an email to notify each renew intent (cron) while [[ -z $cermail ]] do echo "${blu}" read -p "Please, enter an email to register your new certificate: ${end}" cermail if [[ "$cermail" =~ ^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$ ]]; then conf_write mail $cermail echo "${gre} Email address has been successfuly validated and saved! ${end}" else cermail="" echo "${red} Please enter a valid email address!" fi echo "${end}" done # Create new certificate [[ $(conf_read debug) == "true" ]] && param="--test-cert" || param="" if [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $cache == "-wildcard" ]]; then sudo certbot certonly --manual --preferred-challenges=dns --no-eff-email --manual-public-ip-logging-ok --agree-tos --staple-ocsp --must-staple --email $cermail -d $domain -d *.$domain $param elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 0 ]]; then sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain -d www.$domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param elif [[ ! -a /etc/letsencrypt/live/$domain/fullchain.pem && $subdomflag == 1 ]]; then sudo certbot certonly --webroot -w /var/www/$root/htdocs/ -d $domain --email $cermail --no-eff-email --agree-tos --staple-ocsp --must-staple $param fi # SSL Nginx Conf if [[ -a /etc/letsencrypt/live/$root/fullchain.pem ]]; then sudo sed -i '/listen 80/c \ listen 443 ssl http2;' /etc/nginx/sites-available/$domain sudo sed -i '/listen \[::\]:80/c \ listen [::]:443 ssl http2;' /etc/nginx/sites-available/$domain sudo sed -i '/headers-http.conf/a \ include common/headers-https.conf;' /etc/nginx/sites-available/$domain sudo sed -i '/server_name /r /opt/webinoly/templates/template-site-ssl' /etc/nginx/sites-available/$domain sudo sed -i "/WebinolySSLstart/,/WebinolySSLend/{s/domain.com/$domain/}" /etc/nginx/sites-available/$domain # HTTP to HTTPS Redirection local sername="server_name $domain www.$domain;" [[ $subdomflag == 1 ]] && sername="server_name $domain;" sudo sed -i '1r /opt/webinoly/templates/template-site-sslredirect' /etc/nginx/sites-available/$domain sudo sed -i "/#server_name;/c \ $sername" /etc/nginx/sites-available/$domain # Auto-Renew Certificate if [[ ! -a /var/spool/cron/crontabs/root ]]; then sudo touch /var/spool/cron/crontabs/root sudo chmod 600 /var/spool/cron/crontabs/root sudo chown root:crontab /var/spool/cron/crontabs/root fi cronmail=$( sudo grep -F "MAILTO=" /var/spool/cron/crontabs/root ) cronrene=$( sudo grep -F "certbot renew" /var/spool/cron/crontabs/root ) [[ -z $cronmail && -n $cermail && -z $cronrene ]] && echo "MAILTO=${cermail}" | sudo tee -a /var/spool/cron/crontabs/root [[ -z $cronrene ]] && echo '15 3 * * 7 certbot renew --post-hook "service nginx restart"' | sudo tee -a /var/spool/cron/crontabs/root echo "${gre}SSL have been successfully enabled for site $domain!${end}" else echo "${red}" echo " [ERROR] Certified not created!" echo "${end}" fi } site_ssl_off() { sudo sed -i '/listen 443/c \ listen 80;' /etc/nginx/sites-available/$domain sudo sed -i '/listen \[::\]:443/c \ listen [::]:80;' /etc/nginx/sites-available/$domain sudo sed -i '/headers-https.conf/d' /etc/nginx/sites-available/$domain sudo sed -i '/WebinolySSLstart/,/WebinolySSLend/{/.*/d}' /etc/nginx/sites-available/$domain sudo sed -i '/WebinolySSLredirectStart/,/WebinolySSLredirectEnd/{/.*/d}' /etc/nginx/sites-available/$domain if [[ -n $value && $value == "force" ]]; then answer=="N" else echo "${blu}" echo "Do you want to delete and revoke this certificate [y/N]? " while read -r -n 1 -s answer; do answer=${answer:-n} [[ $answer = [YyNn] ]] && break done echo "${end}" fi if [[ $answer == [Yy] ]]; then [[ $(conf_read debug) == "true" ]] && param="--test-cert" || param="" sudo certbot revoke --cert-path /etc/letsencrypt/live/$domain/cert.pem --delete-after-revoke $param echo "${gre}" echo "Certificate for your site $domain has been completely removed!" echo "${end}" fi echo "${gre}SSL has been successfully disabled for site -${blu} $domain!${end}" }