add bridge46 support, change acme provider to letsencrypt

2024-08-10 05:32:10 +00:00 · 2024-08-10 05:32:10 +00:00 · b8889df82d
commit b8889df82d
parent b41bc990c3
2 changed files with 94 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -1,19 +1,25 @@
-# Get certificates for your *mesh.cat* domain
+# Get a TLS certificate for your yggdrasil *mesh.cat* domain

-Dependencies:
+### Dependencies

 [Yggdrasil](https://yggdrasil-network.github.io/installation.html)

 [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html)

-Installation and usage:
+
+### Installation and usage
 ```shell
 wget https://git.thisisjoes.site/mesh.cat/get-certs/raw/branch/master/get-certs.sh
 chmod +x get-certs.sh
 ./get-certs.sh
 ```

-Remember to create a cron job to run the script every month.
+### Tor/proxies
+You can edit the script to enable [proxychains](https://proxychains.sourceforge.net/) support, like this: `proxychains=true`
+
+
+### Note
+Remember to create a cron job to run the script once a week.

 Example:
 ```cron
--- a/get-certs.sh
+++ b/get-certs.sh
@ -3,20 +3,29 @@

 # define variables

+# enable proxychains?
+proxychains=true
+
+# wait for this many seconds before trying certificate issuance/renewal
+wait_before_renew=30
+
+# bridge46 provider ipv4 address
+bridge46_ipv4="207.127.103.198"
+
 # mesh domain provider
 provider="mesh.cat"

-# mesh domain provider port for dns acme challenge
-acme_challenge_port="53536"
-
-# temporary working directory
-twd="/tmp"
-
 # whoami service
 whoami_url="https://ygg.mesh.cat/whoami"

-# enable proxychains?
-proxychains=false
+# mesh domain provider alternative dns port for acme challenge and bridge46 A records
+alternative_dns_port="53536"
+
+# acme challenge dnsmasq instance port
+acme_challenge_port="53537"
+
+# temporary working directory
+twd="/tmp"


 # internal function to check if a command exists
@ -50,6 +59,9 @@ else
  exit 1
 fi

+# start
+echo Starting...
+
 # check if we got dnsmasq
 if _exists dnsmasq --help ; then
  echo "dnsmasq is available."
@ -58,7 +70,6 @@ else
  echo "Please install dnsmasq and try again."
  exit 1
 fi
-echo ""

 # get my domain
 domain=`$_get "$whoami_url"`
@ -66,12 +77,16 @@ if [ $? -ne 0 ]; then
  echo "Error: could not fetch my domain."
  exit 1
 fi
+my_ygg_ip=`$_get "$whoami_url?ip=true"`
+if [ $? -ne 0 ]; then
+  echo "Error: could not fetch my yggdrasil ip address."
+  exit 1
+fi
 provider_regex=`echo "$provider" | sed 's/\./\\\./g'`
 domain_regex="^[a-zA-Z0-9]+\\.$provider_regex$"
 echo $domain_regexp
 if echo "$domain" | grep -qE "$domain_regex"; then
  echo "Got domain: $domain"
-  echo ""
 else
  echo "Error: Received string does not match the expected format."
  exit 1
@ -110,7 +125,7 @@ $acme_cmd \
 timestamp=`date +"%Y%m%d%H%M%S"`
 long_flag="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
 challenge_file=$twd/acme_challenge.$timestamp.txt
-$acme_cmd --issue \
+$acme_cmd --issue --server letsencrypt \
  -d "$domain" \
  --dns $long_flag \
  > $challenge_file
@ -120,32 +135,71 @@ echo ""
 # extract TXT value
 txt_value=`cat $challenge_file | grep 'TXT' | sed -n "s/.*\x27\(.*\)\x27$/\1/p"`
 rm $challenge_file
+if [ $txt_value != "" ] ; then
  echo TXT value is $txt_value
  echo ""
+else
+  echo "Error: could not get an acme challenge TXT string."
+  exit 1
+fi

-# launch dnsmasq
-touch $twd/dnsm.tmp.cnf \
+tmp_conf_file=$twd/dnsmasq.$USER.tmp.cnf
+
+# launch acme challenge dnsmasq process
+touch $tmp_conf_file \
  && dnsmasq \
-    --conf-file=/tmp/dnsm.tmp.cnf \
-    -k -d -D -b -R -n -h -q \
+    --conf-file=$tmp_conf_file \
+    -k -d -D -b -R -n -N -h -q \
    -p $acme_challenge_port \
-    --txt-record="_acme-challenge.$domain,$txt_value" &
-dnsmasq_pid=$!
-echo dnsmasq PID: $dnsmasq_pid
+    --txt-record="_acme-challenge.$domain,$txt_value" \
+    1>&- 2>&- &
+acme_dnsmasq_pid=$!
+sleep 3
+if [ "`ps aux | grep dnsmasq | grep $acme_dnsmasq_pid`" != "" ]; then
+  echo acme dnsmasq PID: $acme_dnsmasq_pid
  echo ""
-sleep 5
+else
+  echo "Error: could not start a dnsmasq process for the acme challenge."
+  exit 1
+fi
+
+# launch main dnsmasq process
+touch $tmp_conf_file \
+  && dnsmasq \
+    --conf-file=$tmp_conf_file \
+    -k -d -D -b -R -n -N -h -q \
+    -p $alternative_dns_port \
+    --address="/$domain/$my_ygg_ip" \
+    --address="/$domain/$bridge46_ipv4" \
+    --server="/_acme-challenge.$domain/127.0.0.1#$acme_challenge_port" \
+    1>&- 2>&- &
+main_dnsmasq_pid=$!
+sleep 3
+if [ "`ps aux | grep dnsmasq | grep $main_dnsmasq_pid`" != "" ]; then
+  echo main dnsmasq PID: $main_dnsmasq_pid
+  echo ""
+fi
+
+echo "Waiting for $wait_before_renew seconds."
+sleep $wait_before_renew

 # issue certificate
-$acme_cmd --renew \
+$acme_cmd --renew --server letsencrypt \
  -d "$domain" \
  --dns $long_flag
+acme_renew_state=$?

-# kill dnsmasq
-kill $dnsmasq_pid
+# kill acme challenge dnsmasq process
+kill $acme_dnsmasq_pid

-rm $twd/dnsm.tmp.cnf
+rm $tmp_conf_file

+echo ""
+if [ $acme_renew_state == "0" ]; then
  echo "Job finished."
-echo "Remember to create a cron job to run this script once a month."
-
-exit
+  echo "Remember to create a cron job to run this script once a week."
+  exit 0
+else
+  echo "Someething when wrong when trying to get/renew the certificate."
+  exit $acme_renew_state
+fi