From 7103b16938d37a059a79e99c3bf7058687247658 Mon Sep 17 00:00:00 2001
From: Andrew DeFaria
Date: Mon, 24 Oct 2022 12:06:23 -0700
Subject: [PATCH] Changes to certbot scripts

Hopefull this now fully automates the rewnewal of Let's Encrypt certificates on my Synology using DNS-01 challenge.
---
 bin/certbot_authentication.sh | 52 +++++++++++++++++++----------------
 bin/certbot_cleanup.sh | 4 +--
 bin/certbot_deploy.sh | 46 +++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 26 deletions(-)
 create mode 100755 bin/certbot_deploy.sh

diff --git a/bin/certbot_authentication.sh b/bin/certbot_authentication.sh
index 139e274..b84191a 100755
--- a/bin/certbot_authentication.sh
+++ b/bin/certbot_authentication.sh
@@ -14,11 +14,16 @@
 #
 # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
 #
-# Crontab: 0 0 1 * * certbot renew --manual-auth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh
+# Crontab: 0 0 20/3 * * certbot renew
+#
+# Note: If you symlink /etc/letsencrypt/renewal-hooks/{pre|post|deploy}
+# to the proper scripts then all you need is certbox renew. Also
+# if certbot doesn't think it's time to renew certs you can force it
+# with --force-renewal
 #
 # Author: Andrew@DeFaria.com
 # Created: Fri 04 Jun 2021 11:20:16 PDT
-# Modified:
+# Modified: Mon Oct 24 11:53:38 AM PDT 2022
 # Language: Bash
 #
 # (c) Copyright 2021, ClearSCM, Inc., all rights reserved
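Review bot: The new Note in the header comment reads `certbox renew`; it should be `certbot renew`, matching the Crontab line two lines above it. It would also help to say which of the three renewal-hooks directories this particular script is meant to be linked from, because the script body (outside this hunk) depends on CERTBOT_DOMAIN and CERTBOT_VALIDATION, which certbot provides to manual auth hooks; whether a plain pre hook also receives them should be confirmed before a reader follows the symlink advice.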
@@ -66,32 +71,32 @@ url="https://api.dreamhost.com/?key=$key"
 function addTXT {
 log "Adding TXT record $CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
 cmd="$url&unique_id=$(uuidgen)&cmd=dns-add_record&record=_acme-challenge.$CERTBOT_DOMAIN&type=TXT&value=$CERTBOT_VALIDATION"
-
+
 log "cmd = $cmd"
-
+
 response=$(wget -O- -q "$cmd")
-
+
 log "Response = $response"
 } # addTXT
 
 # Verifies that the TXT record has propogated.
 function verifyPropagation {
 log "Enter verifyPropagation"
-
- # We will try 4 times waiting 5 minutes in between
- max_attempts=4
- time_between_attempts=300 # 5 minutes (we might be able to shorten this)
-
+
+ # We will try 20 times waiting 1 minutes in between
+ max_attempts=20
+ time_between_attempts=60
+
 # Obviously it's not propagated immediately so first wait
 attempt=0
- while [ $attempt -lt 4 ]; do
+ while [ $attempt -lt $max_attempts ]; do
 log "Waiting $time_between_attempts seconds for TXT record $CERTBOT_DOMAIN to propagate..."
 sleep $time_between_attempts
-
+
 ((attempt++))
 log "Attempt #$attempt: Validating of propagation of TXT record $CERTBOT_DOMAIN"
 TXT=$(nslookup -type=TXT _acme-challenge.$CERTBOT_DOMAIN | grep -vi "can't find" | grep $CERTBOT_DOMAIN)
-
+
 if [ -n "$TXT" ]; then
 log "TXT record _acme-challenge.$CERTBOT_DOMAIN propagated"
 return
@@ -99,7 +104,7 @@ function verifyPropagation {
 log "TXT record _acme-challenge.$CERTBOT_DOMAIN not propagated yet"
 fi
 done
-
+
 log "ERROR: Unable to validate propagation"
 exit 1
 } # verifyPropagation
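Review bot: `log "cmd = $cmd"` in addTXT writes the complete request URL, including the DreamHost API key that `$url` carries (`key=$key` in the hunk header context), into the log file on every run, so the key persists in whatever file `log` appends to; its location is outside this hunk. Mask it before logging, e.g. `log "cmd = ${cmd//$key/<redacted>}"`, or log only the record name. Separately, the propagation check in verifyPropagation accepts any TXT record for the domain (`grep $CERTBOT_DOMAIN`), so a stale record left behind by an earlier run would pass before the new value is actually visible; matching the value instead, `grep -F -- "$CERTBOT_VALIDATION"`, makes the wait meaningful. Replacing the hard-coded 4 with `$max_attempts` in the loop condition is the right fix; verifyPropagation's body continues into the following hunk.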
@@ -108,13 +113,12 @@ addTXT
 verifyPropagation
 
 # If we get here then new certs are produced but need to be made available
-# for importation to the Synology. /System/tmp is a directory that is
-# on the Synology mounted via NFS.
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem /System/tmp && chmod 444 /System/tmp/privkey.pem
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem /System/tmp && chmod 444 /System/tmp/cert.pem
-cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem /System/tmp && chmod 444 /System/tmp/chain.pem
-
-echo "Now go to DSM > Control Panel > Security > Certificate, select $CERTBOT_DOMAIN"
-echo "then Add, Replace an existing certificate for *.$CERTBOT_DOMAIN, Import"
-echo "Certificate and supply privkey.pem, cert.pem, and chain.pem for Private Key"
-echo "Certificate, and Intermediate certificate."
+# for importation to the Synology. $certdir is a directory that is on the
+# Synology mounted via NFS.
+certdir=/System/Data/Certificates
+
+mkdir -p $certdir
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/privkey.pem $certdir && chmod 444 $certdir/privkey.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/cert.pem $certdir && chmod 444 $certdir/cert.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/chain.pem $certdir && chmod 444 $certdir/chain.pem
+cp /etc/letsencrypt/live/$CERTBOT_DOMAIN/fullchain.pem $certdir && chmod 444 $certdir/fullchain.pem
diff --git a/bin/certbot_cleanup.sh b/bin/certbot_cleanup.sh
index c7d723a..98f8cfe 100755
--- a/bin/certbot_cleanup.sh
+++ b/bin/certbot_cleanup.sh
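Review bot: `chmod 444 $certdir/privkey.pem` leaves the private key world-readable inside a directory that the comment says is NFS-mounted from the Synology; 0444 is appropriate for cert.pem, chain.pem and fullchain.pem, but the key line should be `chmod 400 $certdir/privkey.pem` so only the owning root user on either end of the mount can read it. None of the `mkdir`/`cp` lines check for failure, and the script header (outside this hunk) does not appear to enable set -e, so if the share is not mounted `mkdir -p $certdir` silently creates a local directory and the later deploy hook restarts nginx against unchanged certificates; appending `|| exit 1` to each line would make certbot report the hook failure instead. Quoting `"$certdir"` and `"$CERTBOT_DOMAIN"` would also keep the lines safe if either ever contains a space.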
@@ -12,11 +12,11 @@
 #
 # See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
 #
-# Crontab: 0 0 1 * * certbot renew --manual-auth-hook /path/to/certbot_authentication.sh --manual-cleanup-hook /path/to/certbot_cleanup.sh
+# Crontab: 0 0 20/3 * * certbot renew
 #
 # Author: Andrew@DeFaria.com
 # Created: Fri 04 Jun 2021 11:20:16 PDT
-# Modified:
+# Modified: Mon Oct 24 11:53:38 AM PDT 2022
 # Language: Bash
 #
 # (c) Copyright 2021, ClearSCM, Inc., all rights reserved
diff --git a/bin/certbot_deploy.sh b/bin/certbot_deploy.sh
new file mode 100755
index 0000000..6340d60
--- /dev/null
+++ b/bin/certbot_deploy.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+################################################################################
+#
+# File: certbot_deploy.sh
+# Revision: 1.0
+# Description: Deploy the new certs. This script is run to deploy the new certs
+# onto the Synology. We should have already obtained new Let's
+# Encrypt certs and have placed them into /System/Certificates.
+# Now we just need to restart nginx on the Synology. This works
+# because /usr/syno/etc/certificates/_archive already has been
+# configured to look at /System/Certificates for new certs.
+#
+# The restarting of nginx on Synology is large and takes time. You
+# will not be able to get into the DSM web page and Docker will
+# restart. Be patient and it should come back up with the new certs
+# active.
+#
+# See also: https://help.dreamhost.com/hc/en-us/articles/217555707-DNS-API-commands
+#
+# Crontab: 0 0 20/3 * * certbot renew
+#
+# Author: Andrew@DeFaria.com
+# Created: Mon Oct 24 11:53:38 AM PDT 2022
+# Modified:
+# Language: Bash
+#
+# (c) Copyright 2021, ClearSCM, Inc., all rights reserved
+#
+################################################################################
+logfile="/tmp/$(basename $0).log"
+rm -f $logfile
+
+function log {
+ echo $1 >> $logfile
+} # log
+
+log "Starting $0"
+log "Restarting nginx on Synology"
+
+# At this point this is all we need to do. Set up for ssh pre-shared key such that
+# root on your desktop can ssh into the Synology (jupiter) without a password.
+#
+# Note: On DSM 6.x systemctl may be called /usr/syno/sbin/synosystemctl
+ssh root@jupiter systemctl restart nginx
+
+log "Nginx restarted"
\ No newline at end of file
--
2.17.1
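Review bot: `ssh root@jupiter systemctl restart nginx` is never checked, so `log "Nginx restarted"` is written and the hook exits 0 even when the connection or the restart fails and the renewed certificate never becomes active; `ssh root@jupiter systemctl restart nginx || { log "ERROR: nginx restart on jupiter failed"; exit 1; }` would surface that to certbot. The header comment says the certs are placed in /System/Certificates, but certbot_authentication.sh in this same commit copies them to /System/Data/Certificates, so one of the two needs correcting. The log is a predictable, world-shared path under /tmp that root first removes and then appends to, which is the usual shared-tmp symlink hazard; a root-owned location such as /var/log, or a path from `mktemp`, avoids it, and `printf '%s\n' "$1"` in `log` would handle arguments that start with a dash. Since the ssh key used here grants passwordless root on the Synology, restricting it in the Synology's authorized_keys to that single restart command with a `command=` prefix would bound what the key can do if the desktop is ever compromised.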