teamblack-ci/00-update-vault.sh

## 00-update-vault.sh
#!/bin/sh
#
# Perform certificate updates in Vault.

set -eo pipefail

if ! vault token lookup > /dev/null; then
  echo "Login to Vault first."
  exit 1
fi

# Certificate renewal might take some time,
# so renew the token if possible
vault token renew > /dev/null

for domain in $RENEWED_DOMAINS; do

  # Wildcard certificates lead to domains like *.example.com
  # which should become example.com
  target=$domain
  case $target in \*\.*)
    target=${target#*.}
  esac

  vault kv put \
    "secret/lets-encrypt/certificates/$target" \
    "cert=@$RENEWED_LINEAGE/cert.pem" \
    "chain=@$RENEWED_LINEAGE/chain.pem" \
    "privkey=@$RENEWED_LINEAGE/privkey.pem"

  # In case of a multiple-domain certificate, there is no need to re-run this for next domains
  exit 0
done

## Dockerfile
FROM certbot/dns-dnsimple:v0.33.1

ARG VAULT_VERSION=1.1.3

RUN set -eux; \
    apk add --no-cache curl gnupg jq tzdata && \
    apkArch="$(apk --print-arch)"; \
    case "$apkArch" in \
        armhf) ARCH='arm' ;; \
        aarch64) ARCH='arm64' ;; \
        x86_64) ARCH='amd64' ;; \
        x86) ARCH='386' ;; \
        *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
    esac && \
    VAULT_GPGKEY=91A6E7F85D05C65630BEF18951852D87348FFC4C; \
    found=''; \
    for server in \
        hkp://p80.pool.sks-keyservers.net:80 \
        hkp://keyserver.ubuntu.com:80 \
        hkp://pgp.mit.edu:80 \
    ; do \
        echo "Fetching GPG key $VAULT_GPGKEY from $server"; \
        gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY" && found=yes && break; \
    done; \
    test -z "$found" && echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY" && exit 1; \
    mkdir -p /tmp/vault && \
    cd /tmp/vault && \
    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${ARCH}.zip && \
    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
    gpg --batch --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS && \
    grep vault_${VAULT_VERSION}_linux_${ARCH}.zip vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c && \
    unzip -d /bin vault_${VAULT_VERSION}_linux_amd64.zip && \
    cd /tmp && \
    rm -rf /tmp/vault && \
    gpgconf --kill dirmngr && \
    gpgconf --kill gpg-agent && \
    apk del gnupg && \
    rm -rf /root/.gnupg

COPY entrypoint.sh /usr/local/bin/
COPY initialize.sh /usr/local/bin/
COPY 00-update-vault.sh /etc/letsencrypt/renewal-hooks/deploy/

## entrypoint.sh
#!/bin/sh
set -e

if [ "$1" = 'renew' ]; then
    initialize.sh
    certbot renew
else
    exec "$@"
fi

## initialize.sh
#!/bin/sh
# Initialize the environment for certbot
# Requires vault and jq

set -eo pipefail

if ! vault token lookup > /dev/null; then
  echo "Login to Vault first."
  exit 1
fi

# Get account path
ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
ACCOUNT_ID=$(vault kv get --format=json secret/lets-encrypt/account/extra_details | jq -r '.data.data.account_id')
ACCOUNT_PATH="$ACCOUNT_PARENT_PATH/$ACCOUNT_ID"

mkdir -p "$ACCOUNT_PATH"

for i in meta private_key regr; do
  vault kv get --format=json "secret/lets-encrypt/account/$i" | \
    jq -c '.data.data' \
    > "$ACCOUNT_PATH/$i.json"
done

echo "dns_dnsimple_token = $(vault kv get --format=json secret/dnsimple | jq -r '.data.data.token')" > /etc/letsencrypt/dnsimple.ini
chmod 600 /etc/letsencrypt/dnsimple.ini

