
First commit

Olivier Mauras 2 years ago
commit
0d38ddba61
6 changed files with 106 additions and 0 deletions
  1. 34
    0
      README.md
  2. 40
    0
      certbot_manual
  3. 15
    0
      etc/certbot/config
  4. 3
    0
      etc/certbot/hooks/authenticator.sh
  5. 3
    0
      etc/certbot/hooks/cleanup.sh
  6. 11
    0
      install.sh

+ 34
- 0
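--- a/README.md
+++ b/README.md
@@ -0,0 +1,34 @@
+certbot_manual
+==============
+
+This is a very simple wrapper that lets you automate certbot manual renewal of certificates as a non privileged user.
+
+#### Features
+
+* Automate certbot certificate renewal in manual mode
+* Allows non privileged user
+* Supports private key + full chain certificate concatenation
+* Supports service restart in FreeBSD jail
+
+#### Installation
+
+``` bash
+git clone https://git.mauras.ch/Various/certbot_manual.git
+cd certbot_manual
+sudo ./install.sh
+
+sudo cat << EOF > {/usr/local}/etc/sudoers.d/certbot
+certbot ALL=(ALL) NOPASSWD:/usr/bin/tee <full_path_of_destination_certificate>.pem
+# If you use your certificate in a jail
+certbot ALL=(ALL) NOPASSWD:/usr/sbin/jexec * service <service_name> restart
+EOF
+```
+
+Configure `/etc/certbot/config` then run `certbot_manual` from your configured user.  
+
+#### Removal
+
+``` bash
+sudo rm -rf /etc/certbot {/usr/local}/etc/sudoers.d/certbot /usr/bin/certbot_manual
+```
+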

+ 40
- 0
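--- a/certbot_manual
+++ b/certbot_manual
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+. /etc/certbot/config
+
+certbot --config-dir ${BASEDIR}/etc \
+	--work-dir ${BASEDIR} \
+	--logs-dir ${BASEDIR}/var/log \
+	certonly -n --manual \
+	--preferred-challenges http \
+	--manual-auth-hook ${HOOKS_PATH}/authenticator.sh \
+	--manual-cleanup-hook ${HOOKS_PATH}/cleanup.sh \
+	--manual-public-ip-logging-ok \
+	--agree-tos \
+	--email ${EMAIL} \
+	-d ${DOMAIN}
+
+# Check if certbot returned an error
+RET=$?
+[[ $RET -ne 0 ]] && echo "FAILED: $RET" > ${BASEDIR}/var/log/certbot_res.log \
+	&& exit
+
+# Or if the certificate is not yet due to renewal
+[[ $(tail -5 ${BASEDIR}/var/log/letsencrypt.log | grep "Cert not yet due for renewal") ]] \
+	&& echo "No renewal needed yet" \
+	&& exit
+
+# Export certificate to its final destination
+if [ $CAT_PRIV -eq 1 ]; then
+    cat ${BASEDIR}/etc/live/${DOMAIN}/privkey.pem \
+        ${BASEDIR}/etc/live/${DOMAIN}/fullchain.pem \
+	| sudo tee ${PEMFILE}
+else
+    cat ${BASEDIR}/etc/live/${DOMAIN}/fullchain.pem \
+    | sudo tee ${PEMFILE}
+fi
+
+# Get Jail ID if jail needs a service restart
+if [ $JAIL -eq 1 ]; then
+    JID=$(jls | grep ${JAILNAME} | awk '{print $1}')
+    sudo jexec ${JID} service ${JAILSERVICE} restart
+fi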
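Review bot: In the CAT_PRIV branch (hunk line 30) `sudo tee ${PEMFILE}` copies the private key to stdout as well as to the file, so when this runs from cron the key ends up in the job's mail or captured output; redirect it away, `| sudo tee "${PEMFILE}" > /dev/null`, and since the sudoers rule only grants tee, a freshly created PEMFILE keeps root's default umask mode, so its permissions should be checked after the first run. The failure path on hunk lines 18-19 ends with a bare `exit`, which returns the status of the preceding echo (0), so a caller cannot tell that certbot failed; `exit "$RET"` preserves it, and the "not yet due" path at line 24 would need its own distinct code if callers are meant to tell the cases apart. `JID=$(jls | grep ${JAILNAME} | awk '{print $1}')` on line 38 is a substring match that yields several ids when jail names share a prefix, producing a malformed jexec call; jexec accepts a jail name directly, so `sudo jexec "${JAILNAME}" service "${JAILSERVICE}" restart` avoids the parsing and still fits the `jexec * service <service_name> restart` sudoers pattern shown in README.md. Every expansion in the file is unquoted although all values come from a sourced config; quoting them (`"${BASEDIR}"`, `"${DOMAIN}"`, `"${PEMFILE}"`) costs nothing.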

+ 15
- 0
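--- a/etc/certbot/config
+++ b/etc/certbot/config
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+BASEDIR="/usr/home/certbot/letsencrypt"
+HOOKS_PATH="/etc/certbot/hooks"
+EMAIL="<your>@<email>"
+DOMAIN="<your_domain>"
+# Destination of the certificat
+PEMFILE="<full_path_for_your_certificate>/full.pem"
+# Should private key concatenated with certificate
+CAT_PRIV=1
+# Root dir where .well-known/acme-challenge token will be store on your HTTP server for automated verification
+HTTP_ROOT_PATH="<HTTP_root_dir>"
+# Should we restart a service in a jail?
+JAIL=1
+JAILNAME="<jail_name>"
+JAILSERVICE="<http_service>"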
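Review bot: The comments on hunk lines 6, 8 and 10 have typos and do not say that this file is sourced as shell by certbot_manual and both hooks, which is the one thing an operator editing it needs to know (any command placed here runs as the certbot user). I would reword them as `# Destination of the certificate (tee'd there via sudo, see the sudoers rule in README.md)`, `# 1: concatenate the private key in front of the full chain; 0: full chain only` and `# Document root where the .well-known/acme-challenge token is stored for HTTP-01 validation`, and add a header line `# Sourced by certbot_manual and the hooks: shell syntax, keep it to assignments only.` The sample value `CAT_PRIV=1` means a private key ends up in PEMFILE by default, so that comment is also where to state that PEMFILE must not be world-readable.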

+ 3
- 0
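--- a/etc/certbot/hooks/authenticator.sh
+++ b/etc/certbot/hooks/authenticator.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+. /etc/certbot/config
+echo $CERTBOT_VALIDATION > ${HTTP_ROOT_PATH}/.well-known/acme-challenge/$CERTBOT_TOKEN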
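Review bot: The write on hunk line 3 assumes `${HTTP_ROOT_PATH}/.well-known/acme-challenge` already exists and that the sourced config actually set HTTP_ROOT_PATH; if the config is missing or the value is empty the token is written to `/.well-known/acme-challenge/...` under the filesystem root, and the source on line 2 is not checked, so the hook fails only at the write. Guard the variables and create the directory: `mkdir -p -- "${HTTP_ROOT_PATH:?}/.well-known/acme-challenge"` followed by `printf '%s\n' "$CERTBOT_VALIDATION" > "${HTTP_ROOT_PATH}/.well-known/acme-challenge/${CERTBOT_TOKEN:?}"`. The same `${HTTP_ROOT_PATH:?}` and `${CERTBOT_TOKEN:?}` guards belong on the `rm -f` in etc/certbot/hooks/cleanup.sh, where an empty value makes it operate on the wrong path.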

+ 3
- 0
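--- a/etc/certbot/hooks/cleanup.sh
+++ b/etc/certbot/hooks/cleanup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+. /etc/certbot/config
+rm -f ${HTTP_ROOT_PATH}/.well-known/acme-challenge/$CERTBOT_TOKEN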

+ 11
- 0
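--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# Very simple "installer"
+cp -r ./etc/certbot /etc
+cp ./certbot_manual /usr/bin
+chown -R root: /etc/certbot
+chmod 755 /etc/certbot/hooks/*.sh
+chown root: /usr/bin/certbot_manual
+chmod 755 /usr/bin/certbot_manual
+
+# To remove:
+# rm -rf /etc/certbot /usr/bin/certbot_manual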
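Review bot: `cp -r ./etc/certbot /etc` on hunk line 3 silently overwrites an existing `/etc/certbot/config` on re-install, discarding the operator's EMAIL, DOMAIN and PEMFILE settings; copy the config only when absent, `[[ -e /etc/certbot/config ]] || cp ./etc/certbot/config /etc/certbot/config`, and copy the hooks unconditionally. There is no `set -euo pipefail`, and every source path is relative to `.`, so running the script from any directory other than the checkout makes both `cp` calls fail and the following `chown`/`chmod` lines then act on whatever already exists at those paths; `cd "$(dirname "$0")" || exit 1` at the top fixes that. Because certbot_manual and both hooks execute /etc/certbot/config as shell, the `chown -R root:` on line 5 is what keeps that file out of the certbot user's reach, but its mode is inherited from the checkout; an explicit `chmod 644 /etc/certbot/config` makes the intent deliberate.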