-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add workflow and script for running cron check certs
- Loading branch information
1 parent
9e08e84
commit 5157e1b
Showing
2 changed files
with
93 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
name: Update cron script when changes are made | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
- add-cron-to-check-certs | ||
paths: | ||
- 'scripts/ci_check_certs.sh' | ||
- '.github/workflows/update_cron_script.yml' | ||
workflow_dispatch: | ||
|
||
jobs: | ||
check-certs-expiry: | ||
name: Update cron script when changes are made | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
domain: | ||
[ | ||
"backend.captn.ai", | ||
"staging.backend.captn.ai", | ||
"auth.captn.ai", | ||
"staging.auth.captn.ai", | ||
] | ||
runs-on: ubuntu-22.04 | ||
defaults: | ||
run: | ||
shell: bash | ||
container: | ||
image: ubuntu:22.04 | ||
env: | ||
PROD_SSH_KEY: ${{ secrets.PROD_SSH_KEY }} | ||
STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
# This is to fix GIT not liking owner of the checkout dir - https://github.com/actions/runner/issues/2033#issuecomment-1204205989 | ||
- run: chown -R $(id -u):$(id -g) $PWD | ||
|
||
- run: echo "PATH=$PATH:/github/home/.local/bin" >> $GITHUB_ENV | ||
- run: "which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )" | ||
- run: apt-get update -y && apt-get install sshpass -y | ||
- run: eval $(ssh-agent -s) | ||
- run: mkdir -p ~/.ssh | ||
- run: chmod 700 ~/.ssh | ||
|
||
- run: echo "DOMAIN=${{ matrix.domain }}" >> $GITHUB_ENV | ||
|
||
- run: ssh-keyscan "$DOMAIN" >> ~/.ssh/known_hosts | ||
- run: chmod 644 ~/.ssh/known_hosts | ||
|
||
- run: if [[ $DOMAIN == *"staging"* ]]; then echo "$STAGING_SSH_KEY" | base64 --decode > key.pem ; else echo "$PROD_SSH_KEY" | base64 --decode > key.pem ; fi; | ||
- run: chmod 600 key.pem | ||
|
||
- run: ssh -o StrictHostKeyChecking=no -i key.pem azureuser@"$DOMAIN" "ls -la" | ||
|
||
- run: envsubst '${DOMAIN}' < scripts/cron_check_certs.sh > tmp.sh | ||
- run: chmod +x tmp.sh | ||
- run: cat tmp.sh | ||
- run: scp -i key.pem tmp.sh azureuser@"$DOMAIN":/home/azureuser/cron_check_certs.sh | ||
|
||
- run: rm key.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
#!/bin/bash | ||
|
||
# Set the threshold for certificate expiration (in days) | ||
THRESHOLD=30 | ||
|
||
# List of domains for which to check and renew certificates | ||
DOMAINS=("$DOMAIN") | ||
|
||
sudo service nginx stop | ||
|
||
for domain in "${DOMAINS[@]}"; do | ||
# Check if certificate is expiring within the threshold | ||
expiration_date=$(date -d "$(sudo openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -enddate | cut -d= -f2)" +%s) | ||
current_date=$(date +%s) | ||
days_until_expiry=$(( (expiration_date - current_date) / 86400 )) | ||
|
||
if [ "$days_until_expiry" -lt "$THRESHOLD" ]; then | ||
echo "Certificate for $domain is expiring in $days_until_expiry days. Renewing..." | ||
# sudo certbot renew --force-renewal | ||
sudo certbot renew --cert-name "$domain" | ||
if [ $? -eq 0 ]; then | ||
echo "Certificate renewed successfully for $domain." | ||
else | ||
echo "Certificate renewal failed for $domain." | ||
fi | ||
else | ||
echo "Certificate for $domain is not expiring within the next $THRESHOLD days. No action needed." | ||
fi | ||
done | ||
|
||
sudo service nginx restart |