From c61f7c70f7377c27da8dbfd76a54e76f57d5ca6a Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown
Date: Wed, 20 Apr 2022 12:06:18 -0700
Subject: [PATCH] added reload-services.sh, added DNS TXT authenticator
---
 bin/letsencrypt-certonly.sh | 51 ++++++++++---------
 etc/letsencrypt/cli.ini | 1 +
 .../renewal-hooks/post/reload-services.sh | 18 +++++++
 install.sh | 2 +-
 4 files changed, 48 insertions(+), 24 deletions(-)
 create mode 100644 etc/letsencrypt/renewal-hooks/post/reload-services.sh
diff --git a/bin/letsencrypt-certonly.sh b/bin/letsencrypt-certonly.sh
index 472c52a..bd29eca 100644
--- a/bin/letsencrypt-certonly.sh
+++ b/bin/letsencrypt-certonly.sh
@@ -11,36 +11,32 @@ help()
 echo "$thisfilename"
 echo "Create a Let's Encrypt certificate."
 echo ""
- echo "Usage: $thisfilename domain [OPTIONS]"
+ echo "Usage: $thisfilename domain -d [-t] [-n] [-h]"
 echo ""
- echo " -h Print this help."
- echo " -n Dry Run - don't create cert, just echo command to run."
+ echo " -h Print this help."
+ echo " -d Domain (hostname) to create certificate for."
+ echo " -t Obtain certificates using a DNS TXT record (if you are using PowerDNS for DNS.)"
+ echo " -n Dry Run - don't create cert, just echo command to run."
 exit
 }

-# check for and set domain
-if [ -n "$1" ]; then
- if [ $1 == "-h" ]; then
- help
- else
- domain=$1
- shift
- # basic but good enough domain name regex validation
- if [[ ! $domain =~ ^(([a-zA-Z](-?[a-zA-Z0-9])*)\.)+[a-zA-Z]{2,}$ ]] ; then
- echo "ERROR: Invalid domain name: $1"
- exit 1
- fi
- fi
-else
- help
-fi
-
-# set any options that were passed
-while getopts "hn" opt; do
+# set options
+while getopts "hd:tn" opt; do
 case "${opt}" in
 h )
 help
 exit;;
+ d ) # domain name (hostname) to create cert for
+ domain=${OPTARG,,}
+ # basic but good enough domain name regex validation
+ if [[ ! $domain =~ ^(([a-zA-Z](-?[a-zA-Z0-9])*)\.)+[a-zA-Z]{2,}$ ]] ; then
+ echo "ERROR: Invalid domain name: $1"
+ exit 1
+ fi
+ ;;
+ t )
+ dnstxt=true
+ ;;
 n )
 dryrun=true
 ;;
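Review bot: The rejection message in the new `d )` arm prints `$1` rather than the value that failed validation; under getopts, `$1` is the first word on the command line (normally `-d` itself), so the user is shown the flag instead of the bad hostname. Use `echo "ERROR: Invalid domain name: $OPTARG" >&2` so the original, pre-lowercasing input is reported on stderr. The usage string in the same hunk still reads `domain -d [-t] [-n] [-h]`, but a positional domain is no longer consumed, so `Usage: $thisfilename -d domain [-t] [-n] [-h]` would match the parser. Nothing in this hunk rejects an unknown option (no `\?` or `:` arm) or enforces that `-d` was given; the loop's `done` and the code after it are outside this hunk, so whether a `[[ -z $domain ]]` check exists there is worth confirming.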
@@ -54,7 +50,16 @@ while getopts "hn" opt; do
 done

 # set vars
-command="certbot certonly --cert-name $domain"
+command="certbot certonly"
+if [[ -n $dnstxt ]]; then
+ if [[ -f ~/.pdns-credentials.ini ]]; then
+ command="$command --authenticator certbot-dns-powerdns:dns-powerdns --certbot-dns-powerdns:dns-powerdns-credentials ~/.pdns-credentials.ini --certbot-dns-powerdns:dns-powerdns-propagation-seconds 3"
+ else
+ echo "ERROR: ~/.pdns-credentials.ini config file does not exist, can't use -t (DNS TXT authenticator)."
+ exit 1
+ fi
+fi
+

 dnscheck=false
 ips=(`ip -4 -o addr show | awk '{ print $4 }' | cut -d / -f 1`)
diff --git a/etc/letsencrypt/cli.ini b/etc/letsencrypt/cli.ini
index 146f42e..6ce5d1b 100644
--- a/etc/letsencrypt/cli.ini
+++ b/etc/letsencrypt/cli.ini
@@ -9,3 +9,4 @@ non-interactive = True
 standalone = True
 http-01-port=18080
 deploy-hook = /etc/letsencrypt/renewal-hooks/deploy/cp-to-etc-ssl.sh
+post-hook = /etc/letsencrypt/renewal-hooks/post/reload-services.sh
diff --git a/etc/letsencrypt/renewal-hooks/post/reload-services.sh b/etc/letsencrypt/renewal-hooks/post/reload-services.sh
new file mode 100644
index 0000000..b0b3fc9
--- /dev/null
+++ b/etc/letsencrypt/renewal-hooks/post/reload-services.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This script is run once after an attempt to renew one or more certs.
+
+# Array of services to reload. A default list of typical services is listed.
+# Note that service will only be restarted if it's installed and active,
+# it's safe to have inactive/unneeded services in this array.
+# Change this to suit your needs.
+services=(apache2 dovecot exim4 haproxy postfix)
+
+# Cycle through each service.
+for service in "${services[@]}"; do
+ # Check if service is active.
+ if systemctl --quiet is-active $service; then
+ # Reload service.
+ systemctl reload $service
+ fi
+done
diff --git a/install.sh b/install.sh
index 349861c..340f25a 100755
--- a/install.sh
+++ b/install.sh
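Review bot: The `-f ~/.pdns-credentials.ini` test gets tilde expansion because the path is unquoted inside `[[ ]]`, but the same path inside the double-quoted `command="$command ... ~/.pdns-credentials.ini ..."` string is a literal `~`, and tilde expansion is not applied when `$command` is later expanded, so certbot is handed a path starting with a literal tilde unless the plugin expands it itself. Use `$HOME` in both places so the check and the argument agree: `creds="$HOME/.pdns-credentials.ini"` above the `if`, then `-f "$creds"` and `--certbot-dns-powerdns:dns-powerdns-credentials "$creds"`. Because that file holds a DNS API key, a permissions check next to the existence check would stop a group/world-readable key from being used, e.g. `[[ $(stat -c %a "$creds") == 600 ]] || { echo "ERROR: $creds must be mode 600" >&2; exit 1; }`. The fixed `propagation-seconds 3` is very short for a DNS-01 challenge; if renewals fail intermittently that is the first value to raise. How `$command` is eventually executed is outside this hunk, so the tilde concern is inferred from the string form shown here.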
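Review bot: `post-hook` fires after every renewal attempt, including runs where nothing was renewed or the attempt failed, so the services get reloaded on each invocation even when no certificate changed; this file already routes the success-only case through `deploy-hook`, so unless reload-on-every-attempt is intended, the reload belongs in that path (a second script under `renewal-hooks/deploy/`, which certbot runs on its own for `renew`). The new script is also placed in `renewal-hooks/post/`, a directory certbot scans for executable hooks during `renew`, so naming it here as well may run it twice per renewal — worth verifying against the certbot version in use. A comment above the new line, `# post-hook runs after every renew attempt, success or not; deploy-hook above runs only on success`, would make the choice explicit for the next maintainer.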
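Review bot: The file is added with mode 100644 (`create mode 100644` in the patch header), but certbot invokes a configured post-hook as a command, so a non-executable script fails with permission denied unless an install step sets the bit; the part of install.sh visible in this patch does not touch it, so either commit it as `100755` or invoke it as `bash /etc/letsencrypt/renewal-hooks/post/reload-services.sh` in cli.ini. The header comment says a service "will only be restarted" while the loop runs `systemctl reload`, which is a different operation; `# Note that a service is only reloaded if it is installed and active,` matches the code. Quote the loop variable in both `systemctl` calls, `systemctl --quiet is-active "$service"` and `systemctl reload "$service"`, per ShellCheck SC2086 — the values are fixed words today so this is style rather than a bug. A failed `systemctl reload` is currently silent and the hook still exits 0; `systemctl reload "$service" || echo "WARNING: reload of $service failed" >&2` keeps the loop going while leaving a trace in certbot's log.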
@@ -41,7 +41,7 @@ fi echo cp etc/apache2/conf-available/certbot.conf /etc/apache2/conf-available/certbot.conf -a2enmod --quiet proxy +a2enmod --quiet proxy proxy_http a2enconf --quiet certbot systemctl restart apache2