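#!/bin/bash
# Remove old Let's Encrypt certs.
#
# Marker files under TSTMPDIR hold three generations (new/current/old) of the
# renewal timestamp and of the imapd cert hash. This script deletes the cert
# and key copies that carry the *current* timestamp from the service
# directories, then shifts the marker files one generation.
#
# Every value read back from a marker file is validated before it is used to
# build a path or passed to another command: a timestamp must be a plain
# decimal number and a hash must be a bare file name (no '/', not '.' or
# '..'). Anything else is refused, so a tampered or corrupted marker file
# cannot steer the rm calls outside the intended directories.

# Files and dirs
# Source dir
SRCDIR="/var/lib/dehydrated/certs/sput.nl"

# Time stamps
TSTMPDIR="/var/local/lib/certs"
NEWTSFILE="${TSTMPDIR}/new-timestamp"
CURTSFILE="${TSTMPDIR}/current-timestamp"
OLDTSFILE="${TSTMPDIR}/old-timestamp"

# Imapd cert hashes
NEWHSFILE="${TSTMPDIR}/new-hash"
CURHSFILE="${TSTMPDIR}/current-hash"
OLDHSFILE="${TSTMPDIR}/old-hash"

# Set later
CERTDIR=""
CERT=""
CURIMAPDHASH=""
KEY=""
NEWIMAPDHASH=""

# Time stamps
OLDTS=0
TIMESTAMP=0

#######################################
# Check that a value read from a marker file is a decimal timestamp.
# Arguments: $1 - candidate value
# Returns:   0 if $1 consists of one or more digits, 1 otherwise
#######################################
is_timestamp() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# Check that a value read from a marker file can be used as a bare file name
# inside CERTDIR, i.e. it cannot escape the directory.
# Arguments: $1 - candidate value
# Returns:   0 if non-empty, free of '/', and neither '.' nor '..'; 1 otherwise
#######################################
is_bare_name() {
  [[ -n "$1" && "$1" != */* && "$1" != . && "$1" != .. ]]
}

#######################################
# Remove the current cert and key from one service directory.
# Globals:   CERTDIR, CERT, KEY (read)
# Outputs:   a message on stdout for each path that does not exist
# Returns:   exit status of the last command run
#######################################
remove_certs() {
  local file
  if ! [ -d "${CERTDIR}/" ]; then
    echo "Directory ${CERTDIR}/ not found"
    return
  fi
  for file in "${CERT}" "${KEY}"; do
    if [ -f "${CERTDIR}/${file}" ]; then
      rm -- "${CERTDIR}/${file}"
    else
      echo "File ${file} not found"
    fi
  done
}

# Basic checks
if ! [ -d "${TSTMPDIR}/" ]; then
  echo "Directory ${TSTMPDIR}/ not found"
  echo "Old cert not removed"
  exit 1
fi
if ! [ -f "${NEWTSFILE}" ]; then
  echo "New timestamp file not found"
  echo "Old cert not removed"
  exit 1
fi

# Current timestamp
if [ -f "${CURTSFILE}" ]; then
  TIMESTAMP=$(< "${CURTSFILE}")
else
  echo "Old timestamp file not found"
  echo "Old cert not removed"
  # Probably first time; Prepare for next time
  mv -- "${NEWTSFILE}" "${CURTSFILE}"
  if [ -f "${NEWHSFILE}" ]; then
    mv -- "${NEWHSFILE}" "${CURHSFILE}"
  else
    echo "New imapd hash file not found"
  fi
  exit 1
fi

# The timestamp becomes part of every file name removed below and is handed to
# date(1); refuse anything that is not a plain number.
if ! is_timestamp "${TIMESTAMP}"; then
  echo "Current timestamp file does not contain a timestamp: ${CURTSFILE}" >&2
  echo "Old cert not removed"
  exit 1
fi

# If we got this far there are indeed old certs

# Current and new imapd cert hashes
if [ -f "${CURHSFILE}" ]; then
  CURIMAPDHASH=$(< "${CURHSFILE}")
else
  echo "Old imapd hash file not found"
fi
if [ -f "${NEWHSFILE}" ]; then
  NEWIMAPDHASH=$(< "${NEWHSFILE}")
else
  echo "New imapd hash file not found"
fi

# A hash is used as a file name inside CERTDIR; an unusable value is dropped,
# which skips the link removal below exactly as a missing hash file would.
if [ -n "${CURIMAPDHASH}" ] && ! is_bare_name "${CURIMAPDHASH}"; then
  echo "Ignoring unusable imapd hash in ${CURHSFILE}" >&2
  CURIMAPDHASH=""
fi
if [ -n "${NEWIMAPDHASH}" ] && ! is_bare_name "${NEWIMAPDHASH}"; then
  echo "Ignoring unusable imapd hash in ${NEWHSFILE}" >&2
  NEWIMAPDHASH=""
fi

# Current cert files
CERT="fullchain-${TIMESTAMP}.pem"
KEY="privkey-${TIMESTAMP}.pem"

# Notification
printf 'Removing files from: '
date -d "@${TIMESTAMP}" || echo "(timestamp ${TIMESTAMP})"

# Apache
CERTDIR="/etc/apache2/ssl"
remove_certs

# Asterisk
CERTDIR="/etc/asterisk"
remove_certs

# Exim
CERTDIR="/etc/exim4"
remove_certs

# Imapd cert
CERTDIR="/etc/ssl/certs"
IMAPDCERT="imapd-${TIMESTAMP}.pem"
if [ -f "${CERTDIR}/${IMAPDCERT}" ]; then
  rm -- "${CERTDIR}/${IMAPDCERT}"
else
  echo "File ${IMAPDCERT} not found"
fi

# Imapd cert hash
if [ -n "${CURIMAPDHASH}" ] && [ -n "${NEWIMAPDHASH}" ]; then
  # Both current and new hashes are set
  if [ "${CURIMAPDHASH}" == "${NEWIMAPDHASH}" ]; then
    echo "Imapd cert hash not changed"
  elif [ -L "${CERTDIR}/${CURIMAPDHASH}" ]; then
    # Only a symlink is removed; a regular file under that name is left alone.
    rm -- "${CERTDIR}/${CURIMAPDHASH}"
  else
    echo "Link ${CURIMAPDHASH} not found"
  fi
fi

# Done; Update timestamp files
if [ -f "${OLDTSFILE}" ]; then
  OLDTS=$(< "${OLDTSFILE}")
  rm -- "${OLDTSFILE}"
  # OLDTS is used to name the files removed from SRCDIR below.
  if ! is_timestamp "${OLDTS}"; then
    echo "Ignoring unusable timestamp in ${OLDTSFILE}" >&2
    OLDTS=0
  fi
fi
mv -- "${CURTSFILE}" "${OLDTSFILE}"
mv -- "${NEWTSFILE}" "${CURTSFILE}"

# Update hash files
if [ -f "${OLDHSFILE}" ]; then
  rm -- "${OLDHSFILE}"
fi
if [ -f "${CURHSFILE}" ]; then
  mv -- "${CURHSFILE}" "${OLDHSFILE}"
fi
if [ -f "${NEWHSFILE}" ]; then
  mv -- "${NEWHSFILE}" "${CURHSFILE}"
fi

# Remove the next line when fully tested;
# Until then the script stops here and the dehydrated source files are kept.
exit 0

# Remove old files
if [ "${OLDTS}" -ne 0 ] && [ -d "${SRCDIR}/" ]; then
  # Without the exit guard a failed cd would run the rm calls in the
  # current working directory instead.
  cd "${SRCDIR}/" || exit 1
  rm -- "cert-${OLDTS}.csr"
  rm -- "cert-${OLDTS}.pem"
  rm -- "chain-${OLDTS}.pem"
  rm -- "fullchain-${OLDTS}.pem"
  rm -- "privkey-${OLDTS}.pem"
fi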