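#!/bin/bash
# Nightly certificate-renewal run, driven from cron (hence the explicit PATH).
#   1. If ntpd is not running, step the system clock and write it to the
#      hardware clock. ACME request signatures and the issued certificates are
#      time-sensitive, so this deliberately happens before any contact with
#      Let's Encrypt.
#   2. Renew the RSA and the ECDSA (secp384r1) certificates with dehydrated,
#      using the dns-01 configuration.
#   3. Reload the daemons that serve them, then prune unused certificates.
#   4. Smoke test: print validity dates and SANs of the certificate each vhost
#      in the domains file actually serves on :443.
#   5. Re-sign every DNS zone listed in /root/domains.lst.
# Every stage is best-effort: a failure is reported on stderr and the next
# stage still runs (the original commented-out "--keep-going" variants show the
# same intent), but the script exits non-zero if anything failed so cron's
# mail / the job status reflects it.
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
export PATH

readonly DEHYDRATED_CONFIG=/etc/dehydrated/config-dns01
readonly DOMAINS_FILE=/etc/dehydrated/domains-dns01.txt
readonly ECC_OUT=/etc/dehydrated/certs/ECC
readonly ZONE_LIST=/root/domains.lst
readonly NTP_SERVER=ntp.obspm.fr

# Set to 1 by any stage that fails; becomes the script's exit status.
rc=0

# Print a stage title followed by a blank line (same layout as the old output).
banner() {
  printf '%s\n\n' "$1"
}

# Run a command, report a non-zero exit on stderr and remember it in rc.
# Arguments: the command line to run. Returns the command's exit status.
run_stage() {
  local st
  "$@"
  st=$?
  if [[ $st -ne 0 ]]; then
    printf 'FAILED (exit %d): %s\n' "$st" "$*" >&2
    rc=1
  fi
  return "$st"
}

# One-shot time sync, only when no ntpd is disciplining the clock (running
# ntpdate next to ntpd makes the two fight). -x avoids matching "ntpdate"
# itself, which a bare "pgrep ntpd" would.
sync_clock() {
  if pgrep -x ntpd >/dev/null; then
    return 0
  fi
  banner 'TIME SYNC'
  echo "reaching out to $NTP_SERVER"
  # NOTE(review): ntpdate is an unauthenticated step from a single remote
  # server; a wrong answer here lands in the RTC and in every ACME signature
  # below. Good enough for a one-off correction, but worth knowing.
  run_stage ntpdate "$NTP_SERVER"
  printf 'hardware clock... '
  if hwclock --utc --systohc; then
    echo done
  else
    echo FAIL
    rc=1
  fi
  echo
}

# Renew both key types, reload the consumers, then drop unused certs.
renew_certs() {
  banner 'RE-NEWING RSA CERTIFICATES'
  run_stage dehydrated --cron --config "$DEHYDRATED_CONFIG"
  echo

  banner 'RE-NEWING ECDSA CERTIFICATES'
  # The ECC chain is kept in its own output directory so it can coexist with
  # the RSA one under the same domain names.
  run_stage dehydrated --cron --config "$DEHYDRATED_CONFIG" \
    --algo secp384r1 --out "$ECC_OUT"
  echo

  banner 'RELOADING DAEMONS'
  run_stage /root/RELOAD-SSL
  echo

  banner 'CLEANING-UP UNUSED CERTS'
  run_stage dehydrated --cleanup --config "$DEHYDRATED_CONFIG"
  echo
}

# Show what each vhost is actually serving. The first field of every
# non-blank, non-comment line of the domains file is the certificate's primary
# name; a leading '*' is replaced by 'wildcard' so a wildcard certificate is
# probed through a synthetic host under it.
show_active_certs() {
  banner 'ACTIVE CERTIFICATES'
  local line vhost cert
  while IFS= read -r line || [[ -n $line ]]; do
    [[ -z $line || $line == \#* ]] && continue
    vhost=${line%% *}
    vhost=${vhost/\*/wildcard}
    echo "certificate for $vhost"
    # Display only: no chain verification is requested, so this prints what the
    # server presents, not whether a client would trust it. stdin is closed so
    # s_client exits right after the handshake.
    cert=$(openssl s_client -connect "$vhost:443" -servername "$vhost" \
             </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null)
    if [[ -z $cert ]]; then
      echo "  no certificate retrieved from $vhost:443"
      rc=1
    else
      grep -A2 Validity <<<"$cert"
      grep DNS: <<<"$cert"
    fi
    echo
  done < "$DOMAINS_FILE"
}

# Re-sign every zone named in ZONE_LIST. sign.ksh and the zone files live in
# /root; make that explicit instead of relying on cron's working directory.
resign_zones() {
  banner 'RE-SIGNING DNS ZONES'
  local zone
  if ! cd /root; then
    echo 'cannot cd to /root, zones not re-signed' >&2
    rc=1
    return 1
  fi
  while IFS= read -r zone || [[ -n $zone ]]; do
    [[ -z $zone || $zone == \#* ]] && continue
    echo "zone $zone"
    run_stage ./sign.ksh "$zone.db"
    echo
  done < "$ZONE_LIST"
}

main() {
  date
  echo
  sync_clock
  renew_certs
  show_active_certs
  resign_zones
  date
  exit "$rc"
}

main "$@"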