Use the certbot google-dns plugin to generate and store letsencrypt certs
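#!/usr/bin/env bash
#
# Issue a Let's Encrypt certificate for one domain with certbot's dns-google
# plugin (run in Docker), encrypt the resulting archive with Cloud KMS, copy the
# ciphertext to a GCS bucket and register the certificate with Compute Engine.
#
# Usage: script -p <gcp-project> -d <domain> -e <account-email>
# Requires gcloud, gsutil and docker on PATH; an already authenticated gcloud
# session is assumed.

# Stop at the first failing command, unset variable or failed pipeline stage:
# later steps (key creation, encryption, upload) must not run on partial state.
set -euo pipefail

project=""
domain=""
email=""

# Scratch directory for certbot's state and the plaintext archive; it is
# removed by the EXIT trap so private keys do not outlive the run.
tmpdir=$(mktemp -d)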
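#######################################
# EXIT-trap handler: delete the scratch directory and everything certbot wrote
# into it (private keys included).
# Globals:  tmpdir (read) — must be set and non-empty; the ':?' expansion
#           aborts instead of letting 'rm -rf' run on an empty path.
# Returns:  0 on success, non-zero if tmpdir is unset/empty or rm fails
#######################################
finish() {
  rm -rf -- "${tmpdir:?}"
}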
# Clean the scratch directory on every exit path, including the error exits
# in the option parser below.
trap finish EXIT

# Option parsing. The leading ':' silences getopts' own diagnostics so the
# ':' (missing argument) and '?' (unknown option) arms report them instead.
while getopts ':p:d:e:' opt; do
  case "$opt" in
    p) project=$OPTARG ;;
    d) domain=$OPTARG ;;
    e) email=$OPTARG ;;
    :)
      echo "Invalid option: $OPTARG requires an argument" 1>&2
      exit 1
      ;;
    \?)
      echo "Invalid Option: -$OPTARG" 1>&2
      exit 1
      ;;
  esac
done
# Drop the parsed options so any remaining words are positional arguments.
shift $((OPTIND - 1))
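# All three options are mandatory. Complaints go to stderr so they are not
# mistaken for script output when stdout is captured by a caller.
if [[ -z "$project" ]]; then
  echo "Must provide -p for project" >&2
  exit 1
fi
if [[ -z "$domain" ]]; then
  echo "Must provide -d for domain" >&2
  exit 1
fi
if [[ -z "$email" ]]; then
  echo "Must provide -e for email" >&2
  exit 1
fi

# Record the effective settings so a log of the run shows what was requested.
echo "Running with google project: $project"
echo "Running with domain: $domain"
echo "Running with email: $email"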
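# A dedicated service account keeps the DNS-challenge credential separate from
# any human identity or broader automation account.
readonly SERVICE_ACCOUNT_NAME=certbot
readonly SERVICE_ACCOUNT="$SERVICE_ACCOUNT_NAME@$project.iam.gserviceaccount.com"
readonly key_file="$HOME/certbot/gcpkey.json"

# Match the full e-mail on a whole line: a substring grep for "certbot" would
# also be satisfied by e.g. "certbot-old@..." and silently skip creation.
# grep reads all of gcloud's output (no -q) so the producer never sees EPIPE.
if ! gcloud iam service-accounts list --project "$project" --format='value(email)' \
    | grep -xF -- "$SERVICE_ACCOUNT" >/dev/null; then
  gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" \
    --project "$project" \
    --display-name certbot
  # roles/dns.admin is what this script has always granted. A custom role
  # limited to the record-change permissions certbot needs would be tighter;
  # check the dns-google plugin documentation for the exact list.
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$SERVICE_ACCOUNT" \
    --role roles/dns.admin
fi

# The key is a long-lived bearer credential: create it once and keep it
# readable by the owner only, from the moment it is written.
if [[ ! -f "$key_file" ]]; then
  mkdir -p "$HOME/certbot"
  chmod 700 "$HOME/certbot"
  # umask 077 in a subshell so the file is never group/world-readable, even
  # briefly, without changing the umask for the rest of the script.
  (umask 077 && gcloud iam service-accounts keys create "$key_file" \
    --iam-account "$SERVICE_ACCOUNT")
  chmod 600 "$key_file"
fi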
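# certbot's state lives under the scratch dir so issued keys never persist past
# the EXIT trap. The service-account key directory ($HOME/certbot, created
# above) is mounted read-only at the path passed to --dns-google-credentials;
# the file name must match the one written by 'keys create'.
mkdir -p "${tmpdir}/etc" "${tmpdir}/var"
# --net=host is kept from the original. The DNS-01 flow only needs outbound
# connectivity, so the default bridge network is likely enough — confirm and
# drop the flag if it is.
docker run \
  --rm \
  --name certbot \
  --net=host \
  -v "${tmpdir}/etc:/etc/letsencrypt" \
  -v "${tmpdir}/var:/var/lib/letsencrypt" \
  -v "${HOME}/certbot:/var/lib/certbot:ro" \
  -e "GOOGLE_CLOUD_PROJECT=$project" \
  certbot/dns-google \
  certonly --dns-google \
  --email "$email" \
  --agree-tos \
  -n \
  --dns-google-propagation-seconds 120 \
  --dns-google-credentials /var/lib/certbot/gcpkey.json \
  -d "$domain"

# NOTE(review): files under ${tmpdir}/etc are created by the container's user
# (typically root); the tar and gcloud steps below need read access to them.

# The plaintext tarball contains the private key, so it stays inside tmpdir
# and is wiped by the trap; only the KMS ciphertext lands in the working dir.
archive="${tmpdir}/${domain}.tar.gz"
ciphertext="${domain}.tar.gz.enc"
tar -czf "$archive" -C "${tmpdir}/etc" archive
gcloud kms encrypt \
  --ciphertext-file="$ciphertext" \
  --plaintext-file="$archive" \
  --keyring=fe-xmain-app \
  --key=key-0 \
  --location=global

# Dots are replaced in the bucket name (dotted names require domain
# verification). 'mb' fails on an existing bucket, so create it only when
# it is missing, which keeps re-runs working under 'set -e'.
bucket_name=${domain//./-}
bucket="gs://${bucket_name}-certs/"
gsutil ls -b "$bucket" >/dev/null 2>&1 || gsutil mb "$bucket"
gsutil cp "$ciphertext" "$bucket"

# certbot's live/<domain>/ holds symlinks to the newest archive files;
# fullchain.pem carries the intermediate the load balancer must present.
# NOTE(review): the certificate resource name is reused across runs, so a
# second run fails here until the old resource is deleted or a suffix is added.
live="${tmpdir}/etc/live/${domain}"
gcloud compute ssl-certificates create "$bucket_name" \
  --certificate="${live}/fullchain.pem" \
  --private-key="${live}/privkey.pem"
# No explicit cleanup here: the EXIT trap removes tmpdir and the plaintext.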