forked from gregtwallace/certificate-scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cw-media-server-plex.sh
98 lines (76 loc) · 2.95 KB
/
cw-media-server-plex.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/bin/bash
# Script converts key/cert into pfx and then updates the plex
# certificate and the neginx certificate. It also restarts the
# plex and nginx services.
# This script should be securely placed with limited access
# (e.g. owned by root with permissions of 700) to avoid
# compromising the API Keys
# ECDSA Keys ARE supported
## Recommended cron -- run at boot (in case system was powered off
# during a renewal, and run weekly)
# Pick any time you like. This time was arbitrarily selected.
# sudo crontab -e
# @reboot sleep 15 && /script/path/here
# 5 4 * * 2 /script/path/here
## Set VARs in accord with environment
cert_apikey=<cert API key>
key_apikey=<key API key>
# server hosting key/cert
server=certdp.local:port
# name of the key/cert (as it is on server)
cert_name=plex.example.com
# URL paths
api_cert_path=certwarden/api/v1/download/certificates/$cert_name
api_key_path=certwarden/api/v1/download/privatekeys/$cert_name
# local user who will own the plex cert
plex_user=plex
# local cert storage
plex_certs=/home/plex/certs
nginx_certs=/etc/nginx/certs
# path to store a timestamp to easily see when script last ran
time_stamp=/home/plex/cert_timestamp.txt
# temp folder
temp_certs=/tmp/tempcerts
## Script
# stop / fail on any error
set -e
rm -rf $temp_certs
mkdir -p $temp_certs
mkdir -p $plex_certs
chown $plex_user:$plex_user $plex_certs
chmod 0755 $plex_certs
mkdir -p $nginx_certs
chown root:root $nginx_certs
chmod 0755 $nginx_certs
# Fetch certs, if curl returns anything other than 200 success, abort
http_statuscode=$(curl -L https://$server/$api_cert_path -H "apiKey: $cert_apikey" --output $temp_certs/certchain.pem --write-out "%{http_code}")
if test $http_statuscode -ne 200; then exit "$http_statuscode"; fi
http_statuscode=$(curl -L https://$server/$api_key_path -H "apiKey: $key_apikey" --output $temp_certs/key.pem --write-out "%{http_code}")
if test $http_statuscode -ne 200; then exit "$http_statuscode"; fi
# Update plex
# if different
if ( ! cmp -s "$temp_certs/certchain.pem" "$plex_certs/certchain.pem" ) || ( ! cmp -s "$temp_certs/key.pem" "$plex_certs/key.pem" ) ; then
service plexmediaserver stop
cp -rf $temp_certs/* $plex_certs/
openssl pkcs12 -export -out $temp_certs/certchain_key.p12 \
-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
-inkey $temp_certs/key.pem -in $temp_certs/certchain.pem \
-passout pass:
chown $plex_user:$plex_user $plex_certs/*
chmod 600 $plex_certs/key.pem
chmod 644 $plex_certs/certchain.pem
chmod 600 $plex_certs/certchain_key.pfx
service plexmediaserver start
fi
# Update nginx (reverse proxy)
# if different
if ( ! cmp -s "$temp_certs/certchain.pem" "$nginx_certs/certchain.pem" ) || ( ! cmp -s "$temp_certs/key.pem" "$nginx_certs/key.pem" ) ; then
service nginx stop
cp -rf $temp_certs/* $nginx_certs/
chown root:root $nginx_certs/*
chmod 600 $nginx_certs/key.pem
chmod 644 $nginx_certs/certchain.pem
service nginx start
fi
rm -rf $temp_certs
echo "Last Run: $(date)" > $time_stamp