cpswan/zerossl-api-certgen.sh

## zerossl-api-certgen.sh
#!/bin/bash

# API keys for ZeroSSL and Digital Ocean
# These particular keys are fake random hex
ZEROSSL_KEY='0f027ac0f3b24ddb3c4412f11fa1e746'
DO_KEY='a3e6ee004fd7c352af61f0465765030b5d162acc94c24fdbb42f7a8c81e897a3'

# Set root domain and take CN from params
DOMAIN=subdomain.example.com
CERT_NAME="$1"."$DOMAIN"

# Create CSR and Private Key
openssl req -new -newkey rsa:2048 -nodes -out "$CERT_NAME".csr \
            -keyout "$CERT_NAME".key \
            -subj "/C=GB/ST=London/L=London/O=Example/OU=Testing/CN=$CERT_NAME" \
            &>/dev/null

# Draft certificate at ZeroSSL
curl -s -X POST https://api.zerossl.com/certificates?access_key="$ZEROSSL_KEY" \
        --data-urlencode certificate_csr@"$CERT_NAME".csr \
        -d certificate_domains="$CERT_NAME" \
        -d certificate_validity_days=90 \
        -o "$CERT_NAME".resp

# Extract CNAME parameters from ZeroSSL response
ID=$(< "$CERT_NAME".resp  python3 -c "import sys, json; print(json.load(sys.stdin)['id'])")
CNAME_HOST=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
        | awk -v RS=',"' -F: '/^cname_validation_p1/ {print $2}' \
        | sed -e 's/"//g' | sed -s s/".$DOMAIN"//g)
CNAME_ALIAS=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
        | awk -v RS=',"' -F: '/^cname_validation_p2/ {print $2}' \
        | sed -s 's/"//g')

# jq seemed to be stripping dots out :/ Also it's an extra dependency
#CNAME_HOST=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p1' "$CERT_NAME".resp \
#       | sed -s s/".$DOMAIN"//g`
#CNAME_ALIAS=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p2' "$CERT_NAME".resp`
echo ID="$ID"
echo CNAME_HOST="$CNAME_HOST"
echo CNAME_ALIAS="$CNAME_ALIAS"

# Add DNS CNAME at Digital Ocean for verification
curl -s -X POST -H "Content-Type: application/json" \
        -H "Authorization: Bearer $DO_KEY" \
        -d '{"type":"CNAME","name":"'"$CNAME_HOST"'","data":"'"$CNAME_ALIAS"'.","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' \
        https://api.digitalocean.com/v2/domains/"$DOMAIN"/records \
        -o "$CERT_NAME".name

# Wait for DNS record to propagate
sleep 30

# Validate certificate at ZeroSSL
curl -s -X POST https://api.zerossl.com/certificates/"$ID"/challenges?access_key="$ZEROSSL_KEY" \
        -d validation_method=CNAME_CSR_HASH \
        -o "$CERT_NAME".vald

# Wait for cert to be issued
sleep 30

# Get the cert
curl -s https://api.zerossl.com/certificates/"$ID"/download/return?access_key="$ZEROSSL_KEY" \
        | jq -r '."certificate.crt"' > "$CERT_NAME".crt

DNSID=$(< "$CERT_NAME".name python3 -c "import sys, json; print(json.load(sys.stdin)['domain_record']['id'])")
echo "$DNSID"

# Delete the verification CNAME
curl -s -X DELETE -H "Content-Type: application/json" \
        -H "Authorization: Bearer $DO_KEY" \
        https://api.digitalocean.com/v2/domains/"$DOMAIN"/records/"$DNSID"
	#!/bin/bash

	# API keys for ZeroSSL and Digital Ocean
	# These particular keys are fake random hex
	ZEROSSL_KEY='0f027ac0f3b24ddb3c4412f11fa1e746'
	DO_KEY='a3e6ee004fd7c352af61f0465765030b5d162acc94c24fdbb42f7a8c81e897a3'

	# Set root domain and take CN from params
	DOMAIN=subdomain.example.com
	CERT_NAME="$1"."$DOMAIN"

	# Create CSR and Private Key
	openssl req -new -newkey rsa:2048 -nodes -out "$CERT_NAME".csr \
	-keyout "$CERT_NAME".key \
	-subj "/C=GB/ST=London/L=London/O=Example/OU=Testing/CN=$CERT_NAME" \
	&>/dev/null

	# Draft certificate at ZeroSSL
	curl -s -X POST https://api.zerossl.com/certificates?access_key="$ZEROSSL_KEY" \
	--data-urlencode certificate_csr@"$CERT_NAME".csr \
	-d certificate_domains="$CERT_NAME" \
	-d certificate_validity_days=90 \
	-o "$CERT_NAME".resp

	# Extract CNAME parameters from ZeroSSL response
	ID=$(< "$CERT_NAME".resp python3 -c "import sys, json; print(json.load(sys.stdin)['id'])")
	CNAME_HOST=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
	\| awk -v RS=',"' -F: '/^cname_validation_p1/ {print $2}' \
	\| sed -e 's/"//g' \| sed -s s/".$DOMAIN"//g)
	CNAME_ALIAS=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
	\| awk -v RS=',"' -F: '/^cname_validation_p2/ {print $2}' \
	\| sed -s 's/"//g')

	# jq seemed to be stripping dots out :/ Also it's an extra dependency
	#CNAME_HOST=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p1' "$CERT_NAME".resp \
	# \| sed -s s/".$DOMAIN"//g`
	#CNAME_ALIAS=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p2' "$CERT_NAME".resp`
	echo ID="$ID"
	echo CNAME_HOST="$CNAME_HOST"
	echo CNAME_ALIAS="$CNAME_ALIAS"

	# Add DNS CNAME at Digital Ocean for verification
	curl -s -X POST -H "Content-Type: application/json" \
	-H "Authorization: Bearer $DO_KEY" \
	-d '{"type":"CNAME","name":"'"$CNAME_HOST"'","data":"'"$CNAME_ALIAS"'.","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' \
	https://api.digitalocean.com/v2/domains/"$DOMAIN"/records \
	-o "$CERT_NAME".name

	# Wait for DNS record to propagate
	sleep 30

	# Validate certificate at ZeroSSL
	curl -s -X POST https://api.zerossl.com/certificates/"$ID"/challenges?access_key="$ZEROSSL_KEY" \
	-d validation_method=CNAME_CSR_HASH \
	-o "$CERT_NAME".vald

	# Wait for cert to be issued
	sleep 30

	# Get the cert
	curl -s https://api.zerossl.com/certificates/"$ID"/download/return?access_key="$ZEROSSL_KEY" \
	\| jq -r '."certificate.crt"' > "$CERT_NAME".crt

	DNSID=$(< "$CERT_NAME".name python3 -c "import sys, json; print(json.load(sys.stdin)['domain_record']['id'])")
	echo "$DNSID"

	# Delete the verification CNAME
	curl -s -X DELETE -H "Content-Type: application/json" \
	-H "Authorization: Bearer $DO_KEY" \
	https://api.digitalocean.com/v2/domains/"$DOMAIN"/records/"$DNSID"