#!/bin/bash #################################################################################################### #### author: SlickStack ############################################################################ #### link: https://slickstack.io ################################################################### #### mirror: https://mirrors.slickstack.io/bash/ss-encrypt-certbot.txt ############################# #### path: /var/www/ss-encrypt-certbot ############################################################# #### destination: n/a (not a boilerplate) ########################################################## #### purpose: Regenerates Letsencrypt certs and relevant symlinks ################################## #### module version: Certbot 1.21.x ################################################################ #### sourced by: ss-install-nginx-config ########################################################### #### bash aliases: ss certbot, ss encrypt certbot|letsencrypt, ss letsencrypt ###################### #################################################################################################### ## SS-ENCRYPT-CERTBOT WILL ALWAYS ACTIVATE OPENSSL BEFORE REQUESTING LETSENCRYPT CERTS ## ## IT ONLY REQUESTS LETSENCRYPT CERTS BUT DOES NOT ACTIVATE THEM ON SLICKSTACK ## ## source ss-config ## source /var/www/ss-config ## source ss-functions ## source /var/www/ss-functions ## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS #################################################################################################### #### TABLE OF CONTENTS (SS-Encrypt-Certbot) ######################################################## #################################################################################################### ## this is a brief summary of the different code snippets you will find in this script ## ## each section should be commented so you understand what is being accomplished ## ## A. Touch Timestamp File ## B. Message (Begin Script) ## C. Temporarily Activate OpenSSL ## D. Request Certificates From Lets Encrypt Servers ## E. Create Lets Encrypt Symlinks ## F. Reset Permissions (Nginx SSL) ## G. Restart Modules (Nginx) #################################################################################################### #### A. SS-Encrypt-Certbot: Touch Timestamp File ################################################### #################################################################################################### ## this is a dummy timestamp file that will remember the last time this script was run ## ## it can be useful for developer reference and is sometimes used by SlickStack ## ss_touch "${TIMESTAMP_SS_ENCRYPT_CERTBOT}" #################################################################################################### #### B. SS-Encrypt-Certbot: Message (Begin Script) ################################################# #################################################################################################### ## this is a simple message that announces to the shell the purpose of this bash script ## ## it will only be seen by sudo users who manually run this script in the shell ## ss_echo "${COLOR_INFO}Running ss-encrypt-certbot... ${COLOR_RESET}" #################################################################################################### #### C. SS-Encrypt-Certbot: Temporarily Activate OpenSSL ########################################### #################################################################################################### ## this should work fine even for live sites tha enabled certbot but might want to change it later to avoid potential broken frontends ## ## here we must temporarily activate OpenSSL in order to avoid fatal errors in Nginx ## ## the next step will be running Certbot which requires OpenSSL to be activated ## if [[ ! -f "${PATH_THIRDPARTY_CONF}" ]]; then source "${PATH_SS_INSTALL_NGINX_OPENSSL}" fi #################################################################################################### #### D. SS-Encrypt-Certbot: Request Certificates From Lets Encrypt Servers ######################### #################################################################################################### ## NOTICE: SLICKSTACK DOES NOT SUPPORT SUB-SUBDOMAINS LIKE WWW.BLOG.EXAMPLE.COM ## ## SlickStack deletes old Lets Encrypt certs and requests new ones to avoid dir-stacking ## ## this approach also allows you to change your server to a different CMS or TLD ## ## SINGLE SITE CERTS + STAGING ENABLED / DEV ENABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## if [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN} ## SINGLE SITE CERTS + STAGING ENABLED / DEV DISABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN} ## SINGLE SITE CERTS + STAGING DISABLED / DEV ENABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN} ## SINGLE SITE CERTS + STAGING DISABLED / DEV DISABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then ss_certbot -d ${SITE_DOMAIN} ## MULTISITE SUBDOMAINS + EITHER STAGING/DEV ENABLED (PART OF WILDCARD) ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" != "false" ]]; then certbot certonly --manual --agree-tos --register-unsafely-without-email --cert-name slickstack --preferred-challenges=dns -d ${SITE_DOMAIN_EXCLUDING_WWW} -d *.${SITE_DOMAIN_EXCLUDING_WWW} ## MULTISITE SUBDOMAINS + BOTH STAGING/DEV DISABLED (STILL REQUIRES WILDCARD) ## ## n/a (same as above) ### ALL THESE STILL NEED FIXING RE: WEBROOT SYNTAX SAME AS SINGLE SITES ABOVE ### ## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV ENABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV DISABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV ENABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV DISABLED ## ## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" == "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} --register-unsafely-without-email --webroot -w /var/www/html/ ## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ## elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_DOMAIN}" != www.