remove --sign in favor of two options "--force" and "--domain" (try 2)

.travis.yml

@@ -30,7 +30,7 @@ script:
 
   # move config out of the way and try signing certificate by using temporary config location
   - mv config.sh tmp_config.sh
-  - ./letsencrypt.sh --sign "${TMP_URL}" -f tmp_config.sh
+  - ./letsencrypt.sh --domain "${TMP_URL}" -f tmp_config.sh
   - mv tmp_config.sh config.sh
 
   # run in cron mode (should find a non-expiring certificate) + check running without given mode (should default to cron mode)

README.md

@@ -26,12 +26,13 @@ Default command: cron
 
 Commands:
  --cron (-c)                      Sign/renew non-existant/changed(TODO)/expiring certificates.
- --sign (-s) domain.tld           Force-sign specific certificate from domains.txt, even if not yet expiring or changed.
  --revoke (-r) path/to/cert.pem   Revoke specified certificate
  --help (-h)                      Show help text
  --env (-e)                       Output configuration variables for use in other scripts
 
 Parameters:
+ --domain (-d) domain.tld         Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names
+ --force (-x)                     force renew of certificate even if it is longer valid than value in RENEW_DAYS
  --config (-f) path/to/config.sh  Use specified config file
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 ```

letsencrypt.sh

@@ -222,6 +222,11 @@ _request() {
       ${HOOK} "clean_challenge" '' "${challenge_token}" "${keyauth}"
     fi
 
+    # remove temporary domains.txt file if used
+    if [[ -n "${PARAM_DOMAIN:-}" ]]; then
+      rm "${DOMAINS_TXT}"
+    fi
+
     exit 1
   fi
 
@@ -395,13 +400,24 @@ sign_domain() {
 
 # Usage: --cron (-c)
 # Description: Sign/renew non-existant/changed(TODO)/expiring certificates.
-command_cron() {
+command_sign_domains() {
+  if [[ -n "${PARAM_DOMAIN:-}" ]]; then
+    # we are using a temporary domains.txt file so we don't need to duplicate any code
+    DOMAINS_TXT="$(mktemp)"
+    echo "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+  fi
   # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
   <"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do
     domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
+    morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
     cert="${BASEDIR}/certs/${domain}/cert.pem"
 
-    echo "Processing ${domain}"
+    if [[ -z "${morenames}" ]];then
+      echo "Processing ${domain}"
+    else
+      echo "Processing ${domain} with SAN: ${morenames}"
+    fi
+
     if [[ -e "${cert}" ]]; then
       echo " + Found existing cert..."
 
@@ -409,33 +425,26 @@ command_cron() {
 
       echo -n " + Valid till ${valid} "
       if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then
-        echo "(Longer than ${RENEW_DAYS} days). Skipping!"
-        continue
+        echo -n "(Longer than ${RENEW_DAYS} days). "
+        if [[ "${PARAM_FORCE:-}" = "yes" ]]; then
+          echo "Ignoring because --force was specified!"
+        else
+          echo "Skipping!"
+          continue
+        fi
+      else
+        echo "(Less than ${RENEW_DAYS} days). Renewing!"
       fi
-      echo "(Less than ${RENEW_DAYS} days). Renewing!"
     fi
 
     # shellcheck disable=SC2086
     sign_domain $line
   done
-}
 
-# Usage: --sign (-s) domain.tld
-# Description: Force-sign specific certificate from domains.txt, even if not yet expiring or changed.
-command_sign() {
-  # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
-  <"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -E "^${1}($|\s)" | head -1 | while read -r line; do
-    domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
-    cert="${BASEDIR}/certs/${domain}/cert.pem"
-
-    echo "Processing ${domain}"
-    if [[ -e "${cert}" ]]; then
-      echo " + Found existing cert... ignoring."
-    fi
-
-    # shellcheck disable=SC2086
-    sign_domain $line
-  done || (echo "No entry for ${1} found in ${DOMAINS_TXT}."; exit 1)
+  # remove temporary domains.txt file if used
+  if [[ -n "${PARAM_DOMAIN:-}" ]]; then
+    rm "${DOMAINS_TXT}"
+  fi
 }
 
 # Usage: --revoke (-r) path/to/cert.pem
@@ -509,7 +518,8 @@ for arg; do
   case "${arg}" in
     --help)    args="${args}-h ";;
     --cron)    args="${args}-c ";;
-    --sign)    args="${args}-s ";;
+    --domain)  args="${args}-d ";;
+    --force )  args="${args}-x ";;
     --revoke)  args="${args}-r ";;
     --privkey) args="${args}-p ";;
     --config)  args="${args}-f ";;
@@ -547,7 +557,7 @@ check_parameters() {
   fi
 }
 
-while getopts ":hcer:s:f:p:" option; do
+while getopts ":hcer:d:xf:p:" option; do
   case "${option}" in
     h)
       command_help
@@ -564,10 +574,20 @@ while getopts ":hcer:s:f:p:" option; do
       check_parameters "${OPTARG:-}"
       revoke_me="${OPTARG}"
       ;;
-    s)
-      set_command sign
+    d)
+      # PARAM_Usage: --domain (-d) domain.tld
+      # PARAM_Description: Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names
       check_parameters "${OPTARG:-}"
-      sign_me="${OPTARG}"
+      if [[ -z "${PARAM_DOMAIN:-}" ]]; then
+        PARAM_DOMAIN="${OPTARG}"
+      else
+        PARAM_DOMAIN="${PARAM_DOMAIN} ${OPTARG}"
+       fi
+      ;;
+    x)
+      # PARAM_Usage: --force (-x)
+      # PARAM_Description: force renew of certificate even if it is longer valid than value in RENEW_DAYS
+      PARAM_FORCE="yes"
       ;;
     f)
       # PARAM_Usage: --config (-f) path/to/config.sh
@@ -598,14 +618,11 @@ init_system
 
 case "${COMMAND}" in
   cron)
-    command_cron
+    command_sign_domains
     ;;
   env)
     command_env
     ;;
-  sign)
-    command_sign "${sign_me}"
-    ;;
   revoke)
     command_revoke "${revoke_me}"
     ;;