From 360bd6c4a68de2625d6d09b117bf7b6cffd6cb78 Mon Sep 17 00:00:00 2001 From: Andrew DeFaria Date: Sat, 24 Dec 2022 11:20:40 -0800 Subject: [PATCH] Hopefully final adjustments to certbot A few problems with this latest cert renewal. While the renewal happened it put the certs in /System/Data/Certificates whereas other references were to /System/Certificates. This has been fixed. Additionally, certbot_deploy.sh was never called! Added it to certbot_cleanup.sh. An additional problem was that the crontab entry had "*/3" for month and while that says "every 3 months" it doesn't say which month it starts on. So I changed this to explicitedly state "Jan,Apr,Jul,Oct". Finally, the cert generated on 12/23/2022 said it was valid until 01/22/2023. Not sure why this was one month so we may have a failure in certs come February. If so we'll need to check why were are only getting 30 day certs issued by LetsEncrypt. --- bin/certbot_authentication.sh | 12 +++++++----- bin/certbot_cleanup.sh | 12 ++++++++++-- bin/certbot_deploy.sh | 11 ++++++++--- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/bin/certbot_authentication.sh b/bin/certbot_authentication.sh index 0cf53d4..5bec2d4 100755 --- a/bin/certbot_authentication.sh +++ b/bin/certbot_authentication.sh @@ -14,7 +14,7 @@ # # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands # -# Crontab: 0 0 20 */3 * certbot renew +# Crontab: 0 0 20 Jan,Apr,Jul,Oct * certbot renew # # Note: If you symlink /etc/letsencrypt/renewal-hooks/{pre|post|deploy} # to the proper scripts then all you need is certbox renew. Also @@ -29,7 +29,12 @@ # (c) Copyright 2021, ClearSCM, Inc., all rights reserved # ################################################################################ -logfile="/tmp/$(basename $0).log" +certdir=/System/Certificates + +mkdir -p $certdir + +logfile="$certdir/$(basename $0).log" + rm -f $logfile function log { 
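Review bot: The schedule on the changed `# Crontab:` line in bin/certbot_authentication.sh leaves no margin for a late or failed run, because the 20th of Jan/Apr/Jul/Oct falls 90 to 92 days apart while Let's Encrypt certificates are valid for 90 days. `certbot renew` by default only acts on certificates within about 30 days of expiry, so running it much more often is harmless; I would document something like `# Crontab: 0 3 * * * certbot renew -q` instead. The same comment line is changed in bin/certbot_cleanup.sh and bin/certbot_deploy.sh. In the context lines just below, `certbox renew` should read `certbot renew`.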
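Review bot: The added `mkdir -p $certdir` at the top of bin/certbot_authentication.sh can hide a missing NFS mount: a comment later in this file says `$certdir` is on the Synology share, so if the share is not mounted the directory is silently created on local disk and the log and certificates land there. I would fail instead, e.g. `[ -d "$certdir" ] || { echo "$certdir missing" >&2; exit 1; }`, or check the actual mount path with `mountpoint -q`. The added lines also leave `$certdir`, `$0` and `$logfile` unquoted; `logfile="$certdir/$(basename "$0").log"` is the safer form. Moving the log out of `/tmp` removes the predictable temp-file name, but the log now sits beside the private key on the export, so whatever `log` writes (its body is outside this hunk) is readable by every client of that share. The same block is added in bin/certbot_cleanup.sh and bin/certbot_deploy.sh.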
@@ -115,9 +120,6 @@ verifyPropagation # If we get here then new certs are produced but need to be made available # for importation to the Synology. $certdir is a directory that is on the # Synology mounted via NFS. -certdir=/System/Data/Certificates - -mkdir -p $certdir cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem $certdir && chmod 444 $certdir/privkey.pem cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem $certdir && chmod 444 $certdir/cert.pem cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem $certdir && chmod 444 $certdir/chain.pem diff --git a/bin/certbot_cleanup.sh b/bin/certbot_cleanup.sh index 958f578..400c9a2 100755 --- a/bin/certbot_cleanup.sh +++ b/bin/certbot_cleanup.sh @@ -12,7 +12,7 @@ # # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands # -# Crontab: 0 0 20 */3 * certbot renew +# Crontab: 0 0 20 Jan,Apr,Jul,Oct * certbot renew # # Author: Andrew@DeFaria.com # Created: Fri 04 Jun 2021 11:20:16 PDT @@ -22,7 +22,12 @@ # (c) Copyright 2021, ClearSCM, Inc., all rights reserved # ################################################################################ -logfile="/tmp/$(basename $0).log" +certdir="/System/Certificates" + +mkdir -p $certdir + +logfile="$certdir/$(basename $0).log" + rm -f $logfile function log { @@ -75,3 +80,6 @@ removeTXT # Removal is instanteous but propagation will take some time. No need to wait # around though... + +# Now deploy new certs +/opt/clearscm/bin/certbot_deploy.sh diff --git a/bin/certbot_deploy.sh b/bin/certbot_deploy.sh index cc03926..582c3b9 100755 --- a/bin/certbot_deploy.sh +++ b/bin/certbot_deploy.sh 
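Review bot: `chmod 444 $certdir/privkey.pem`, in the unchanged lines right under the removed `mkdir` in bin/certbot_authentication.sh, leaves the private key world-readable on an NFS-exported directory, and `cp` creates the file with the default umask before `chmod` runs. Unless the Synology import really needs other users to read it (not visible here), copy it with a restrictive mode in one step, `install -m 0400 "/etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem" "$certdir/privkey.pem"`, and keep 444 only for `cert.pem` and `chain.pem`. If a failed `cp` should stop the hook it needs an explicit `|| exit 1`, since `cp ... && chmod ...` on its own does not abort the script. The run of `cp` lines may continue past the end of this hunk.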
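Review bot: Calling `/opt/clearscm/bin/certbot_deploy.sh` from the end of bin/certbot_cleanup.sh appears to run the deploy before certbot has written the renewed certificate, since certbot runs the manual auth and cleanup hooks around the DNS challenge and only afterwards issues and saves the cert. The `cp` from `/etc/letsencrypt/live/$CERTBOT_DOMAIN/` in bin/certbot_authentication.sh has the same ordering problem, so the files on the share are probably the previous certificate; that would fit the 01/22/2023 expiry mentioned in the description. Both the copy and the nginx restart belong in a deploy hook, `certbot renew --deploy-hook /opt/clearscm/bin/certbot_deploy.sh` or a symlink in `/etc/letsencrypt/renewal-hooks/deploy`, which certbot runs only after a successful renewal and with `RENEWED_LINEAGE` pointing at the new files.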
@@ -7,7 +7,7 @@ # onto the Synology. We should have already obtained new Let's # Encrypt certs and have placed them into /System/Certificates. # Now we just need to restart nginx on the Synology. This works -# because /usr/syno/etc/certificates/_archive already has been +# because /usr/syno/etc/certificate/_archive already has been # configured to look at /System/Certificates for new certs. # # The restarting of nginx on Synology is large and takes time. You @@ -17,7 +17,7 @@ # # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands # -# Crontab: 0 0 20 */3 * certbot renew +# Crontab: 0 0 20 Jan,Apr,Jul,Oct * certbot renew # # Author: Andrew@DeFaria.com # Created: Mon Oct 24 11:53:38 AM PDT 2022 @@ -27,7 +27,12 @@ # (c) Copyright 2021, ClearSCM, Inc., all rights reserved # ################################################################################ -logfile="/tmp/$(basename $0).log" +certdir="/System/Certificates" + +mkdir -p $certdir + +logfile="$certdir/$(basename $0).log" + rm -f $logfile function log { -- 2.17.1