Commit e5c9b5bd authored by Janek Bevendorff's avatar Janek Bevendorff

Add Letsencrypt wildcard cert issuance helper script

parent 91ea596a
#!/usr/bin/env bash
### \b
### Letsencrypt DNS challenge helper.
### \b
### Author: Janek Bevendorff
### Year: 2020-today
if [ -n "$WEBIS_LIB_PATH" ]; then
. "${WEBIS_LIB_PATH}/bashhelper.sh"
check_tools certbot
fi
### \b
### Retrieve (wildcard) cert for a webis.de subdomain using the dns-01 challenge.
### \b
### This command requires root to save the certificates.
###
### : domain ::
### : -k : --sso-key-file : fpath! :: File containing the Godaddy API sso-key
cmd_retrieve_cert() {
if [ -z "$ARG_SSO_KEY_FILE" ]; then
read -rp "Godaddy API key: " api_key
read -rsp "Godaddy API secret: " api_secret
sso_key="/tmp/.webis-sso-key.${RANDOM}"
touch "$sso_key"
chmod 700 "$sso_key"
echo -n "${api_key}:${api_secret}" > "$sso_key"
else
sso_key="$ARG_SSO_KEY_FILE"
fi
sudo SSO_KEY_FILE="$sso_key" \
certbot certonly \
--domain "$ARG_DOMAIN" \
--manual \
--non-interactive \
--no-bootstrap \
--agree-tos \
--manual-public-ip-logging-ok \
--preferred-challenges dns-01 \
--email webis@listserv.uni-weimar.de \
--manual-auth-hook "${WEBIS_CMD_ROOT_PATH}/tools/util/letsencrypt.sh"
if [ -z "$ARG_SSO_KEY_FILE" ]; then
rm -f "$sso_key"
fi
}
update_txt_record() {
authoritative_ns="$(dig +short NS webis.de | head -n1)"
record_name="_acme-challenge.${CERTBOT_DOMAIN/.webis.de/}"
if [ -z "$SSO_KEY_FILE" ]; then
echo "SSO_KEY_FILE unset." >&2
exit 1
elif [ ! -f "$SSO_KEY_FILE" ]; then
echo "SSO_KEY_FILE ${SSO_KEY_FILE} does not exist." >&2
exit 1
fi
if ! curl -s -XPUT \
-H"Authorization: sso-key $(cat "$SSO_KEY_FILE")" \
-H"Content-Type: application/json" \
--data '[{"data": "'"${CERTBOT_VALIDATION}"'", "ttl": 600}]' \
"https://api.godaddy.com/v1/domains/webis.de/records/TXT/${record_name}"; then
echo "ERROR: Failed to add TXT record." >&2
exit 1
fi
echo -n "Waiting for changes to propagate"
seconds=0
while [ "$(dig +short TXT "${record_name}.webis.de" "@${authoritative_ns}" | cut -d\" -f2)" != "$CERTBOT_VALIDATION" ]; do
echo -n "."
sleep 1
seconds=$(($seconds + 1))
if [ $seconds -gt 30 ]; then
echo "ERROR: Changes did not propagate in time." >&2
exit 1
fi
done
echo -e "\nChanges propagated. Waiting for 10 more seconds.."
sleep 10
}
if [ -n "$CERTBOT_VALIDATION" ]; then
update_txt_record
else
exec_sub_cmd "$@"
fi
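Review bot: In cmd_retrieve_cert the API secret is written to a predictable, non-atomically protected file: `touch` creates `/tmp/.webis-sso-key.$RANDOM` with the default umask before `chmod 700` tightens it, `$RANDOM` is a 15-bit value so the name is guessable (and a pre-placed symlink in /tmp would be followed), and the trailing `rm -f` is skipped if certbot is interrupted or the sourced helper aborts the script. Replace those three lines with `sso_key="$(mktemp /tmp/.webis-sso-key.XXXXXX)" || exit 1`, `trap 'rm -f -- "$sso_key"' EXIT` (under the same `-z "$ARG_SSO_KEY_FILE"` guard, so a caller-supplied key file is never deleted), and `printf '%s:%s' "$api_key" "$api_secret" > "$sso_key"`; mktemp creates the file 0600 atomically, which is sufficient since the file is only read, never executed. Separately, the `curl -s -XPUT` in update_txt_record lacks `--fail`, so a 401/422 from the GoDaddy API (bad key, malformed record) still exits 0, the "Failed to add TXT record" branch never fires, and the script instead times out 30 seconds later with the misleading "did not propagate" message; `curl -sS --fail -XPUT` would surface the real error. Note also that `$(cat "$SSO_KEY_FILE")` places the secret on curl's argv where other local users can read it via `ps`; passing the header through a curl config file (`--config`) or `-H @file` avoids that, if the installed curl supports it.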