#!/bin/bash

####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/bash/ss-encrypt-certbot.txt #############################
#### path: /var/www/ss-encrypt-certbot #############################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Regenerates Letsencrypt certs and relevant symlinks ##################################
#### module version: Certbot 1.21.x ################################################################
#### sourced by: ss-install-nginx-config ###########################################################
#### bash aliases: ss certbot, ss encrypt certbot|letsencrypt, ss letsencrypt ######################
####################################################################################################

## SS-ENCRYPT-CERTBOT WILL ALWAYS ACTIVATE OPENSSL BEFORE REQUESTING LETSENCRYPT CERTS ##
## IT ONLY REQUESTS LETSENCRYPT CERTS BUT DOES NOT ACTIVATE THEM ON SLICKSTACK ##

## source ss-config ##
source /var/www/ss-config

## source ss-functions ##
source /var/www/ss-functions

## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS

####################################################################################################
#### TABLE OF CONTENTS (SS-Encrypt-Certbot) ########################################################
####################################################################################################

## this is a brief summary of the different code snippets you will find in this script ##
## each section should be commented so you understand what is being accomplished ##

## A. Touch Timestamp File
## B. Message (Begin Script)
## C. Temporarily Activate OpenSSL
## D. Request Certificates From Lets Encrypt Servers
## E. Create Lets Encrypt Symlinks
## F. Reset Permissions (Nginx SSL)
## G. Restart Modules (Nginx)

####################################################################################################
#### A. SS-Encrypt-Certbot: Touch Timestamp File ###################################################
####################################################################################################

## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##

ss_touch "${TIMESTAMP_SS_ENCRYPT_CERTBOT}"

####################################################################################################
#### B. SS-Encrypt-Certbot: Message (Begin Script) #################################################
####################################################################################################

## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be seen by sudo users who manually run this script in the shell ##

ss_echo "${COLOR_INFO}Running ss-encrypt-certbot... ${COLOR_RESET}"

####################################################################################################
#### C. SS-Encrypt-Certbot: Temporarily Activate OpenSSL ###########################################
####################################################################################################

## this should work fine even for live sites tha enabled certbot but might want to change it later to avoid potential broken frontends ##

## here we must temporarily activate OpenSSL in order to avoid fatal errors in Nginx ##
## the next step will be running Certbot which requires OpenSSL to be activated ##

if [[ ! -f "${PATH_THIRDPARTY_CONF}" ]]; then 
    source "${PATH_SS_INSTALL_NGINX_OPENSSL}"
fi

####################################################################################################
#### D. SS-Encrypt-Certbot: Request Certificates From Lets Encrypt Servers #########################
####################################################################################################

## NOTICE: SLICKSTACK DOES NOT SUPPORT SUB-SUBDOMAINS LIKE WWW.BLOG.EXAMPLE.COM ##

## SlickStack deletes old Lets Encrypt certs and requests new ones to avoid dir-stacking ##
## this approach also allows you to change your server to a different CMS or TLD ##

## SINGLE SITE CERTS + STAGING ENABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
if [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN}


## SINGLE SITE CERTS + STAGING ENABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN}


## SINGLE SITE CERTS + STAGING DISABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN}


## SINGLE SITE CERTS + STAGING DISABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN}


## MULTISITE SUBDOMAINS + EITHER STAGING/DEV ENABLED (PART OF WILDCARD) ##

elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" != "false" ]]; then
    certbot certonly --manual --agree-tos --register-unsafely-without-email --cert-name slickstack --preferred-challenges=dns -d ${SITE_DOMAIN_EXCLUDING_WWW} -d *.${SITE_DOMAIN_EXCLUDING_WWW}


## MULTISITE SUBDOMAINS + BOTH STAGING/DEV DISABLED (STILL REQUIRES WILDCARD) ##
## n/a (same as above)


### ALL THESE STILL NEED FIXING RE: WEBROOT SYNTAX SAME AS SINGLE SITES ABOVE ###
## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/


## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/


## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/


## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} --register-unsafely-without-email --webroot -w /var/www/html/


## OTHERWISE DISPLAY THIS ERROR MESSAGE ##

else
    ss_echo "${COLOR_WARNING}It seems required options are missing from ss-config so we dont know what Lets Encrypt cert to request for you... ${COLOR_RESET}"
fi

####################################################################################################
#### E. SS-Encrypt-Certbot: Create Lets Encrypt Symlinks ###########################################
####################################################################################################

