ss-encrypt-certbot.txt

#!/bin/bash

####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: littlebizzy/slickstack/blob/master/bash/ss-encrypt-certbot.txt ########################
#### path: /var/www/ss-encrypt-certbot #############################################################
#### destination: n/a (not a boilerplate) ##########################################################
#### purpose: Regenerates Lets Encrypt certs via Certbot and configures relevant symlinks ##########
#### module version: Certbot 2.9.x #################################################################
#### sourced by: ss-install-nginx-config ###########################################################
#### bash aliases: ss certbot, ss encrypt certbot|letsencrypt ######################################
####################################################################################################

## SS-ENCRYPT-CERTBOT WILL ALWAYS ACTIVATE OPENSSL BEFORE REQUESTING LETSENCRYPT CERTS ##
## IT ONLY REQUESTS LETSENCRYPT CERTS BUT DOES NOT ACTIVATE THEM ON SLICKSTACK ##

####################################################################################################
#### TABLE OF CONTENTS (SS-Encrypt-Certbot) ########################################################
####################################################################################################

## this is a brief summary of the different code snippets you will find in this script ##
## each section should be commented so you understand what is being accomplished ##

## A. Source SS-Config + SS-Functions
## B. Touch Timestamp File
## C. Message (Begin Script)
## D. Run SS-Perms-Nginx-Config
## E. Generate Cloudflare.ini (Conditional)
## F. Temporarily Activate OpenSSL.conf (Conditional)
## G. Request Certs From Lets Encrypt Servers
## H. Configure Lets Encrypt Symlinks
## I. Run SS-Perms-Nginx-Config
## J. Reload Nginx

####################################################################################################
#### A. SS-Encrypt-Certbot: Source SS-Config + SS-Functions ########################################
####################################################################################################

## before anything else we must source the critical variables that power this script ##
## ss-config is setup during ss-install wizard but ss-functions is hardcoded ##

## source ss-config ##
source /var/www/ss-config

## source ss-functions ##
source /var/www/ss-functions

## BELOW THIS RELIES ON SS-CONFIG AND SS-FUNCTIONS

####################################################################################################
#### B. SS-Encrypt-Certbot: Touch Timestamp File ###################################################
####################################################################################################

## this is a dummy timestamp file that will remember the last time this script was run ##
## it can be useful for developer reference and is sometimes used by SlickStack ##

ss_touch "${TIMESTAMP_SS_ENCRYPT_CERTBOT}"

####################################################################################################
#### C. SS-Encrypt-Certbot: Message (Begin Script) #################################################
####################################################################################################

## this is a simple message that announces to the shell the purpose of this bash script ##
## it will only be seen by sudo users who manually run this script in the shell ##

ss_echo "${COLOR_INFO}Running ss-encrypt-certbot... ${COLOR_RESET}"

####################################################################################################
#### D. SS-Encrypt-Certbot: Run SS-Perms-Nginx-Config ##############################################
####################################################################################################

source "${PATH_SS_PERMS_NGINX_CONFIG}"

####################################################################################################
#### E. SS-Encrypt-Certbot: Generate Cloudflare.ini (Conditional) ##################################
####################################################################################################

## check if Cloudflare creds are set in ss-config and force regenerate cloudflare.ini ##

if [[ -n "${CLOUDFLARE_EMAIL}" && -n "${CLOUDFLARE_API_KEY}" ]]; then
    cat <<EOF > /var/www/meta/cloudflare.ini
dns_cloudflare_email = ${CLOUDFLARE_EMAIL}
dns_cloudflare_api_key = ${CLOUDFLARE_API_KEY}
EOF
    ## set required perms (must be exactly 600) ##
    chmod 600 /var/www/meta/cloudflare.ini
    chown root:root /var/www/meta/cloudflare.ini

    ss_echo "${COLOR_INFO}Cloudflare credentials file created successfully at /var/www/meta/cloudflare.ini${COLOR_RESET}"
else
    ss_echo "${COLOR_WARNING}Cloudflare credentials are missing in ss-config. Please ensure CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY are set.${COLOR_RESET}"
fi

####################################################################################################
#### F. SS-Encrypt-Certbot: Temporarily Activate OpenSSL.conf (Conditional) ########################
####################################################################################################

