From c36ae7f6a4669ebd89e742cde0c4f29980325c1e Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 19:31:01 -0500
Subject: [PATCH 1/6] Added renewal scripts and such
---
 files/certbot-renewal.service | 10 ++++++++++
 files/certbot-renewal.sh | 27 +++++++++++++++++++++++++++
 files/certbot-renewal.timer | 12 ++++++++++++
 tasks/deploy_renewal.yml | 26 ++++++++++++++++++++++++++
 tasks/main.yml | 2 ++
 5 files changed, 77 insertions(+)
 create mode 100644 files/certbot-renewal.service
 create mode 100644 files/certbot-renewal.sh
 create mode 100644 files/certbot-renewal.timer
 create mode 100644 tasks/deploy_renewal.yml
diff --git a/files/certbot-renewal.service b/files/certbot-renewal.service
new file mode 100644
index 0000000..a55309e
--- /dev/null
+++ b/files/certbot-renewal.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs certbot renew
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/scripts/certbot-renewal.sh
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
new file mode 100644
index 0000000..8cdc30e
--- /dev/null
+++ b/files/certbot-renewal.sh
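Review bot: The `[Install]` section with `WantedBy=multi-user.target` on the new service makes a timer-driven oneshot independently enableable at boot; `deploy_renewal.yml` only enables the timer, so this is latent today, but a later `systemctl enable certbot-renewal.service` would add an unscheduled run on every boot on top of the timer's `OnBootSec=10min`. I would drop the `[Install]` section from the service entirely, or add a comment such as `# Triggered by certbot-renewal.timer; do not enable this unit directly` above `[Unit]`. `ExecStart=/scripts/certbot-renewal.sh` depends on the script's shebang and execute bit, which the playbook's `mode: '0754'` provides — worth stating in the same comment so the two files are not changed independently.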
@@ -0,0 +1,27 @@
+#! /bin/bash
+dom=`date +%d`
+today=`date +%Y%m%d`
+for f in `ls /etc/letsencrypt/live/ --ignore "README"`
+do
+ echo Checking $f
+ #check if cert has already expired or will expire within the next two days and renew if applicable
+ expires=`echo `openssl x509 -enddate -noout -in /etc/letsencrypt/live/$f/cert.pem` " - 2 day" | grep -Po "(?<=notAfter=).*" | date +%Y%m%d -f -`
+ if [[ $today > $expires ]]
+ then
+ echo Certificate for $f is expired, renewing
+ certbot renew --cert-name $f --dry-run >> /var/log/certbot-renewal.log
+ fi
+ #convert hostname into day of month between 0 and 28 to renew on specific day of month (reduce chance of running out of cert renewals)
+ hash=$(echo $f| md5sum)
+ num=$((0x${hash%% *}))
+ for d in {0..2}
+ do
+ rdate=$(((${num#-}+$d)%28+1))
+ if [[ $dom -eq $rdate ]]
+ then
+ echo Date falls within renewal window for $f, attempting renewal
+ certbot renew --cert-name $f --dry-run >> /var/log/certbot-renewal.log
+ break
+ fi
+ done
+done
\ No newline at end of file
diff --git a/files/certbot-renewal.timer b/files/certbot-renewal.timer
new file mode 100644
index 0000000..0d3c949
--- /dev/null
+++ b/files/certbot-renewal.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Runs certbot-renewal once per day
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=1d
+Unit=certbot-renewal.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tasks/deploy_renewal.yml b/tasks/deploy_renewal.yml
new file mode 100644
index 0000000..c471c80
--- /dev/null
+++ b/tasks/deploy_renewal.yml
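Review bot: The `date +%d` assigned to `dom` is zero-padded, so `[[ $dom -eq $rdate ]]` further down hands `08` and `09` to bash arithmetic, where a leading zero means octal and both raise "value too great for base"; the test then fails and no renewal-window check runs on the 8th and 9th of any month. `dom=$(date +%-d)` (or comparing `$((10#$dom))`) fixes it. Separately, iterating over the output of `ls /etc/letsencrypt/live/ --ignore "README"` and using `$f` unquoted in every `echo`, path and `--cert-name` is the usual word-splitting/globbing trap; iterating the directories directly, `for d in /etc/letsencrypt/live/*/; do f=${d%/}; f=${f##*/}` with `"$f"` quoted throughout, removes the `ls` parsing and the README special case. As far as I know `certbot renew` already skips certificates that are not yet due, so the hash-based day-of-month spread only decides when an attempt is made, not whether an early renewal happens — that would be worth stating in the `#convert hostname` comment so the two-day expiry branch and the spread are not read as competing mechanisms.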
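Review bot: `WantedBy=multi-user.target` in the timer's `[Install]` section should be `timers.target`, the target systemd starts timers from. With `OnBootSec` and `OnUnitActiveSec` the schedule is monotonic, so the daily run drifts by the boot time after each reboot and a run missed while the host is down is not made up. `OnCalendar=daily` together with `Persistent=true` and a `RandomizedDelaySec` would give a predictable run that catches up after downtime and spreads load on the ACME endpoint, which matters more once `--dry-run` is removed.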
@@ -0,0 +1,26 @@
+# deploy_renewal.yml
+---
+- name: deploy certbot renewal script
+ ansible.builtin.copy:
+ src: files/certbot-renewal.sh
+ dest: /scripts/certbot-renewal.sh
+ mode: '0754'
+
+- name: deploy certbot renewal service
+ ansible.builtin.copy:
+ src: files/certbot-renewal.service
+ dest: /usr/lib/systemd/system/certbot-renewal.service
+ mode: '0644'
+
+- name: deploy certbot renewal timer
+ ansible.builtin.copy:
+ src: files/certbot-renewal.timer
+ dest: /usr/lib/systemd/system/certbot-renewal.timer
+ mode: '0644'
+
+- name: ensure certbot renewal script is running
+ service:
+ name: certbot-renewal.timer
+ state: started
+ daemon_reload: true
+ enabled: yes
diff --git a/tasks/main.yml b/tasks/main.yml
index ad4f4f4..c6e063c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -9,3 +9,5 @@
 - include_tasks: generate_cert.yml
 loop: "{{ domains }}"
+# deploy renewal script, service and timer for host
+- include_tasks: deploy_renewal.yml
-- 
2.49.0
From 23fb4cec182916085621b9c46beb380375fca5f0 Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 19:40:20 -0500
Subject: [PATCH 2/6] improved logging
---
 files/certbot-renewal.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
index 8cdc30e..52dff70 100644
--- a/files/certbot-renewal.sh
+++ b/files/certbot-renewal.sh
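Review bot: Both unit files are copied to `/usr/lib/systemd/system/`, which is the vendor/package directory; locally managed units belong in `/etc/systemd/system/`, where they take precedence and are not touched by package upgrades that rewrite the vendor tree. `ansible.builtin.copy` does not create a missing parent directory, so the first task fails unless `/scripts` already exists — add an `ansible.builtin.file` task with `path: /scripts` and `state: directory` ahead of it, unless the role creates that directory somewhere I cannot see from this patch. The last task passes `daemon_reload: true` to `service:`, but that is a parameter of `ansible.builtin.systemd`; naming that module explicitly for the timer makes the reload guaranteed rather than dependent on the generic module forwarding an argument it does not document.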
@@ -1,14 +1,16 @@
 #! /bin/bash
 dom=`date +%d`
 today=`date +%Y%m%d`
+log=/var/log/certbot-renewal.log
+echo Renewal attempt for $today >> $log
 for f in `ls /etc/letsencrypt/live/ --ignore "README"`
 do
- echo Checking $f
+ echo Checking $f >> $log
 #check if cert has already expired or will expire within the next two days and renew if applicable
 expires=`echo `openssl x509 -enddate -noout -in /etc/letsencrypt/live/$f/cert.pem` " - 2 day" | grep -Po "(?<=notAfter=).*" | date +%Y%m%d -f -`
 if [[ $today > $expires ]]
 then
- echo Certificate for $f is expired, renewing
+ echo Certificate for $f is expired, renewing >> $log
 certbot renew --cert-name $f --dry-run >> /var/log/certbot-renewal.log
 fi
 #convert hostname into day of month between 0 and 28 to renew on specific day of month (reduce chance of running out of cert renewals)
@@ -19,8 +21,8 @@ do
 rdate=$(((${num#-}+$d)%28+1))
 if [[ $dom -eq $rdate ]]
 then
- echo Date falls within renewal window for $f, attempting renewal
- certbot renew --cert-name $f --dry-run >> /var/log/certbot-renewal.log
+ echo Date falls within renewal window for $f, attempting renewal >> $log
+ certbot renew --cert-name $f --dry-run >> $log
 break
 fi
 done
-- 
2.49.0
From abfbe7318629f1453dbc9e4245adabbbe89a2e22 Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 19:51:05 -0500
Subject: [PATCH 3/6] fixed expires variable
---
 files/certbot-renewal.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
index 52dff70..a5d87fb 100644
--- a/files/certbot-renewal.sh
+++ b/files/certbot-renewal.sh
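Review bot: The redirects added in this commit only capture stdout, so `certbot renew ... >> $log` still sends certbot's error output to the journal and a failed renewal leaves "attempting renewal" in the log file with nothing after it. Appending `2>&1` to both `certbot renew` lines keeps failures in the same file the `echo` lines go to. In the first hunk the `certbot renew` line still redirects to the literal `/var/log/certbot-renewal.log` rather than `$log`, so a later change to `log=` would split output across two files; the second hunk already uses `$log`. Both enclosing loops start and end outside these hunks.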
@@ -7,7 +7,7 @@ for f in `ls /etc/letsencrypt/live/ --ignore "README"`
 do
 echo Checking $f >> $log
 #check if cert has already expired or will expire within the next two days and renew if applicable
- expires=`echo `openssl x509 -enddate -noout -in /etc/letsencrypt/live/$f/cert.pem` " - 2 day" | grep -Po "(?<=notAfter=).*" | date +%Y%m%d -f -`
+ expires=$(echo `openssl x509 -enddate -noout -in /etc/letsencrypt/live/$f/cert.pem` " - 2 day" | grep -Po "(?<=notAfter=).*" | date +%Y%m%d -f -)
 if [[ $today > $expires ]]
 then
 echo Certificate for $f is expired, renewing >> $log
-- 
2.49.0
From 4a4275cb0c117863b647aa408da8fa1f37a9971d Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 19:58:34 -0500
Subject: [PATCH 4/6] remove dry-run
---
 files/certbot-renewal.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
index a5d87fb..c2ecb69 100644
--- a/files/certbot-renewal.sh
+++ b/files/certbot-renewal.sh
@@ -11,7 +11,8 @@ do
 if [[ $today > $expires ]]
 then
 echo Certificate for $f is expired, renewing >> $log
- certbot renew --cert-name $f --dry-run >> /var/log/certbot-renewal.log
+ certbot renew --cert-name $f >> /var/log/certbot-renewal.log
+ continue
 fi
 #convert hostname into day of month between 0 and 28 to renew on specific day of month (reduce chance of running out of cert renewals)
 hash=$(echo $f| md5sum)
@@ -22,7 +23,7 @@ do
 if [[ $dom -eq $rdate ]]
 then
 echo Date falls within renewal window for $f, attempting renewal >> $log
- certbot renew --cert-name $f --dry-run >> $log
+ certbot renew --cert-name $f >> $log
 break
 fi
 done
-- 
2.49.0
From fb45d990e190f04f796995772ff9c5e9a3ca8874 Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 20:00:26 -0500
Subject: [PATCH 5/6] add log file rotation
---
 files/certbot-renewal.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
index c2ecb69..463881e 100644
--- a/files/certbot-renewal.sh
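Review bot: The rewritten `expires=` line still round-trips the expiry through `grep -Po` and GNU `date -f -`, and if openssl fails (missing or unreadable `cert.pem`) `expires` is empty, so the following `[[ $today > $expires ]]` is true and the branch logs "expired" for a certificate it never inspected. openssl can evaluate the two-day window itself: `if ! openssl x509 -checkend 172800 -noout -in "/etc/letsencrypt/live/$f/cert.pem"; then` replaces both the `expires=` line and the `if` line, and returns non-zero both when the certificate expires within 172800 s and when the file cannot be read, which makes the current fail-toward-renewal behaviour explicit instead of accidental. The enclosing `for` loop starts and ends outside the hunk.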
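Review bot: Neither `certbot renew --cert-name $f` call in this commit checks its exit status, so with `--dry-run` gone a failed production renewal looks the same in the log as a successful one and is not reflected in the script's exit status, which keeps the timer's last run green. Capture it on both lines, e.g. `certbot renew --cert-name "$f" >> "$log" 2>&1 || echo "renewal of $f failed (exit $?)" >> "$log"`, and consider tracking a failure flag to return at the end of the script so systemd reports the unit as failed. The `continue` added after the first call is correct — it stops the same name from being handed to certbot a second time by the day-of-month loop below — and deserves a one-line comment saying so.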
+++ b/files/certbot-renewal.sh
@@ -3,6 +3,8 @@ dom=`date +%d`
 today=`date +%Y%m%d`
 log=/var/log/certbot-renewal.log
 echo Renewal attempt for $today >> $log
+#rotate log file every month
+if [[ $dom = 1 ]];then mv $log $log.bak;fi
 for f in `ls /etc/letsencrypt/live/ --ignore "README"`
 do
 echo Checking $f >> $log
-- 
2.49.0
From aa02ee6103bdae1c09815d9979b9a8baf80ab524 Mon Sep 17 00:00:00 2001
From: Beth
Date: Sat, 22 Mar 2025 20:14:26 -0500
Subject: [PATCH 6/6] reload nginx when cert tries to renew
---
 files/certbot-renewal.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/files/certbot-renewal.sh b/files/certbot-renewal.sh
index 463881e..f035826 100644
--- a/files/certbot-renewal.sh
+++ b/files/certbot-renewal.sh
@@ -1,4 +1,12 @@
 #! /bin/bash
+function reload() {
+ #reload/restart relevant services
+ if [ -d /etc/nginx/certs/ ]
+ then
+ systemctl reload nginx
+ fi
+}
+
 dom=`date +%d`
 today=`date +%Y%m%d`
 log=/var/log/certbot-renewal.log
@@ -14,6 +22,7 @@ do
 then
 echo Certificate for $f is expired, renewing >> $log
 certbot renew --cert-name $f >> /var/log/certbot-renewal.log
+ reload()
 continue
 fi
 #convert hostname into day of month between 0 and 28 to renew on specific day of month (reduce chance of running out of cert renewals)
@@ -26,6 +35,7 @@ do
 then
 echo Date falls within renewal window for $f, attempting renewal >> $log
 certbot renew --cert-name $f >> $log
+ reload()
 break
 fi
 done
-- 
2.49.0
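Review bot: `[[ $dom = 1 ]]` on the new line is a string comparison, and the `date +%d` visible in the hunk header is zero-padded, so on the first of the month `dom` is `01`, the test is never true and the log is never rotated; `if (( 10#$dom == 1 )); then mv -- "$log" "$log.bak"; fi` (or `date +%-d` at the assignment) fixes it. The rotation is also placed after `echo Renewal attempt for $today >> $log` has already appended, so on rotation day the first entry of the new month would be moved into the backup — put the `if` before that echo. `mv $log $log.bak` overwrites the previous backup, so only one month of history is kept; if that is intended, say so in the `#rotate log file every month` comment.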
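Review bot: `reload()` on the two added call sites is not a function call; in bash `name()` starts a function definition, so `reload()` followed by `continue` (and, in the last hunk, by `break`) is a syntax error, the `for` loop containing them fails to parse and no certificate is checked at all — presumably the job has not completed since this commit. The call is simply `reload`. Inside the new function, `[ -d /etc/nginx/certs/ ]` only proves a directory exists, not that nginx is running, so `systemctl reload nginx` returns non-zero on a host where it is installed but stopped; guarding with `systemctl is-active --quiet nginx` avoids that noise. Certbot's `--deploy-hook` option would run the reload only when a certificate was actually renewed rather than on every attempt, which is worth noting in the `#reload/restart relevant services` comment as the intended follow-up.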