Use the certbot google-dns plugin to generate and store Let's Encrypt certs
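#!/usr/bin/env bash
# Obtain a Let's Encrypt certificate for one domain with the certbot
# google-dns plugin (DNS-01 challenge), encrypt the certbot archive with
# Cloud KMS, upload it to a GCS bucket and register it as a compute
# ssl-certificate.
#
# Usage: script -p <gcp project> -d <domain> -e <account email>
#
# Strict mode: a failed gcloud/docker step must stop the run instead of
# silently uploading or registering an incomplete result.
set -euo pipefail

project=""   # -p: GCP project that owns the Cloud DNS zone and the service account
domain=""    # -d: domain to issue the certificate for
email=""     # -e: Let's Encrypt account email
# Scratch directory for certbot state and the temporary service-account key
# copy; the EXIT trap removes it, so private material never outlives the run.
tmpdir=$(mktemp -d)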
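#######################################
# Remove the scratch directory (certbot state plus the copied service-account
# key). Runs from the EXIT trap.
# Globals:   tmpdir (read)
# Returns:   rm's status; aborts with a message if tmpdir is empty/unset so
#            an empty expansion can never turn this into `rm -rf ""`.
#######################################
finish() {
  rm -rf -- "${tmpdir:?}"
}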
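trap finish EXIT

readonly SERVICE_ACCOUNT_NAME=certbot
# Cloud KMS key that protects the archive at rest in the bucket.
readonly KMS_KEYRING=fe-xmain-app
readonly KMS_KEY=key-0
readonly KMS_LOCATION=global
# Long-lived service-account key kept on this host between runs.
readonly KEY_DIR="$HOME/certbot"
readonly KEY_FILE="$KEY_DIR/gcpkey.json"
SERVICE_ACCOUNT=""

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Parse -p/-d/-e and validate them.
# Globals:   project, domain, email (written)
# Arguments: the script's argv
# Returns:   0, or exits 1 via die on a missing/invalid option
#######################################
parse_args() {
  local opt
  while getopts ":p:d:e:" opt; do
    case "$opt" in
      p) project=$OPTARG ;;
      d) domain=$OPTARG ;;
      e) email=$OPTARG ;;
      :) die "Invalid option: $OPTARG requires an argument" ;;
      \?) die "Invalid Option: -$OPTARG" ;;
    esac
  done
  [[ -n "$project" ]] || die "Must provide -p for project"
  [[ -n "$domain" ]] || die "Must provide -d for domain"
  [[ -n "$email" ]] || die "Must provide -e for email"
  # The domain is interpolated into a bucket name, a tar path and a
  # compute resource name; only accept hostname characters (optional
  # leading wildcard label) so a stray value cannot become a path or
  # resource-name injection further down.
  local re='^(\*\.)?[A-Za-z0-9.-]+$'
  [[ "$domain" =~ $re ]] || die "Invalid domain: $domain"
}

#######################################
# Create the certbot service account and grant it DNS admin on the project
# if it does not exist yet.
# Globals:   SERVICE_ACCOUNT, SERVICE_ACCOUNT_NAME, project (read)
#######################################
ensure_service_account() {
  # `describe` checks for exactly this account; the original substring grep
  # over `list` also matched any other account whose email or display name
  # contained "certbot".
  if gcloud iam service-accounts describe "$SERVICE_ACCOUNT" --project "$project" >/dev/null 2>&1; then
    return 0
  fi
  gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" --display-name certbot --project "$project"
  # roles/dns.admin is project-wide; if the project hosts other zones a
  # narrower custom role limits the blast radius of the key created below.
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${SERVICE_ACCOUNT}" \
    --role roles/dns.admin
}

#######################################
# Create the service-account key file on first run, readable only by the
# current user.
# Globals:   KEY_DIR, KEY_FILE, SERVICE_ACCOUNT (read)
#######################################
ensure_key() {
  if [[ -f "$KEY_FILE" ]]; then
    return 0
  fi
  mkdir -p "$KEY_DIR"
  chmod 700 "$KEY_DIR"
  # umask so the key is never world-readable, even for an instant.
  (
    umask 077
    gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$SERVICE_ACCOUNT"
  )
  chmod 600 "$KEY_FILE"
}

#######################################
# Run certbot in the dns-google container against the scratch directory.
# Globals:   tmpdir, KEY_FILE, project, email, domain (read)
# Outputs:   certbot archive under ${tmpdir}/etc/archive/${domain}/
#######################################
issue_cert() {
  mkdir -p "${tmpdir}/etc" "${tmpdir}/var" "${tmpdir}/certbot"
  # certbot reads the credentials at /var/lib/certbot/key.json inside the
  # container; that path is the mounted scratch dir, so the key has to be
  # copied there (the original never did, so the plugin could not authenticate).
  install -m 600 "$KEY_FILE" "${tmpdir}/certbot/key.json"
  # DNS-01 only needs outbound connectivity, so the container keeps the
  # default network namespace instead of --net=host; the credentials mount
  # is read-only.
  docker run \
    --rm \
    --name certbot \
    -v "${tmpdir}/etc:/etc/letsencrypt" \
    -v "${tmpdir}/var:/var/lib/letsencrypt" \
    -v "${tmpdir}/certbot:/var/lib/certbot:ro" \
    -e "GOOGLE_CLOUD_PROJECT=$project" \
    certbot/dns-google \
    certonly --dns-google \
    --email "$email" \
    --agree-tos \
    -n \
    --dns-google-propagation-seconds 120 \
    --dns-google-credentials "/var/lib/certbot/key.json" \
    -d "$domain"
}

#######################################
# Archive the certbot output, encrypt it with KMS, upload the ciphertext
# and register the certificate with compute.
# Globals:   tmpdir, domain, KMS_* (read)
# Outputs:   ${domain}.tar.gz.enc in the current directory
#######################################
package_and_upload() {
  local archive="${domain}.tar.gz"
  local bucket_name=${domain//./-}
  local cert_dir="${tmpdir}/etc/archive/${domain}"
  # The archive lives under the /etc/letsencrypt mount, i.e. ${tmpdir}/etc,
  # not ${tmpdir}/letsencrypt/etc. The plaintext tarball stays inside tmpdir
  # so the EXIT trap removes it; only the ciphertext is written to cwd.
  tar -czf "${tmpdir}/${archive}" -C "${tmpdir}/etc" archive
  gcloud kms encrypt \
    --ciphertext-file="${archive}.enc" \
    --plaintext-file="${tmpdir}/${archive}" \
    --keyring="$KMS_KEYRING" \
    --key="$KMS_KEY" \
    --location="$KMS_LOCATION"
  # mb fails on an existing bucket, which would abort the run under set -e.
  if ! gsutil ls -b "gs://${bucket_name}-certs/" >/dev/null 2>&1; then
    gsutil mb "gs://${bucket_name}-certs/"
  fi
  gsutil cp "${archive}.enc" "gs://${bucket_name}-certs/"
  # Paths point into the certbot archive; the bare cert1.pem/privkey1.pem
  # of the original resolved against cwd, where they do not exist.
  # NOTE(review): a load balancer usually needs the chain too — confirm
  # whether fullchain1.pem should be used here instead of cert1.pem.
  gcloud compute ssl-certificates create "$bucket_name" \
    --certificate="${cert_dir}/cert1.pem" \
    --private-key="${cert_dir}/privkey1.pem"
}

#######################################
# Entry point.
# Arguments: the script's argv
#######################################
main() {
  parse_args "$@"
  SERVICE_ACCOUNT="${SERVICE_ACCOUNT_NAME}@${project}.iam.gserviceaccount.com"
  printf 'Running with google project: %s\n' "$project"
  printf 'Running with domain: %s\n' "$domain"
  printf 'Running with email: %s\n' "$email"
  ensure_service_account
  ensure_key
  issue_cert
  package_and_upload
}

main "$@"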