## here we must temporarily activate OpenSSL in order to avoid fatal errors in Nginx ##
## the next step will be running Certbot which requires OpenSSL to be activated ##

if [[ ! -f "${PATH_LETSENCRYPT_CERT_CERT}" ]]; then 

    if [[ ! -f "${PATH_OPENSSL_CERT}" ]]; then 
        source "${PATH_SS_ENCRYPT_OPENSSL}"
    fi

    ss_wget "${TMP_OPENSSL_CONF}" "${GITHUB_OPENSSL_CONF}"
    VALIDATE_TMP_OPENSSL_CONF=$(grep 'SS_EOF' "${TMP_OPENSSL_CONF}" 2> /dev/null)
    if [[ -z "${VALIDATE_TMP_OPENSSL_CONF}" ]]; then
        ss_wget "${TMP_OPENSSL_CONF}" "${GITLAB_OPENSSL_CONF}"
    fi

## SEARCH AND REPLACE SSL SETTINGS ## 

## SSL protocols ##
if [[ -z "${SSL_PROTOCOLS}" ]]; then 
    ss_sed "s/@SSL_PROTOCOLS/TLSv1.2 TLSv1.3/g" "${TMP_OPENSSL_CONF}"
else 
    ss_sed "s/@SSL_PROTOCOLS/${SSL_PROTOCOLS}/g" "${TMP_OPENSSL_CONF}"
fi

## SSL ciphers ##
if [[ -z "${SSL_CIPHERS}" ]]; then 
    ss_sed "s/@SSL_CIPHERS/ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384/g" "${TMP_OPENSSL_CONF}"
else 
    ss_sed "s/@SSL_CIPHERS/${SSL_CIPHERS}/g" "${TMP_OPENSSL_CONF}"
fi

## SSL session timeout ##
if [[ -z "${SSL_SESSION_TIMEOUT}" ]]; then 
    ss_sed "s/@SSL_SESSION_TIMEOUT/1d/g" "${TMP_OPENSSL_CONF}"
else 
    ss_sed "s/@SSL_SESSION_TIMEOUT/${SSL_SESSION_TIMEOUT}/g" "${TMP_OPENSSL_CONF}"
fi

## SSL session cache ##
if [[ -z "${SSL_SESSION_CACHE}" ]]; then 
    ss_sed "s/@SSL_SESSION_CACHE/shared:SSL:64m/g" "${TMP_OPENSSL_CONF}"
else 
    ss_sed "s/@SSL_SESSION_CACHE/${SSL_SESSION_CACHE}/g" "${TMP_OPENSSL_CONF}"
fi

## SSL buffer size ##
if [[ -z "${SSL_BUFFER_SIZE}" ]]; then 
    ss_sed "s/@SSL_BUFFER_SIZE/16k/g" "${TMP_OPENSSL_CONF}"
else 
    ss_sed "s/@SSL_BUFFER_SIZE/${SSL_BUFFER_SIZE}/g" "${TMP_OPENSSL_CONF}"
fi

## here we modify the live Nginx configuration files to activate Lets Encrypt certificates ##
## this snippet will only be executed if Lets Encrypt certs appear to be successful ##

## enable openssl submodule ##
ss_mv "${TMP_OPENSSL_CONF}" "${PATH_OPENSSL_CONF}"
ss_rm "${PATH_LETSENCRYPT_CONF}"
ss_rm "${PATH_THIRDPARTY_CONF}"
ss_echo "lets encrypt cert file not found during ss-encrypt-certbot so installing openssl.conf instead before attempting certbot request"

fi

####################################################################################################
#### G. SS-Encrypt-Certbot: Request Certs From Lets Encrypt Servers ################################
####################################################################################################

## NOTICE: SLICKSTACK DOES NOT SUPPORT SUB-SUBDOMAINS LIKE WWW.BLOG.EXAMPLE.COM ##

## SlickStack deletes old Lets Encrypt certs and requests new ones to avoid dir-stacking ##
## this approach also allows you to change your server to a different CMS or TLD ##

## SINGLE SITE CERTS + STAGING ENABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
if [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_FULL_DOMAIN}


