From b8889df82dc00fd4a9f87d3f90100730e8bac416 Mon Sep 17 00:00:00 2001 From: cynic Date: Sat, 10 Aug 2024 05:32:10 +0000 Subject: [PATCH] add bridge46 support, change acme provider to letsencrypt --- README.md | 14 +++++-- get-certs.sh | 114 +++++++++++++++++++++++++++++++++++++-------------- 2 files changed, 94 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index be1e9e7..13e210f 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,25 @@ -# Get certificates for your *mesh.cat* domain +# Get a TLS certificate for your yggdrasil *mesh.cat* domain -Dependencies: +### Dependencies [Yggdrasil](https://yggdrasil-network.github.io/installation.html) [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) -Installation and usage: + +### Installation and usage ```shell wget https://git.thisisjoes.site/mesh.cat/get-certs/raw/branch/master/get-certs.sh chmod +x get-certs.sh ./get-certs.sh ``` -Remember to create a cron job to run the script every month. +### Tor/proxies +You can edit the script to enable [proxychains](https://proxychains.sourceforge.net/) support, like this: `proxychains=true` + + +### Note +Remember to create a cron job to run the script once a week. Example: ```cron diff --git a/get-certs.sh b/get-certs.sh index e20e8b7..1e1db9b 100755 --- a/get-certs.sh +++ b/get-certs.sh 
@@ -3,20 +3,29 @@
 # define variables
+# enable proxychains?
+proxychains=true
+
+# wait for this many seconds before trying certificate issuance/renewal
+wait_before_renew=30
+
+# bridge46 provider ipv4 address
+bridge46_ipv4="207.127.103.198"
+
 # mesh domain provider
 provider="mesh.cat"
-# mesh domain provider port for dns acme challenge
-acme_challenge_port="53536"
-
-# temporary working directory
-twd="/tmp"
-
 # whoami service
 whoami_url="https://ygg.mesh.cat/whoami"
-# enable proxychains?
-proxychains=false
+# mesh domain provider alternative dns port for acme challenge and bridge46 A records
+alternative_dns_port="53536"
+
+# acme challenge dnsmasq instance port
+acme_challenge_port="53537"
+
+# temporary working directory
+twd="/tmp"
 # internal function to check if a command exists
@@ -50,6 +59,9 @@ else
 exit 1
 fi
+# start
+echo Starting...
+
 # check if we got dnsmasq
 if _exists dnsmasq --help ; then
 echo "dnsmasq is available."
@@ -58,7 +70,6 @@ else
 echo "Please install dnsmasq and try again."
 exit 1
 fi
-echo ""
 # get my domain
 domain=`$_get "$whoami_url"`
@@ -66,12 +77,16 @@ if [ $? -ne 0 ]; then
 echo "Error: could not fetch my domain."
 exit 1
 fi
+my_ygg_ip=`$_get "$whoami_url?ip=true"`
+if [ $? -ne 0 ]; then
+ echo "Error: could not fetch my yggdrasil ip address."
+ exit 1
+fi
 provider_regex=`echo "$provider" | sed 's/\./\\\./g'`
 domain_regex="^[a-zA-Z0-9]+\\.$provider_regex$"
 echo $domain_regexp
 if echo "$domain" | grep -qE "$domain_regex"; then
 echo "Got domain: $domain"
- echo ""
 else
 echo "Error: Received string does not match the expected format."
 exit 1
@@ -110,7 +125,7 @@ $acme_cmd \
 timestamp=`date +"%Y%m%d%H%M%S"`
 long_flag="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
 challenge_file=$twd/acme_challenge.$timestamp.txt
-$acme_cmd --issue \
+$acme_cmd --issue --server letsencrypt \
 -d "$domain" \
 --dns $long_flag \
 > $challenge_file
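Review bot: `proxychains=true` is now the shipped default, while the README hunk in this same patch presents proxychains as something the user opts into by editing the script to `proxychains=true`; one of the two should change, and `proxychains=false` keeps the documented opt-in behaviour (what the script does when the flag is set but proxychains is absent is outside this hunk). The new `bridge46_ipv4` value is later published as an address record for the user's own domain (main dnsmasq launch in the last hunk), so its comment should say who operates that address and what changing it means, e.g. `# IPv4 address of the bridge46 relay, published as an A record for $domain: every IPv4 client of the domain is sent here`. A one-line comment on `alternative_dns_port` saying that the provider is expected to forward queries for the domain to this port would also help, since nothing in the script establishes that contract.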
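Review bot: `my_ygg_ip` is fetched from the network and, in the last hunk, passed straight into `--address="/$domain/$my_ygg_ip"` without the format check that `domain` gets a few lines below, so an unexpected response body presumably ends up as the published address record or makes dnsmasq refuse to start. Add a check right after the fetch, e.g. `echo "$my_ygg_ip" | grep -qE '^[0-9a-fA-F:]+$' || { echo "Error: unexpected ip format: $my_ygg_ip"; exit 1; }`. Adjacent but pre-existing: the context line `echo $domain_regexp` names a variable that is never set (the one built above is `domain_regex`), so it only prints an empty line and can be removed.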
@@ -120,32 +135,71 @@ echo ""
 # extract TXT value
 txt_value=`cat $challenge_file | grep 'TXT' | sed -n "s/.*\x27\(.*\)\x27$/\1/p"`
 rm $challenge_file
-echo TXT value is $txt_value
-echo ""
+if [ $txt_value != "" ] ; then
+ echo TXT value is $txt_value
+ echo ""
+else
+ echo "Error: could not get an acme challenge TXT string."
+ exit 1
+fi
-# launch dnsmasq
-touch $twd/dnsm.tmp.cnf \
+tmp_conf_file=$twd/dnsmasq.$USER.tmp.cnf
+
+# launch acme challenge dnsmasq process
+touch $tmp_conf_file \
 && dnsmasq \
- --conf-file=/tmp/dnsm.tmp.cnf \
- -k -d -D -b -R -n -h -q \
+ --conf-file=$tmp_conf_file \
+ -k -d -D -b -R -n -N -h -q \
 -p $acme_challenge_port \
- --txt-record="_acme-challenge.$domain,$txt_value" &
-dnsmasq_pid=$!
-echo dnsmasq PID: $dnsmasq_pid
-echo ""
-sleep 5
+ --txt-record="_acme-challenge.$domain,$txt_value" \
+ 1>&- 2>&- &
+acme_dnsmasq_pid=$!
+sleep 3
+if [ "`ps aux | grep dnsmasq | grep $acme_dnsmasq_pid`" != "" ]; then
+ echo acme dnsmasq PID: $acme_dnsmasq_pid
+ echo ""
+else
+ echo "Error: could not start a dnsmasq process for the acme challenge."
+ exit 1
+fi
+
+# launch main dnsmasq process
+touch $tmp_conf_file \
+ && dnsmasq \
+ --conf-file=$tmp_conf_file \
+ -k -d -D -b -R -n -N -h -q \
+ -p $alternative_dns_port \
+ --address="/$domain/$my_ygg_ip" \
+ --address="/$domain/$bridge46_ipv4" \
+ --server="/_acme-challenge.$domain/127.0.0.1#$acme_challenge_port" \
+ 1>&- 2>&- &
+main_dnsmasq_pid=$!
+sleep 3
+if [ "`ps aux | grep dnsmasq | grep $main_dnsmasq_pid`" != "" ]; then
+ echo main dnsmasq PID: $main_dnsmasq_pid
+ echo ""
+fi
+
+echo "Waiting for $wait_before_renew seconds."
+sleep $wait_before_renew
 # issue certificate
-$acme_cmd --renew \
+$acme_cmd --renew --server letsencrypt \
 -d "$domain" \
 --dns $long_flag
+acme_renew_state=$?
-# kill dnsmasq
-kill $dnsmasq_pid
+# kill acme challenge dnsmasq process
+kill $acme_dnsmasq_pid
-rm $twd/dnsm.tmp.cnf
+rm $tmp_conf_file
-echo "Job finished."
-echo "Remember to create a cron job to run this script once a month."
-
-exit
+echo ""
+if [ $acme_renew_state == "0" ]; then
+ echo "Job finished."
+ echo "Remember to create a cron job to run this script once a week."
+ exit 0
+else
+ echo "Someething when wrong when trying to get/renew the certificate."
+ exit $acme_renew_state
+fi
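Review bot: `tmp_conf_file=$twd/dnsmasq.$USER.tmp.cnf` (near the top of this hunk, which begins on the previous physical line) is a predictable path in the shared `/tmp`, and because `touch` neither truncates nor replaces an existing file, whatever is already there — left over from an earlier run or created by another local user — is handed to both dnsmasq instances as `--conf-file` and read as configuration; use `tmp_conf_file=$(mktemp "$twd/dnsmasq.XXXXXX") || exit 1` and drop the two `touch` calls. The liveness checks `ps aux | grep dnsmasq | grep $acme_dnsmasq_pid` match the PID as a substring of any field, including the grep's own command line, so they can succeed for a process that never started; `kill -0 "$acme_dnsmasq_pid" 2>/dev/null` is the direct test. The main-instance check has no `else`, so a bind failure on `$alternative_dns_port` (for example an instance still running from the previous cron run, which this script never stops — only `acme_dnsmasq_pid` is killed) merely omits the PID line and the run continues with no address records served. `if [ $txt_value != "" ] ; then` is unquoted, so an empty value is a `[` syntax error rather than the intended comparison and only reaches `exit 1` by accident; write `if [ -n "$txt_value" ]; then`, and likewise `if [ "$acme_renew_state" -eq 0 ]; then` for the final branch, whose message also has typos (`Someething when wrong`). Closing both streams with `1>&- 2>&-` discards dnsmasq's own error text, which is exactly what would explain either failure; redirecting stderr to a log file instead would keep it.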