Allows pointing other domains' `_acme-challenge.example.com` entries at `example.com.letsencrypt.kosmos.chat`, so we can validate from our side without access to the other domain's DNS records. Used for 5apps.com XMPP for now; can be used for others later. Co-authored-by: Greg Karékinian <greg@karekinian.com>
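#!/usr/bin/env bash
# Certbot manual DNS-01 hook for Gandi LiveDNS.
#
# "auth" creates the challenge TXT record through the LiveDNS v5 API and
# "cleanup" deletes it again. The record is placed either directly under the
# certified domain (_acme-challenge.<domain>) or, when a validation domain is
# given as the second argument, as <domain>.<validation domain> inside the
# validation domain's parent zone, so that other domains only need to point
# their _acme-challenge entry at our zone for validation to happen here.
#
# -e: abort on unhandled errors, -u: unset variables are errors,
# -f: no pathname expansion, pipefail: a failing stage fails the pipeline.
set -euf -o pipefail

# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# ACCESS_TOKEN: Your Gandi LiveDNS API token. It is rendered into this file by
# the template, so the file itself must only be readable by root.
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
# depending on how slow your DNS host is to begin serving new DNS records after updating
# them via the API. 30 seconds is a safe default, but some providers can be very slow
# (e.g. Linode).
#
# Set to 10 seconds below.
#
# Arguments:
#   $1 - handler to run, "auth" or "cleanup" (dispatched at the bottom of the file)
#   $2 - optional validation domain (see above)
#
# Environment (set by certbot when it calls the hooks): CERTBOT_DOMAIN,
# CERTBOT_VALIDATION.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"

# Fail early and loudly instead of building record names from an empty string
# (set -u only catches an unset variable, not an empty one).
: "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN must be set by certbot}"

#######################################
# Strip the left-most label of a host name.
# Arguments: $1 - host name, e.g. xmpp.5apps.com
# Outputs:   the last two labels (5apps.com) on stdout
# Returns:   1 if the name has fewer than two dots (nothing is printed)
#######################################
parent_domain() {
  local host=$1
  # The greedy ".*\." swallows every label except the last two, so the capture
  # group is always the last two labels. NOTE: this is wrong for multi-label
  # public suffixes (example.co.uk -> co.uk); the zones handled here have none.
  local regex='.*\.(.*\..*)'
  [[ $host =~ $regex ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

# Zone the record lives in (ACME_BASE_DOMAIN) and the record's full name
# (ACME_DOMAIN); both are read by auth and cleanup below.
DOMAIN=$(parent_domain "$CERTBOT_DOMAIN") || DOMAIN="$CERTBOT_DOMAIN"

if [[ -n "$VALIDATION_DOMAIN" ]]; then
  if ! ACME_BASE_DOMAIN=$(parent_domain "$VALIDATION_DOMAIN"); then
    # Diagnostics go to stderr so certbot reports them as hook errors.
    printf 'Validation domain has to be a subdomain, but it is not: "%s"\n' \
      "$VALIDATION_DOMAIN" >&2
    exit 1
  fi
  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
  ACME_BASE_DOMAIN="$DOMAIN"
  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi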
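#######################################
# To be invoked via Certbot's --manual-auth-hook: publish the challenge TXT record.
# Globals:   ACCESS_TOKEN, ACME_BASE_DOMAIN, ACME_DOMAIN, PROVIDER_UPDATE_DELAY
#            (read); CERTBOT_VALIDATION (read, set by certbot)
# Outputs:   the API response headers and body on stdout
# Returns:   non-zero if the request fails or the API answers with an HTTP
#            error (curl --fail), so certbot sees a failed hook instead of
#            asking for validation against a record that was never created
#######################################
auth() {
  : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION must be set by certbot}"
  # The bearer token is handed to curl through its config on stdin rather than
  # as a -H argument, so it is not visible in the process list while the
  # request is in flight.
  curl -sS --fail -D- -K - \
    -H "Content-Type: application/json" \
    -d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
         \"rrset_type\": \"TXT\",
         \"rrset_ttl\": 300,
         \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
    "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records" \
    <<<"header = \"Authorization: Bearer ${ACCESS_TOKEN}\""

  # Give the provider time to start serving the record before certbot has
  # Let's Encrypt look it up.
  sleep "${PROVIDER_UPDATE_DELAY}"
}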
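#######################################
# To be invoked via Certbot's --manual-cleanup-hook: delete the challenge TXT record.
# Globals:   ACCESS_TOKEN, ACME_BASE_DOMAIN, ACME_DOMAIN (read)
# Outputs:   nothing on success; curl's error message on stderr on failure
# Returns:   non-zero if the request fails or the API answers with an HTTP
#            error (curl --fail), so a leftover record does not go unnoticed
#######################################
cleanup() {
  # Token via curl config on stdin, not argv (keeps it out of the process list).
  curl -sS --fail -X DELETE -K - \
    -H "Content-Type: application/json" \
    "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT" \
    <<<"header = \"Authorization: Bearer ${ACCESS_TOKEN}\""
}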
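# Dispatch: the first argument names the handler, the remaining arguments are
# passed through to it. Only the two certbot hooks are callable; an unknown or
# missing handler exits non-zero so certbot sees a failing hook rather than a
# silent no-op that returns 0.
HANDLER="${1:-}"
if [[ -n "$HANDLER" ]]; then
  shift
fi
case "$HANDLER" in
  auth|cleanup)
    "$HANDLER" "$@"
    ;;
  *)
    printf 'Usage: %s auth|cleanup [validation_domain]\n' "${0##*/}" >&2
    exit 2
    ;;
esac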