## SINGLE SITE CERTS + STAGING ENABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d staging.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_FULL_DOMAIN}


## SINGLE SITE CERTS + STAGING DISABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]]; then
    ss_certbot -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_FULL_DOMAIN}


## SINGLE SITE CERTS + STAGING DISABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" != "true" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" ]] && [[ "${DEV_SITE}" == "false" ]]; then
    ss_certbot -d ${SITE_FULL_DOMAIN}


## MULTISITE SUBDOMAINS + STAGING/DEV NOT SUPPORTED (WILDCARD CERTIFICATE) ##

elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" != "false" ]]; then
    if [[ -f "/var/www/meta/cloudflare.ini" ]]; then
        ss_certbot_dns -d "${SITE_DOMAIN_EXCLUDING_WWW}" -d "*.${SITE_DOMAIN_EXCLUDING_WWW}"
    else
        ss_echo "${COLOR_WARNING}Cloudflare credentials file is missing. Cannot issue wildcard SSL...${COLOR_RESET}"
    fi


## MULTISITE SUBDOMAINS + BOTH STAGING/DEV DISABLED (STILL REQUIRES WILDCARD) ##
## n/a (same as above)


### ALL THESE STILL NEED FIXING RE: WEBROOT SYNTAX SAME AS SINGLE SITES ABOVE ###
## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_FULL_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}


## MULTISITE SUBDIRECTORIES + STAGING ENABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" != "false" ]] && [[ "${STAGING_SITE_SUBDOMAIN}" != "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_FULL_DOMAIN} -d staging.${SITE_DOMAIN_EXCLUDING_WWW}


## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV ENABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW} -d dev.${SITE_DOMAIN_EXCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" != "false" ]] && [[ "${DEV_SITE_SUBDOMAIN}" != "false" ]]; then
    ss_certbot -d ${SITE_FULL_DOMAIN} -d dev.${SITE_DOMAIN_EXCLUDING_WWW}


## MULTISITE SUBDIRECTORIES + STAGING DISABLED / DEV DISABLED ##

## if site domain contains www (and is therefore a subdomain) e.g. www.example.com or www.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" == www.* ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain does not contain www (and is not any other type of subdomain) e.g. example.com or example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" == "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_DOMAIN_EXCLUDING_WWW} -d ${SITE_DOMAIN_INCLUDING_WWW}

## if site domain is a non-www type of subdomain e.g. blog.example.com or blog.example.co.uk ##
elif [[ "${WP_MULTISITE}" == "true" ]] && [[ "${WP_MULTISITE_SUBDOMAINS}" == "false" ]] && [[ "${SITE_FULL_DOMAIN}" != www.* ]] && [[ "${SITE_ROOT_DOMAIN}" != "${SITE_FULL_DOMAIN}" ]] && [[ "${STAGING_SITE}" == "false" || "${STAGING_SITE_SUBDOMAIN}" == "false" ]] && [[ "${DEV_SITE}" == "false" || "${DEV_SITE_SUBDOMAIN}" == "false" ]]; then
    ss_certbot -d ${SITE_FULL_DOMAIN}


## OTHERWISE DISPLAY THIS ERROR MESSAGE ##

else
    ss_echo "${COLOR_WARNING}It seems required options are missing from ss-config so we dont know what Lets Encrypt cert to request for you... ${COLOR_RESET}"
fi

####################################################################################################
#### H. SS-Encrypt-Certbot: Configure Lets Encrypt Symlinks ########################################
####################################################################################################

## here we create symlinks in the /var/www/certs/ directory that point to Lets Encrypt ##
## this hardcode method simplifies our Nginx settings and makes it more stable ##

## https://stackoverflow.com/questions/4695241/does-creating-a-symbolic-link-to-another-symbolic-link-have-any-side-effects

ss_ln "${PATH_LETSENCRYPT_CERT_CERT}" "${SYMLINK_LETSENCRYPT_CERT}"
ss_ln "${PATH_LETSENCRYPT_CERT_CHAIN}" "${SYMLINK_LETSENCRYPT_CHAIN}"
ss_ln "${PATH_LETSENCRYPT_CERT_FULLCHAIN}" "${SYMLINK_LETSENCRYPT_FULLCHAIN}"
ss_ln "${PATH_LETSENCRYPT_CERT_PRIVKEY}" "${SYMLINK_LETSENCRYPT_PRIVKEY}"