CERTIFICATES_TO_CHECK=$(vault kv list --format=json secret/lets-encrypt/certificates | jq -r '.[]')

mkdir -p /etc/letsencrypt/renewal

for certificate in $CERTIFICATES_TO_CHECK; do
  CERTIFICATE_DATA=$(vault kv get --format=json "secret/beyond/lets-encrypt-certificates/certificates/${certificate}")
  mkdir -p "/etc/letsencrypt/archive/${certificate}"
  mkdir -p "/etc/letsencrypt/live/${certificate}"
  for field in cert chain privkey; do
    cat > "/etc/letsencrypt/archive/${certificate}/${field}1.pem" <<EOF
$(echo "${CERTIFICATE_DATA}" | jq -r ".data.data.${field}")
EOF
    ln \
      -s "../../archive/${certificate}/${field}1.pem" \
      "/etc/letsencrypt/live/${certificate}/${field}.pem"
  done

  cat \
    "/etc/letsencrypt/archive/${certificate}/cert1.pem" \
    "/etc/letsencrypt/archive/${certificate}/chain1.pem" \
    > "/etc/letsencrypt/archive/${certificate}/fullchain1.pem"
  ln \
    -s "../../archive/${certificate}/fullchain1.pem" \
    "/etc/letsencrypt/live/${certificate}/fullchain.pem"

  cat > "/etc/letsencrypt/renewal/$certificate.conf" <<EOF
version = 0.33.1
archive_dir = /etc/letsencrypt/archive/$certificate
cert = /etc/letsencrypt/live/$certificate/cert.pem
privkey = /etc/letsencrypt/live/$certificate/privkey.pem
chain = /etc/letsencrypt/live/$certificate/chain.pem
fullchain = /etc/letsencrypt/live/$certificate/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = dns-dnsimple
account = $ACCOUNT_ID
dns_dnsimple_credentials = /etc/letsencrypt/dnsimple.ini
server = https://acme-v02.api.letsencrypt.org/directory
EOF
done
	#!/bin/sh
	#
	# Perform certificate updates in Vault.

	set -eo pipefail

	if ! vault token lookup > /dev/null; then
	echo "Login to Vault first."
	exit 1
	fi

	# Certificate renewal might take some time,
	# so renew the token if possible
	vault token renew > /dev/null

	for domain in $RENEWED_DOMAINS; do

	# Wildcard certificates lead to domains like *.example.com
	# which should become example.com
	target=$domain
	case $target in \\.)
	target=${target#*.}
	esac

	vault kv put \
	"secret/lets-encrypt/certificates/$target" \
	"cert=@$RENEWED_LINEAGE/cert.pem" \
	"chain=@$RENEWED_LINEAGE/chain.pem" \
	"privkey=@$RENEWED_LINEAGE/privkey.pem"

	# In case of a multiple-domain certificate, there is no need to re-run this for next domains
	exit 0
	done
	FROM certbot/dns-dnsimple:v0.33.1

	ARG VAULT_VERSION=1.1.3

	RUN set -eux; \
	apk add --no-cache curl gnupg jq tzdata && \
	apkArch="$(apk --print-arch)"; \
	case "$apkArch" in \
	armhf) ARCH='arm' ;; \
	aarch64) ARCH='arm64' ;; \
	x86_64) ARCH='amd64' ;; \
	x86) ARCH='386' ;; \
	*) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
	esac && \
	VAULT_GPGKEY=91A6E7F85D05C65630BEF18951852D87348FFC4C; \
	found=''; \
	for server in \
	hkp://p80.pool.sks-keyservers.net:80 \
	hkp://keyserver.ubuntu.com:80 \
	hkp://pgp.mit.edu:80 \
	; do \
	echo "Fetching GPG key $VAULT_GPGKEY from $server"; \
	gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY" && found=yes && break; \
	done; \
	test -z "$found" && echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY" && exit 1; \
	mkdir -p /tmp/vault && \
	cd /tmp/vault && \
	wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${ARCH}.zip && \
	wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
	wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
	gpg --batch --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS && \
	grep vault_${VAULT_VERSION}_linux_${ARCH}.zip vault_${VAULT_VERSION}_SHA256SUMS \| sha256sum -c && \
	unzip -d /bin vault_${VAULT_VERSION}_linux_amd64.zip && \
	cd /tmp && \
	rm -rf /tmp/vault && \
	gpgconf --kill dirmngr && \
	gpgconf --kill gpg-agent && \
	apk del gnupg && \
	rm -rf /root/.gnupg

