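#!/usr/bin/env bash
#
# Obtain a Let's Encrypt certificate for DOMAIN and *.DOMAIN with dehydrated
# (dns-01 challenge) and hand the result to a BundleWrap repository:
#   - cert.pem  -> data/ssl/_.DOMAIN.crt.pem               (plain file)
#   - chain.pem -> data/ssl/_.DOMAIN.crt_intermediate.pem  (plain file)
#   - privkey.pem -> ssl/_.DOMAIN.key.pem.vault via repo.vault.encrypt_file()
#
# Usage: $0 <wildcard-domain>
#
# Environment:
#   BW_REPO_PATH    exported for bw; defaults to the current directory
#                   (presumably where bw looks for the repository)
#   DEHYDRATED_REF  git ref (tag/commit) of dehydrated to run; when unset the
#                   newest tag reachable from the clone's HEAD is used, which
#                   is the original behaviour of this script
#
# The _acme-challenge TXT records must be created by hand whenever the hook
# prompts for them; every record is needed, later ones do not replace
# earlier ones.

set -euo pipefail

if [[ -z "${1-}" ]] || [[ "$1" == '--help' ]]
then
    echo "Usage: $0 <wildcard-domain>"
    exit 1
fi

domain=$1
certalias="_.$1"

# The domain is used inside file paths and inside a single-quoted Python
# string literal passed to `bw debug -c` below, so only allow hostname
# characters (no quotes, whitespace, slashes, leading '-' or '.').
if ! [[ "$domain" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]
then
    echo "Invalid domain '$domain': expected letters, digits, '.' and '-' only" >&2
    exit 1
fi

# Everything, including the plaintext private key, lives in this directory
# until the script ends; the trap removes it on every exit path.
tmpdir=$(mktemp -d)
trap 'cd /; rm -Rf "$tmpdir"' EXIT

export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"

# dehydrated is fetched from GitHub and executed, so run a tagged release
# rather than whatever the default branch points to. DEHYDRATED_REF allows
# pinning a specific reviewed tag instead of the newest one.
cd -- "$tmpdir"
git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
if [[ -n "${DEHYDRATED_REF:-}" ]]
then
    dehydrated_ref=$DEHYDRATED_REF
else
    dehydrated_ref=$(git describe --tags --abbrev=0)
fi
git checkout "$dehydrated_ref"

# dehydrated config: keep all state under $tmpdir, 4096-bit key, dns-01
# challenge answered by the interactive hook written below.
cat >config <<EOF
BASEDIR=$tmpdir
KEYSIZE=4096
HOOK=$tmpdir/dehydrated/hook
RENEW_DAYS=90
CHALLENGETYPE=dns-01
EOF

# Hook script (quoted heredoc: nothing is expanded here). dehydrated calls it
# with the action as $1; on deploy_challenge, $2 is the domain and $4 the
# TXT value the operator has to publish. It blocks until ENTER is pressed.
cat >hook <<"EOF"
#!/usr/bin/env bash
if [[ "$1" == 'deploy_challenge' ]]
then
    domain=$2
    token_value=$4
    echo
    echo You must now provide this DNS record:
    echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)"
    echo
    echo "Hit ENTER once it's available."
    read -r _
fi
EOF
chmod +x hook

cat <<EOF
You will soon be asked to create several DNS records.
$(tput bold)Please create all of them. The second one does NOT replace the first one.$(tput sgr0)
EOF

# One challenge is issued for the base domain and one for the wildcard.
./dehydrated --register --accept-terms -f config
./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config

cd -- "$tmpdir"/certs/"$certalias"

echo
echo Copying final files:
echo
bw_repo=$(bw debug -c 'print(repo.path)')
cp -v cert.pem "$bw_repo"/data/ssl/"$certalias".crt.pem
cp -v chain.pem "$bw_repo"/data/ssl/"$certalias".crt_intermediate.pem
# The private key never touches the repo unencrypted: bw reads it from
# $tmpdir and writes only the vault-encrypted file.
echo "Encrypting private key via bw ..."
bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"
echo
echo "Certificate and key created."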