Decicus/generate-acme.sh Secret

## generate-acme.sh
#!/bin/bash

# Make sure to load environment variables.
. ~/.bashrc

ACME_DIR="/root/.acme.sh"
ACME="${ACME_DIR}/acme.sh --force"
BASE="/srv/ssl"
ECHO_PREFIX="[acme.sh Helper Script]"

CMD_PARAMS="$@";

ACTALIS=0;
if [[ "${CMD_PARAMS}" =~ "--actalis" ]]; then
    ACTALIS=1;
    echo "${ECHO_PREFIX} '--actalis' specified - Using Actalis CA (Go SSL)."

    # Check if EAB keys are set.
    if [[ -z "${ACTALIS_EAB_KID}" || -z "${ACTALIS_EAB_HMAC_KEY}" ]]; then
        echo "${ECHO_PREFIX} Error: Actalis EAB keys are not set. Please set ACTALIS_EAB_KID and ACTALIS_EAB_HMAC_KEY environment variables."
        exit 1;
    fi
fi

if [[ $ACTALIS -eq 1 ]]; then
    CA_DIR="${ACME_DIR}/ca/acme-api.actalis.com";

    if [[ ! -d "${CA_DIR}" ]]; then
        echo "${ECHO_PREFIX} Account email for Actalis CA (required)?"
        read ACCOUNT_EMAIL

        eval "${ACME} --server https://acme-api.actalis.com/acme/directory --register-account --accountemail '${ACCOUNT_EMAIL}' --eab-kid '${ACTALIS_EAB_KID}' --eab-hmac-key '${ACTALIS_EAB_HMAC_KEY}'"
    fi
fi

# Create directory if it exists, make sure permissions are as strict as possible.
echo "${ECHO_PREFIX} Creating base certificate directory: ${BASE}"
mkdir -p $BASE
chmod -R 600 $BASE
chown -R root:root $BASE

echo "${ECHO_PREFIX} Name of folder containing certificates? (Will be created under ${BASE})"
read FOLDERNAME

echo "${ECHO_PREFIX} Creating folder if it doesn't exist: ${BASE}/${FOLDERNAME}"
mkdir -p "${BASE}/${FOLDERNAME}"

# ¯\_(ツ)_/¯ - https://timmurphy.org/2012/03/09/convert-a-delimited-string-into-an-array-in-bash/
OIFS=$IFS
IFS=' '

echo "${ECHO_PREFIX} Space-separated list of domains to generate a certificate for?"
echo "${ECHO_PREFIX} You can specify a DNS provider or webroot for each domain. For example: some.example.com:/var/www/html other.example.com:dns_cf"
read DOMAIN_LIST

DOMAINS=($DOMAIN_LIST)
IFS=$OIFS
DOMAIN_PARAMS=""
ACME_PARAMS=""

for (( i = 0; i < ${#DOMAINS[@]}; i++ )); do
    DOMAIN="${DOMAINS[$i]}";
    DOMAIN_NAME="$(echo $DOMAIN | cut -d ':' -f 1)";
    PROVIDER_NAME="$(echo $DOMAIN | cut -d ':' -f 2)";

    PROVIDER_TYPE="--dns";
    if [[ -z "${PROVIDER_NAME}" ]]; then
        PROVIDER_NAME="dns_cf";
    fi

    # Starts with a slash, we assume it's a path & webroot.
    if [[ "${PROVIDER_NAME}" =~ "^/"* ]]; then
        PROVIDER_TYPE="-w";
    fi

    DOMAIN_PARAMS+=" -d ${DOMAIN_NAME}";
    ACME_PARAMS+=" -d ${DOMAIN_NAME} ${PROVIDER_TYPE} ${PROVIDER_NAME}";
done

# DNS handler is now specified as part of the domain list.
# echo "${ECHO_PREFIX} DNS? [y/N]"
# read IS_DNS

# IS_DNS=${IS_DNS,,}
# if [[ $IS_DNS == *"y"* ]]; then
#     echo "${ECHO_PREFIX} DNS provider? For example: Cloudflare = dns_cf."
#     echo "${ECHO_PREFIX} Provider also assumes the proper environment variables are set. Read: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api"
#     read DNS_PROVIDER

