X-Git-Url: https://defaria.com/gitweb/?a=blobdiff_plain;f=bin%2Fcertbot_authentication.sh;fp=bin%2Fcertbot_authentication.sh;h=b84191ad9888f69983d1b3c88e780d050d087b66;hb=7103b16938d37a059a79e99c3bf7058687247658;hp=139e274d82f66ce11db884917785d255a6f83c12;hpb=2f62d48c53bb2a488e34cf5ae31871a93763f9a2;p=clearscm.git
diff --git a/bin/certbot_authentication.sh b/bin/certbot_authentication.sh
index 139e274..b84191a 100755
--- a/bin/certbot_authentication.sh
+++ b/bin/certbot_authentication.sh
@@ -14,11 +14,16 @@
 #
 # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
 #
-# Crontab: 0 0 1 * * certbot renew --manual-auth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh
+# Crontab: 0 0 20/3 * * certbot renew
+#
+# Note: If you symlink /etc/letsencrypt/renewal-hooks/{pre|post|deploy}
+# to the proper scripts then all you need is certbox renew. Also
+# if certbot doesn't think it's time to renew certs you can force it
+# with --force-renewal
 #
 # Author: Andrew@DeFaria.com
 # Created: Fri 04 Jun 2021 11:20:16 PDT
-# Modified:
+# Modified: Mon Oct 24 11:53:38 AM PDT 2022
 # Language: Bash
 #
 # (c) Copyright 2021, ClearSCM, Inc., all rights reserved
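Review bot: The new Note block in the header spells the command `certbox renew`; it should read `certbot renew`, matching the Crontab line directly above it. Since that Crontab line now runs a bare `certbot renew`, the note would also be more useful if it said which of the `{pre|post|deploy}` directories this particular script is meant to be linked from, rather than listing all three.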
@@ -66,32 +71,32 @@ url="https://api.dreamhost.com/?key=$key"
 function addTXT {
 log "Adding TXT record $CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
 cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&value=$CERTBOT_VALIDATION"
- 
+
 log "cmd = $cmd"
- 
+
 response=$(wget -O- -q "$cmd")
- 
+
 log "Response = $response"
 } # addTXT
 
 # Verifies that the TXT record has propogated.
 function verifyPropagation {
 log "Enter verifyPropagation"
- 
- # We will try 4 times waiting 5 minutes in between
- max_attempts=4
- time_between_attempts=300 # 5 minutes (we might be able to shorten this)
- 
+
+ # We will try 20 times waiting 1 minutes in between
+ max_attempts=20
+ time_between_attempts=60
+
 # Obviously it's not propagated immediately so first wait
 attempt=0
- while [ $attempt -lt 4 ]; do
+ while [ $attempt -lt $max_attempts ]; do
 log "Waiting $time_between_attempts seconds for TXT record $CERTBOT_DOMAIN to propagate..."
 sleep $time_between_attempts
- 
+
 ((attempt++))
 log "Attempt #$attempt: Validating of propagation of TXT record $CERTBOT_DOMAIN"
 TXT=$(nslookup -type=TXT _acme-challenge.$CERTBOT_DOMAIN | grep -vi "can't find" | grep $CERTBOT_DOMAIN)
- 
+
 if [ -n "$TXT" ]; then
 log "TXT record _acme-challenge.$CERTBOT_DOMAIN propagated"
 return
@@ -99,7 +104,7 @@ function verifyPropagation {
 log "TXT record _acme-challenge.$CERTBOT_DOMAIN not propagated yet"
 fi
 done
- 
+
 log "ERROR: Unable to validate propagation"
 exit 1
 } # verifyPropagation
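Review bot: The reworked retry loop in verifyPropagation still declares success as soon as `grep $CERTBOT_DOMAIN` matches any TXT answer for `_acme-challenge.$CERTBOT_DOMAIN`; it never checks that the answer carries the value just published by addTXT, so a stale record left behind by an earlier run satisfies the loop on the first attempt while the new value has not propagated, and certbot's own validation then fails. Matching on the token instead, `grep -F -- "$CERTBOT_VALIDATION"`, pins the check to this run, and quoting `"$CERTBOT_DOMAIN"` in the nslookup and grep arguments avoids word splitting. Separately, `log "cmd = $cmd"` in addTXT writes the full request URL to the log, and that URL starts with `key=$key` from the `url=` assignment shown in the hunk header, so the DNS API key lands in the log file on every renewal; logging the record name and value rather than `$cmd` avoids that. verifyPropagation continues past the end of this hunk.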
@@ -108,13 +113,12 @@ addTXT
 verifyPropagation
 
 # If we get here then new certs are produced but need to be made available
-# for importation to the Synology. /System/tmp is a directory that is
-# on the Synology mounted via NFS.
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem /System/tmp && chmod 444 /System/tmp/privkey.pem
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem /System/tmp && chmod 444 /System/tmp/cert.pem
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem /System/tmp && chmod 444 /System/tmp/chain.pem
-
-echo "Now go to DSM > Control Panel > Security > Certificate, select $CERTBOT_DOMAIN"
-echo "then Add, Replace an existing certificate for *.$CERTBOT_DOMAIN, Import"
-echo "Certificate and supply privkey.pem, cert.pem, and chain.pem for Private Key"
-echo "Certificate, and Intermediate certificate."
+# for importation to the Synology. $certdir is a directory that is on the
+# Synology mounted via NFS.
+certdir=/System/Data/Certificates
+
+mkdir -p $certdir
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem $certdir && chmod 444 $certdir/privkey.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem $certdir && chmod 444 $certdir/cert.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem $certdir && chmod 444 $certdir/chain.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/fullchain.pem $certdir && chmod 444 $certdir/fullchain.pem
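Review bot: The new copy block places `privkey.pem` on an NFS-mounted directory and leaves it world-readable: `mkdir -p $certdir` creates the directory with whatever the umask allows, and `chmod 444 $certdir/privkey.pem` grants read access to every account on every host that mounts the share. The private key should be restricted to the account that imports it, e.g. `mkdir -p -m 700 -- "$certdir"` and `chmod 400 -- "$certdir/privkey.pem"`; the cert, chain and fullchain files are public material and can stay at 444. None of the four `cp … && chmod …` lines report failure and no `set -e` is visible in this hunk, so a copy that fails silently leaves the previous key in place — one plausible trigger is a second run writing onto the 0444 file left by the first when the export does not map the caller to root — so each line should end in `|| exit 1`, or the four names should go through a loop that exits on the first failure. `$CERTBOT_DOMAIN` and `$certdir` are also unquoted in all five new command lines.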