attempt renewal on start if expired

Author: aptalca

README.md

@@ -282,6 +282,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **06.03.20:** - Implement cert renewal attempt during container start (only if the cert is already expired or will expire within the next 24 hours, otherwise it will be attempted at 2:08am).
 * **05.03.20:** - Use port and proto upstream variables for ldap and default sample confs.
 * **24.02.20:** - Remove world/group read permissions in dns-conf.
 * **23.02.20:** - Add aliyun dns validation plugin.

readme-vars.yml

@@ -125,6 +125,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "06.03.20:", desc: "Implement cert renewal attempt during container start (only if the cert is already expired or will expire within the next 24 hours, otherwise it will be attempted at 2:08am)." }
   - { date: "05.03.20:", desc: "Use port and proto upstream variables for ldap and default sample confs." }
   - { date: "24.02.20:", desc: "Remove world/group read permissions in dns-conf." }
   - { date: "23.02.20:", desc: "Add aliyun dns validation plugin." }

root/etc/cont-init.d/60-renew

@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+# Check if the cert is expired or expires within a day, if so, renew
+if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then 
+    echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
+else
+    echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."
+    /app/le-renew.sh
+fi