|
| 1 | +<?php |
| 2 | +// Lescript automatic updating script. |
| 3 | +// |
| 4 | +// This is an example of how Lescript can be used to automatically update |
| 5 | +// expiring certificates. |
| 6 | +// |
| 7 | +// This code is based on FreePBX's LetsEncrypt integration |
| 8 | +// |
| 9 | +// Copyright (c) 2016 Rob Thomas <rthomas@sangoma.com> |
| 10 | +// Licence: AGPLv3. |
| 11 | +// |
| 12 | +// In addition, Stanislav Humplik <sh@analogic.cz> is explicitly granted permission |
| 13 | +// to relicence this code under the open source licence of their choice. |
| 14 | + |
| 15 | +if(!defined("PHP_VERSION_ID") || PHP_VERSION_ID < 50300 || !extension_loaded('openssl') || !extension_loaded('curl')) { |
| 16 | + die("You need at least PHP 5.3.0 with OpenSSL and curl extension\n"); |
| 17 | +} |
| 18 | + |
| 19 | +// Configuration: |
| 20 | +$domains = array('test.example.com', 'example.com'); |
| 21 | +$webroot = "/var/www/html"; |
| 22 | +$certlocation = "/usr/local/lescript"; |
| 23 | + |
| 24 | +require 'Lescript.php'; |
| 25 | + |
| 26 | +// Always use UTC |
| 27 | +date_default_timezone_set("UTC"); |
| 28 | + |
| 29 | +// you can use any logger according to Psr\Log\LoggerInterface |
| 30 | +class Logger { function __call($name, $arguments) { echo date('Y-m-d H:i:s')." [$name] ${arguments[0]}\n"; }} |
| 31 | +$logger = new Logger(); |
| 32 | + |
| 33 | +// Make sure our cert location exists |
| 34 | +if (!is_dir($certlocation)) { |
| 35 | + // Make sure nothing is already there. |
| 36 | + if (file_exists($certlocation)) { |
| 37 | + unlink($certlocation); |
| 38 | + } |
| 39 | + mkdir ($certlocation); |
| 40 | +} |
| 41 | + |
| 42 | +// Do we need to create or upgrade our cert? Assume no to start with. |
| 43 | +$needsgen = false; |
| 44 | + |
| 45 | +// Do we HAVE a certificate for all our domains? |
| 46 | +foreach ($domains as $d) { |
| 47 | + $certfile = "$certlocation/$d/cert.pem"; |
| 48 | + |
| 49 | + if (!file_exists($certfile)) { |
| 50 | + // We don't have a cert, so we need to request one. |
| 51 | + $needsgen = true; |
| 52 | + } else { |
| 53 | + // We DO have a certificate. |
| 54 | + $certdata = openssl_x509_parse(file_get_contents($certfile)); |
| 55 | + |
| 56 | + // If it expires in less than a month, we want to renew it. |
| 57 | + $renewafter = $certdata['validTo_time_t']-(86400*30); |
| 58 | + if (time() > $renewafter) { |
| 59 | + // Less than a month left, we need to renew. |
| 60 | + $needsgen = true; |
| 61 | + } |
| 62 | + } |
| 63 | +} |
| 64 | + |
| 65 | +// Do we need to generate a certificate? |
| 66 | +if ($needsgen) { |
| 67 | + try { |
| 68 | + $le = new Analogic\ACME\Lescript($certlocation, $webroot, $logger); |
| 69 | + # or without logger: |
| 70 | + # $le = new Analogic\ACME\Lescript($certlocation, $webroot); |
| 71 | + $le->initAccount(); |
| 72 | + $le->signDomains($domains); |
| 73 | + |
| 74 | + } catch (\Exception $e) { |
| 75 | + $logger->error($e->getMessage()); |
| 76 | + $logger->error($e->getTraceAsString()); |
| 77 | + // Exit with an error code, something went wrong. |
| 78 | + exit(1); |
| 79 | + } |
| 80 | +} |
| 81 | + |
| 82 | +// Create a complete .pem file for use with haproxy or apache 2.4, |
| 83 | +// and save it as domain.name.pem for easy reference. It doesn't |
| 84 | +// matter that this is updated each time, as it'll be exactly |
| 85 | +// the same. |
| 86 | +foreach ($domains as $d) { |
| 87 | + $pem = file_get_contents("$certlocation/$d/fullchain.pem")."\n".file_get_contents("$certlocation/$d/private.pem"); |
| 88 | + file_put_contents("$certlocation/$d.pem", $pem); |
| 89 | +} |
| 90 | + |
| 91 | + |
0 commit comments