rfc2136: add support

renew_cert_dns.sh

@@ -0,0 +1,89 @@
+#!/bin/sh
+# Script de renouvellement de certificat buypass go ssl
+# Copyright 2021 Alarig Le Lay <alarig@swordarmor.fr>
+# Released under the 2-clause BSD license.
+
+# Bootstrap du bordel :
+# Création de la clé d’authentification au service ACME
+# openssl genrsa -out account.key 4096
+# Création du CSR et de la clé privée
+# openssl req -nodes -newkey rsa:4096 -sha256 -keyout \
+# 	bulbizarre.swordarmor.fr.key -out bulbizarre.swordarmor.fr.csr
+# Génératon du cerificat
+# ./acme_tiny.py --account-key ../account.key --csr \
+# 	../bulbizarre.swordarmor.fr.csr --acme-dir /var/www/le-challenges/ > \
+# 	../signed.crt
+
+service="$1"
+domain="$2"
+base_dir='/etc/ssl'
+
+certok=0
+
+_write_err () {
+	>&2 printf "$1"
+}
+
+if [ $# != 2 ]; then
+	_write_err "Paramètre manquant\n"
+	_write_err "$0 \$service \$domain\n"
+	exit 1
+fi
+
+# 2592000 secondes correspondent à 30 jour
+openssl x509 -checkend 2678400 -noout -in $base_dir/$service/${domain}.crt
+if [ $? = 0 ]; then
+	printf "$base_dir/$service/${domain}.crt est valide pour plus d’un "
+	printf "mois\n"
+	exit 1
+fi
+
+if [ ! -f "$base_dir/$service/${domain}.csr" ]; then
+	_write_err ".csr introuvable : $base_dir/$service/${domain}.csr\n"
+	exit 1
+fi
+
+# sauvegarde du dossier actuel
+cp -r "$base_dir/$service" "$base_dir/$service-$(date +%F)"
+if [ $? != 0 ]; then
+	_write_err "Erreur de sauvegarde du dossier $base_dir/$service\n"
+	exit 1
+fi
+
+mv $base_dir/$service/$domain.crt $base_dir/$service/$domain.crt.bak-$(date +%F)
+mv $base_dir/$service/$domain.chained.crt $base_dir/$service/$domain.chained.crt-$(date +%F)
+mv $base_dir/$service/$domain.intermediate.crt $base_dir/$service/$domain.intermediate.crt-$(date +%F)
+
+certbot certonly \
+	--dns-rfc2136 \
+	--dns-rfc2136-credentials /usr/local/src/renew_cert/rfc2136.conf \
+	--dns-rfc2136-propagation-seconds 30 \
+	--csr /etc/ssl/$service/$domain.csr \
+	--cert-path /etc/ssl/$service/$domain.crt \
+	--chain-path /etc/ssl/$service/$domain.intermediate.crt
+
+# on peut pas tester le code de retour, il est != 0 même quand ça marche…
+mv 0000_chain.pem /etc/ssl/$service/$domain.chained.crt
+
+if [ "${service}" = "inspircd" ]; then
+	kill -USR1 $(cat /run/inspircd/inspircd.pid)
+else
+	rc-service $service reload
+fi
+
+if [ $? = 0 ]; then
+	rm -r "$base_dir/$service-$(date +%F)"
+fi
+exit 0
+
+# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x1-cross-signed.pem
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt 
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt: CN = akilina.swordarmor.fr
+# error 20 at 0 depth lookup:unable to get local issuer certificate
+# bulbizarre ~ # echo $?
+# 2
+# bulbizarre ~ # openssl verify -CAfile /etc/ssl/lets-encrypt-x3-cross-signed.pem
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt 
+# /etc/ssl/apache2/akilina.swordarmor.fr.crt: OK
+# bulbizarre ~ # echo $?
+# 0

rfc2136.dist.conf

@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 127.0.0.1
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = localhost
+# TSIG key secret
+dns_rfc2136_secret = random_base64
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256