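#!/bin/bash
# Request a ZeroSSL certificate for "<label>.$DOMAIN" and validate it with a
# CNAME record created (and removed again) through the DigitalOcean DNS API.
#
# Usage:  ./script.sh <label>
#   <label>  a single DNS label; the certificate CN becomes <label>.$DOMAIN
#
# Required environment (read from the environment rather than hard-coded so
# the keys do not end up in the file, in history, or in `set -x` output):
#   ZEROSSL_KEY  ZeroSSL API access key
#   DO_KEY       DigitalOcean API token with DNS write access
#
# Files written to the current directory, named after the CN:
#   <cn>.key   private key (mode 0600)      <cn>.csr   certificate request
#   <cn>.resp  ZeroSSL draft response       <cn>.name  DigitalOcean record response
#   <cn>.vald  ZeroSSL challenge response   <cn>.crt   issued certificate
#
# Dependencies: bash, openssl, curl, python3. jq is no longer needed: all JSON
# is parsed and produced with python3's json module.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

ZEROSSL_KEY="${ZEROSSL_KEY:?ZEROSSL_KEY must be set in the environment}"
DO_KEY="${DO_KEY:?DO_KEY must be set in the environment}"
readonly ZEROSSL_KEY DO_KEY

# Root domain managed at DigitalOcean; the CN is built from it and $1.
readonly DOMAIN=subdomain.example.com

LABEL="${1:?usage: ${0##*/} <label>}"
# $1 becomes part of file names and of the CN, so only accept a plain DNS
# label: no dots, slashes, whitespace or shell metacharacters.
[[ "$LABEL" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]] \
  || die "label must be a single DNS label (letters, digits, hyphens)"
readonly CERT_NAME="$LABEL.$DOMAIN"

#######################################
# Print one value from a JSON document by key path.
# Arguments: KEY... - nested keys to follow
# Inputs:    JSON document on stdin
# Outputs:   the value on stdout
# Returns:   non-zero if the document is invalid or a key is missing
#######################################
json_get() {
  python3 -c '
import json, sys
obj = json.load(sys.stdin)
for key in sys.argv[1:]:
    obj = obj[key]
print(obj)
' "$@"
}

# Set once the validation record exists; consulted by the EXIT trap below.
DNSID=

#######################################
# Delete the validation CNAME at DigitalOcean. Runs on every exit path so a
# failed run does not leave a dangling record pointing at a third party.
# Globals:   DO_KEY, DOMAIN, DNSID (read)
#######################################
cleanup() {
  if [[ -n "$DNSID" ]]; then
    curl -sS -f -X DELETE -H "Content-Type: application/json" \
      -H "Authorization: Bearer $DO_KEY" \
      "https://api.digitalocean.com/v2/domains/$DOMAIN/records/$DNSID" \
      || printf 'warning: could not delete DNS record %s\n' "$DNSID" >&2
  fi
}
trap cleanup EXIT

# Create the private key and CSR.
openssl req -new -newkey rsa:2048 -nodes \
  -out "$CERT_NAME.csr" \
  -keyout "$CERT_NAME.key" \
  -subj "/C=GB/ST=London/L=London/O=Example/OU=Testing/CN=$CERT_NAME" \
  &>/dev/null || die "openssl req failed"
# The key is the one secret this script creates; keep it owner-only.
chmod 600 "$CERT_NAME.key"

# Draft the certificate at ZeroSSL. The API takes the access key as a query
# parameter, so the URL is quoted whole (the '?' must not be globbed) and the
# key will be visible in the process list for the duration of the call.
curl -sS -f -X POST "https://api.zerossl.com/certificates?access_key=$ZEROSSL_KEY" \
  --data-urlencode "certificate_csr@$CERT_NAME.csr" \
  -d "certificate_domains=$CERT_NAME" \
  -d certificate_validity_days=90 \
  -o "$CERT_NAME.resp"

# Extract the certificate id and the CNAME validation pair from the response
# (same key path the earlier jq-based variant used).
ID=$(json_get id < "$CERT_NAME.resp")
CNAME_HOST=$(json_get validation other_methods "$CERT_NAME" cname_validation_p1 < "$CERT_NAME.resp")
# DigitalOcean wants the record name relative to the zone, so drop the suffix.
CNAME_HOST=${CNAME_HOST%".$DOMAIN"}
CNAME_ALIAS=$(json_get validation other_methods "$CERT_NAME" cname_validation_p2 < "$CERT_NAME.resp")

printf 'ID=%s\n' "$ID"
printf 'CNAME_HOST=%s\n' "$CNAME_HOST"
printf 'CNAME_ALIAS=%s\n' "$CNAME_ALIAS"

# Build the DNS record body with a real JSON encoder: name and data come from
# a remote API response, so they are never spliced into a JSON literal by hand.
record_body=$(python3 -c '
import json, sys
print(json.dumps({"type": "CNAME", "name": sys.argv[1], "data": sys.argv[2] + ".",
                  "priority": None, "port": None, "ttl": 1800, "weight": None,
                  "flags": None, "tag": None}))
' "$CNAME_HOST" "$CNAME_ALIAS")

# Add the verification CNAME at DigitalOcean.
curl -sS -f -X POST -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DO_KEY" \
  -d "$record_body" \
  "https://api.digitalocean.com/v2/domains/$DOMAIN/records" \
  -o "$CERT_NAME.name"
# Record the id immediately so the EXIT trap can remove the record on failure.
DNSID=$(json_get domain_record id < "$CERT_NAME.name")

# Fixed delay for DNS propagation; nothing here polls for the record.
sleep 30

# Ask ZeroSSL to validate via the CNAME.
curl -sS -f -X POST "https://api.zerossl.com/certificates/$ID/challenges?access_key=$ZEROSSL_KEY" \
  -d validation_method=CNAME_CSR_HASH \
  -o "$CERT_NAME.vald"

# Fixed delay for issuance; nothing here polls the certificate status.
sleep 30

# Fetch the issued certificate. Under pipefail a failed download aborts
# instead of writing an empty .crt.
curl -sS -f "https://api.zerossl.com/certificates/$ID/download/return?access_key=$ZEROSSL_KEY" \
  | json_get certificate.crt > "$CERT_NAME.crt"

printf '%s\n' "$DNSID"
# The verification CNAME is deleted by the EXIT trap.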