####################################################################################################
#### I. SS-Encrypt-Certbot: Run SS-Perms-Nginx-Config ##############################################
####################################################################################################

source "${PATH_SS_PERMS_NGINX_CONFIG}"

####################################################################################################
#### J. SS-Encrypt-Certbot: Reload Nginx ###########################################################
####################################################################################################

## this is required because SlickStack cron jobs call ss-encrypt-certbot for renewals ##
## therefore we cannot use ss-install-nginx-config to restart Nginx as needed ##

ss_reload nginx

####################################################################################################
#### SlickStack: Reset Permissions (SlickStack Scripts) ############################################
####################################################################################################

## we include this permissions reset in all cron jobs and bash scripts for redundancy ##
## chmod 0700 means only the root/sudo users can execute any SlickStack scripts ##

## THIS SNIPPET DOES NOT RELY ON SS-CONFIG OR SS-FUNCTIONS
## SNIPPET: ss bash scripts, ss cron jobs
## UPDATED: 02JUL2022

chown root:root /var/www/ss* ## must be root:root
chown root:root /var/www/crons/*cron* ## must be root:root
chown root:root /var/www/crons/custom/*cron* ## must be root:root
chmod 0700 /var/www/ss* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/*cron* ## 0700 means only root/sudo can execute
chmod 0700 /var/www/crons/custom/*cron* ## 0700 means only root/sudo can execute

