2 ################################################################################
4 # File: certbot_authentication.sh
6 # Description: Perform domain validation by creating a TXT record on the domain
7 # from certbot. This script is designed to work with
8 # Dreamhost.com's API and certbot running on Ubuntu 20.04. Note
9 # that it has not been extended to handle multiple domains.
11 # Domain validation is the process of validating you have control
12 # over a domain. Services like Let's Encrypt can then issue you
13 # domain validated TLS certificates for use to secure websites.
15 # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
17 # Crontab: 0 0 1 * * certbot renew --manual-auth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh
19 # Author: Andrew@DeFaria.com
20 # Created: Fri 04 Jun 2021 11:20:16 PDT
24 # (c) Copyright 2021, ClearSCM, Inc., all rights reserved
26 ################################################################################
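# Log file for this run.
# NOTE(review): this is a fixed, predictable path under world-writable /tmp.
# The crontab line above runs this hook from certbot, typically as root; a
# pre-created symlink at this name could redirect the log writes elsewhere.
# A root-owned directory (e.g. /var/log) or mktemp would avoid that. $0 is
# quoted and `--` added so an unusual script path cannot break basename.
logfile="/tmp/$(basename -- "$0").log"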
36 # The following are environment variables that certbot passes to us
38 # CERTBOT_DOMAIN: Domain being authenticated.
39 # CERTBOT_VALIDATION: Validation string for domain.
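# Check that CERTBOT_DOMAIN and CERTBOT_VALIDATION have been passed in properly.
# Both come from certbot; without them there is nothing to publish, so a
# missing value is fatal, and the non-zero exit tells certbot the hook failed.
# The tests use `[[ -z "$VAR" ]]`: the older form `[ -z "$VAR"]` (no space
# before the closing bracket) hands `value]` to test as a single word, so the
# check does not do what it appears to do.
if [[ -z "$CERTBOT_DOMAIN" ]]; then
  log "CERTBOT_DOMAIN not passed in!"
  exit 1
fi
log "CERTBOT_DOMAIN = $CERTBOT_DOMAIN"

if [[ -z "$CERTBOT_VALIDATION" ]]; then
  log "CERTBOT_VALIDATION not passed in!"
  exit 1
fi
log "CERTBOT_VALIDATION = $CERTBOT_VALIDATION"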
# My DNS registrar is Dreamhost. These variables are specific to their DNS API.
57 # Yours will probably be different.
59 # Dreamhost key - generate at https://panel.dreamhost.com/?tree=home.api
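# URL where the REST endpoint is. The API key travels as a query parameter,
# so the complete URL (key included) is visible in the process list while
# wget runs and in any `set -x` trace: keep this script readable only by the
# account that runs it, and never log $url or $cmd. If the Dreamhost API
# accepts these parameters via POST, `wget --post-data` would keep the key
# out of argv — not verified here.
url="https://api.dreamhost.com/?key=$key"

# Add a TXT record to domain. For dns-01, CERTBOT_VALIDATION is a base64url
# token and CERTBOT_DOMAIN a hostname, so neither needs URL-encoding in the
# query string; any other value interpolated here would.
log "Adding TXT record $CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&value=$CERTBOT_VALIDATION"

# Fail the hook if the request itself fails or the API reports an error;
# otherwise the script would sit through the propagation wait for a record
# that was never created. Per the Dreamhost API docs linked at the top, the
# first line of every response is "success" or "error" — confirm there if
# the check below ever misfires.
if ! response=$(wget -qO- -- "$cmd"); then
  log "ERROR: request to the Dreamhost API failed"
  exit 1
fi
log "Response = $response"
if ! printf '%s\n' "$response" | grep -q '^success'; then
  log "ERROR: Dreamhost API did not report success for dns-add_record"
  exit 1
fi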
# Verifies that the TXT record has propagated.
#
# Polls for _acme-challenge.$CERTBOT_DOMAIN with nslookup while $attempt is
# below 4, sleeping $time_between_attempts (300 s) before each lookup. The
# lines that initialise and advance $attempt, and the return/exit taken after
# a hit or after the loop, are not shown in this listing; the loop below
# depends on them.
#
# NOTE(review): the check only establishes that *some* TXT record exists for
# the name — it never compares the content with $CERTBOT_VALIDATION, so a
# stale record left by an earlier run would count as "propagated". Matching
# the value instead, e.g. `grep -F -- "$CERTBOT_VALIDATION"` on the nslookup
# output, would close that gap. nslookup also asks the local resolver, which
# may answer from cache; querying the zone's authoritative nameserver would
# reflect the new record sooner.
function verifyPropagation {
  log "Enter verifyPropagation"

  # We will try 4 times waiting 5 minutes in between
  time_between_attempts=300 # 5 minutes (we might be able to shorten this)

  # Obviously it's not propagated immediately so first wait
  while [ $attempt -lt 4 ]; do
    log "Waiting $time_between_attempts seconds for TXT record $CERTBOT_DOMAIN to propagate..."
    sleep $time_between_attempts

    log "Attempt #$attempt: Validating of propagation of TXT record $CERTBOT_DOMAIN"
    # `grep -vi "can't find"` drops nslookup's NXDOMAIN line, which also
    # contains the domain and would otherwise satisfy the second grep.
    # $CERTBOT_DOMAIN is unquoted and its dots act as regex wildcards here;
    # harmless for a hostname, but `grep -F -- "$CERTBOT_DOMAIN"` is exact.
    TXT=$(nslookup -type=TXT _acme-challenge.$CERTBOT_DOMAIN | grep -vi "can't find" | grep $CERTBOT_DOMAIN)

    if [ -n "$TXT" ]; then
      log "TXT record _acme-challenge.$CERTBOT_DOMAIN propagated"
      log "TXT record _acme-challenge.$CERTBOT_DOMAIN not propagated yet"

  # Reached only when every attempt came back empty.
  log "ERROR: Unable to validate propagation"
} # verifyPropagation
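# Hand the certificate files to the Synology. /System/tmp is a directory on
# the Synology mounted here via NFS.
#
# NOTE(review): this script is wired in as certbot's --manual-auth-hook (see
# the crontab line at the top). An auth hook runs while the challenge is
# being set up, i.e. before the new certificate is issued, so what gets
# copied here is whatever is currently in /etc/letsencrypt/live/ — not the
# certificate this run produces. Moving this step into a --deploy-hook,
# which certbot runs after a successful renewal, would copy the fresh files.
cert_src_dir="/etc/letsencrypt/live/$CERTBOT_DOMAIN"
cert_dest_dir="/System/tmp"

# privkey.pem is the TLS private key and must not be world-readable on a
# shared NFS export, so it is copied owner-only (0400). cert.pem and chain.pem
# are public material and stay 0444. If the account that imports the key into
# DSM runs under a different uid, give it access through group ownership
# rather than by widening the mode.
# Failures are logged but not fatal: a non-zero exit here would fail the
# whole certbot challenge over a copy problem unrelated to DNS.
for pem_entry in privkey.pem:400 cert.pem:444 chain.pem:444; do
  pem_file=${pem_entry%%:*}
  pem_mode=${pem_entry##*:}
  if cp -- "$cert_src_dir/$pem_file" "$cert_dest_dir/$pem_file"; then
    chmod "$pem_mode" "$cert_dest_dir/$pem_file" \
      || log "ERROR: chmod $pem_mode $cert_dest_dir/$pem_file failed"
  else
    log "ERROR: failed to copy $cert_src_dir/$pem_file to $cert_dest_dir"
  fi
done

printf '%s\n' "Now go to DSM > Control Panel > Security > Certificate, select $CERTBOT_DOMAIN"
printf '%s\n' "then Add, Replace an existing certificate for *.$CERTBOT_DOMAIN, Import"
printf '%s\n' "Certificate and supply privkey.pem, cert.pem, and chain.pem for Private Key"
printf '%s\n' "Certificate, and Intermediate certificate."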