#     ACME_PARAMS+="--dns ${DNS_PROVIDER}"
# else
#     echo "${ECHO_PREFIX} Webroot? For example: /var/www/html"
#     read WEBROOT_DIR

#     ACME_PARAMS+="-w ${WEBROOT_DIR}"
# fi

# Make sure we point to the right CA.
if [[ $ACTALIS -eq 1 ]]; then
    ACME_PARAMS+=" --server https://acme-api.actalis.com/acme/directory --eab-kid '${ACTALIS_EAB_KID}' --eab-hmac-key '${ACTALIS_EAB_HMAC_KEY}'"
else
    # For some reason acme.sh is now using ZeroSSL as the default CA for new certs.
    # I hate change, so we force Let's Encrypt unless BuyPass is used.
    ACME_PARAMS+=" --server letsencrypt"
fi

echo "${ECHO_PREFIX} Reload command? For example: nginx -s reload"
read RELOADCMD

echo "${ECHO_PREFIX} Requesting certificate using the chosen methods:"
eval "${ACME} ${ACME_PARAMS} --issue"

SSL_PATH="$BASE/$FOLDERNAME"
if [[ "$?" == "0" ]]; then
    echo "${ECHO_PREFIX} Certificate request completed. Installing certificate with reload command."
    eval "${ACME} ${DOMAIN_PARAMS} --key-file '${SSL_PATH}/key.pem' --fullchain-file '${SSL_PATH}/fullchain.pem' --cert-file '${SSL_PATH}/cert.pem' --ca-file '${SSL_PATH}/chain.pem' --reloadcmd '${RELOADCMD}' --install-cert"
else
    echo "${ECHO_PREFIX} An error occurred during certificate request. Aborting."
fi
	#!/bin/bash

	# Make sure to load environment variables.
	. ~/.bashrc

	ACME_DIR="/root/.acme.sh"
	ACME="${ACME_DIR}/acme.sh --force"
	BASE="/srv/ssl"
	ECHO_PREFIX="[acme.sh Helper Script]"

	CMD_PARAMS="$@";

	ACTALIS=0;
	if [[ "${CMD_PARAMS}" =~ "--actalis" ]]; then
	ACTALIS=1;
	echo "${ECHO_PREFIX} '--actalis' specified - Using Actalis CA (Go SSL)."

	# Check if EAB keys are set.
	if [[ -z "${ACTALIS_EAB_KID}" \|\| -z "${ACTALIS_EAB_HMAC_KEY}" ]]; then
	echo "${ECHO_PREFIX} Error: Actalis EAB keys are not set. Please set ACTALIS_EAB_KID and ACTALIS_EAB_HMAC_KEY environment variables."
	exit 1;
	fi
	fi

	if [[ $ACTALIS -eq 1 ]]; then
	CA_DIR="${ACME_DIR}/ca/acme-api.actalis.com";

	if [[ ! -d "${CA_DIR}" ]]; then
	echo "${ECHO_PREFIX} Account email for Actalis CA (required)?"
	read ACCOUNT_EMAIL

	eval "${ACME} --server https://acme-api.actalis.com/acme/directory --register-account --accountemail '${ACCOUNT_EMAIL}' --eab-kid '${ACTALIS_EAB_KID}' --eab-hmac-key '${ACTALIS_EAB_HMAC_KEY}'"
	fi
	fi

	# Create directory if it exists, make sure permissions are as strict as possible.
	echo "${ECHO_PREFIX} Creating base certificate directory: ${BASE}"
	mkdir -p $BASE
	chmod -R 600 $BASE
	chown -R root:root $BASE

	echo "${ECHO_PREFIX} Name of folder containing certificates? (Will be created under ${BASE})"
	read FOLDERNAME

	echo "${ECHO_PREFIX} Creating folder if it doesn't exist: ${BASE}/${FOLDERNAME}"
	mkdir -p "${BASE}/${FOLDERNAME}"

