-
Notifications
You must be signed in to change notification settings - Fork 10
/
cw-docker.sh
69 lines (54 loc) · 2.23 KB
/
cw-docker.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#!/bin/bash
# Updates the cert files on the docker host and then restarts the
# container(s) (which should have cert storage mapped to them as an
# ro partition)
## Set VARs in accord with environment
cert_apikey=<cert API key>
key_apikey=<key API key>
# server hosting key/cert
server=certdp.local:port
# name of the key/cert (as it is on server)
cert_name=plex.example.com
# URL paths
api_cert_path=certwarden/api/v1/download/certificates/$cert_name
api_key_path=certwarden/api/v1/download/privatekeys/$cert_name
# local user who will own certs
cert_owner=root
# local cert storage
local_certs=/opt/certwarden/certs
# path to store a timestamp to easily see when script last ran
time_stamp=/opt/certwarden/timestamp.txt
# temp folder
temp_certs=$local_certs/temp
## Script
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
echo "Not running as root"
exit
fi
# stop / fail on any error
set -e
mkdir -p $temp_certs
mkdir -p $local_certs
chown root:root $local_certs
chmod 0700 $local_certs
# Fetch certs, if curl returns anything other than 200 success, abort
http_statuscode=$(curl -L https://$server/$api_cert_path -H "apiKey: $cert_apikey" --output $temp_certs/certchain.pem --write-out "%{http_code}")
if test $http_statuscode -ne 200; then exit "$http_statuscode"; fi
http_statuscode=$(curl -L https://$server/$api_key_path -H "apiKey: $key_apikey" --output $temp_certs/key.pem --write-out "%{http_code}")
if test $http_statuscode -ne 200; then exit "$http_statuscode"; fi
if ( ! cmp -s "$temp_certs/certchain.pem" "$local_certs/certchain.pem" ) || ( ! cmp -s "$temp_certs/key.pem" "$local_certs/key.pem" ) ; then
# make plex compatible key/certificate
sudo openssl pkcs12 -inkey $temp_certs/key.pem -in $temp_certs/certchain.pem -export -out $temp_certs/certchain_key.pfx -passout pass:""
## stop whatever services (that run the containers)
systemctl stop mycontainer1
systemctl stop mycontainer2
cp -rf $temp_certs/* $local_certs/
chown $cert_owner:$cert_owner $local_certs/*
chmod 600 $local_certs/key.pem
chmod 644 $local_certs/certchain.pem
## start whatever services (that run the containers)
systemctl start mycontainer1
systemctl start mycontainer2
fi
rm -rf $temp_certs
echo "Last Run: $(date)" > $time_stamp