From 690e56f558aa8e1cb817d5c47593aa59fc192ece Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Sun, 25 Apr 2021 09:11:21 +0200
Subject: [PATCH] scripts/letsencrypt-wildcard: import script to repo

---
 scripts/letsencrypt-wildcard | 74 ++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100755 scripts/letsencrypt-wildcard

diff --git a/scripts/letsencrypt-wildcard b/scripts/letsencrypt-wildcard
new file mode 100755
index 0000000..98eca7a
--- /dev/null
+++ b/scripts/letsencrypt-wildcard
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+if [[ -z "$1" ]] || [[ "$1" == '--help' ]]
+then
+    echo "Usage: $0 <wildcard-domain>"
+    exit 1
+fi
+
+set -e
+
+domain=$1
+certalias="_.$1"
+
+tmpdir=$(mktemp -d)
+trap 'cd /; rm -Rf "$tmpdir"' EXIT
+
+export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"
+
+cd -- "$tmpdir"
+git clone https://github.com/dehydrated-io/dehydrated.git
+cd dehydrated
+git checkout "$(git describe --tags --abbrev=0)"
+
+cat >config <<EOF
+BASEDIR=$tmpdir
+KEYSIZE=4096
+HOOK=$tmpdir/dehydrated/hook
+RENEW_DAYS=90
+CHALLENGETYPE=dns-01
+EOF
+
+cat >hook <<"EOF"
+#!/usr/bin/env bash
+
+if [[ "$1" == 'deploy_challenge' ]]
+then
+    domain=$2
+    token_value=$4
+
+    echo
+    echo You must now provide this DNS record:
+    echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)"
+    echo
+    echo "Hit ENTER once it's available."
+    read
+fi
+EOF
+chmod +x hook
+
+cat <<EOF
+
+You will soon be asked to create several DNS records.
+$(tput bold)Please create all of them. The second one does NOT replace
+the first one.$(tput sgr0)
+
+EOF
+
+./dehydrated --register --accept-terms -f config
+./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config
+
+cd -- "$tmpdir"/certs/"$certalias"
+
+echo
+echo Copying final files:
+echo
+bw_repo=$(bw debug -c 'print(repo.path)')
+cp -v cert.pem "$bw_repo"/data/ssl/"$certalias".crt.pem
+cp -v chain.pem "$bw_repo"/data/ssl/"$certalias".crt_intermediate.pem
+
+echo "Encrypting private key via bw ..."
+bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"
+
+echo
+echo "Certificate and key created."