letsencrypt: notify of renewals

nextcloud · Jun 21, 2018 · 9983b7c · 9983b7c
1 parent a0a31b4
commit 9983b7c
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/etc/ncp-config.d/letsencrypt.sh b/etc/ncp-config.d/letsencrypt.sh
@@ -9,6 +9,7 @@
 
 DOMAIN_=mycloud.ownyourbits.com
 EMAIL_=mycloud@ownyourbits.com
+NOTIFYUSER_=ncp
 
 NCDIR=/var/www/nextcloud
 OCC="$NCDIR/occ"
@@ -53,32 +54,51 @@ configure()
 {
   local DOMAIN_LOWERCASE="${DOMAIN_,,}"
 
+  # Configure Apache
   grep -q ServerName $VHOSTCFG && \
     sed -i "s|ServerName .*|ServerName $DOMAIN_|" $VHOSTCFG || \
     sed -i "/DocumentRoot/aServerName $DOMAIN_" $VHOSTCFG 
 
+  # Do it
   letsencrypt certonly -n --no-self-upgrade --webroot -w $NCDIR --hsts --agree-tos -m $EMAIL_ -d $DOMAIN_ && {
+
+    # Set up auto-renewal
     cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
 #!/bin/bash
-/usr/bin/certbot renew --quiet
+
+# renew and notify
+/usr/bin/certbot renew --quiet --renew-hook '
+  sudo -u www-data php $OCC notification:generate \
+                            $NOTIFYUSER_ "SSL renewal" \
+                            -l "Your SSL certificate(s) \$RENEWED_DOMAINS has been renewed for another 90 days"
+  '
+
+# notify if fails
+[[ \$? -ne 0 ]] && sudo -u www-data php $OCC notification:generate \
+                                             $NOTIFYUSER_ "SSL renewal error" \
+                                             -l "SSL certificate renewal failed. See /var/log/letsencrypt/letsencrypt.log"
+
+# cleanup
 rm -rf $NCDIR/.well-known
 EOF
     chmod +x /etc/cron.weekly/letsencrypt-ncp
 
+    # Configure Apache
     sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $VHOSTCFG
     sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $VHOSTCFG
 
     sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $VHOSTCFG2
     sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $VHOSTCFG2
 
+    # Configure Nextcloud
     sudo -u www-data php $OCC config:system:set trusted_domains 4 --value=$DOMAIN_
     sudo -u www-data php $OCC config:system:set overwrite.cli.url --value=https://$DOMAIN_
 
     # delayed in bg so it does not kill the connection, and we get AJAX response
     bash -c "sleep 2 && service apache2 reload" &>/dev/null &
     rm -rf $NCDIR/.well-known
 
-    # update configuration
+    # Update configuration
     [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt enable
 
     return 0

diff --git a/update.sh b/update.sh
@@ -252,6 +252,32 @@ cd /var/www/nextcloud
 sudo -u www-data php occ config:system:set trusted_domains 1 --value=$IP
 EOF
 
+    # letsencrypt: notify of renewals
+    [[ -f /etc/cron.weekly/letsencrypt-ncp ]] && ! grep -q SSL /etc/cron.weekly/letsencrypt-ncp && {
+      NCDIR=/var/www/nextcloud
+      OCC="$NCDIR"/occ
+      NOTIFYUSER_=ncp
+      cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
+#!/bin/bash
+
+# renew and notify
+/usr/bin/certbot renew --quiet --renew-hook '
+  sudo -u www-data php $OCC notification:generate \
+                            $NOTIFYUSER_ "SSL renewal" \
+                            -l "Your SSL certificate(s) \$RENEWED_DOMAINS has been renewed for another 90 days"
+  '
+
+# notify if fails
+[[ \$? -ne 0 ]] && sudo -u www-data php $OCC notification:generate \
+                                             $NOTIFYUSER_ "SSL renewal error" \
+                                             -l "SSL certificate renewal failed. See /var/log/letsencrypt/letsencrypt.log"
+
+# cleanup
+rm -rf $NCDIR/.well-known
+EOF
+      chmod +x /etc/cron.weekly/letsencrypt-ncp
+    }
+
 } # end - only live updates
 
 exit 0