Certbot update hook and Tigase API

For greater automation it’s possible to automate updating certificate obtained with certbot in Tigase XMPP Server. You should use following deploy hook - either add it to /etc/letsencrypt/renewal-hooks/deploy/ or use it directly in certboot commandline with --deploy-hook parameter (in the latter case, it will be added to particular domain configuration so it’s not necessary to specify UPDATE_DOMAINS).

Note

Please adjust account credentials used for deployment (USER, PASS, DOMAIN) as well as paths to Let’s Encrypt certificates (ISRG Root X1 named isrgrootx1.pem and Let’s Encrypt Authority X3 named letsencryptauthorityx3.pem) 

#!/bin/bash

set -e

## Configuration START

USER="admin_username"
PASS="admin_password"
DOMAIN="my_domain.tld"
HOST=${DOMAIN}
#UPDATE_DOMAINS=(${DOMAIN})
# PORT=":8080"
# APIKEY="?api-key=mySecretKey"
LE_CERTS_PATH="/path/to/letsencrypt/CA/certificates/"

## Configuration END

fail_count=0

for domain in ${RENEWED_DOMAINS[@]}; do
	if [[ $domain == "*."* ]]; then
		CERT_DOMAIN=${domain#*\*.}
	else
		CERT_DOMAIN=${domain}
	fi

    if [[ ! -z "${UPDATE_DOMAINS}" ]] ; then
        match=0
        for dn in "${UPDATE_DOMAINS[@]}"; do
            if [[ $dn = "$CERT_DOMAIN" ]]; then
                match=1
                break
            fi
        done
        if [[ $match = 0 ]]; then
            echo "Skipping updating ${domain} because it's not in the list of supported domains: ${UPDATE_DOMAINS[@]}"
            continue
        fi
    fi

    CERT=`cat "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/privkey.pem" ${LE_CERTS_PATH}/isrgrootx1.pem ${LE_CERTS_PATH}/letsencryptauthorityx3.pem`

	REQUEST="
	<command>
	  <node>ssl-certificate-add</node>
	  <fields>
		<item>
		  <var>Certificate in PEM format</var>
		  <value>${CERT}</value>
		</item>
		<item>
		  <var>command-marker</var>
		  <value>command-marker</value>
		</item>
		<item>
		  <var>VHost</var>
		  <value>${CERT_DOMAIN}</value>
		</item>
		<item>
		  <var>Save to disk</var>
		  <value>true</value>
		</item>
	  </fields>
	</command>"

	response=`curl -s -L -H "Content-Type: text/xml" -X POST  http://${USER}%40${DOMAIN}:${PASS}@${HOST}${PORT}/rest/adhoc/vhost-man@${DOMAIN}${APIKEY} -d "${REQUEST}"`

    if [[ ! ${response} = *"loaded successfully"* ]] ; then
        echo -e "Server returned error while updating   ${domain}   certificate:\n ${response}"
        fail_count=$((${fail_count}+1))
    else
        echo "Correctly updated ${domain} certificate"
    fi
done

exit ${fail_count}

Note

If you are not using wildcard certificate when you have to provide certificate for main domain as well as certificates for subdomains that mach all components that you want to expose (muc, pubsub, push, etc…)

Prev  Up  Next
  Home