SessionZeroWasm/init-letsencrypt.sh


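#!/bin/bash
# Obtain a Let's Encrypt certificate for the first entry of `domains` using the
# HTTP-01 webroot challenge. A minimal temporary nginx configuration serves the
# challenge directory on port 80; the original configuration is restored on
# every exit path.
#
# The script writes under /etc/nginx and /etc/letsencrypt, so it presumably has
# to run as root -- confirm against the deployment.
set -uo pipefail

domains=(web.sessionzero.app)
domain=${domains[0]} # First domain names the certificate directory under live/
email="chrisbell@bellsworne.com" # Replace with your actual email
rsa_key_size=4096
data_path="/etc/letsencrypt"
webroot="/var/www/certbot"
nginx_conf="/etc/nginx/nginx.conf"
stagingflag="" # Empty = production CA; set to "--staging" for a test run

# Print a message to stderr and abort with a non-zero status.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

nginx_started=0
conf_swapped=0

# Stop the temporary nginx and put the saved configuration back.
# Idempotent: the flags are cleared so the EXIT trap does not repeat the work.
restore_nginx() {
  if ((nginx_started)); then
    nginx -s stop || printf 'WARNING: could not stop temporary nginx\n' >&2
    nginx_started=0
  fi
  if ((conf_swapped)); then
    cp -- "$nginx_conf.bak" "$nginx_conf" ||
      printf 'WARNING: could not restore %s from %s.bak\n' \
        "$nginx_conf" "$nginx_conf" >&2
    conf_swapped=0
  fi
}
# A failed run must not leave the challenge-only config in place of the real one.
trap restore_nginx EXIT

echo "### Debugging info..."
echo "Domain: $domain"
echo "Email: $email"
echo "Data path: $data_path"
echo "Staging flag: [$stagingflag]"

echo "### Cleaning ANY existing certificate data (including potential staging)..."
# NOTE: this removes every certificate and private key stored under data_path,
# not only those of $domain. Together with --force-renewal each run requests a
# brand-new production certificate, and production issuance is rate-limited.
# ${data_path:?} aborts instead of expanding to "/live" if the variable is empty.
rm -rf -- "${data_path:?}/live"
rm -rf -- "${data_path:?}/archive"
rm -rf -- "${data_path:?}/renewal"

echo "### Creating certificate directories..."
mkdir -p -- "$data_path/www"
# The directory nginx serves and certbot writes challenge files into.
mkdir -p -- "$webroot" || die "cannot create webroot $webroot"
# live/$domain is deliberately NOT pre-created: certbot creates it on success.
# Creating it here made the success test below always pass, and an existing
# live directory may make certbot refuse to create the certificate.

echo "### Starting temporary nginx server for webroot challenge..."
cp -- "$nginx_conf" "$nginx_conf.bak" || die "cannot back up $nginx_conf"
conf_swapped=1
# Challenge-only config: plain HTTP, nothing but the ACME path is served.
cat >"$nginx_conf" <<EOF || die "cannot write temporary $nginx_conf"
events { worker_connections 1024; }
http {
  server {
    listen 80;
    server_name ${domains[*]};
    location /.well-known/acme-challenge/ { root $webroot; }
  }
}
EOF
nginx || die "temporary nginx failed to start (is port 80 already in use?)"
nginx_started=1

echo "### Obtaining SSL certificate..."
# Build the argument list as an array so an empty stagingflag adds no argument
# and no value is subject to word splitting.
# Only the first domain is requested, although server_name lists all of them.
certbot_args=(
  certonly --webroot -w "$webroot"
  --email "$email"
  --agree-tos
  --no-eff-email
  --force-renewal
  -d "${domains[0]}"
  --rsa-key-size "$rsa_key_size"
)
if [[ -n "$stagingflag" ]]; then
  certbot_args+=("$stagingflag")
fi
certbot "${certbot_args[@]}" || die "certbot failed; no certificate was issued"

cert_file="$data_path/live/$domain/cert.pem"
# Success means certbot exited 0 AND produced a non-empty certificate file.
[[ -s "$cert_file" ]] || die "certbot reported success but $cert_file is missing"

echo "### Certificate obtained successfully. Stopping temporary nginx..."
restore_nginx

echo "### Verifying certificates are not staging..."
# cert.pem is base64-encoded, so the issuer name never appears in it as plain
# text; decode the certificate and inspect the issuer field instead. Staging
# issuers are expected to carry "STAGING" in their name.
if command -v openssl >/dev/null 2>&1; then
  issuer=$(openssl x509 -in "$cert_file" -noout -issuer 2>/dev/null) || issuer=""
  if [[ -z "$issuer" ]]; then
    echo "WARNING: Could not read the certificate issuer from $cert_file."
  elif grep -qi -- 'staging' <<<"$issuer"; then
    echo "WARNING: Still using STAGING certificates. Please check your configuration."
  else
    echo "SUCCESS: Production certificates obtained."
  fi
else
  echo "WARNING: openssl not found; staging check skipped."
fi
echo "### Setup completed successfully."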