Skip to content

Instantly share code, notes, and snippets.

@AnthonyWharton
Last active July 28, 2024 15:24
Show Gist options
  • Save AnthonyWharton/a0e8faae7195a5c1dea210466eda1c92 to your computer and use it in GitHub Desktop.
Save AnthonyWharton/a0e8faae7195a5c1dea210466eda1c92 to your computer and use it in GitHub Desktop.
FreeDNS (afraid.org) Cerbot/Let's Encrypt Manual Automation Script
#!/bin/bash
# Copyright 2018, Anthony Wharton
# Single script that can be called that generates certificates using the
# certbotFreeDNSAuthHook.sh and certbotFreeDNSCleanupHook.sh scripts.
# This should be used as guidence of my usage, and changed to your needs. Note
# the generic `/path/to/...` and `DOMAIN.COM`, which should be replaced with
# your script location and domain respectively. In addition, for this to be
# used on a live system, one must remove the `--dry-run` flag.
certbot certonly \
--dry-run \
--agree-tos \
--manual-public-ip-logging-ok \
--renew-by-default \
--manual \
--preferred-challenges=dns \
--manual-auth-hook /path/to/certbotFreeDNSAuthHook.sh \
--manual-cleanup-hook /path/to/certbotFreeDNSCleanupHook.sh \
-d "DOMAIN.COM" \
-d "*.DOMAIN.COM" \
--server https://acme-v02.api.letsencrypt.org/directory
#!/bin/bash
# Copyright 2018, Anthony Wharton
# Script that logs into FreeDNS.afraid.org and puts in the _acme-challenge TXT
# record as required by certbot for let's encrypt certificates.
# This was made for my need to automate wildcard renewals which cannot work
# automatically.
# TODO: Update to your FreeDNS.afraid.org username and password.
USERNAME='user%40domain.com' # Username for FreeDNS
PASSWORD='verysecurepassword' # Password for FreeDNS
WORKINGDIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"
COOKIEFILE="$WORKINGDIR/cookies.tmp"
TXTID_FILE="$WORKINGDIR/TXT_ID"
REGEX_DOMAINID="s/.*$CERTBOT_DOMAIN.*domain_id=\\([0-9]*\\).*/\\1/;t;d"
REGEX_TXTID="s/.*data_id=\\([0-9]*\\)>_acme-challenge.*/\\1/;t;d"
echo "==============================================="
if [ ! -d $WORKINGDIR ]; then
echo "Creating working director for temporary files ($WORKINGDIR)"
mkdir -m 0700 $WORKINGDIR
fi
echo "Logging in..."
curl -s "https://freedns.afraid.org/zc.php?step=2 " \
-c $COOKIEFILE \
-d "action=auth" \
-d "submit=Login" \
-d "username=$USERNAME" \
-d "password=$PASSWORD"
echo "Getting domain ID..."
DOM_ID=$(curl -s "https://freedns.afraid.org/subdomain/" \
-b $COOKIEFILE \
| sed --posix $REGEX_DOMAINID)
echo "Domain ID: $DOM_ID"
echo "Getting current TXT record ID (if existent)..."
TXT_ID=$(curl -s "https://freedns.afraid.org/subdomain/" \
-b $COOKIEFILE \
| sed --posix $REGEX_TXTID)
echo "Creating/Updaing TXT record..."
curl -s "https://freedns.afraid.org/subdomain/save.php?step=2" \
-b $COOKIEFILE \
-d "type=TXT" \
-d "subdomain=_acme-challenge" \
-d "domain_id=$DOM_ID" \
-d "address=%22$CERTBOT_VALIDATION%22" \
-d "data_id=$TXT_ID" \
-d "send=Save%21"
TXT_ID=$(curl -s "https://freedns.afraid.org/subdomain/" \
-b $COOKIEFILE \
| sed --posix $REGEX_TXTID)
echo "TXT record ID: $TXT_ID"
echo Saving ID for cleanup...
echo $TXT_ID > $TXTID_FILE
echo "Auth Step DONE, Sleeping to allow for DNS records to propagate"
sleep 15
echo "==============================================="
#!/bin/bash
# Copyright 2018, Anthony Wharton
# Script that logs into FreeDNS.afraid.org and cleans up the _acme-challenge
# TXT record as created by the certbotFreeDNSAuthHook.sh script.
# This was made for my need to automate wildcard renewals which cannot work
# automatically.
# TODO: Update to your FreeDNS.afraid.org username and password.
USERNAME='user%40domain.com' # Username for FreeDNS
PASSWORD='verysecurepassword' # Password for FreeDNS
WORKINGDIR="/tmp/CERTBOT_$CERTBOT_DOMAIN"
COOKIEFILE="$WORKINGDIR/cookies.tmp"
TXTID_FILE="$WORKINGDIR/TXT_ID"
echo "==============================================="
echo "Cleaning up..."
if [ ! -f $COOKIESFILE ]; then
echo "No saved cookies found... Logging in..."
curl -s "https://freedns.afraid.org/zc.php?step=2 " \
-c $COOKIEFILE \
-d "action=auth" \
-d "submit=Login" \
-d "username=$USERNAME" \
-d "password=$PASSWORD"
fi
if [ -f $TXTID_FILE ]; then
TXT_ID=$(cat $TXTID_FILE)
echo "Deleting TXT record ID ($TXT_ID)..."
QUERY="https://freedns.afraid.org/subdomain/delete2.php?"
QUERY+="data_id%5B%5D=$TXT_ID&"
QUERY+="submit=delete+selected"
curl -s $QUERY -b $COOKIEFILE
fi
rm -vrf $WORKINGDIR
echo "DONE"
echo "==============================================="
@politick
Copy link

