scripts/letsencrypt-wildcard: import script to repo
bundlewrap/pipeline/head This commit looks good Details

This commit is contained in:
Franzi 2021-04-25 09:11:21 +02:00
parent a8e07c62c3
commit 690e56f558
Signed by: kunsi
GPG Key ID: 12E3D2136B818350
1 changed files with 74 additions and 0 deletions

74
scripts/letsencrypt-wildcard Executable file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env bash
if [[ -z "$1" ]] || [[ "$1" == '--help' ]]
then
echo "Usage: $0 <wildcard-domain>"
exit 1
fi
set -e
domain=$1
certalias="_.$1"
tmpdir=$(mktemp -d)
trap 'cd /; rm -Rf "$tmpdir"' EXIT
export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"
cd -- "$tmpdir"
git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
git checkout "$(git describe --tags --abbrev=0)"
cat >config <<EOF
BASEDIR=$tmpdir
KEYSIZE=4096
HOOK=$tmpdir/dehydrated/hook
RENEW_DAYS=90
CHALLENGETYPE=dns-01
EOF
cat >hook <<"EOF"
#!/usr/bin/env bash
if [[ "$1" == 'deploy_challenge' ]]
then
domain=$2
token_value=$4
echo
echo You must now provide this DNS record:
echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)"
echo
echo "Hit ENTER once it's available."
read
fi
EOF
chmod +x hook
cat <<EOF
You will soon be asked to create several DNS records.
$(tput bold)Please create all of them. The second one does NOT replace
the first one.$(tput sgr0)
EOF
./dehydrated --register --accept-terms -f config
./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config
cd -- "$tmpdir"/certs/"$certalias"
echo
echo Copying final files:
echo
bw_repo=$(bw debug -c 'print(repo.path)')
cp -v cert.pem "$bw_repo"/data/ssl/"$certalias".crt.pem
cp -v chain.pem "$bw_repo"/data/ssl/"$certalias".crt_intermediate.pem
echo "Encrypting private key via bw ..."
bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"
echo
echo "Certificate and key created."