	# ¯\_(ツ)_/¯ - https://timmurphy.org/2012/03/09/convert-a-delimited-string-into-an-array-in-bash/
	OIFS=$IFS
	IFS=' '

	echo "${ECHO_PREFIX} Space-separated list of domains to generate a certificate for?"
	echo "${ECHO_PREFIX} You can specify a DNS provider or webroot for each domain. For example: some.example.com:/var/www/html other.example.com:dns_cf"
	read DOMAIN_LIST

	DOMAINS=($DOMAIN_LIST)
	IFS=$OIFS
	DOMAIN_PARAMS=""
	ACME_PARAMS=""

	for (( i = 0; i < ${#DOMAINS[@]}; i++ )); do
	DOMAIN="${DOMAINS[$i]}";
	DOMAIN_NAME="$(echo $DOMAIN \| cut -d ':' -f 1)";
	PROVIDER_NAME="$(echo $DOMAIN \| cut -d ':' -f 2)";

	PROVIDER_TYPE="--dns";
	if [[ -z "${PROVIDER_NAME}" ]]; then
	PROVIDER_NAME="dns_cf";
	fi

	# Starts with a slash, we assume it's a path & webroot.
	if [[ "${PROVIDER_NAME}" =~ "^/"* ]]; then
	PROVIDER_TYPE="-w";
	fi

	DOMAIN_PARAMS+=" -d ${DOMAIN_NAME}";
	ACME_PARAMS+=" -d ${DOMAIN_NAME} ${PROVIDER_TYPE} ${PROVIDER_NAME}";
	done

	# DNS handler is now specified as part of the domain list.
	# echo "${ECHO_PREFIX} DNS? [y/N]"
	# read IS_DNS

	# IS_DNS=${IS_DNS,,}
	# if [[ $IS_DNS == "y" ]]; then
	# echo "${ECHO_PREFIX} DNS provider? For example: Cloudflare = dns_cf."
	# echo "${ECHO_PREFIX} Provider also assumes the proper environment variables are set. Read: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api"
	# read DNS_PROVIDER

	# ACME_PARAMS+="--dns ${DNS_PROVIDER}"
	# else
	# echo "${ECHO_PREFIX} Webroot? For example: /var/www/html"
	# read WEBROOT_DIR

	# ACME_PARAMS+="-w ${WEBROOT_DIR}"
	# fi

	# Make sure we point to the right CA.
	if [[ $ACTALIS -eq 1 ]]; then
	ACME_PARAMS+=" --server https://acme-api.actalis.com/acme/directory --eab-kid '${ACTALIS_EAB_KID}' --eab-hmac-key '${ACTALIS_EAB_HMAC_KEY}'"
	else
	# For some reason acme.sh is now using ZeroSSL as the default CA for new certs.
	# I hate change, so we force Let's Encrypt unless BuyPass is used.
	ACME_PARAMS+=" --server letsencrypt"
	fi

	echo "${ECHO_PREFIX} Reload command? For example: nginx -s reload"
	read RELOADCMD

	echo "${ECHO_PREFIX} Requesting certificate using the chosen methods:"
	eval "${ACME} ${ACME_PARAMS} --issue"

	SSL_PATH="$BASE/$FOLDERNAME"
	if [[ "$?" == "0" ]]; then
	echo "${ECHO_PREFIX} Certificate request completed. Installing certificate with reload command."
	eval "${ACME} ${DOMAIN_PARAMS} --key-file '${SSL_PATH}/key.pem' --fullchain-file '${SSL_PATH}/fullchain.pem' --cert-file '${SSL_PATH}/cert.pem' --ca-file '${SSL_PATH}/chain.pem' --reloadcmd '${RELOADCMD}' --install-cert"
	else
	echo "${ECHO_PREFIX} An error occurred during certificate request. Aborting."
	fi
No results found