@theeternalsw0rd
Created March 15, 2018 19:13
gcloud auth and cleanup hooks for certbot
There's a built-in timeout of 60 seconds for verifying that the record has reached the nameserver.
You may need to adjust this for your environment.
Since the script only checks against the first nameserver, it's possible that certbot
could validate despite the script saying the operation timed out. But if certbot fails and you see
that the operation timed out, that gives you a starting point for debugging.
#!/bin/bash
# certbot --manual-auth-hook: publish the ACME DNS-01 challenge as a TXT record in
# Cloud DNS and wait until the zone's first nameserver serves it.
if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]; then
    echo "Empty domain or validation."
    exit 1
fi

timeout=60            # seconds to wait for the record to show up on the nameserver
host="_acme-challenge"
zonefound=-1

# Parse the managed-zone list once; the three arrays are index-aligned per zone.
zonelist=$(gcloud dns managed-zones list --format=text)
zones=($(echo "${zonelist}" | grep "^name: " | sed "s/name:[ ]*//"))
domains=($(echo "${zonelist}" | grep "^dnsName:" | sed "s/dnsName:[ ]*//" | sed "s/\.$//"))
nameservers=($(echo "${zonelist}" | grep "^nameServers\[0\]" | sed "s/nameServers\[0\]:[ ]*//"))

# Pick the zone whose dnsName is the domain itself or a parent of it. A suffix match is
# used instead of an unanchored grep so that "example.com" does not match "notexample.com".
index=0
for item in "${domains[@]}"; do
    case "${CERTBOT_DOMAIN}" in
        "${item}"|*".${item}")
            zonefound=${index}
            break
            ;;
    esac
    index=$((index + 1))
done

if [ ${zonefound} -lt 0 ]; then
    echo "No managed zones found for the domain $CERTBOT_DOMAIN"
    exit 1
fi
zone="${zones[${zonefound}]}"
ns="${nameservers[${zonefound}]}"

# Add the TXT record inside a Cloud DNS transaction (transaction.yaml is written to the cwd).
rm -f transaction.yaml
gcloud dns record-sets transaction start -z="${zone}" 2> /dev/null
gcloud dns record-sets transaction add -z="${zone}" --name "${host}.${CERTBOT_DOMAIN}." --ttl 900 --type TXT "${CERTBOT_VALIDATION}" 2> /dev/null
if ! gcloud dns record-sets transaction execute -z="${zone}" 2> /dev/null; then
    rm -f transaction.yaml
    echo "Record not added to zone."
    exit 1
fi
rm -f transaction.yaml

# Poll the zone's first nameserver until the TXT record is visible, then give it a
# moment to settle before certbot asks the ACME server to validate.
timer=0
while : ; do
    if [ "$(dig -t txt "${host}.${CERTBOT_DOMAIN}" +short "@${ns}" | wc -l)" -gt 0 ]; then
        echo "Waiting 10 seconds for things to clear up."
        sleep 10
        exit 0
    fi
    if [ ${timer} -ge ${timeout} ]; then
        echo "Operation timed out."
        exit 1
    fi
    timer=$((timer + 1))
    sleep 1
done
#!/bin/bash
# certbot --manual-cleanup-hook: remove the challenge TXT record added by the auth hook
# and wait until the zone's first nameserver no longer serves it.
if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]; then
    echo "Empty domain or validation."
    exit 1
fi

timeout=60            # seconds to wait for the record to disappear from the nameserver
host="_acme-challenge"
zonefound=-1

# Same zone lookup as in the auth hook; the arrays are index-aligned per zone.
zonelist=$(gcloud dns managed-zones list --format=text)
zones=($(echo "${zonelist}" | grep "^name: " | sed "s/name:[ ]*//"))
domains=($(echo "${zonelist}" | grep "^dnsName:" | sed "s/dnsName:[ ]*//" | sed "s/\.$//"))
nameservers=($(echo "${zonelist}" | grep "^nameServers\[0\]" | sed "s/nameServers\[0\]:[ ]*//"))

index=0
for item in "${domains[@]}"; do
    case "${CERTBOT_DOMAIN}" in
        "${item}"|*".${item}")
            zonefound=${index}
            break
            ;;
    esac
    index=$((index + 1))
done

if [ ${zonefound} -lt 0 ]; then
    echo "No managed zones found for the domain $CERTBOT_DOMAIN"
    exit 1
fi
zone="${zones[${zonefound}]}"
ns="${nameservers[${zonefound}]}"

# The remove must name the exact record set (same name, TTL, type and value) that was added.
rm -f transaction.yaml
gcloud dns record-sets transaction start -z="${zone}" 2> /dev/null
gcloud dns record-sets transaction remove -z="${zone}" --name "${host}.${CERTBOT_DOMAIN}." --ttl 900 --type TXT "${CERTBOT_VALIDATION}" 2> /dev/null
if ! gcloud dns record-sets transaction execute -z="${zone}" 2> /dev/null; then
    rm -f transaction.yaml
    echo "Record not removed from zone."
    exit 1
fi
rm -f transaction.yaml

# Poll the zone's first nameserver until the TXT record is gone.
timer=0
while : ; do
    if [ "$(dig -t txt "${host}.${CERTBOT_DOMAIN}" +short "@${ns}" | wc -l)" -eq 0 ]; then
        exit 0
    fi
    if [ ${timer} -ge ${timeout} ]; then
        echo "Operation timed out."
        exit 1
    fi
    timer=$((timer + 1))
    sleep 1
done
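As an added example (not part of the gist), here is a zone lookup that fixes the two weak spots in the hooks above: it picks the managed zone whose dnsName is the longest suffix of the certbot domain (so a child zone such as dev.example.com wins over example.com), and it returns all of that zone's nameservers so the wait loop could poll every one instead of only nameServers[0]. The gcloud --format=text output below is a constructed sample, and find_zone is a helper name chosen here.

```bash
# Added example (not part of the gist): pick the Cloud DNS managed zone whose dnsName is
# the longest suffix of the certbot domain and return all of its nameservers.

# Constructed stand-in for `gcloud dns managed-zones list --format=text`, so this runs
# offline; a real hook would use ZONELIST=$(gcloud dns managed-zones list --format=text).
SAMPLE_ZONELIST='---
dnsName:                     example.com.
name:                        example-zone
nameServers[0]:              ns-cloud-a1.googledomains.com.
nameServers[1]:              ns-cloud-a2.googledomains.com.
---
dnsName:                     dev.example.com.
name:                        dev-zone
nameServers[0]:              ns-cloud-b1.googledomains.com.
nameServers[1]:              ns-cloud-b2.googledomains.com.
---
dnsName:                     other.org.
name:                        other-zone
nameServers[0]:              ns-cloud-c1.googledomains.com.'

# find_zone DOMAIN ZONELIST_TEXT  (hypothetical helper name)
# Prints "<zone name> <ns1> <ns2> ..." for the most specific zone that contains DOMAIN,
# or prints nothing and returns 1 when no zone's dnsName is DOMAIN or a parent of it.
find_zone() {
    printf '%s\n' "$2" | awk -v domain="$1" '
        # A zone record is complete when the next "---" or the end of input arrives.
        function flush() {
            if (dns != "" && (domain == dns ||
                substr(domain, length(domain) - length(dns)) == "." dns)) {
                # Keep only the longest matching dnsName (dev.example.com over example.com).
                if (length(dns) > length(best_dns)) { best_dns = dns; best = zone " " ns }
            }
            dns = ""; zone = ""; ns = ""
        }
        /^---/           { flush(); next }
        /^dnsName:/      { dns = $2; sub(/\.$/, "", dns) }
        /^name:/         { zone = $2 }
        /^nameServers\[/ { ns = (ns == "" ? $2 : ns " " $2) }
        END              { flush(); if (best != "") print best; exit (best == "" ? 1 : 0) }'
}

# In a hook: result=$(find_zone "$CERTBOT_DOMAIN" "$ZONELIST") || exit 1
#            zone=${result%% *}; nameservers=${result#* }   # then dig each nameserver
```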