* ]] && [[ "${SITE_TLD}" != "${SITE_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_DOMAIN} --register-unsafely-without-email --webroot -w /var/www/html/ ## OTHERWISE DISPLAY THIS ERROR MESSAGE ## else ss_echo "${COLOR_WARNING}It seems required options are missing from ss-config so we dont know what Lets Encrypt cert to request for you... ${COLOR_RESET}" fi #################################################################################################### #### E. SS-Encrypt-Certbot: Create Lets Encrypt Symlinks ########################################### #################################################################################################### ## here we create symlinks in the /var/www/certs/ directory that point to Lets Encrypt ## ## this hardcode method simplifies our Nginx settings and makes it more stable ## ss_ln "${PATH_LETSENCRYPT_CERT_CERT}" "${SYMLINK_LETSENCRYPT_CERT}" ss_ln "${PATH_LETSENCRYPT_CERT_CHAIN}" "${SYMLINK_LETSENCRYPT_CHAIN}" ss_ln "${PATH_LETSENCRYPT_CERT_FULLCHAIN}" "${SYMLINK_LETSENCRYPT_FULLCHAIN}" ss_ln "${PATH_LETSENCRYPT_CERT_PRIVKEY}" "${SYMLINK_LETSENCRYPT_PRIVKEY}" #################################################################################################### #### F. SS-Encrypt-Certbot: Reset Permissions (Nginx SSL) ########################################## #################################################################################################### ## source "${PATH_SS_PERMS_NGINX_SSL}" #################################################################################################### #### G. SS-Encrypt-Certbot: Restart Modules (Nginx) ################################################ #################################################################################################### ## source "${PATH_SS_RESTART_NGINX}" #################################################################################################### #### SlickStack: Reset Permissions (SlickStack Scripts) ############################################ #################################################################################################### ## we include this permissions reset in all cron jobs and bash scripts for redundancy ## ## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ## ## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS ## SNIPPET: ss bash scripts, ss cron jobs ## UPDATED: 02JUL2022 chown root:root /var/www/ss* ## must be root:root chown root:root /var/www/crons/*cron* ## must be root:root chown root:root /var/www/crons/custom/*cron* ## must be root:root chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute #################################################################################################### #### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ############### #################################################################################################### ## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/ ## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299 ## Ref: https://matthewlehner.net/lets-encrypt-with-nginx ## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851 ## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2 ## Ref: https://community.letsencrypt.org/t/certificate-path/24227 ## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html ## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693 ## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash ## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable ## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script ## Ref: https://github.com/certbot/certbot/issues/3039 ## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string ## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard ## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/ ## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168 ## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare ## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https ## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/ ## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd ## Ref: https://letsencrypt.org/docs/challenge-types/ ## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation ## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346 ## Ref: https://weakdh.org/sysadmin.html ## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters ## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters ## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS ## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue ## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed ## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue ## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line ## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2 ## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568 ## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/ ## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names ## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo ## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041 ## Ref: https://letsencrypt.org/docs/rate-limits/ ## Ref: https://github.com/certbot/certbot/issues/2071 ## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14 ## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917 ## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash ## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago ## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old ## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/ ## Ref: https://www.getpagespeed.com/server-setup/ssl-directory ## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key ## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/ ## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu ## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542 ## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409 ## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt ## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables ## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem ## Ref: https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 ## Ref: https://levelup.gitconnected.com/obtaining-wildcard-ssl-from-lets-encrypt-fee9ea6ef2b3 ## Ref: https://community.letsencrypt.org/t/you-may-need-to-use-a-different-authenticator-plugin/115026 ## Ref: https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925/4 ## Ref: https://wordpress.org/support/topic/wp-multisite-404-not-found-error/ ## Ref: https://community.letsencrypt.org/t/resolved-certbot-how-to-specify-webroot-for-unmatched-domains/23147/2 ## Ref: https://community.letsencrypt.org/t/multiple-domains-webroot-paths-using-webroot-plugin/7982 ## Ref: https://serverfault.com/questions/790772/cron-job-for-lets-encrypt-renewal ## WP Multisite research: ## Ref: https://stackoverflow.com/questions/34143059/how-to-get-list-of-all-sites-in-wordpress-multisite-network ## Ref: https://developer.wordpress.org/reference/functions/get_sites/ ## Ref: https://community.letsencrypt.org/t/wordpress-multisite-possible-to-configure-letsencrypt-without-separate-apache-files/51916 ## Ref: https://community.letsencrypt.org/t/wordpress-multi-site-apache-configuration-for-use-w-lets-encrypt/46185/5?source_topic_id=51916 ## Ref: https://wordpress.org/support/topic/new-multisite-domain-features-and-installing-letsencrypt-oddities/ ## Ref: https://www.digitalocean.com/community/questions/how-to-use-ssl-with-domain-mapping-in-multisite-wordpress ## Ref: https://community.letsencrypt.org/t/best-practice-for-multiple-domains-on-single-server/123262 ## Ref: https://community.letsencrypt.org/t/multiple-domains-with-certbot/51064 ## Ref: https://www.digitalocean.com/community/questions/let-s-encrypt-for-multiple-sites-with-different-domains-on-same-droplet ## SS_EOF