politick commented Mar 8, 2024

If you are trying to use a DNS-01 challenge to get a wildcard *.freedns.afraid.org certificate, then you will NOT be able to do so because you don't own the root domain name "afraid.org". Just not possible, because it would be unsafe.

But you should be able to use an HTTP-01 challenge for your alanmilinovic.freedns.afraid.org name as long as you have port 80 forwarded to the web server where you are running the ACME client. This will give you one certificate per "server" name that you can use only on that "single server" ( you can / should use ReverseProxy functionality from that single name to get to all your internal services).
Kind Regards, Martin Politick, 2024.

@alanmilinovic
Copy link

If you are trying to use a DNS-01 challenge to get a wildcard *.freedns.afraid.org certificate, then you will NOT be able to do so because you don't own the root domain name "afraid.org". Just not possible, because it would be unsafe.

But you should be able to use an HTTP-01 challenge for your alanmilinovic.freedns.afraid.org name as long as you have port 80 forwarded to the web server where you are running the ACME client. This will give you one certificate per "server" name that you can use only on that "single server" ( you can / should use ReverseProxy functionality from that single name to get to all your internal services). Kind Regards, Martin Politick, 2024.

Unfortunately, because of VPN, I am not able to port forward port 80.

@dreamwraith
Copy link

dreamwraith commented Mar 8, 2024 via email

@alanmilinovic
Copy link

Do you not control the network at all? If so, it doesn't seem like you should really be concerned with this. I guess I'm just confused. If this is your own personal VPN, you don't need a valid public cert to use https inside your already secured VPN, you can just self sign.

On Fri, Mar 8, 2024, 3:33 PM Alan @.> wrote: @.* commented on this gist. ------------------------------ If you are trying to use a DNS-01 challenge to get a wildcard *. freedns.afraid.org certificate, then you will NOT be able to do so because you don't own the root domain name "afraid.org". Just not possible, because it would be unsafe. But you should be able to use an HTTP-01 challenge for your alanmilinovic.freedns.afraid.org name as long as you have port 80 forwarded to the web server where you are running the ACME client. This will give you one certificate per "server" name that you can use only on that "single server" ( you can / should use ReverseProxy functionality from that single name to get to all your internal services). Kind Regards, Martin Politick, 2024. Unfortunately, because of VPN, I am not able to port forward port 80. — Reply to this email directly, view it on GitHub https://gist.github.com/AnthonyWharton/a0e8faae7195a5c1dea210466eda1c92#gistcomment-4978412 or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJIPCAFNZCAOVT5UQBMFT3YXJDETBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TEMBVGUZDAONHORZGSZ3HMVZKMY3SMVQXIZI . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub .

It is not my personal VPN, and some of the ports are already taken by other users that also subscribed for the same service.

@alanmilinovic
Copy link

So I finally sort it our. Solution was to use Dynu free dns, where I was able to use acme.sh and generate certificate for subdomains. freedns.afraid.org is not supporting subdomains.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment