#!/usr/bin/bash

# Restart on change:
#31 2 * * * acme /usr/libexec/acme-tiny/sign 21
#50 2 * * * root /usr/bin/salpack-acme-tiny --reload

# Argument dispatch. With no argument, print the usage line. With --reload,
# reload httpd if any certificate file changed during the last 60 minutes
# (the cron example in the header runs this shortly after the signing job).
# Both branches end the script here.
case "$1" in
  "")
    echo "$0 domain [alternate_names ...]"
    exit
    ;;
  --reload)
    # find lists regular files modified less than 60 minutes ago; any output
    # at all means at least one certificate was rewritten.
    RECENT_CERTS=$(find /var/lib/acme/certs -type f -mmin -60)
    if [ -n "$RECENT_CERTS" ]; then
      # Use the SysV init script when it exists and is executable,
      # otherwise fall back to systemd.
      if [ ! -x /etc/init.d/httpd ]; then
        systemctl reload httpd
      else
        /etc/init.d/httpd reload
      fi
    fi
    exit
    ;;
esac

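# Succeeds when $1 contains only letters, digits, '.', '-' and '*' and does
# not start with '-'. Names are embedded in root-written file paths, in the
# -subj string and in the subjectAltName list, so '/', ',', ':' and
# whitespace must never reach those places.
_is_plain_hostname() {
  case "$1" in
    '' | -* | *[!A-Za-z0-9.*-]*) return 1 ;;
  esac
  return 0
}

# Prints "DNS:a,DNS:b,..." for every alternate name given as arguments.
# Each argument may itself hold several whitespace-separated names, which
# keeps the older "all names in one quoted argument" calling style working.
# Prints nothing when no names are given; returns 1 on an invalid name.
_san_list() {
  local -a names=()
  local name list=""
  # -d '' reads the whole input; read then reports EOF with a non-zero
  # status even though the array was filled, hence the "|| true".
  read -r -d '' -a names <<< "$*" || true
  for name in "${names[@]}"; do
    if ! _is_plain_hostname "$name"; then
      echo "invalid alternate name: $name" >&2
      return 1
    fi
    list="${list:+$list,}DNS:$name"
  done
  printf '%s' "$list"
}

DOMAIN="$1"
shift
# An empty DOMAIN is already handled by the usage check at the top of the
# script; anything else must look like a host name before it is used to
# build the key/CSR paths and the certificate subject.
if [ -n "$DOMAIN" ] && ! _is_plain_hostname "$DOMAIN"; then
  echo "$0: invalid domain name: $DOMAIN" >&2
  exit 1
fi

# The previous expansion only looked at the first remaining argument and
# replaced just its first space, so further alternate names were dropped
# or left as a broken word. Build the list from all remaining arguments.
SAN_LIST=$(_san_list "$@") || exit 1
if [ -n "$SAN_LIST" ]; then
  #EXT_CFG="-extensions SAN"
  # Two words on purpose: the option and its value, split by the consumer.
  EXT_CFG="-addext subjectAltName=$SAN_LIST"
else
  EXT_CFG=""
fi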

# Pick the openssl binary: default to plain "openssl" and switch to
# "openssl11" when /usr/bin/openssl11 is executable.
# NOTE(review): the check uses an absolute path but the command is later
# resolved through PATH; presumably both point at the same binary - confirm.
OPENSSL=openssl
if [ -x /usr/bin/openssl11 ]; then
  OPENSSL=openssl11
fi

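# Split EXT_CFG into separate words without pathname expansion. A bare
# $EXT_CFG would also glob, so a name containing '*' could be replaced by
# matching file names from the current directory.
read -r -a EXT_ARGS <<< "$EXT_CFG"

# Generate a new private key and a CSR for DOMAIN (plus any SAN extension).
# NOTE(review): -nodes leaves the private key unencrypted on disk and nothing
# here sets its mode; confirm the resulting file is readable by root only.
set -x
"$OPENSSL" req -new -nodes \
  -keyout /etc/pki/httpd/"$DOMAIN".key \
  -out /var/lib/acme/csr/"$DOMAIN".csr \
  -subj "/CN=$DOMAIN" "${EXT_ARGS[@]}"
REQ_STATUS=$?
set +x

# Stop here when no key/CSR was produced instead of carrying on with the
# signing step and printing a configuration for files that do not exist.
if [ "$REQ_STATUS" -ne 0 ]; then
  echo "$0: $OPENSSL req failed with status $REQ_STATUS" >&2
  exit "$REQ_STATUS"
fi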

# Run the signing helper as the unprivileged "acme" account in a login
# shell, forcing /bin/bash as the shell for that invocation.
# NOTE(review): the cron example in the header passes an argument ("21") to
# sign, this call passes none - confirm that is intended.
su --login acme --shell /bin/bash --command /usr/libexec/acme-tiny/sign

# Locations of the private key written by openssl and of the certificate
# expected from the signing step.
KEY_FILE="/etc/pki/httpd/$DOMAIN.key"
CERT_FILE="/var/lib/acme/certs/$DOMAIN.crt"

# Print a virtual host stanza for this domain that can be pasted into the
# Apache httpd configuration.
cat << EOF
Apache httpd configuration:
<VirtualHost *:443>
	ServerName $DOMAIN
	SSLEngine on
	SSLCertificateKeyFile $KEY_FILE
	SSLCertificateFile $CERT_FILE
</VirtualHost>
EOF

# List the certificate file; ls reports an error when it does not exist.
ls -la "$CERT_FILE"
