From 882963c178f003bed2cc06e383d85f74a65fc855 Mon Sep 17 00:00:00 2001
From: fro
Date: Tue, 28 Oct 2025 14:41:19 -0500
Subject: [PATCH] + 5_https.sh
---
scr/5_https.sh | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100755 scr/5_https.sh
diff --git a/scr/5_https.sh b/scr/5_https.sh
new file mode 100755
index 0000000..6fcdd1b
--- /dev/null
+++ b/scr/5_https.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# install ssl cert for a specific domain / frode klevstul / oct 2025
+#
+# documentation
+# list of supported providers: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
+# digitalocean = dns_dgon
+# hetzner = dns_hetzner
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+if [ "$EUID" -ne 0 ]
+ then echo "error: run as 'root'"
+ exit
+fi
+
+this_file_name=`basename "$0"`
+
+if [ $# -ne 3 ]; then
+ echo usage: ${this_file_name} [TOKEN] [DNS_PROVIDER] [BARE_DOMAIN]
+ exit 1
+fi
+
+token=$1
+dns_provider=$2
+domain=$3
+
+# it's easier setting values for both digitalocean and hetzner, even though one value will become redundant.
+# an alternative would be checking the dns_provider input value and doing an export accordingly.
+export DO_API_KEY="${token}"
+export HETZNER_Token="${token}"
+
+/root/.acme.sh/acme.sh --debug 2 --issue --dns ${dns_provider} -d ${domain} -d *.${domain} --keylength ec-384
+mkdir -p /etc/nginx/acme.sh/${domain}
+/root/.acme.sh/acme.sh --debug 2 --install-cert -d ${domain} --ecc --cert-file /etc/nginx/acme.sh/${domain}/cert.pem --key-file /etc/nginx/acme.sh/${domain}/key.pem --fullchain-file /etc/nginx/acme.sh/${domain}/fullchain.pem --reloadcmd "systemctl reload nginx.service"
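Review bot: The API token is taken from the command line (`token=$1`), so it is visible in the process list and ends up in the invoking shell's history; reading it from stdin or a root-only file keeps it out of argv. `${domain}` and `${dns_provider}` are used unquoted and unvalidated, which lets `-d *.${domain}` glob against the current directory and puts an unchecked value into `mkdir -p /etc/nginx/acme.sh/${domain}` as root — quote each expansion (`-d "*.${domain}"`) and accept hostname characters only. The root check ends in a bare `exit`, which returns the status of the preceding `echo` (0), so a caller sees success; it should be `exit 1`. The fence sketches the argument handling with the token read from stdin and the export limited to the selected provider, the alternative the in-file comment already mentions.

```shell
# … unchanged: shebang, header comment, root check, this_file_name …
if [ $# -ne 2 ]; then
  echo "usage: ${this_file_name} [DNS_PROVIDER] [BARE_DOMAIN] < token-file" >&2
  exit 1
fi

dns_provider=$1
domain=$2

# token comes from stdin so it never shows up in argv or shell history
IFS= read -r token
if [ -z "${token}" ]; then
  echo "error: empty token on stdin" >&2
  exit 1
fi

# domain ends up in a path under /etc/nginx, so allow hostname characters only
case "${domain}" in
  ""|.*|-*|*..*|*[!A-Za-z0-9.-]*)
    echo "error: invalid domain '${domain}'" >&2
    exit 1
    ;;
esac

# export only the variable the selected provider reads
case "${dns_provider}" in
  dns_dgon)    export DO_API_KEY="${token}" ;;
  dns_hetzner) export HETZNER_Token="${token}" ;;
  *)
    echo "error: unsupported dns provider '${dns_provider}'" >&2
    exit 1
    ;;
esac
# … unchanged: acme.sh --issue, mkdir, acme.sh --install-cert (with expansions quoted) …
```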