-if $ssl; then
- f=$cert_dir/fullchain.pem
- if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
- $0 -p 80 $t $h
- # adds every security option
- certbot certonly -n --hsts --staple-ocsp --uir --must-staple --email $email --staple-ocsp --no-self-upgrade --agree-tos --apache -d $h
- rm $vhost_file
+if [[ ! $oob_cert_dir ]] && $ssl; then
+
+ $this_dir/certbot-setup $t
+
+ f=$cert_dir/fullchain.pem
+ threedays=259200 # in seconds
+ if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then
+ # cerbot needs an existing virtualhost.
+ $0 -p 80 $t $h
+ # when generating an example config, add all relevant security options:
+ # --hsts --staple-ocsp --uir --must-staple
+ certbot certonly -n --email $email --no-self-upgrade \
+ --agree-tos --${t%2} -d $h
+ # cleanup the call to ourselves a short bit ago
+ rm $se/$h.conf
+ fi
+ # these scripts only run on renew, that is kinda dumb.
+ export RENEWED_LINEAGE=/etc/letsencrypt/live/$h
+ for script in /etc/letsencrypt/renewal-hooks/deploy/*; do
+ if [[ -x $script ]]; then
+ "$script"