####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################

## Ref: ChatGPT
## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
## Ref: https://stackoverflow.com/questions/49172841/install-certbot-letsencrypt-without-interaction/57019299#57019299
## Ref: https://matthewlehner.net/lets-encrypt-with-nginx
## Ref: https://community.letsencrypt.org/t/how-often-should-i-run-the-cerbot-cron-job-to-update-the-certificates/18851
## Ref: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2
## Ref: https://community.letsencrypt.org/t/certificate-path/24227
## Ref: https://www.cyberciti.biz/tips/linux-unix-pause-command.html
## Ref: https://stackoverflow.com/questions/9483633/how-to-use-bash-read-with-a-timeout/9483693#9483693
## Ref: https://stackoverflow.com/questions/229551/how-to-check-if-a-string-contains-a-substring-in-bash
## Ref: https://unix.stackexchange.com/questions/311758/remove-specific-word-in-variable
## Ref: https://stackoverflow.com/questions/13210880/replace-one-substring-for-another-string-in-shell-script
## Ref: https://github.com/certbot/certbot/issues/3039
## Ref: https://superuser.com/questions/1056183/using-a-wildcard-in-a-condition-to-match-the-beginning-of-a-string
## Ref: https://stackoverflow.com/questions/18730509/bash-substring-regex-matching-wildcard
## Ref: https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/
## Ref: https://superuser.com/questions/81164/why-create-a-link-like-this-ln-nsf/81168
## Ref: https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
## Ref: https://serverfault.com/questions/788220/lets-encrypt-certbot-validation-over-https
## Ref: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
## Ref: https://dev.to/michaeldscherr/lets-encrypt-ssl-certificate-via-dns-challenge-8dd
## Ref: https://letsencrypt.org/docs/challenge-types/
## Ref: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
## Ref: https://community.letsencrypt.org/t/do-i-need-copy-dhparam-pem-file-when-i-move-certificates-to-a-new-server/47346
## Ref: https://weakdh.org/sysadmin.html
## Ref: https://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters
## Ref: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS
## Ref: https://stackoverflow.com/questions/21251714/bash-script-countdown-timer-needs-to-detect-any-key-to-continue
## Ref: https://stackoverflow.com/questions/33614865/bash-countdown-to-execution-if-no-key-pressed
## Ref: https://unix.stackexchange.com/questions/293940/bash-how-can-i-make-press-any-key-to-continue
## Ref: https://serverfault.com/questions/532559/bash-script-count-down-5-minutes-display-on-single-line
## Ref: https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113/2
## Ref: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568
## Ref: https://ma.ttias.be/how-to-read-ssl-certificate-info-from-the-cli/
## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
## Ref: https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo
## Ref: https://community.letsencrypt.org/t/wildcard-certificate-does-not-work/79041
## Ref: https://letsencrypt.org/docs/rate-limits/
## Ref: https://github.com/certbot/certbot/issues/2071
## Ref: https://community.letsencrypt.org/t/how-to-prevent-creation-of-etc-letsencrypt-live-domain-tld-0001-when-removing-domains-from-a-domain-tld-multidomain-certificate/8135/14
## Ref: https://community.letsencrypt.org/t/letsencrypt-webroot-verification-follows-http-to-https-redirect-for-self-signed-cert/19917
## Ref: https://stackoverflow.com/questions/205666/what-is-the-best-way-to-perform-timestamp-comparison-in-bash
## Ref: https://stackoverflow.com/questions/552724/how-do-i-check-in-bash-whether-a-file-was-created-more-than-x-time-ago
## Ref: https://unix.stackexchange.com/questions/145313/find-a-file-which-is-30-minutes-old
## Ref: https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
## Ref: https://www.getpagespeed.com/server-setup/ssl-directory
## Ref: https://superuser.com/questions/556493/permissions-for-ssl-key
## Ref: https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
## Ref: https://serverfault.com/questions/259302/best-location-for-ssl-certificate-and-private-keys-on-ubuntu
## Ref: https://community.letsencrypt.org/t/error-creating-new-cert-too-many-certificates-already-issued-for-exact-set-of-domains/41542
## Ref: https://community.letsencrypt.org/t/correct-way-to-completely-remove-issued-certificate-s-for-a-domain/7409
## Ref: https://unix.stackexchange.com/questions/78376/in-linux-how-to-delete-all-files-except-the-pattern-txt
## Ref: https://unix.stackexchange.com/questions/417737/how-to-use-find-command-with-variables
## Ref: https://serverfault.com/questions/751057/which-permissions-should-i-set-to-dhparam-pem
## Ref: https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7
## Ref: https://levelup.gitconnected.com/obtaining-wildcard-ssl-from-lets-encrypt-fee9ea6ef2b3
## Ref: https://community.letsencrypt.org/t/you-may-need-to-use-a-different-authenticator-plugin/115026
## Ref: https://community.letsencrypt.org/t/how-to-expand-certificate-with-a-wildcard-subdomain/133925/4
## Ref: https://wordpress.org/support/topic/wp-multisite-404-not-found-error/
## Ref: https://community.letsencrypt.org/t/resolved-certbot-how-to-specify-webroot-for-unmatched-domains/23147/2
## Ref: https://community.letsencrypt.org/t/multiple-domains-webroot-paths-using-webroot-plugin/7982
## Ref: https://serverfault.com/questions/790772/cron-job-for-lets-encrypt-renewal
## Ref: https://stackoverflow.com/questions/4695241/does-creating-a-symbolic-link-to-another-symbolic-link-have-any-side-effects

## WP Multisite research:

## Ref: https://stackoverflow.com/questions/34143059/how-to-get-list-of-all-sites-in-wordpress-multisite-network
## Ref: https://developer.wordpress.org/reference/functions/get_sites/
## Ref: https://community.letsencrypt.org/t/wordpress-multisite-possible-to-configure-letsencrypt-without-separate-apache-files/51916
## Ref: https://community.letsencrypt.org/t/wordpress-multi-site-apache-configuration-for-use-w-lets-encrypt/46185/5?source_topic_id=51916
## Ref: https://wordpress.org/support/topic/new-multisite-domain-features-and-installing-letsencrypt-oddities/
## Ref: https://www.digitalocean.com/community/questions/how-to-use-ssl-with-domain-mapping-in-multisite-wordpress
## Ref: https://community.letsencrypt.org/t/best-practice-for-multiple-domains-on-single-server/123262
## Ref: https://community.letsencrypt.org/t/multiple-domains-with-certbot/51064
## Ref: https://www.digitalocean.com/community/questions/let-s-encrypt-for-multiple-sites-with-different-domains-on-same-droplet

## SS_EOF