Add workflow and script for running cron check certs

airtai · Apr 1, 2024 · 5157e1b · 5157e1b
1 parent 9e08e84
commit 5157e1b
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/.github/workflows/update_cron_script.yml b/.github/workflows/update_cron_script.yml
@@ -0,0 +1,62 @@
+name: Update cron script when changes are made
+
+on:
+  push:
+    branches:
+      - main
+      - add-cron-to-check-certs
+    paths:
+      - 'scripts/ci_check_certs.sh'
+      - '.github/workflows/update_cron_script.yml'
+  workflow_dispatch:
+
+jobs:
+  check-certs-expiry:
+    name: Update cron script when changes are made
+    strategy:
+      fail-fast: false
+      matrix:
+        domain:
+          [
+            "backend.captn.ai",
+            "staging.backend.captn.ai",
+            "auth.captn.ai",
+            "staging.auth.captn.ai",
+          ]
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        shell: bash
+    container:
+      image: ubuntu:22.04
+    env:
+      PROD_SSH_KEY: ${{ secrets.PROD_SSH_KEY }}
+      STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
+    steps:
+      - uses: actions/checkout@v3
+      # This is to fix GIT not liking owner of the checkout dir - https://github.com/actions/runner/issues/2033#issuecomment-1204205989
+      - run: chown -R $(id -u):$(id -g) $PWD
+
+      - run: echo "PATH=$PATH:/github/home/.local/bin" >> $GITHUB_ENV
+      - run: "which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )"
+      - run: apt-get update -y && apt-get install sshpass -y
+      - run: eval $(ssh-agent -s)
+      - run: mkdir -p ~/.ssh
+      - run: chmod 700 ~/.ssh
+
+      - run: echo "DOMAIN=${{ matrix.domain }}" >> $GITHUB_ENV
+
+      - run: ssh-keyscan "$DOMAIN" >> ~/.ssh/known_hosts
+      - run: chmod 644 ~/.ssh/known_hosts
+
+      - run: if [[ $DOMAIN == *"staging"* ]]; then echo "$STAGING_SSH_KEY" | base64 --decode > key.pem ; else echo "$PROD_SSH_KEY" | base64 --decode > key.pem ; fi;
+      - run: chmod 600 key.pem
+
+      - run: ssh -o StrictHostKeyChecking=no -i key.pem azureuser@"$DOMAIN" "ls -la"
+
+      - run: envsubst '${DOMAIN}' < scripts/cron_check_certs.sh > tmp.sh
+      - run: chmod +x tmp.sh
+      - run: cat tmp.sh
+      - run: scp -i key.pem tmp.sh azureuser@"$DOMAIN":/home/azureuser/cron_check_certs.sh
+
+      - run: rm key.pem
diff --git a/scripts/cron_check_certs.sh b/scripts/cron_check_certs.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Set the threshold for certificate expiration (in days)
+THRESHOLD=30
+
+# List of domains for which to check and renew certificates
+DOMAINS=("$DOMAIN")
+
+sudo service nginx stop
+
+for domain in "${DOMAINS[@]}"; do
+    # Check if certificate is expiring within the threshold
+    expiration_date=$(date -d "$(sudo openssl x509 -in /etc/letsencrypt/live/$domain/fullchain.pem -noout -enddate | cut -d= -f2)" +%s)
+    current_date=$(date +%s)
+    days_until_expiry=$(( (expiration_date - current_date) / 86400 ))
+
+    if [ "$days_until_expiry" -lt "$THRESHOLD" ]; then
+        echo "Certificate for $domain is expiring in $days_until_expiry days. Renewing..."
+        # sudo certbot renew --force-renewal
+        sudo certbot renew --cert-name "$domain"
+        if [ $? -eq 0 ]; then
+            echo "Certificate renewed successfully for $domain."
+        else
+            echo "Certificate renewal failed for $domain."
+        fi
+    else
+        echo "Certificate for $domain is not expiring within the next $THRESHOLD days. No action needed."
+    fi
+done
+
+sudo service nginx restart