# ssl-update

automation for cert renewal with local hooks

given a service:

* start letsencrypt's certbot "manually", getting ownership proof data
* turn up a custom nginx site for the proof
* log into the firewall, allow http to the given service
* enable http for the given service in nginx
* instruct let's encrypt to check the proof
* new expiration date on certs
* disable http for the service
* log into firewall, block http for the given service
* perform service specific hooks
  * jellyfin/plex: generate a pkcs12 key and put it in the right place
  * set permissions and ownership on new keys

All secrets are GPG encrypted and one password prompt allows for script access to all secrets necessary.

State:

* running for all services, no known bugs at this time
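
The jellyfin/plex hook step in the list above (generate a pkcs12 bundle, put it in place, set permissions and ownership) could look like the following. This is an added example, not the script from this repository; the function name `make_pkcs12`, the `P12_PASS` variable and the certbot-style file names `fullchain.pem` and `privkey.pem` are assumptions.

```shell
#!/bin/sh
# Added example: PKCS#12 hook for a Jellyfin/Plex-style service.
# make_pkcs12, P12_PASS and all paths are hypothetical names.

# make_pkcs12 LIVE_DIR OUT_FILE OWNER
#   LIVE_DIR  directory holding fullchain.pem and privkey.pem
#   OUT_FILE  where the service expects its PKCS#12 bundle
#   OWNER     user[:group] the service runs as
# The bundle passphrase is read from the environment variable P12_PASS,
# so it never shows up in the process list or in shell history.
make_pkcs12() {
    live_dir=$1 out_file=$2 owner=$3

    [ -r "$live_dir/fullchain.pem" ] && [ -r "$live_dir/privkey.pem" ] || {
        echo "make_pkcs12: missing cert or key in $live_dir" >&2
        return 1
    }
    [ "${P12_PASS+set}" = set ] || {
        echo "make_pkcs12: P12_PASS is not set" >&2
        return 1
    }
    export P12_PASS

    # mktemp creates the file with mode 0600, so the key material is never
    # group- or world-readable. Creating it next to the destination makes
    # the final mv an atomic rename: the service sees the old or new bundle.
    tmp=$(mktemp "$(dirname "$out_file")/.p12.XXXXXX") || return 1

    if openssl pkcs12 -export \
            -in "$live_dir/fullchain.pem" \
            -inkey "$live_dir/privkey.pem" \
            -out "$tmp" -passout env:P12_PASS \
        && chmod 600 "$tmp" \
        && chown "$owner" "$tmp" \
        && mv -f "$tmp" "$out_file"
    then
        return 0
    fi

    # Any failure: leave no partial bundle behind and keep the old one.
    rm -f "$tmp"
    return 1
}
```

Changing ownership to a different user requires root, and the service usually has to be restarted or reloaded before it picks up the new bundle.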