rfc2136: add support
This commit is contained in:
Alarig Le Lay
parent
204af35901
commit
9fda2b204f
|
|
@ -0,0 +1,89 @@
|
|||
#!/bin/sh
|
||||
# Script de renouvellement de certificat buypass go ssl
|
||||
# Copyright 2021 Alarig Le Lay <alarig@swordarmor.fr>
|
||||
# Released under the 2-clause BSD license.
|
||||
|
||||
# Bootstrap du bordel :
|
||||
# Création de la clé d’authentification au service ACME
|
||||
# openssl genrsa -out account.key 4096
|
||||
# Création du CSR et de la clé privée
|
||||
# openssl req -nodes -newkey rsa:4096 -sha256 -keyout \
|
||||
# bulbizarre.swordarmor.fr.key -out bulbizarre.swordarmor.fr.csr
|
||||
# Génératon du cerificat
|
||||
# ./acme_tiny.py --account-key ../account.key --csr \
|
||||
# ../bulbizarre.swordarmor.fr.csr --acme-dir /var/www/le-challenges/ > \
|
||||
# ../signed.crt
|
||||
|
||||
service="$1"
|
||||
domain="$2"
|
||||
base_dir='/etc/ssl'
|
||||
|
||||
certok=0
|
||||
|
||||
_write_err () {
|
||||
>&2 printf "$1"
|
||||
}
|
||||
|
||||
if [ $# != 2 ]; then
|
||||
_write_err "Paramètre manquant\n"
|
||||
_write_err "$0 \$service \$domain\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2592000 secondes correspondent à 30 jour
|
||||
openssl x509 -checkend 2678400 -noout -in $base_dir/$service/${domain}.crt
|
||||
if [ $? = 0 ]; then
|
||||
printf "$base_dir/$service/${domain}.crt est valide pour plus d’un "
|
||||
printf "mois\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$base_dir/$service/${domain}.csr" ]; then
|
||||
_write_err ".csr introuvable : $base_dir/$service/${domain}.csr\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# sauvegarde du dossier actuel
|
||||
cp -r "$base_dir/$service" "$base_dir/$service-$(date +%F)"
|
||||
if [ $? != 0 ]; then
|
||||
_write_err "Erreur de sauvegarde du dossier $base_dir/$service\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mv $base_dir/$service/$domain.crt $base_dir/$service/$domain.crt.bak-$(date +%F)
|
||||
mv $base_dir/$service/$domain.chained.crt $base_dir/$service/$domain.chained.crt-$(date +%F)
|
||||
mv $base_dir/$service/$domain.intermediate.crt $base_dir/$service/$domain.intermediate.crt-$(date +%F)
|
||||
|
||||
certbot certonly \
|
||||
--dns-rfc2136 \
|
||||
--dns-rfc2136-credentials /usr/local/src/renew_cert/rfc2136.conf \
|
||||
--dns-rfc2136-propagation-seconds 30 \
|
||||
--csr /etc/ssl/$service/$domain.csr \
|
||||
--cert-path /etc/ssl/$service/$domain.crt \
|
||||
--chain-path /etc/ssl/$service/$domain.intermediate.crt
|
||||
|
||||
# on peut pas tester le code de retour, il est != 0 même quand ça marche…
|
||||
mv 0000_chain.pem /etc/ssl/$service/$domain.chained.crt
|
||||
|
||||
if [ "${service}" = "inspircd" ]; then
|
||||
kill -USR1 $(cat /run/inspircd/inspircd.pid)
|
||||
else
|
||||
rc-service $service reload
|
||||
fi
|
||||
|
||||
if [ $? = 0 ]; then
|
||||
rm -r "$base_dir/$service-$(date +%F)"
|
||||
fi
|
||||
exit 0
|
||||
|
||||
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x1-cross-signed.pem
|
||||
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
|
||||
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: CN = akilina.swordarmor.fr
|
||||
# error 20 at 0 depth lookup:unable to get local issuer certificate
|
||||
# bulbizarre ~ # echo $?
|
||||
# 2
|
||||
# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x3-cross-signed.pem
|
||||
# /etc/ssl/apache2/akilina.swordarmor.fr.crt
|
||||
# /etc/ssl/apache2/akilina.swordarmor.fr.crt: OK
|
||||
# bulbizarre ~ # echo $?
|
||||
# 0
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
# Target DNS server
|
||||
dns_rfc2136_server = 127.0.0.1
|
||||
# Target DNS port
|
||||
dns_rfc2136_port = 53
|
||||
# TSIG key name
|
||||
dns_rfc2136_name = localhost
|
||||
# TSIG key secret
|
||||
dns_rfc2136_secret = random_base64
|
||||
# TSIG key algorithm
|
||||
dns_rfc2136_algorithm = HMAC-SHA256
|
||||
Loading…
Reference in New Issue