#!/bin/sh set -eu domain="${LETSENCRYPT_DOMAIN:-azionelab.org}" email="${LETSENCRYPT_EMAIL:-}" staging="${LETSENCRYPT_STAGING:-1}" renew_interval="${LETSENCRYPT_RENEW_INTERVAL_SECONDS:-43200}" retry_interval="${LETSENCRYPT_RETRY_SECONDS:-300}" renewal_config="/etc/letsencrypt/renewal/${domain}.conf" case "$domain" in "" | *[!A-Za-z0-9.-]* | .* | *. | *..*) echo "Invalid LETSENCRYPT_DOMAIN." >&2; exit 1 ;; esac [ -n "$email" ] || { echo "LETSENCRYPT_EMAIL is required when Let's Encrypt is enabled." >&2; exit 1; } case "$staging" in 0 | 1) ;; *) echo "LETSENCRYPT_STAGING must be 0 or 1." >&2; exit 1 ;; esac case "$renew_interval:$retry_interval" in *[!0-9:]* | :* | *:) echo "Certbot intervals must be positive integers." >&2; exit 1 ;; esac [ "$renew_interval" -gt 0 ] && [ "$retry_interval" -gt 0 ] || { echo "Certbot intervals must be positive." >&2; exit 1; } staging_argument="" [ "$staging" = 0 ] || staging_argument="--staging" trap 'exit 0' TERM INT if [ "$staging" = 0 ] && [ -f "$renewal_config" ] && grep -qi 'acme-staging' "$renewal_config"; then echo "Removing existing Let's Encrypt staging certificate for ${domain} before requesting a production certificate." certbot delete --cert-name "$domain" --non-interactive fi while :; do if certbot certonly --webroot --webroot-path /var/www/certbot --preferred-challenges http \ --cert-name "$domain" --domain "$domain" --email "$email" --agree-tos --non-interactive \ --keep-until-expiring $staging_argument; then delay="$renew_interval" else echo "Certificate request failed; retrying after ${retry_interval}s." >&2 delay="$retry_interval" fi sleep "$delay" & wait $! || true done