From e99ec690f60cfbdeffbfcaa88551fec0ffaa6e19 Mon Sep 17 00:00:00 2001
From: Sophie Schiller <sophie.schiller01@gmail.com>
Date: Wed, 4 Jun 2025 20:14:32 +0200
Subject: [PATCH] letsencrypt: add pyenv compatible version

---
 scripts/letsencrypt-wildcard-venv | 78 +++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100755 scripts/letsencrypt-wildcard-venv

diff --git a/scripts/letsencrypt-wildcard-venv b/scripts/letsencrypt-wildcard-venv
new file mode 100755
index 0000000..d6bbd28
--- /dev/null
+++ b/scripts/letsencrypt-wildcard-venv
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+if [[ -z "$1" ]] || [[ "$1" == '--help' ]]
+then
+    echo "Usage: $0 <wildcard-domain>"
+    exit 1
+fi
+
+set -e
+
+domain=$1
+certalias="_.$1"
+
+tmpdir=$(mktemp -d)
+echo "temp dir is $tmpdir"
+#trap 'cd /; rm -Rf "$tmpdir"' EXIT
+
+export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"
+
+
+cd -- "$tmpdir"
+git clone https://github.com/dehydrated-io/dehydrated.git
+cd dehydrated
+git checkout "$(git describe --tags --abbrev=0)"
+
+cat >config <<EOF
+BASEDIR=$tmpdir
+KEYSIZE=4096
+HOOK=$tmpdir/dehydrated/hook
+RENEW_DAYS=90
+CHALLENGETYPE=dns-01
+EOF
+
+cat >hook <<"EOF"
+#!/usr/bin/env bash
+
+if [[ "$1" == 'deploy_challenge' ]]
+then
+    domain=$2
+    token_value=$4
+
+    echo
+    echo You must now provide this DNS record:
+    echo "$(tput bold)_acme-challenge.$domain IN TXT $token_value$(tput sgr0)"
+    echo
+    echo "Hit ENTER once it's available."
+    read
+fi
+EOF
+chmod +x hook
+
+cat <<EOF
+
+You will soon be asked to create several DNS records.
+$(tput bold)Please create all of them. The second one does NOT replace
+the first one.$(tput sgr0)
+
+EOF
+
+./dehydrated --register --accept-terms -f config
+./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config
+
+cd -- "$tmpdir"/certs/"$certalias"
+
+echo
+echo Copying final files:
+echo
+bw_repo=$(${PYENV_ROOT}/versions/bw/bin/bw debug -c 'print(repo.path)')
+cd -- "$tmpdir"/certs/"$certalias"
+cp -v cert.pem "$bw_repo"/data/ssl/"$certalias".crt.pem
+cp -v chain.pem "$bw_repo"/data/ssl/"$certalias".crt_intermediate.pem
+
+
+echo "Encrypting private key via bw ..."
+${PYENV_ROOT}/versions/bw/bin/bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"
+
+echo
+echo "Certificate and key created."