production-openbsd/scripts/cert-renew-check.sh

#!/bin/sh
# cert-renew-check.sh — weekly via cron; renew LE certs near expiry
# Logs to /var/log/cert-renew.log

LOG=/var/log/cert-renew.log
echo "[$(date -u +%FT%TZ)] cert-renew-check start" >>"$LOG"

DOMAINS="s8n.ru veilor.uk"
RC=0

for d in $DOMAINS; do
    if /usr/local/sbin/acme-client -v "$d" >>"$LOG" 2>&1; then
        echo "[$(date -u +%FT%TZ)] $d: renewed" >>"$LOG"
    else
        rc=$?
        echo "[$(date -u +%FT%TZ)] $d: acme-client exit=$rc (likely no renewal needed; harmless if >30d to expiry)" >>"$LOG"
        # Don't fail the script for "no renewal needed"
    fi
done

# Reload relayd if any cert files changed in last 5 minutes
if find /etc/ssl -name '*.fullchain.pem' -mmin -5 | grep -q .; then
    rcctl reload relayd
    echo "[$(date -u +%FT%TZ)] relayd reloaded for new certs" >>"$LOG"
fi

echo "[$(date -u +%FT%TZ)] cert-renew-check done" >>"$LOG"
exit $RC