diff --git a/renew_cert_dns.sh b/renew_cert_dns.sh
new file mode 100755
index 0000000..6ad25a6
--- /dev/null
+++ b/renew_cert_dns.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+# Script de renouvellement de certificat buypass go ssl
+# Copyright 2021 Alarig Le Lay
+# Released under the 2-clause BSD license.
+
+# Bootstrap du bordel :
+# Création de la clé d’authentification au service ACME
+# openssl genrsa -out account.key 4096
+# Création du CSR et de la clé privée
+# openssl req -nodes -newkey rsa:4096 -sha256 -keyout \
+# bulbizarre.swordarmor.fr.key -out bulbizarre.swordarmor.fr.csr
+# Génératon du cerificat
+# ./acme_tiny.py --account-key ../account.key --csr \
+# ../bulbizarre.swordarmor.fr.csr --acme-dir /var/www/le-challenges/ > \
+# ../signed.crt
+
+service="$1"
+domain="$2"
+base_dir='/etc/ssl'
+
+certok=0
+
+_write_err () {
+ >&2 printf "$1"
+ }
+
+if [ $# != 2 ]; then
+ _write_err "Paramètre manquant\n"
+ _write_err "$0 \$service \$domain\n"
+ exit 1
+fi
+
+# 2592000 secondes correspondent à 30 jour
+openssl x509 -checkend 2678400 -noout -in $base_dir/$service/${domain}.crt
+if [ $? = 0 ]; then
+ printf "$base_dir/$service/${domain}.crt est valide pour plus d’un "
+ printf "mois\n"
+ exit 1
+fi
+
+if [ ! -f "$base_dir/$service/${domain}.csr" ]; then
+ _write_err ".csr introuvable : $base_dir/$service/${domain}.csr\n"
+ exit 1
+fi
+
+# sauvegarde du dossier actuel
+cp -r "$base_dir/$service" "$base_dir/$service-$(date +%F)"
+if [ $? != 0 ]; then
+ _write_err "Erreur de sauvegarde du dossier $base_dir/$service\n"
+ exit 1
+fi
+
+mv $base_dir/$service/$domain.crt $base_dir/$service/$domain.crt.bak-$(date +%F)
+mv $base_dir/$service/$domain.chained.crt $base_dir/$service/$domain.chained.crt-$(date +%F)
+mv $base_dir/$service/$domain.intermediate.crt $base_dir/$service/$domain.intermediate.crt-$(date +%F)
+
+certbot certonly \
+ --dns-rfc2136 \
+ --dns-rfc2136-credentials /usr/local/src/renew_cert/rfc2136.conf \
+ --dns-rfc2136-propagation-seconds 30 \
+ --csr /etc/ssl/$service/$domain.csr \
+ --cert-path /etc/ssl/$service/$domain.crt \
+ --chain-path /etc/ssl/$service/$domain.intermediate.crt
+
+# on peut pas tester le code de retour, il est != 0 même quand ça marche…
+mv 0000_chain.pem /etc/ssl/$service/$domain.chained.crt
+
+if [ "${service}" = "inspircd" ]; then
+ kill -USR1 $(cat /run/inspircd/inspircd.pid)
+else
+ rc-service $service reload
+fi
+
+if [ $? = 0 ]; then
+ rm -r "$base_dir/$service-$(date +%F)"
+fi
+exit 0
+
+# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x1-cross-signed.pem
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt: CN = akilina.swordarmor.fr
+# error 20 at 0 depth lookup:unable to get local issuer certificate
+# bulbizarre ~ # echo $?
+# 2
+# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x3-cross-signed.pem
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt: OK
+# bulbizarre ~ # echo $?
+# 0
diff --git a/rfc2136.dist.conf b/rfc2136.dist.conf
new file mode 100644
index 0000000..b121e3c
--- /dev/null
+++ b/rfc2136.dist.conf
@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 127.0.0.1
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = localhost
+# TSIG key secret
+dns_rfc2136_secret = random_base64
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256
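Review bot: The service is reloaded even when the renewal produced nothing: the previous `.crt` has already been moved aside, certbot's exit status is deliberately not checked (per the comment), and the result of `mv 0000_chain.pem` is ignored too, so a failed run ends with `rc-service $service reload` pointing at a missing certificate while the dated backup directory is the only copy left. A guard before the reload, `[ -s "$base_dir/$service/$domain.crt" ] || { _write_err "Certificat absent : $base_dir/$service/$domain.crt\n"; exit 1; }`, keeps the backup in place and makes the failure visible to the operator. Since `--chain-path` is passed explicitly, it is unclear whether certbot still writes `0000_chain.pem` into the working directory (as far as I recall the full chain defaults to `0001_chain.pem`), so the source of `$domain.chained.crt` deserves confirming, as does the unquoted `$service`/`$domain` in the `openssl`, `mv` and `rc-service` lines where the `cp` line does quote them. The comment above `openssl x509 -checkend` says 2592000 s / 30 days while the command passes 2678400 (31 days); align one with the other. `_write_err` uses its argument as the printf format string and the callers embed `$service`/`$domain` in it, so a `%` in either garbles the message — `>&2 printf '%b' "$1"` keeps the `\n` escapes working without that.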
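Review bot: `dns_rfc2136_secret` is the TSIG key that authorises dynamic updates to the zone, and the script reads the live copy from `/usr/local/src/renew_cert/rfc2136.conf`, yet nothing in the template says how that copy must be protected. A header comment such as `# Copy to rfc2136.conf next to this file and keep it readable by root only (chmod 600); it holds the TSIG update key` would document the requirement, since the committed dist file is mode 100644. As far as I recall certbot also warns when the credentials file is group- or world-readable, so the note saves the operator from a surprising warning as well as from exposing the key.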