X-Git-Url: https://defaria.com/gitweb/?a=blobdiff_plain;f=bin%2Fcertbot_authentication.sh;fp=bin%2Fcertbot_authentication.sh;h=139e274d82f66ce11db884917785d255a6f83c12;hb=44aaba558b2244c52c99d5a4bc50cae05c4ed514;hp=b804ec9cabc880e47da5ab994137b12854fdc4b6;hpb=294415e0b506d050524eecc134dc0fa0b5d57f49;p=clearscm.git diff --git a/bin/certbot_authentication.sh b/bin/certbot_authentication.sh index b804ec9..139e274 100755 --- a/bin/certbot_authentication.sh +++ b/bin/certbot_authentication.sh @@ -4,7 +4,7 @@ # File: certbot_authentication.sh # Revision: 1.0 # Description: Perform domain validation by creating a TXT record on the domain -# from certbot. This script is designed to work with +# from certbot. This script is designed to work with # Dreamhost.com's API and certbot running on Ubuntu 20.04. Note # that it has not been extended to handle multiple domains. # @@ -14,7 +14,7 @@ # # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands # -# Crontab: 0 0 1 * * certbot renew --manual-aacmeuth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh +# Crontab: 0 0 1 * * certbot renew --manual-auth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh # # Author: Andrew@DeFaria.com # Created: Fri 04 Jun 2021 11:20:16 PDT @@ -24,30 +24,38 @@ # (c) Copyright 2021, ClearSCM, Inc., all rights reserved # ################################################################################ -# The following are environment variables that certbot passes to us -# -# CERTBOT_DOMAIN: Domain being authenticated. For example, -# _acme-challenge.example.com for a wildcart cert or -# _acme-challenge.subdomain.example.com for a subdomain -# Note: Pass in $1 for testing or use the default of -# CERTBOT_DOMAIN -domain=${1:-$CERTBOT_DOMAIN} - -# CERTBOT_VALIDATION: The validation string. Pass in $2 or use the default of -# CERTBOT_VALIDATION -value=${2:-$CERTBOT_VALIDATION} - -logfile=/tmp/debug.log +logfile="/tmp/$(basename $0).log" rm -f $logfile function log { - #echo $1 - echo $1 >> $logfile + echo $1 >> $logfile } # log -log "domain = $domain" -log "value = $value" +log "Starting $0" +# The following are environment variables that certbot passes to us +# +# CERTBOT_DOMAIN: Domain being authenticated. +# CERTBOT_VALIDATION: Validation string for domain. +# +# Check that CERTBOT_DOMAIN and CERTBOT_VALIDATION have been passed in properly: +if [ -z "$CERTBOT_DOMAIN"]; then + log "CERTBOT_DOMAIN not passed in!" + exit 1 +else + log "CERTBOT_DOMAIN = $CERTBOT_DOMAIN" +fi + +if [ -z "$CERTBOT_VALIDATION"]; then + log "CERTBOT_VALIDATION not passed in!" + exit 1 +else + log "CERTBOT_VALIDATION = $CERTBOT_VALIDATION" +fi + +# My DNS registar is Dreamhost. These variables are specific to their DNS API. +# Yours will probably be different. +# # Dreamhost key - generate at https://panel.dreamhost.com/?tree=home.api key=KHY6UJQXD9MEJZHR @@ -56,51 +64,57 @@ url="https://api.dreamhost.com/?key=$key" # Add a TXT record to domain function addTXT { - log "Adding TXT record $domain = $value" >> $logfile - cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=&type=TXT&value=_acme-challenge.$domain=$value" - - log "cmd = $cmd" >> $logfile - - response=$(wget -O- -q "$cmd") - - log "Response = $response" >> $logfile + log "Adding TXT record $CERTBOT_DOMAIN = $CERTBOT_VALIDATION" + cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&value=$CERTBOT_VALIDATION" + + log "cmd = $cmd" + + response=$(wget -O- -q "$cmd") + + log "Response = $response" } # addTXT -# Verifies that the TXT record has propogated. Note that this cannot be -# likewise used for removal of the TXT record, which also needs to propagate. -# However, we are not concerned with when the removal is propagated, it can -# do so on its own time +# Verifies that the TXT record has propogated. function verifyPropagation { - log "Enter verifyPropagation" >> $logfile - # We will try 4 times waiting 5 minutes in between - max_attempts=4 - time_between_attempts=300 - - # Obviously it's not propagated immediately so first wait - attempt=0 - while [ $attempt -lt 4 ]; do - log "Waiting 5 minutes for TXT record $domain to propagate..." >> $logfile - sleep $time_between_attempts - - ((attempt++)) - log "Attempt #$attempt: Validating of propagation of TXT record $domain" >> $logfile - TXT=$(nslookup -type=TXT $domain | grep -vi "can't find" | grep $domain) - - if [ -n "$TXT" ]; then - log "TXT record $name.$domain propagated" >> $logfile - return - else - log "TXT record $name.$domain not propagated yet" >> $logfile - fi - done - - log "ERROR: Unable to validate propagation" >> $logfile - exit 1 + log "Enter verifyPropagation" + + # We will try 4 times waiting 5 minutes in between + max_attempts=4 + time_between_attempts=300 # 5 minutes (we might be able to shorten this) + + # Obviously it's not propagated immediately so first wait + attempt=0 + while [ $attempt -lt 4 ]; do + log "Waiting $time_between_attempts seconds for TXT record $CERTBOT_DOMAIN to propagate..." + sleep $time_between_attempts + + ((attempt++)) + log "Attempt #$attempt: Validating of propagation of TXT record $CERTBOT_DOMAIN" + TXT=$(nslookup -type=TXT _acme-challenge.$CERTBOT_DOMAIN | grep -vi "can't find" | grep $CERTBOT_DOMAIN) + + if [ -n "$TXT" ]; then + log "TXT record _acme-challenge.$CERTBOT_DOMAIN propagated" + return + else + log "TXT record _acme-challenge.$CERTBOT_DOMAIN not propagated yet" + fi + done + + log "ERROR: Unable to validate propagation" + exit 1 } # verifyPropagation -log "Calling addTXT" >> $logfile addTXT -log "Returned from addTXT" >> $logfile -log "calling verifyPropagation" >> $logfile verifyPropagation -log "Returned from verifyPropagation" >> $logfile + +# If we get here then new certs are produced but need to be made available +# for importation to the Synology. /System/tmp is a directory that is +# on the Synology mounted via NFS. +cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem /System/tmp && chmod 444 /System/tmp/privkey.pem +cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem /System/tmp && chmod 444 /System/tmp/cert.pem +cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem /System/tmp && chmod 444 /System/tmp/chain.pem + +echo "Now go to DSM > Control Panel > Security > Certificate, select $CERTBOT_DOMAIN" +echo "then Add, Replace an existing certificate for *.$CERTBOT_DOMAIN, Import" +echo "Certificate and supply privkey.pem, cert.pem, and chain.pem for Private Key" +echo "Certificate, and Intermediate certificate."