#!/bin/sh
# Certbot service with automatic nginx reload
# This script runs continuously, checking for certificate renewals every 12 hours.
# Uses --deploy-hook to reload nginx only when certificates are actually renewed.
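set -e

echo "Starting certbot service with nginx auto-reload..."

# Install the docker CLI; the deploy hook below uses it to reach the nginx
# container.
# NOTE(review): this presumably relies on the Docker socket (or another Docker
# API endpoint) being exposed to this container by configuration outside this
# script. Access to the Docker API is effectively root on the host, so confirm
# that exposure is intended and as narrow as possible (e.g. a filtering proxy
# that only allows container list/exec).
echo "Installing docker-cli..."
# Only stdout is silenced. stderr stays visible so a failed install (no
# network, bad repository) is diagnosable instead of `set -e` ending the
# script without any message.
apk add --no-cache docker-cli > /dev/null || {
  rc=$?
  echo "ERROR: failed to install docker-cli (apk exit code ${rc})" >&2
  exit "$rc"
}
echo "docker-cli installed successfully"

# Exit cleanly on SIGTERM (e.g. container stop).
trap exit TERM

# Main loop - runs forever: one renewal check, then a 12 hour pause.
while :; do
  echo "Running certbot renew at $(date)..."

  # certbot runs the --deploy-hook only when a certificate was actually
  # renewed, so nginx is not reloaded on checks that renew nothing.
  #
  # The hook text is double-quoted, so every \$ and \" is escaped to defer
  # expansion until certbot runs the hook rather than when this script starts.
  #
  # NOTE(review): the `name=nginx` filter matches any running container whose
  # name contains "nginx", and `head -1` takes whichever is listed first. With
  # more than one match the `docker exec` may land in the wrong container;
  # a unique container name or label would make the target unambiguous.
  if certbot renew --deploy-hook "
    echo 'Certificate renewed, reloading nginx...'
    NGINX_ID=\$(docker ps -q -f 'name=nginx' | head -1)
    if [ -n \"\$NGINX_ID\" ]; then
      if docker exec \"\$NGINX_ID\" nginx -s reload; then
        echo 'nginx reloaded successfully'
      else
        echo 'ERROR: Failed to reload nginx' >&2
      fi
    else
      echo 'WARNING: Could not find nginx container' >&2
    fi
  "; then
    echo "certbot renewal check completed at $(date)"
  else
    # A failed renewal run is logged but must not stop the service; the next
    # iteration retries.
    echo "ERROR: certbot renewal FAILED at $(date)" >&2
  fi

  echo "Next check in 12 hours..."
  echo "---"

  # Sleep in the background and wait on it: the shell runs the TERM trap as
  # soon as `wait` is interrupted, instead of only after a foreground sleep
  # has finished.
  sleep 12h &
  wait "$!"
done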