@lenoxys
Last active June 9, 2023 04:42
Certbot hook for Cortex XSOAR + Cloudflare DNS + tutorial letsencrypt

Tested on Ubuntu 22.04

1. Install certbot and the Cloudflare DNS plugin

sudo snap install --classic certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
sudo snap connect certbot:plugin certbot-dns-cloudflare

2. Create a Cloudflare credentials file

mkdir -p ~/.secrets/certbot/
tee -a ~/.secrets/certbot/cloudflare.mydomain.ini > /dev/null <<EOT
# Cloudflare API token used by Certbot for all domains on mydomain account
dns_cloudflare_api_token = your_api_token
EOT

3. Restrict access to the credentials file (it holds the API token)

chmod 600 ~/.secrets/certbot/cloudflare.mydomain.ini

4. Download the deploy hook script and make it executable

sudo wget -O /etc/letsencrypt/renewal-hooks/deploy/xsoar.sh https://gist.github.com/lenoxys/e543cde35c3ff85f4c44f9b802bb3a06/raw/xsoar.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/xsoar.sh

6. Make sure the server hostname matches the FQDN you plan to use (the hook compares `hostname --fqdn` against the renewed domains)

sudo hostname xxx.xxx.com
echo "xxx.xxx.com" | sudo tee /etc/hostname
echo "public_ip xxx.xxx.com xxx" | sudo tee -a /etc/hosts

7. Acquire a new certificate

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.mydomain.ini -d xxx.xxx.com

8. Test certbot automatic renewal

sudo certbot renew --dry-run
xsoar.sh (the deploy hook downloaded in step 4):

#!/bin/sh
# This script goes in: /etc/letsencrypt/renewal-hooks/deploy
# Certbot runs it once per renewed lineage with RENEWED_DOMAINS (space-separated
# names on the certificate) and RENEWED_LINEAGE (the live/<name> directory).
set -eu

for domain in $RENEWED_DOMAINS
do
    # Only act on the certificate whose name is this server's FQDN (see step 6).
    if [ "$domain" = "$(hostname --fqdn)" ]
    then
        echo ">> Cortex XSOAR fqdn server detected - reloading XSOAR service"
        systemctl stop demisto
        # Overwrite in place so the existing file ownership/permissions are kept.
        cat "$RENEWED_LINEAGE/privkey.pem" > /usr/local/demisto/cert.key
        cat "$RENEWED_LINEAGE/fullchain.pem" > /usr/local/demisto/cert.pem
        systemctl start demisto
        break
    fi
done
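The hook above only fires when one of the names certbot passes in RENEWED_DOMAINS equals the server's FQDN, which is why step 6 matters. The following is an added example, not part of the gist, that exercises that matching logic offline against a constructed lineage directory with placeholder PEM files (no real keys), so you can see both the deployed and the skipped case without waiting for a renewal; `deploy_if_match` and `make_fixture` are hypothetical helper names and the service restart is left out.

```shell
#!/bin/sh
# deploy_if_match FQDN "DOMAINS" LINEAGE_DIR DEST_DIR
#   DOMAINS mirrors certbot's space-separated RENEWED_DOMAINS and LINEAGE_DIR
#   mirrors RENEWED_LINEAGE. Copies key and chain into DEST_DIR only when one
#   of the renewed names equals FQDN. Returns 0 when deployed, 1 when skipped.
deploy_if_match() {
    fqdn=$1; domains=$2; lineage=$3; dest=$4
    for domain in $domains; do
        if [ "$domain" = "$fqdn" ]; then
            # install(1) copies and sets the mode in one step; the private
            # key must never be world-readable.
            install -m 600 "$lineage/privkey.pem" "$dest/cert.key"
            install -m 644 "$lineage/fullchain.pem" "$dest/cert.pem"
            return 0
        fi
    done
    return 1
}

# Constructed fixture: a fake live/<name> lineage with placeholder PEM content
# and an empty destination directory, both under a fresh temp dir.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/live/xsoar.example.com" "$root/demisto"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$root/live/xsoar.example.com/privkey.pem"
    printf 'PLACEHOLDER CERT CHAIN\n'  > "$root/live/xsoar.example.com/fullchain.pem"
    echo "$root"
}

# Scenario 1: a multi-name certificate where one name matches the FQDN.
ROOT=$(make_fixture)
if deploy_if_match "xsoar.example.com" "www.example.com xsoar.example.com" \
        "$ROOT/live/xsoar.example.com" "$ROOT/demisto"; then
    echo "deployed:"; ls -l "$ROOT/demisto"
fi

# Scenario 2: the hostname was never set (step 6 skipped), so nothing deploys.
ROOT2=$(make_fixture)
deploy_if_match "ubuntu" "xsoar.example.com" \
        "$ROOT2/live/xsoar.example.com" "$ROOT2/demisto" \
    || echo "skipped: hostname does not match any renewed domain"
```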