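#!/bin/bash
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# install ssl cert for a specific domain / frode klevstul / oct 2025
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# documentation
# list of supported providers: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
# digitalocean = dns_dgon
# hetzner = dns_hetzner
#
# usage: <this script> [TOKEN] [DNS_PROVIDER] [BARE_DOMAIN]
#
# Issues an ec-384 certificate for BARE_DOMAIN and *.BARE_DOMAIN through the
# acme.sh DNS challenge, installs cert/key/fullchain under
# /etc/nginx/acme.sh/BARE_DOMAIN and reloads nginx.
#
# NOTE(security): TOKEN is a DNS API credential passed on the command line, so
# it is visible in the process list and may land in shell history while the
# script runs. Reading it from a root-only file or stdin would avoid that; the
# positional interface is kept here so existing callers keep working.

set -euo pipefail

readonly ACME=/root/.acme.sh/acme.sh
readonly CERT_ROOT=/etc/nginx/acme.sh

# Print a message on stderr and stop with a failing status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Root is required: the script writes under /etc/nginx and reloads nginx.
if [ "$EUID" -ne 0 ]; then
  die "error: run as 'root'"
fi

this_file_name=${0##*/}

if [ "$#" -ne 3 ]; then
  # Quoted so that [TOKEN] etc. are printed literally and never glob-expanded.
  printf '%s\n' "usage: ${this_file_name} [TOKEN] [DNS_PROVIDER] [BARE_DOMAIN]" >&2
  exit 1
fi

token=$1
dns_provider=$2
domain=$3

# The provider name is handed to acme.sh as a plugin name, and the domain is
# used to build a directory path as root, so both are restricted to the
# characters they can legitimately contain before anything is created.
if [[ ! "$dns_provider" =~ ^dns_[A-Za-z0-9_]+$ ]]; then
  die "error: DNS_PROVIDER must look like 'dns_<name>' (e.g. dns_dgon, dns_hetzner)"
fi
if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
  die "error: BARE_DOMAIN must be a plain host name such as example.com"
fi

[ -x "$ACME" ] || die "error: ${ACME} not found or not executable"

# Export the token only under the name the selected provider reads. For any
# other provider the original behaviour (both names set) is kept.
# NOTE(review): acme.sh normally persists DNS API credentials in its account
# configuration for later renewals - confirm that file stays root-only.
case "$dns_provider" in
  dns_dgon)
    export DO_API_KEY="${token}"
    ;;
  dns_hetzner)
    export HETZNER_Token="${token}"
    ;;
  *)
    export DO_API_KEY="${token}"
    export HETZNER_Token="${token}"
    ;;
esac

# NOTE(review): '--debug 2' is verbose and may include request details; avoid
# capturing this output in shared or world-readable logs.
# The wildcard name is quoted so the shell cannot expand it against files in
# the current directory.
issue_rc=0
"$ACME" --debug 2 --issue --dns "$dns_provider" \
  -d "$domain" -d "*.${domain}" --keylength ec-384 || issue_rc=$?

# acme.sh is understood to exit with 2 when a valid certificate already exists
# and renewal is not yet due (confirm against the installed version); in that
# case installing the existing certificate is still the right next step.
if [ "$issue_rc" -ne 0 ] && [ "$issue_rc" -ne 2 ]; then
  die "error: certificate issuance failed (acme.sh exit status ${issue_rc})"
fi

cert_dir="${CERT_ROOT}/${domain}"
mkdir -p -- "$cert_dir"
# The directory holds the private key; keep it readable by root only.
chmod 700 -- "$cert_dir"

"$ACME" --debug 2 --install-cert -d "$domain" --ecc \
  --cert-file "${cert_dir}/cert.pem" \
  --key-file "${cert_dir}/key.pem" \
  --fullchain-file "${cert_dir}/fullchain.pem" \
  --reloadcmd "systemctl reload nginx.service"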