#!/bin/bash
# refreshes self-signed certificates which are expired,
# or will expire in less than 3 days

ASCEDSETCDIR='/etc/asceds'
ASCEDSHOMEDIR="${ASCEDSETCDIR}/home"
GREP='grep -a'

# is it using self-signed certs?
if [ -r "${ASCEDSETCDIR}/asceds-certbot.conf" ] ; then
   . ${ASCEDSETCDIR}/asceds-certbot.conf
fi
if [ -z "${SELFSIGNED}" ] || [ ! -x "${CERTBOTBIN}" ] ; then
   # if not self-signed, just exit
   exit
fi

# if any clients
if [ "$( echo ${ASCEDSHOMEDIR}/*_cert.conf )" != \
     "${ASCEDSHOMEDIR}/*_cert.conf" ] ; then

   # time now
   TIMENOW=$( date +"%s" )
   # move forward 3 days
   TIMENOW3=$( expr ${TIMENOW} + 259200 )
   echo "Time to compare is ${TIMENOW3}"

   # find hostname of client
   for HSTCONF in ${ASCEDSHOMEDIR}/*_cert.conf ; do
      if [ -r "${HSTCONF}" ] ; then
         HST=$( basename ${HSTCONF} )
         HST=${HST%%_*}
         if [ -r "${ASCEDSHOMEDIR}/${HST}/cert.pem" ] ; then
            CERTFILE=${ASCEDSHOMEDIR}/${HST}/cert.pem
            # figure out the expiration
            CERTEXPLINE=$( openssl x509 -dates -noout < ${CERTFILE} | \
               ${GREP} "notAfter=" | sed -e "s/notAfter=//" )
            TIMEEXP=$( date --date="${CERTEXPLINE}" +"%s" )            
            echo "Expiration time for client ${HST} is ${TIMEEXP}"
            # renew if older than 3 days before expiration
            if [ "${TIMENOW3}" -gt "${TIMEEXP}" ] ; then
               . ${HSTCONF}
               CERTBOTOPTS="certonly -cert-name ${HST} --domain ${HST}"
               if [ -n "${CLIENT_SANS_LIST}" ] ; then
                  CERTBOTOPTS="${CERTBOTOPTS} -d ${CLIENT_SANS_LIST} "
               fi
               # renew
               eval ${CERTBOTBIN} ${CERTBOTOPTS}
            fi
         fi
      fi
   done
fi            


