Maintain cert_id in INFO file on each run.

It was reported in #11 that in some circumstances the cert_id reference
could be missing in /usr/syno/etc/certificate/_archive/INFO.
Before this change the INFO file was only maintained on first run.
Now the the INFO file will be checked on each run and updated if the
cert_id is missing.

README.md

@@ -30,7 +30,7 @@ export SIMPLY_PROPAGATION_TIMEOUT=1800
 export SIMPLY_POLLING_INTERVAL=30
 
 # Should you need it; additional options can be passed directly to lego
-#LEGO_OPTIONS=(--key-type "rsa4096")
+#LEGO_OPTIONS=(--key-type "rsa4096" --server "https://acme-staging-v02.api.letsencrypt.org/directory")
 ```
 
 Note: If you are generating a wildcard certificate, you must include the base domain next to the wildcard domain. For example, if you want to create a certificate for `*.example.com`, you must also include `example.com` in the `DOMAINS` value.

install.sh

@@ -35,7 +35,7 @@ install_lego() {
     )"
 
     if [[ -z $url ]]; then
-        echo "Could not find lego download URL! Try a different architecture maybe? See '$0 -h'" >&2
+        echo "Could not find lego download URL for architecture '$ARCH'! Try a different architecture maybe? See '$0 -h'" >&2
         exit 1
     fi
 

synology-letsencrypt-make-cert-id.sh

@@ -2,21 +2,36 @@
 
 [[ $EUID == 0 ]] || { echo >&2 "This script must be run as root"; exit 1; }
 
-archive_path="/usr/syno/etc/certificate/_archive"
-info="$archive_path/INFO"
+CERT_ID_PATH="$1"
+ARCHIVE_PATH="$2"
 
-mkdir -p "$archive_path"
-cert_path=$(mktemp -d "$archive_path"/XXXXXX)
-cert_id="${cert_path##*/}"
+cert_id=""
+if [[ -s $CERT_ID_PATH ]]; then
+    source "$CERT_ID_PATH"
+fi
 
+mkdir -p "$ARCHIVE_PATH"
+
+if [[ -z $cert_id ]]; then
+    archive_cert_path=$(mktemp -d "$ARCHIVE_PATH"/XXXXXX)
+    cert_id="${archive_cert_path##*/}"
+    printf 'cert_id=%s' "$cert_id" > "$CERT_ID_PATH"
+fi
+
+mkdir -p "$ARCHIVE_PATH/$cert_id"
+
+info="$ARCHIVE_PATH/INFO"
 if [[ -s $info ]]; then
-    # append
-    tmp_info=$(mktemp)
-    jq --arg cert_id "$cert_id" '.[$cert_id] = { desc: "", services: [] }' < "$info" > "$tmp_info" \
-        && \mv "$tmp_info" "$info"
+    has_cert_id="$(jq --arg cert_id "$cert_id" 'has($cert_id)' "$info")"
+
+    if [[ $has_cert_id != true ]]; then
+        # append
+        tmp_info=$(mktemp)
+        jq --arg cert_id "$cert_id" '.[$cert_id] = { desc: "", services: [] }' < "$info" > "$tmp_info" \
+            && \mv "$tmp_info" "$info"
+    fi
 else
   # create
   jq -n --arg cert_id "$cert_id" '{ ($cert_id) : { desc: "", services: [] } }' > "$info"
 fi
 
-echo "cert_id=$cert_id"

synology-letsencrypt-reload-services.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+[[ $EUID == 0 ]] || { echo >&2 "This script must be run as root"; exit 1; }
+
 # Reload services assigned to the certificate with the key `cert_id` in the INFO file.
 # Inspired by https://github.com/bartowl/synology-stuff/blob/master/reload-certs.sh
 

synology-letsencrypt.sh

@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+[[ $EUID == 0 ]] || { echo >&2 "This script must be run as root"; exit 1; }
+
 while getopts ":p:ch" opt; do
     case $opt in
         p) LEGO_PATH="$OPTARG" ;;
@@ -18,41 +20,40 @@ done
 LEGO_PATH=${LEGO_PATH:-/usr/local/etc/synology-letsencrypt}
 CREATE_HOOK=${CREATE_HOOK:-true}
 
-[[ $EUID == 0 ]] || {
-    echo >&2 "This script must be run as root"
-    exit 1
-}
-
 source "$LEGO_PATH/env"
 
 export LEGO_PATH
 
+archive_path="/usr/syno/etc/certificate/_archive"
 cert_path="$LEGO_PATH/certificates"
 cert_domain="${DOMAINS[1]#\*.}"
 hook_path="$LEGO_PATH/hook"
+mkdir -p "$cert_path"
 
 ## cert_id
 cert_id_path="$cert_path/$cert_domain.cert_id"
-if [[ ! -s $cert_id_path ]]; then
-    mkdir -p "$cert_path"
-    /usr/local/bin/synology-letsencrypt-make-cert-id.sh >"$cert_id_path"
-fi
+/usr/local/bin/synology-letsencrypt-make-cert-id.sh "$cert_id_path" "$archive_path"
 source "$cert_id_path"
 
+if [[ -z $cert_id ]]; then
+    echo >&2 "ID not found in $cert_id_path"
+    exit 1
+fi
+
 ## install hook
-archive_path="/usr/syno/etc/certificate/_archive/$cert_id"
-if [[ ! -d $archive_path ]]; then
-    mkdir -p "$archive_path"
+archive_cert_path="$archive_path/$cert_id"
+if [[ ! -d $archive_cert_path ]]; then
+    mkdir -p "$archive_cert_path"
 fi
 
 if [[ ${CREATE_HOOK} == true ]]; then
     cat >"$hook_path" <<EOF
 #!/bin/bash
 
-cp "${cert_path}/${cert_domain}.crt" "${archive_path}/cert.pem"
-cp "${cert_path}/${cert_domain}.crt" "${archive_path}/fullchain.pem"
-cp "${cert_path}/${cert_domain}.issuer.crt" "${archive_path}/chain.pem"
-cp "${cert_path}/${cert_domain}.key" "${archive_path}/privkey.pem"
+cp "${cert_path}/${cert_domain}.crt" "${archive_cert_path}/cert.pem"
+cp "${cert_path}/${cert_domain}.crt" "${archive_cert_path}/fullchain.pem"
+cp "${cert_path}/${cert_domain}.issuer.crt" "${archive_cert_path}/chain.pem"
+cp "${cert_path}/${cert_domain}.key" "${archive_cert_path}/privkey.pem"
 
 /usr/local/bin/synology-letsencrypt-reload-services.sh "$cert_id"
 EOF
@@ -76,3 +77,4 @@ fi
     "${DOMAINS[@]}" \
     "${LEGO_OPTIONS[@]}" \
     "${CMD[@]}" "$hook_path"
+