add bridge46 support, change acme provider to letsencrypt

This commit is contained in:
cynic 2024-08-10 05:32:10 +00:00
parent b41bc990c3
commit b8889df82d
2 changed files with 94 additions and 34 deletions


@ -1,19 +1,25 @@
# Get certificates for your *mesh.cat* domain # Get a TLS certificate for your yggdrasil *mesh.cat* domain
Dependencies: ### Dependencies
[Yggdrasil](https://yggdrasil-network.github.io/installation.html) [Yggdrasil](https://yggdrasil-network.github.io/installation.html)
[dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html)
Installation and usage:
### Installation and usage
```shell ```shell
wget https://git.thisisjoes.site/mesh.cat/get-certs/raw/branch/master/get-certs.sh wget https://git.thisisjoes.site/mesh.cat/get-certs/raw/branch/master/get-certs.sh
chmod +x get-certs.sh chmod +x get-certs.sh
./get-certs.sh ./get-certs.sh
``` ```
Remember to create a cron job to run the script every month. ### Tor/proxies
You can edit the script to enable [proxychains](https://proxychains.sourceforge.net/) support, like this: `proxychains=true`
### Note
Remember to create a cron job to run the script once a week.
Example: Example:
```cron ```cron


@ -3,20 +3,29 @@
# define variables # define variables
# enable proxychains?
proxychains=true
# wait for this many seconds before trying certificate issuance/renewal
wait_before_renew=30
# bridge46 provider ipv4 address
bridge46_ipv4="207.127.103.198"
# mesh domain provider # mesh domain provider
provider="mesh.cat" provider="mesh.cat"
# mesh domain provider port for dns acme challenge
acme_challenge_port="53536"
# temporary working directory
twd="/tmp"
# whoami service # whoami service
whoami_url="https://ygg.mesh.cat/whoami" whoami_url="https://ygg.mesh.cat/whoami"
# enable proxychains? # mesh domain provider alternative dns port for acme challenge and bridge46 A records
proxychains=false alternative_dns_port="53536"
# acme challenge dnsmasq instance port
acme_challenge_port="53537"
# temporary working directory
twd="/tmp"
# internal function to check if a command exists # internal function to check if a command exists
@ -50,6 +59,9 @@ else
exit 1 exit 1
fi fi
# start
echo Starting...
# check if we got dnsmasq # check if we got dnsmasq
if _exists dnsmasq --help ; then if _exists dnsmasq --help ; then
echo "dnsmasq is available." echo "dnsmasq is available."
@ -58,7 +70,6 @@ else
echo "Please install dnsmasq and try again." echo "Please install dnsmasq and try again."
exit 1 exit 1
fi fi
echo ""
# get my domain # get my domain
domain=`$_get "$whoami_url"` domain=`$_get "$whoami_url"`
@ -66,12 +77,16 @@ if [ $? -ne 0 ]; then
echo "Error: could not fetch my domain." echo "Error: could not fetch my domain."
exit 1 exit 1
fi fi
my_ygg_ip=`$_get "$whoami_url?ip=true"`
if [ $? -ne 0 ]; then
echo "Error: could not fetch my yggdrasil ip address."
exit 1
fi
provider_regex=`echo "$provider" | sed 's/\./\\\./g'` provider_regex=`echo "$provider" | sed 's/\./\\\./g'`
domain_regex="^[a-zA-Z0-9]+\\.$provider_regex$" domain_regex="^[a-zA-Z0-9]+\\.$provider_regex$"
echo $domain_regexp echo $domain_regexp
if echo "$domain" | grep -qE "$domain_regex"; then if echo "$domain" | grep -qE "$domain_regex"; then
echo "Got domain: $domain" echo "Got domain: $domain"
echo ""
else else
echo "Error: Received string does not match the expected format." echo "Error: Received string does not match the expected format."
exit 1 exit 1
@ -110,7 +125,7 @@ $acme_cmd \
timestamp=`date +"%Y%m%d%H%M%S"` timestamp=`date +"%Y%m%d%H%M%S"`
long_flag="--yes-I-know-dns-manual-mode-enough-go-ahead-please" long_flag="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
challenge_file=$twd/acme_challenge.$timestamp.txt challenge_file=$twd/acme_challenge.$timestamp.txt
$acme_cmd --issue \ $acme_cmd --issue --server letsencrypt \
-d "$domain" \ -d "$domain" \
--dns $long_flag \ --dns $long_flag \
> $challenge_file > $challenge_file
@ -120,32 +135,71 @@ echo ""
# extract TXT value # extract TXT value
txt_value=`cat $challenge_file | grep 'TXT' | sed -n "s/.*\x27\(.*\)\x27$/\1/p"` txt_value=`cat $challenge_file | grep 'TXT' | sed -n "s/.*\x27\(.*\)\x27$/\1/p"`
rm $challenge_file rm $challenge_file
echo TXT value is $txt_value if [ $txt_value != "" ] ; then
echo "" echo TXT value is $txt_value
echo ""
else
echo "Error: could not get an acme challenge TXT string."
exit 1
fi
# launch dnsmasq tmp_conf_file=$twd/dnsmasq.$USER.tmp.cnf
touch $twd/dnsm.tmp.cnf \
# launch acme challenge dnsmasq process
touch $tmp_conf_file \
&& dnsmasq \ && dnsmasq \
--conf-file=/tmp/dnsm.tmp.cnf \ --conf-file=$tmp_conf_file \
-k -d -D -b -R -n -h -q \ -k -d -D -b -R -n -N -h -q \
-p $acme_challenge_port \ -p $acme_challenge_port \
--txt-record="_acme-challenge.$domain,$txt_value" & --txt-record="_acme-challenge.$domain,$txt_value" \
dnsmasq_pid=$! 1>&- 2>&- &
echo dnsmasq PID: $dnsmasq_pid acme_dnsmasq_pid=$!
echo "" sleep 3
sleep 5 if [ "`ps aux | grep dnsmasq | grep $acme_dnsmasq_pid`" != "" ]; then
echo acme dnsmasq PID: $acme_dnsmasq_pid
echo ""
else
echo "Error: could not start a dnsmasq process for the acme challenge."
exit 1
fi
# launch main dnsmasq process
touch $tmp_conf_file \
&& dnsmasq \
--conf-file=$tmp_conf_file \
-k -d -D -b -R -n -N -h -q \
-p $alternative_dns_port \
--address="/$domain/$my_ygg_ip" \
--address="/$domain/$bridge46_ipv4" \
--server="/_acme-challenge.$domain/127.0.0.1#$acme_challenge_port" \
1>&- 2>&- &
main_dnsmasq_pid=$!
sleep 3
if [ "`ps aux | grep dnsmasq | grep $main_dnsmasq_pid`" != "" ]; then
echo main dnsmasq PID: $main_dnsmasq_pid
echo ""
fi
echo "Waiting for $wait_before_renew seconds."
sleep $wait_before_renew
# issue certificate # issue certificate
$acme_cmd --renew \ $acme_cmd --renew --server letsencrypt \
-d "$domain" \ -d "$domain" \
--dns $long_flag --dns $long_flag
acme_renew_state=$?
# kill dnsmasq # kill acme challenge dnsmasq process
kill $dnsmasq_pid kill $acme_dnsmasq_pid
rm $twd/dnsm.tmp.cnf rm $tmp_conf_file
echo "Job finished." echo ""
echo "Remember to create a cron job to run this script once a month." if [ $acme_renew_state == "0" ]; then
echo "Job finished."
exit echo "Remember to create a cron job to run this script once a week."
exit 0
else
echo "Someething when wrong when trying to get/renew the certificate."
exit $acme_renew_state
fi
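Review bot: The shared configuration file `tmp_conf_file=$twd/dnsmasq.$USER.tmp.cnf` in the last hunk is a predictable path in a world-writable directory that `touch` silently reuses if it already exists, so a local user who pre-creates it decides what both dnsmasq instances load as their configuration (and `$USER` may be empty under cron, collapsing the name further). Create it with `tmp_conf_file=$(mktemp "$twd/dnsmasq.XXXXXX") || exit 1` in place of the assignment, or drop the file altogether and pass `--conf-file=/dev/null` to both invocations, which is all the empty file achieves. The liveness checks `ps aux | grep dnsmasq | grep $acme_dnsmasq_pid` match on substrings of every process line and can be replaced by `kill -0 "$acme_dnsmasq_pid"`; the second check also has no `else`/exit, so a main dnsmasq that failed to bind is ignored. The main dnsmasq on `$alternative_dns_port` is never killed while the script removes its conf file and stops the acme instance it forwards `_acme-challenge` to, so each run leaves a process behind whose forwarder target is gone — if it is meant to persist, say so in a comment and handle the duplicate bind on the next run. The test `[ $txt_value != "" ]` only reaches its else branch through a syntax error when the value is empty; write `[ -n "$txt_value" ]`, and the final else branch misspells "Something went wrong".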