	COPY entrypoint.sh /usr/local/bin/
	COPY initialize.sh /usr/local/bin/
	COPY 00-update-vault.sh /etc/letsencrypt/renewal-hooks/deploy/
	#!/bin/sh
	set -e

	if [ "$1" = 'renew' ]; then
	initialize.sh
	certbot renew
	else
	exec "$@"
	fi
	#!/bin/sh
	# Initialize the environment for certbot
	# Requires vault and jq

	set -eo pipefail

	if ! vault token lookup > /dev/null; then
	echo "Login to Vault first."
	exit 1
	fi

	# Get account path
	ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
	ACCOUNT_ID=$(vault kv get --format=json secret/lets-encrypt/account/extra_details \| jq -r '.data.data.account_id')
	ACCOUNT_PATH="$ACCOUNT_PARENT_PATH/$ACCOUNT_ID"

	mkdir -p "$ACCOUNT_PATH"

	for i in meta private_key regr; do
	vault kv get --format=json "secret/lets-encrypt/account/$i" \| \
	jq -c '.data.data' \
	> "$ACCOUNT_PATH/$i.json"
	done

	echo "dns_dnsimple_token = $(vault kv get --format=json secret/dnsimple \| jq -r '.data.data.token')" > /etc/letsencrypt/dnsimple.ini
	chmod 600 /etc/letsencrypt/dnsimple.ini

	CERTIFICATES_TO_CHECK=$(vault kv list --format=json secret/lets-encrypt/certificates \| jq -r '.[]')

	mkdir -p /etc/letsencrypt/renewal

	for certificate in $CERTIFICATES_TO_CHECK; do
	CERTIFICATE_DATA=$(vault kv get --format=json "secret/beyond/lets-encrypt-certificates/certificates/${certificate}")
	mkdir -p "/etc/letsencrypt/archive/${certificate}"
	mkdir -p "/etc/letsencrypt/live/${certificate}"
	for field in cert chain privkey; do
	cat > "/etc/letsencrypt/archive/${certificate}/${field}1.pem" <<EOF
	$(echo "${CERTIFICATE_DATA}" \| jq -r ".data.data.${field}")
	EOF
	ln \
	-s "../../archive/${certificate}/${field}1.pem" \
	"/etc/letsencrypt/live/${certificate}/${field}.pem"
	done

	cat \
	"/etc/letsencrypt/archive/${certificate}/cert1.pem" \
	"/etc/letsencrypt/archive/${certificate}/chain1.pem" \
	> "/etc/letsencrypt/archive/${certificate}/fullchain1.pem"
	ln \
	-s "../../archive/${certificate}/fullchain1.pem" \
	"/etc/letsencrypt/live/${certificate}/fullchain.pem"

	cat > "/etc/letsencrypt/renewal/$certificate.conf" <<EOF
	version = 0.33.1
	archive_dir = /etc/letsencrypt/archive/$certificate
	cert = /etc/letsencrypt/live/$certificate/cert.pem
	privkey = /etc/letsencrypt/live/$certificate/privkey.pem
	chain = /etc/letsencrypt/live/$certificate/chain.pem
	fullchain = /etc/letsencrypt/live/$certificate/fullchain.pem
	# Options used in the renewal process
	[renewalparams]
	authenticator = dns-dnsimple
	account = $ACCOUNT_ID
	dns_dnsimple_credentials = /etc/letsencrypt/dnsimple.ini
	server = https://acme-v02.api.letsencrypt.org/directory
	EOF
	done