update-ssl-certs.sh
Purpose
This script runs every 60 days and renews the SSL/TLS certificates for all apps and VMs which rely on them. The script is located in /root/cron/. Some apps, like the Docker registry, must be restarted to load the new certificate after it has been uploaded to the VM, because they read the certificate files only at startup; copying the files alone does not change what is being served.
certbot-creds.ini
The file certbot-creds.ini is the secret that Certbot's Cloudflare DNS-01 plugin (certbot-dns-cloudflare) uses to authenticate to your Cloudflare account when it creates and removes the _acme-challenge TXT records for DNS-based challenges. It lives on the machine running the script (the script expects it at /root/certbot-creds.ini) and holds your API credentials in a simple INI-style format. Anyone who can read this file can edit your DNS, so keep it owned by root with mode 0600 (certbot warns about unsafe permissions on it) and use an API token scoped to DNS edits on the relevant zones rather than the account-wide Global API Key.
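The following is an added example of creating that file with the permissions certbot expects, together with a check you can run from cron before calling certbot; it is not part of this page's script. The key name dns_cloudflare_api_token is the plugin's documented setting for token-based auth; the token value and the /root path are placeholders you substitute for your own.

```shell
#!/bin/bash
# Added example: create certbot-creds.ini as a root-only file and verify it
# before certbot uses it. Token value below is a placeholder, not a real token.

# write_creds_file DIR TOKEN -> writes DIR/certbot-creds.ini with mode 0600 and prints its path
write_creds_file() {
  local dir=$1 token=$2 file
  file="$dir/certbot-creds.ini"
  # install creates the (empty) file with the final mode already applied, so the
  # token is never written into a file that is momentarily readable by others
  install -m 0600 /dev/null "$file"
  cat > "$file" <<EOF
# Cloudflare API token scoped to Zone:DNS:Edit on the zones certbot manages
dns_cloudflare_api_token = $token
EOF
  echo "$file"
}

# creds_perms_ok FILE -> 0 if no group/other permission bits are set on FILE
creds_perms_ok() {
  local mode
  mode=$(ls -l "$1" | cut -c5-10)   # group+other columns of e.g. "-rw-------"
  [ "$mode" = "------" ]
}

# creds_token FILE -> the configured dns_cloudflare_api_token value
creds_token() {
  sed -n 's/^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1"
}

# Pre-flight check for the cron job: refuse to run certbot with a loose file.
# Usage: ./creds-check.sh /root/certbot-creds.ini
if [ -n "${1:-}" ]; then
  if creds_perms_ok "$1" && [ -n "$(creds_token "$1")" ]; then
    echo "OK: $1 is root-only and contains an API token"
  else
    echo "FAIL: $1 is readable by group/other or has no dns_cloudflare_api_token" >&2
    exit 1
  fi
fi
```

The check refuses to proceed on a world-readable file instead of merely warning, which is the behaviour you want in an unattended job where nobody reads certbot's log output.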
Script
#!/bin/bash
# ==========================================
# A cron script which generates and stores Let's Encrypt certificates every 60 days
# Note: The user used in this script needs write access to /etc/ssl on the target machines.
# ==========================================
set -euo pipefail   # stop at the first failure so stale files are never copied as if they were new

CERT_PATH="/etc/letsencrypt/live/abair.ie"   # Lineage certbot writes (no trailing slash; joined with /fullchain.pem below)
PRIVATE_KEY="/root/.ssh/id_ed25519"           # SSH private key used to reach the target VM
CF_CREDS="/root/certbot-creds.ini"            # Cloudflare API token for the DNS-01 challenge (mode 0600)

# ==========================================
# Generate the certificates
# ==========================================
# The apex name and its wildcard are requested as ONE certificate under the
# lineage name "abair.ie", so the files copied below cover both abair.ie and
# *.abair.ie. Requested separately, certbot would put the second one in a
# different live/ directory (abair.ie-0001) and it would never be deployed.
certbot certonly \
  --non-interactive \
  --dns-cloudflare \
  --dns-cloudflare-credentials "$CF_CREDS" \
  --force-renew \
  --cert-name abair.ie \
  -d 'abair.ie' \
  -d '*.abair.ie'
certbot certonly \
  --non-interactive \
  --dns-cloudflare \
  --dns-cloudflare-credentials "$CF_CREDS" \
  --force-renew \
  -d '*.scealai.abair.ie'
certbot certonly \
  --non-interactive \
  --dns-cloudflare \
  --dns-cloudflare-credentials "$CF_CREDS" \
  --force-renew \
  -d '*.geabaire.abair.ie'

# ==========================================
# Copy the certificate pair to services VM
# ==========================================
SERVICES_VM_IP="10.0.0.2"
SERVICES_VM_PORT="22102"
SERVICES_VM_USER="services"
SERVICES_VM="$SERVICES_VM_USER@$SERVICES_VM_IP"

# Copy certificate and key. The trailing slash makes scp fail loudly if
# /etc/ssl/abair.ie is not a directory instead of writing the key over the chain.
scp -i "$PRIVATE_KEY" -P "$SERVICES_VM_PORT" "$CERT_PATH/fullchain.pem" "$SERVICES_VM:/etc/ssl/abair.ie/"
scp -i "$PRIVATE_KEY" -P "$SERVICES_VM_PORT" "$CERT_PATH/privkey.pem"   "$SERVICES_VM:/etc/ssl/abair.ie/"

# Restart Docker Registry so the container loads the new certificate
ssh -i "$PRIVATE_KEY" -p "$SERVICES_VM_PORT" "$SERVICES_VM" \
  "docker compose -f /home/services/docker-registry/docker-compose.yml restart"

# Copy certificate into services' mailcow (mailcow expects cert.pem and key.pem under data/assets/ssl)
scp -i "$PRIVATE_KEY" -P "$SERVICES_VM_PORT" "$CERT_PATH/fullchain.pem" "$SERVICES_VM:/home/services/mailcow-dockerized/data/assets/ssl/cert.pem"
scp -i "$PRIVATE_KEY" -P "$SERVICES_VM_PORT" "$CERT_PATH/privkey.pem"   "$SERVICES_VM:/home/services/mailcow-dockerized/data/assets/ssl/key.pem"

# The mailcow containers that use the certificate read it at startup, so restart them as well
ssh -i "$PRIVATE_KEY" -p "$SERVICES_VM_PORT" "$SERVICES_VM" \
  "docker compose -f /home/services/mailcow-dockerized/docker-compose.yml restart postfix-mailcow dovecot-mailcow nginx-mailcow"
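Copying the files does not prove anything is serving them. The following is an added post-deploy check, not part of update-ssl-certs.sh, that compares the SHA-256 fingerprint of the freshly issued certificate with the one each service actually presents on the wire, and confirms the local file really was renewed. The endpoint list at the bottom is an assumption for this example: the registry port (5000), the mailcow HTTPS port (443) and the host names registry.abair.ie and mail.abair.ie are placeholders under the *.abair.ie wildcard; substitute your own.

```shell
#!/bin/bash
# Added example (not part of update-ssl-certs.sh): verify that each service on the
# VM serves the certificate that was just copied over. A service that was not
# restarted keeps the old certificate in memory even though new files are on disk.

CERT_PATH="/etc/letsencrypt/live/abair.ie"   # same lineage the cron script copies

# cert_fingerprint FILE -> SHA-256 fingerprint of the first certificate in FILE
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint HOST PORT SNI -> fingerprint of the leaf certificate HOST:PORT
# presents for server name SNI (empty string if the handshake fails)
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_valid_for_days FILE DAYS -> 0 if FILE's certificate is still valid DAYS from now
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# verify_endpoint FILE HOST PORT SNI -> 0 if HOST:PORT serves the certificate in FILE
verify_endpoint() {
  local file=$1 host=$2 port=$3 sni=$4 want got
  want=$(cert_fingerprint "$file")
  got=$(served_fingerprint "$host" "$port" "$sni")
  if [ -n "$got" ] && [ "$got" = "$want" ]; then
    echo "OK   $sni ($host:$port) serves the newly issued certificate"
    return 0
  fi
  echo "FAIL $sni ($host:$port) serves ${got:-no certificate}; expected $want (service not restarted?)" >&2
  return 1
}

main() {
  local file="$CERT_PATH/fullchain.pem" rc=0
  # A freshly issued Let's Encrypt certificate is valid for 90 days; fewer than
  # 30 left means the certbot step did not actually renew anything.
  cert_valid_for_days "$file" 30 || { echo "FAIL $file expires within 30 days" >&2; rc=1; }
  # Endpoints to check: HOST PORT SNI (placeholder ports and names, see lead-in)
  while read -r host port sni; do
    verify_endpoint "$file" "$host" "$port" "$sni" || rc=1
  done <<'EOF'
10.0.0.2 5000 registry.abair.ie
10.0.0.2 443  mail.abair.ie
EOF
  return $rc
}

# Only run the network checks when invoked directly: ./verify-certs.sh --check
if [ "${1:-}" = "--check" ]; then
  main
fi
```

Running this as the last step of the cron job (and letting its non-zero exit reach your monitoring) turns a silent "files copied but old certificate still served" condition into an alert. The SNI argument matters: with a wildcard certificate the server may present a different certificate depending on the name requested.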