scripts/sysadmin/le_lan_reload_services.sh

#!/bin/bash

LE_DOMAIN="DOMAIN"
LDAP_SHORTNAME="HOSTNAME"
UPDATE_MIKROTIK=0
MIKROTIK_HOST="mikrotik"

# Re-add the private key in LDAP *IMPORTANT*

/usr/sbin/dsctl "${LDAP_SHORTNAME}" tls import-server-key-cert /etc/letsencrypt/live/"${LE_DOMAIN}"/fullchain.pem \
            /etc/letsencrypt/live/"${LE_DOMAIN}"/privkey.pem

# Re-import the certificate in the LDAP store

/usr/sbin/dsconf -v -D "cn=Directory Manager" "${LDAP_SHORTNAME}" security certificate add \
    --file /etc/letsencrypt/live/"${LE_DOMAIN}"/cert.pem \
        --primary-cert \
        --name "LE"

systemctl restart dirsrv@${LDAP_SHORTNAME}

# Reload services

systemctl reload nginx
systemctl restart sssd

# Push the certificates to a Mikrotik AP
#NOTE: This assumes you have set up SSH for a user with public key auth

if [[ $UPDATE_MIKROTIK ]];
then

scp "/etc/letsencrypt/${LE_DOMAIN}/privkey.pem" "${MIKROTIK_HOST}":
scp "/etc/letsencrypt/${LE_DOMAIN}/fullchain.pem" "${MIKROTIK_HOST}":

ssh mikrotik -T <<EOF
/certificate remove fullchain.pem_0
/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""
/file remove fullchain.pem
/file remove privkey.pem
EOF

# Do it twice or somehow the installation of the certificates goes wonky
ssh mikrotik -T <<EOF
/ip service set www-ssl certificate=fullchain.pem_0
/ip service set api-ssl certificate=fullchain.pem_0
EOF

fi