2 ################################################################################
4 # File: certbot_authentication.sh
6 # Description: Perform domain validation by creating a TXT record on the domain
7 # from certbot. This script is designed to work with
8 # Dreamhost.com's API and certbot running on Ubuntu 20.04. Note
9 # that it has not been extended to handle multiple domains.
11 # Domain validation is the process of validating you have control
12 # over a domain. Services like Let's Encrypt can then issue you
13 # domain validated TLS certificates for use to secure websites.
15 # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
17 # Crontab: 0 0 20 Jan,Apr,Jul,Oct * certbot renew
19 # Note: If you symlink /etc/letsencrypt/renewal-hooks/{pre|post|deploy}
# to the proper scripts then all you need is certbot renew. Also
21 # if certbot doesn't think it's time to renew certs you can force it
22 # with --force-renewal
24 # Author: Andrew@DeFaria.com
25 # Created: Fri 04 Jun 2021 11:20:16 PDT
26 # Modified: Mon Oct 24 11:53:38 AM PDT 2022
29 # (c) Copyright 2021, ClearSCM, Inc., all rights reserved
31 ################################################################################
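# Directory the certificate files are published to for the Synology (an NFS
# mount, see the copy step at the bottom) and where this hook writes its log.
certdir=/System/Certificates
# "$0" is quoted so a script path containing whitespace does not word-split
# into a mangled log file name; "--" guards against a name starting with "-".
logfile="$certdir/$(basename -- "$0").log"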
46 # The following are environment variables that certbot passes to us
48 # CERTBOT_DOMAIN: Domain being authenticated.
49 # CERTBOT_VALIDATION: Validation string for domain.
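# Check that CERTBOT_DOMAIN and CERTBOT_VALIDATION have been passed in properly.
# The original tests were written as `[ -z "$VAR"]` with no space before the
# closing bracket. When the variable is set, test(1) is then invoked as
# `[ -z value]` with no "]" at all: it complains "missing ]" on stderr and
# exits 2, and the script only carried on because a status of 2 reads as
# false. The checks below are well-formed, and a missing value now fails the
# hook (certbot reports a non-zero hook exit as a failed challenge) instead of
# going on to create a record for an empty domain or value.
if [ -z "$CERTBOT_DOMAIN" ]; then
  log "CERTBOT_DOMAIN not passed in!"
  exit 1
fi
log "CERTBOT_DOMAIN = $CERTBOT_DOMAIN"

if [ -z "$CERTBOT_VALIDATION" ]; then
  log "CERTBOT_VALIDATION not passed in!"
  exit 1
fi
log "CERTBOT_VALIDATION = $CERTBOT_VALIDATION"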
# My DNS registrar is Dreamhost. These variables are specific to their DNS API.
67 # Yours will probably be different.
# Dreamhost API key - generate at https://panel.dreamhost.com/?tree=home.api
# The key lets its holder change DNS for the account, so keep the file that
# holds it readable only by the account certbot runs as, and never write the
# key (or the URLs built from it) to the log.
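# URL where the REST endpoint is. The Dreamhost API authenticates with the key
# in the query string, so $url and every $cmd derived from it contain the
# secret: do not log them.
url="https://api.dreamhost.com/?key=$key"

# Add a TXT record to domain. CERTBOT_VALIDATION is base64url and
# CERTBOT_DOMAIN is a hostname, so neither needs URL-encoding here.
log "Adding TXT record $CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&value=$CERTBOT_VALIDATION"

# Hand the URL to wget on stdin (-i -) instead of on the command line, so the
# API key is not exposed to every local user via ps / /proc/*/cmdline for the
# duration of the request. If the request itself fails no record was created
# and the propagation wait that follows would be pointless, so fail the hook;
# certbot reports a non-zero hook exit as a failed challenge.
if ! response=$(printf '%s\n' "$cmd" | wget -O- -q -i -); then
  log "ERROR: request to the Dreamhost API failed"
  exit 1
fi
log "Response = $response"
# NOTE(review): the API can also return a successful HTTP response whose body
# reports an error rather than success; the body is only logged here. Check
# its status line against the API docs before waiting on propagation.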
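# Verifies that the _acme-challenge TXT record for $CERTBOT_DOMAIN is visible in
# DNS and carries the validation value certbot gave us.
# Globals:  CERTBOT_DOMAIN, CERTBOT_VALIDATION (read)
# Returns:  0 once the record is seen. After max_attempts the script exits
#           with status 1 so certbot fails the challenge rather than asking
#           Let's Encrypt to validate a record that is not there yet.
function verifyPropagation {
  log "Enter verifyPropagation"

  # We will try 20 times waiting 1 minute in between.
  local max_attempts=20
  local time_between_attempts=60
  local attempt=0
  local txt

  # Obviously it's not propagated immediately so wait before each check.
  while [ "$attempt" -lt "$max_attempts" ]; do
    log "Waiting $time_between_attempts seconds for TXT record $CERTBOT_DOMAIN to propagate..."
    sleep "$time_between_attempts"
    attempt=$((attempt + 1))

    log "Attempt #$attempt: Validating of propagation of TXT record $CERTBOT_DOMAIN"
    # Match on the validation value itself, not merely on the record name:
    # a stale _acme-challenge record left behind by an earlier run would
    # otherwise satisfy this check and the real validation would then fail.
    # grep -F treats the value literally (no regex metacharacters), and the
    # quoted name stops the shell from splitting or globbing it.
    # NOTE(review): nslookup asks the local resolver, which may answer from
    # cache; what it sees is not necessarily what Let's Encrypt's own lookup
    # against the authoritative servers will see.
    txt=$(nslookup -type=TXT "_acme-challenge.$CERTBOT_DOMAIN" | grep -F -- "$CERTBOT_VALIDATION")

    if [ -n "$txt" ]; then
      log "TXT record _acme-challenge.$CERTBOT_DOMAIN propagated"
      return 0
    fi
    log "TXT record _acme-challenge.$CERTBOT_DOMAIN not propagated yet"
  done

  log "ERROR: Unable to validate propagation"
  # Non-zero hook exit: certbot treats the challenge as failed instead of
  # proceeding to a validation that cannot succeed.
  exit 1
} # verifyPropagation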
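# Publish the certificate material for importation to the Synology. $certdir
# is a directory on the Synology mounted here via NFS.
#
# NOTE(review): this script appears to run as certbot's --manual-auth-hook
# (it reads CERTBOT_DOMAIN / CERTBOT_VALIDATION), which certbot invokes before
# the challenge is validated. At that point /etc/letsencrypt/live/<domain>
# still holds the previously issued certificate, so unless this copy is also
# performed from a deploy hook the Synology will lag one renewal behind --
# confirm how the renewal-hooks symlinks mentioned in the header are wired.
#
# NOTE(review): privkey.pem is the TLS private key. Mode 444 leaves it
# readable by every account that can reach the NFS export. The mode is kept
# here so the existing import is not broken, but once the uid the Synology
# reads as is known it should be 0400 (or 0440 with that uid's group) and
# $certdir itself should not be world-readable.
src="/etc/letsencrypt/live/$CERTBOT_DOMAIN"
for pem in privkey.pem cert.pem chain.pem fullchain.pem; do
  # Report a failed copy instead of silently leaving a stale file behind.
  # Do not fail the hook for this: the DNS record may well be fine, and a
  # non-zero exit here would make certbot fail the challenge.
  if ! { cp "$src/$pem" "$certdir/" && chmod 444 "$certdir/$pem"; }; then
    log "ERROR: Unable to publish $src/$pem to $certdir"
  fi
done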