## here we create symlinks in the /var/www/certs/ directory that point to Lets Encrypt ##
## this hardcode method simplifies our Nginx settings and makes it more stable ##

ss_ln "${PATH_LETSENCRYPT_CERT_CERT}" "${SYMLINK_LETSENCRYPT_CERT}"
ss_ln "${PATH_LETSENCRYPT_CERT_CHAIN}" "${SYMLINK_LETSENCRYPT_CHAIN}"
ss_ln "${PATH_LETSENCRYPT_CERT_FULLCHAIN}" "${SYMLINK_LETSENCRYPT_FULLCHAIN}"
ss_ln "${PATH_LETSENCRYPT_CERT_PRIVKEY}" "${SYMLINK_LETSENCRYPT_PRIVKEY}"

####################################################################################################
#### F. SS-Encrypt-Certbot: Reset Permissions (Nginx SSL) ##########################################
####################################################################################################

## source "${PATH_SS_PERMS_NGINX_SSL}"

####################################################################################################
#### G. SS-Encrypt-Certbot: Restart Modules (Nginx) ################################################
####################################################################################################

## source "${PATH_SS_RESTART_NGINX}"

####################################################################################################
#### SlickStack: Reset Permissions (SlickStack Scripts) ############################################
####################################################################################################

## we include this permissions reset in all cron jobs and bash scripts for redundancy ##
## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ##

## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS
## SNIPPET: ss bash scripts, ss cron jobs
## UPDATED: 02JUL2022

chown root:root /var/www/ss* ## must be root:root
chown root:root /var/www/crons/*cron* ## must be root:root
chown root:root /var/www/crons/custom/*cron* ## must be root:root
chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute

####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################

## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299
## Ref: https://matthewlehner.net/lets-encrypt-with-nginx
## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851
## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2
## Ref: https://community.letsencrypt.org/t/certificate-path/24227
## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html
## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693
## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash
## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable
## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script
## Ref: https://github.com/certbot/certbot/issues/3039
## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string
## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard
## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/
## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168
## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https
## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd
## Ref: https://letsencrypt.org/docs/challenge-types/
## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346
## Ref: https://weakdh.org/sysadmin.html
## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters
## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS
## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue
## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed
## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue
## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line
## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2
## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568
## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/
## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo
## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041
## Ref: https://letsencrypt.org/docs/rate-limits/
## Ref: https://github.com/certbot/certbot/issues/2071
## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14
## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917
## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash
## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago
## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old
## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
## Ref: https://www.getpagespeed.com/server-setup/ssl-directory
## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key
## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu
## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542
## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409
## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt
## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables
## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem
## Ref: https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7
## Ref: https://levelup.gitconnected.com/obtaining-wildcard-ssl-from-lets-encrypt-fee9ea6ef2b3
## Ref: https://community.letsencrypt.org/t/you-may-need-to-use-a-different-authenticator-plugin/115026
## Ref: https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925/4
## Ref: https://wordpress.org/support/topic/wp-multisite-404-not-found-error/
## Ref: https://community.letsencrypt.org/t/resolved-certbot-how-to-specify-webroot-for-unmatched-domains/23147/2
## Ref: https://community.letsencrypt.org/t/multiple-domains-webroot-paths-using-webroot-plugin/7982
## Ref: https://serverfault.com/questions/790772/cron-job-for-lets-encrypt-renewal

## WP Multisite research:

## Ref: https://stackoverflow.com/questions/34143059/how-to-get-list-of-all-sites-in-wordpress-multisite-network
## Ref: https://developer.wordpress.org/reference/functions/get_sites/
## Ref: https://community.letsencrypt.org/t/wordpress-multisite-possible-to-configure-letsencrypt-without-separate-apache-files/51916
## Ref: https://community.letsencrypt.org/t/wordpress-multi-site-apache-configuration-for-use-w-lets-encrypt/46185/5?source_topic_id=51916
## Ref: https://wordpress.org/support/topic/new-multisite-domain-features-and-installing-letsencrypt-oddities/
## Ref: https://www.digitalocean.com/community/questions/how-to-use-ssl-with-domain-mapping-in-multisite-wordpress
## Ref: https://community.letsencrypt.org/t/best-practice-for-multiple-domains-on-single-server/123262
## Ref: https://community.letsencrypt.org/t/multiple-domains-with-certbot/51064
## Ref: https://www.digitalocean.com/community/questions/let-s-encrypt-for-multiple-sites-with-different-domains-on-same-droplet

## SS_EOF