ptrcports/acme-update/acme-update


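#!/usr/bin/env bash
# acme-update: renew the uacme-managed certificates named in $domains (from
# /etc/uacme/config.sh), copy each cert/key pair under /etc/ssl/uacme/all and
# reload the services that use them. Everything printed is appended to
# /var/log/acme.log.
#
# The script uses bash-only syntax (&>, >(...), ${var:0:1}, ${var/pat/rep}),
# so it must run under bash rather than /bin/sh. The options live in `set`
# rather than the shebang so they survive "bash acme-update".
set -eu -o pipefail
# Mirror stdout and stderr into the log; &> already covers both streams.
exec &> >(tee -a /var/log/acme.log)
echo "[acme-update] starting cert renewal at: $(date)"
# Sourced config; it is expected to define $domains (whitespace-separated).
. /etc/uacme/config.sh
export UACME_CHALLENGE_PATH=/var/www/acme/.well-known/acme-challenge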
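#######################################
# Print the notAfter timestamp of an X.509 certificate in the form openssl
# prints it minus the trailing " GMT" (constructed example:
# "Jan  1 00:00:00 2025"). Same output as the former openssl | cut | sed
# pipeline, done with parameter expansion.
# Arguments: $1 - path to a PEM certificate
# Outputs:   expiry timestamp on stdout
# Returns:   openssl's exit status; an unreadable or malformed cert is no
#            longer masked by the status of the last pipeline stage
#######################################
expiry_date() {
  local enddate
  enddate=$(openssl x509 -enddate -noout -in "$1") || return
  enddate=${enddate#*=}               # equivalent of: cut -d= -f2
  printf '%s\n' "${enddate/ GMT/}"    # equivalent of: sed 's/ GMT//'
}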
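actually_did_something=false
# Loop-invariant issue parameters, set once instead of per domain.
hook=/usr/libexec/uacme-hook
renew_threshold=2592000   # 30 days in seconds; certs valid longer are left alone

# $domains comes from /etc/uacme/config.sh as a whitespace-separated list and
# is word-split on purpose. Pathname expansion is switched off for the loop so
# a wildcard entry such as "*.example.com" cannot be expanded against the
# working directory before it reaches uacme.
set -f
for domain in $domains; do
  # uacme is given every name the certificate must cover: for a wildcard
  # entry that is the apex name followed by the wildcard itself. On disk the
  # certificate is stored under the apex name.
  if [[ "${domain:0:1}" == "*" ]]; then
    acme_names=("${domain/\*./}" "$domain")
    domain="${domain/\*./}"
  else
    acme_names=("$domain")
  fi
  cert="/etc/ssl/uacme/$domain/cert.pem"
  key="/etc/ssl/uacme/private/$domain/key.pem"
  echo
  if [[ -f "$cert" ]]; then
    # date -d is the GNU form; if it cannot parse the timestamp, date_exp is
    # left empty and counts as 0 below, i.e. the cert is renewed rather than
    # silently skipped.
    date_exp=$(date -d "$(expiry_date "$cert")" "+%s" || true)
    date_now=$(date "+%s")
    if (( ${date_exp:-0} - date_now > renew_threshold )); then
      echo "[acme-update] cert for $domain expires in more than a month, skipping"
      continue
    fi
  fi
  echo "[acme-update] getting cert for $domain"
  # uacme's exit status is deliberately not fatal so one failing domain does
  # not abort renewal of the rest; the files it should have produced are
  # checked explicitly below instead.
  # NOTE(review): confirm against uacme(1) whether a non-zero status can also
  # mean "nothing to renew" before considering making it fatal.
  /usr/bin/uacme -v --hook "$hook" -b 384 --type EC issue "${acme_names[@]}" || true
  # Checked before the copies, not after: under set -e a missing file would
  # otherwise abort the whole run at the first cp and never reach the warning.
  if [[ ! -e "$cert" || ! -e "$key" ]]; then
    echo "[acme-update] warning: cert $cert or key $key does not exist, skipping $domain"
    continue
  fi
  # Private copy of the key next to the cert, readable only by the acme user.
  cp -fv -- "$key" "$cert.key"
  chown acme:acme "$cert.key"
  chmod 440 "$cert.key"
  # Flat per-domain copies under all/ (<name>.pem + <name>.pem.key). The key
  # copy gets the same 440 mode explicitly rather than relying on the mode
  # cp happens to leave on a new or pre-existing destination.
  cp -fv -- "$cert" "/etc/ssl/uacme/all/$domain.pem"
  cp -fv -- "$cert.key" "/etc/ssl/uacme/all/$domain.pem.key"
  chmod 440 "/etc/ssl/uacme/all/$domain.pem.key"
  expiration=$(expiry_date "$cert")
  actually_did_something=true
  echo "[acme-update] certificate expiration for $domain: $expiration"
done
set +f

# Only reload consumers when at least one certificate was refreshed.
if [[ "$actually_did_something" == true ]]; then
  doas service haproxy reload
  doas service soju reload
  doas service maddy restart
  doas service mosquitto restart
fi
echo "info: cert renewal completed successfully at: $(date)"
exit 0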