nginx_docker-swag/root/defaults/deploy/01_deploy-certs.sh

#!/usr/bin/with-contenv bash
# convert to fullchain.pem and privkey.pem to tls.crt and tls.key

# Deploy hooks are commands to be run in a shell once for each successfully issued certificate.
# For this command, the shell variable $RENEWED_LINEAGE will point to the
# config live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the
# new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list
# of renewed certificate domains (for example, "example.com www.example.com" (default: None)

echo "Running deploy script ..."

# Figure out cert path
. /config/.donoteditthisfile.conf
if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
  ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGTLD}"
  LINEAGE="/etc/letsencrypt/live/${ORIGDOMAIN}"
else
  ORIGDOMAIN="${ORIGTLD}"
  LINEAGE="/etc/letsencrypt/live/${ORIGTLD}"
fi

RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
KEYPATH="/letsencrypt"
echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"

# Clean current KEYPATH contents
echo "Clearing expired certs ..."
rm -f ${KEYPATH}/*

# Copy certs to keypath dest
echo "Copying current certs ..."
cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
# for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
#     cat crt >> ${KEYPATH}/${CERTNAME}
# done

# Convert pems to cert and key
echo "Converting to tls.crt and tls.key ..."
openssl crl2pkcs7 -nocrl \
    -certfile "${KEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
    -out "${KEYPATH}"/tls.crt
# openssl x509 -outform der -in fullchain.pem -out tls.crt
# openssl pkey -outform der -in privkey.pem -out tls.key
openssl rsa \
    -in "${KEYPATH}"/privkey.pem \
    -out "${KEYPATH}"/tls.key

sleep 1

# Convert to pfx and priv-fullchain-bundle
echo "Converting to pfx and priv-fullchain-bundle.pem ..."
openssl pkcs12 -export \
    -certfile "${KEYPATH}"/chain.pem \
    -in "${KEYPATH}"/cert.pem \
    -inkey "${KEYPATH}"/privkey.pem \
    -out "${KEYPATH}"/privkey.pfx \
    -passout pass:
sleep 1

cat "${KEYPATH}"/{privkey,fullchain}.pem > "${KEYPATH}"/priv-fullchain-bundle.pem
sleep 1

# Allow read access to certs
chmod 644 "${KEYPATH}"/*.pem
chmod 644 "${KEYPATH}"/*.pfx
chmod 644 "${KEYPATH}"/tls.*
echo "Success."