authorJonas Smedegaard <dr@jones.dk>2017-01-26 15:41:56 +0100
committerJonas Smedegaard <dr@jones.dk>2017-01-26 15:41:56 +0100
commit0fb1da0490d840eddccf87668a4c095d8905325c (patch)
treebe532f4d5dcc7b963658675d2fedccbadbb83a92 /dehydrated
parente042b7bced715a9d0d6c660df453b1b68f263316 (diff)
Move and adapt letsencrypt.sh → dehydrated.
Diffstat (limited to 'dehydrated')
-rw-r--r--dehydrated/conf.d/secp384r1.sh2
-rw-r--r--dehydrated/conf.d/staging.sh2
-rwxr-xr-xdehydrated/cron.weekly/local-dehydrated23
3 files changed, 27 insertions, 0 deletions
diff --git a/dehydrated/conf.d/secp384r1.sh b/dehydrated/conf.d/secp384r1.sh
new file mode 100644
index 0000000..7969796
--- /dev/null
+++ b/dehydrated/conf.d/secp384r1.sh
@@ -0,0 +1,2 @@
+# Use NIST P-384 as public key algorithm
+KEY_ALGO=secp384r1
diff --git a/dehydrated/conf.d/staging.sh b/dehydrated/conf.d/staging.sh
new file mode 100644
index 0000000..edf55e9
--- /dev/null
+++ b/dehydrated/conf.d/staging.sh
@@ -0,0 +1,2 @@
+# Use staging service
+CA="https://acme-staging.api.letsencrypt.org/directory"
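Review bot: The `# Use staging service` comment above `CA=` does not say that the staging endpoint issues from a test hierarchy that clients do not trust. A host that keeps this snippet in conf.d therefore ends up serving untrusted certificates. I would expand the comment to `# Use staging service (test CA: certificates are NOT publicly trusted; remove this file for production)`. Whether the snippet is installed by default is not visible in this commit.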
diff --git a/dehydrated/cron.weekly/local-dehydrated b/dehydrated/cron.weekly/local-dehydrated
new file mode 100755
index 0000000..e07e5d9
--- /dev/null
+++ b/dehydrated/cron.weekly/local-dehydrated
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Renew letsencrypt certificates
+
+set -eu
+
+# update certdomain certs
+dehydrated --cron
+
+# update non-EC maildomain cert if resolvable and not clashing with certdomain
+maildomain=$(cat /etc/local-REDPILL/$(cat /etc/local-ORG/realm)/mailhost)
+fqdn=$(hostname --fqdn)
+[ -z "$fqdn" ] \
+ || [ "$maildomain" = "$fqdn" ] \
+ || extradomains=${extradomains:+$extradomains }$fqdn
+domain=$(hostname --domain)
+[ -z "$domain" ] \
+ || [ "$maildomain" = "$domain" ] \
+ || [ "$fqdn" = "$domain" ] \
+ || extradomains=${extradomains:+$extradomains }$domain
+[ -z "$maildomain" ] \
+ || grep ^"$maildomain" /etc/dehydrated/domains.txt \
+ || dehydrated --cron --domain "$maildomain $extradomains" --algo rsa
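Review bot: `extradomains` is never initialised, so under `set -eu` the plain `$extradomains` in the final `dehydrated --cron --domain` call aborts the job whenever neither `$fqdn` nor `$domain` was appended. A value inherited from the environment would also be added to the certificate request, so put `extradomains=` ahead of the first `[ -z "$fqdn" ]` test. The `grep ^"$maildomain"` check treats the name as a regex with no end anchor, so `mail.example.org` (constructed example) also matches a line starting with `mail.example.org.uk`; the RSA certificate is then silently never requested, and the matched line is printed for cron to mail. An exact first-field comparison avoids both: `awk -v d="$maildomain" '$1 == d {f=1} END {exit !f}' /etc/dehydrated/domains.txt`. The nested `$(cat /etc/local-ORG/realm)` is also unquoted, so a realm file containing whitespace would split the path passed to the outer `cat`.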