Monit ssl cert renewal script

Discussion in 'Tips/Tricks/Mods' started by Poliman, Sep 17, 2018.

  1. Poliman

    Poliman Member

    I did some script used to renew ssl cert attached to Monit (and another services) from @ahrasis Securing ISP tutorial:
    Code:
    #!/bin/bash
    
    #This script is developed for renewing cert used by Monit and other applications,
    #which will have provided Let's Encrypt certs
    #add to cronjob i.e.  each midnight
    #useful converter https://www.epochconverter.com/
    
    
    #epoch format of the cert file
    cert="/etc/letsencrypt/live/s1.poliman.net/cert.pem"
    expire_date=$(openssl x509 -enddate -noout -in $cert | awk -F'=' '{print $2}')
    epoch_expire_date=$(date -d "$expire_date" +%s)
    
    #get current date of ispserver.pem and convert to epoch format
    isppem="/usr/local/ispconfig/interface/ssl/ispserver.pem"
    ispcrt_date_current=$(stat -c "%y" $isppem)
    epoch_ispcrt_current=$(date -d "$ispcrt_date_current" +%s)
    
    cd /usr/local/ispconfig/interface/ssl
    
    if [ $epoch_expire_date -gt $epoch_ispcrt_current ]
    then
            if [ -f "ispserver.pem" ]
            then
                    #remove older ispserver.pem files and create the newest copy
                    rm ispserver.pem-*.bak
                    mv ispserver.pem ispserver.pem-$(date +"%y-%m-%d-%H:%M:%S").bak
            fi
    
            #create new ispserver.pem file and set right permissions
            cat ispserver.{key,crt} > ispserver.pem
            chmod 600 ispserver.pem
    
            #restarting required services, add more if you use more services with specific cert
            service monit restart
    
            #logging events to file in path /usr/local/ispconfig/interface/ssl
            echo "$(date +%y-%m-%d-%H:%M:%S) File ispserver.pem changed, so script refresh it and restarted services." >> log_file.log
    else
            #log_file.log will be created in path /usr/local/ispconfig/interface/ssl
            echo "$(date +%y-%m-%d-%H:%M:%S) Script thinks that certificate files are not renewed, so we don't have to refresh ispserver.pem." >> log_file.log
    fi
    
     
    Last edited: Sep 17, 2018
    concept21 likes this.
  2. concept21

    concept21 Member

    Do you mean "refreshing" ispconfig letsencrypt SSL cert? :rolleyes:
     
  3. Poliman

    Poliman Member

    Yes, exactly. ;) Each time, when LE SSL cert renew, the .pem file is not refreshed. ;)
     
  4. concept21

    concept21 Member

    For Monit, reloading is enough. Also refreshing the other 2:
    systemctl reload monit.service
    systemctl reload postfix.service
    systemctl restart pure-ftpd-mysql.service

    :cool:
     
  5. ahrasis

    ahrasis Active Member

    Not sure what you mean by "refreshing' but normally we restart nginx or apache for a web server to ensure new certs are applied, just like monit in your script.

    Unfortunately, you did not describe how you secure monit at the first place, leaving readers in the dark on how that suppose to "refresh" the new certs for monit.

    If you followed my tips, then you must know that not only it is set to use pure-ftpd.pem i.e. symlinks to ispconfig.pem but it will also need to be chmod 600 on its own, i.e. even after you have chmod ispconfig.pem to 600.

    At least that how it works in my tutorial.
     
  6. Poliman

    Poliman Member

    Where should I describe it?
    Do you mean I should add chmod 600 also for symlinked .pem file used for specific services like Monit, Pure-ftpd etc?
     
  7. concept21

    concept21 Member

    I guess your program works because Letsencrypt will reload apache after it has renewed the SSL certificate. We only renew those services which have not been restarted.
     
  8. Poliman

    Poliman Member

    Yes, exactly as you said. I only use monit, so I only restart monit service. Of course somebody can add more. ;) Each line has own comment. ;)
     

Share This Page