mirror of
https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion
synced 2024-09-26 22:10:55 +02:00
Add cert_status script
Displays useful information about the existing certificates.
parent
0312525a27
commit
fa837ba143
10
README.md
10
README.md
@ -168,13 +168,21 @@ If you want to create test certificates that don't have the 5 certs/week/domain
|
||||
Every hour (3600 seconds) the certificates are checked and every certificate that will expire in the next [30 days](https://github.com/kuba/simp_le/blob/ecf4290c4f7863bb5427b50cdd78bc3a5df79176/simp_le.py#L72) (90 days / 3) are renewed.
|
||||
|
||||
##### Force certificates renewal
|
||||
|
||||
If needed, you can force a running letsencrypt-nginx-proxy-companion container to renew all certificates that are currently in use. Replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container in the following command:
|
||||
|
||||
```bash
|
||||
$ docker exec nginx-letsencrypt /app/force_renew
|
||||
```
|
||||
|
||||
##### Force certificates renewal
|
||||
To display informations about your existing certificates, use the following command:
|
||||
|
||||
```bash
|
||||
$ docker exec nginx-letsencrypt /app/cert_status
|
||||
```
|
||||
|
||||
As for the forced renewal command, replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container.
|
||||
|
||||
##### ACME account keys
|
||||
By default the container will save the first ACME account key created for each ACME API endpoint used, and will reuse it for all subsequent authorizations and issuances requests made to this endpoint. This behavior is enabled by default to avoid running into Let's Encrypt account [rate limits](https://letsencrypt.org/docs/rate-limits/).
|
||||
|
||||
|
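--- /dev/null
+++ b/app/cert_status
@@ -0,0 +1,58 @@
+#!/bin/bash
+function print_cert_info {
+local enddate
+local subject
+local san_str
+
+# Get the wanted informations with OpenSSL.
+issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN=\(.*\)/\1/p')"
+enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
+subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN=\([a-z0-9.-]*\)/- \1/p')"
+san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
+
+echo "Certificate was issued by $issuer"
+echo "Certificate is valid until $enddate"
+echo "Subject Name:"
+echo "$subject"
+
+# Display the SAN info only if there is more than one SAN domain.
+while IFS=',' read -ra SAN; do
+if [[ ${#SAN[@]} -gt 1 ]]; then
+echo "Subject Alternative Name:"
+for domain in "${SAN[@]}"; do
+echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
+done
+fi
+done <<< "$san_str"
+}
+
+echo '##### Certificate status #####'
+for cert in /etc/nginx/certs/*/fullchain.pem; do
+[[ -e "$cert" ]] || continue
+# Verify the certificate with OpenSSL.
+openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert"
+
+# Print certificate info.
+print_cert_info "$cert"
+
+# Find the .crt files in /etc/nginx/certs which are
+# symlinks pointing to the current certificate.
+unset symlinked_domains
+for symlink in /etc/nginx/certs/*.crt; do
+[[ -e "$symlink" ]] || continue
+if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
+domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
+symlinked_domains+=("$domain")
+fi
+done
+
+# Display symlinks pointing to the current cert if there is any.
+if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
+echo "Certificate is used by the following domain(s):"
+for domain in "${symlinked_domains[@]}"; do
+echo "- $domain"
+done
+fi
+
+echo '##############################'
+done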
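Review bot: The exit status of `openssl verify` in the main loop is discarded, so a certificate that fails verification (for example expired, or not chaining to `chain.pem`) is still followed by the normal info block and the script exits 0, which makes it unreliable as a health check run through `docker exec`. Consider recording the failure with `openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" || failed=1` and ending the script with `exit "${failed:-0}"`. Keep in mind that `openssl verify` evaluates only the first certificate in `fullchain.pem`, and unless the default trust paths are disabled it presumably still depends on the container's system CA store to reach a root. In `print_cert_info`, `issuer` is assigned without being declared `local` (unlike `enddate`, `subject` and `san_str`), and `SAN` and `domain` leak into the global scope the same way even though `domain` is also used by the caller's loop; adding `local issuer domain` and `local -a SAN` would keep the function self-contained.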