bash - 在共享主机上自动生成和更新 SSL

shell 通过在空格上拆分将每一行解析为标记。[[内置 with的语法=~要求每一侧都有一个标记。您可以通过在每个不是标记分隔符的空白字符前面放置反斜杠或引用应该是单个标记的序列来防止在空格上拆分。

  if [[ $certificate =~ (.*)"Certificate will expire" ]]; then

除此之外，您在这里真的不需要正则表达式。（如果你确实使用了一个，那么括号.*是多余的。事实上，整体.*是多余的。）

  if [[ $certificate = *"Certificate will expire"* ]]; then

除此之外，您尝试复制的脚本还有许多其他问题，尽管问题更小。可能只是尝试找到一个更好的博客来复制/粘贴。

这是一个快速重构，希望使脚本更惯用，但我可能错过了一些问题，并且没有任何方法来测试它。

#!/bin/bash

# Don't use uppercase for private variables
renew=22

# For diagnostic messages
me=${0##*/}

# Parametrize domain name
dom="yourserver.com"
email="email@example.org"

# Don't echo so much junk
# (I will silently drop the other junk output without comment)
# echo "======================================="
# Fix date formatting, print diagnostic to stderr
date "+$me: %c START" >&2
# Use a unique temp file to avoid symlink attacks and concurrency problems
t=$(mktemp -t letsencryptCA.XXXXXXXXXX.crt) || exit
# Clean it up when we are done
trap 'rm -f "$t"' ERR EXIT
wget -O "$t" https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

# Avoid obsolete $[ ... ] math syntax
# Avoid superfluous echo |
# Don't write stderr to a junk file
# Maybe add 2>/dev/null on the first openssl if this is too noisy
certificate=$(openssl s_client -servername "$dom" -connect "$dom":443 </dev/null | 
              openssl x509 -checkend $((86400 * $renew)) -enddate)
# Indentation fixes
if [ "$certificate" == "" ]; then
    # Error messages indicate script's name, and go to standard error
    # Include domain name in error message
    # Fixed throughout below
    echo "$me: Error: unable to check $dom certificate" >&2
    # Exit with an error, too
    exit 123
else
    # Quote string
    # Move this outside the conditional, to avoid repeated code
    echo "$certificate"

    # Fix comparison
    if [[ $certificate = *"Certificate will expire"* ]]; then

        echo "$me: $dom certificate needs to be renewed" >&2
    
        # No idea here, assume this is okay
        # Wrap horribly long command though
        certbot certonly --non-interactive --staple-ocsp \
            --email "$email" -d "$dom" -d "www.$dom" \
            --agree-tos --manual \
            --manual-auth-hook /path/toyour/scripts/letsencryptauth.sh \
            --manual-cleanup-hook /path/toyour/scripts/letsencryptclean.sh
        echo "$me: $dom cert process completed, now uploading it to CPanel" >&2
    
        # Weird indentation fixed again
        USER='cpanel username' PASS='cpanelpassword' EMAIL="$email" \
        /usr/bin/php /path/toyour/scripts/sslic.php "$dom" \
            /etc/letsencrypt/live/"$dom"/cert.pem \
            /etc/letsencrypt/live/"$dom"/privkey.pem "$t"
        echo "$me: $dom upload to cpanel process complete" >&2
    
    else
        echo "$me: $dom cert does not need to be renewed" >&2
    fi
fi
# Fix date formatting, print diagnostic to stderr
date "+$me: %c END" >&2

的%c格式说明符date包括年份，原始代码省略了它。我认为这个改变是一个特性而不是一个错误。

仍然有很多硬编码路径等可能应该更好地参数化。

来自的 stderr 输出openssl足够适中，我认为我们绝对不需要丢弃它；另一方面，将其转储到临时文件中几乎肯定会在实际出现问题时隐藏有用的诊断信息（网络关闭或其他）。

tripleee$ openssl s_client -servername www.stackoverflow.com \
>   -connect www.stackoverflow.com:443 </dev/null >/dev/null
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1