-
-
Save unicornware/0290fdec5496fff43a82543d76f768f8 to your computer and use it in GitHub Desktop.
Certbot x Google Cloud DNS - Local Machine to Project Directory & Local Machine to VM Transfers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Environment Variables | |
CERTBOT_DOMAINS="*.$TLD,*.api.$TLD,*.db.$TLD,*.docs.$TLD,*.redis.$TLD" | |
CERTBOT_EMAIL=<email-address> | |
GCLOUD_PROJECT=<project-id> | |
TLD=<top-level-domain> | |
VM_IDENTITY_FILE=~/.ssh/ubuntu_rsa | |
VM_IP=<vm-static-ip> | |
VM_USER=ubuntu |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/zsh | |
# Certbot x Google Cloud DNS | |
# | |
# Prerequesites: | |
# | |
# 1. Setup a domain using Cloud DNS | |
# - https://cloud.google.com/dns/docs/tutorials/create-domain-tutorial | |
# 2. Install Google Cloud SDK | |
# - brew install --cask google-cloud-sdk | |
# 3. Install certbot | |
# - brew install certbot | |
# 4. Install python (and pip3) | |
# - brew install python | |
# 5. Install certbot-dns-google plugin | |
# - pip3 install certbot-dns-google | |
# - https://certbot-dns-google.readthedocs.io/en/stable | |
# 6. Create service account for certbot | |
# - sudo gcloud iam service-accounts create certbot --project $GCLOUD_PROJECT | |
# 7. Assign dns admin permissions to certbot service account | |
# - SA=certbot@$GCLOUD_PROJECT.iam.gserviceaccount.com | |
# - sudo gcloud projects add-iam-policy-binding $GCLOUD_PROJECT | |
# --role=roles/dns.admin --member=serviceAccount:$SA | |
# | |
# Usage: | |
# | |
# $ chmod +x ./tools/scripts/certbot-google-dns.sh | |
# $ CERTBOT_DOMAINS=<certbot-domains-list> | |
# $ CERTBOT_EMAIL=<email> | |
# $ GCLOUD_PROJECT=<project-id> | |
# $ ./tools/scripts/certbot-google-dns.sh | |
# | |
# References: | |
# | |
# - https://brew.sh | |
# - https://certbot.eff.org/renewal-setup | |
# - https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts | |
# - https://itsmetommy.com/2019/08/03/auto-renew-lets-encrypt-wildcard-certificate-using-google-cloud-dns | |
# - http://andrewcmaxwell.com/2014/07/how-to-add-a-custom-subdomain-using-google-cloud-dns | |
certbot_google_dns() { | |
# Domains list and letsencrypt account email | |
local DOMAINS=$CERTBOT_DOMAINS | |
local EMAIL=$CERTBOT_EMAIL | |
# Service account email | |
local SA=certbot@$GCLOUD_PROJECT.iam.gserviceaccount.com | |
GCLOUD_SA_CERTBOT=$SA | |
# Path to private key file | |
local PK=~/.service-accounts/google/$GCLOUD_SA_CERTBOT.json | |
GCLOUD_SA_CERTBOT_PK=$PK | |
# 3. Create private key for service account | |
[ ! -f $PK ] && gcloud iam service-accounts keys create $PK --iam-account=$SA | |
# 4. Create certificate(s) | |
sudo certbot certonly --dns-google --dns-google-credentials $PK -d $DOMAINS -m $EMAIL -v $@ | |
# 5. Fix permissions | |
sudo chmod 0755 /etc/letsencrypt/{live,archive} | |
sudo chgrp -R staff /etc/letsencrypt/live/$TLD/privkey.pem | |
sudo chmod 0640 /etc/letsencrypt/live/$TLD/privkey.pem | |
} | |
certbot_google_dns |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/zsh | |
# Certbot x Google Cloud DNS - Local | |
# | |
# Usage: | |
# | |
# $ chmod +x ./tools/scripts/certbot-local.sh | |
# $ CERTBOT_DOMAINS=<certbot-domains-list> | |
# $ CERTBOT_EMAIL=<certbot-email> | |
# $ ./tools/scripts/certbot-local.sh | |
certbot_local() { | |
local CERTBOT_DIR_VM_USER=/home/$VM_USER/letsencrypt | |
local DOMAINS=$CERTBOT_DOMAINS | |
local EMAIL=$CERTBOT_EMAIL | |
source ./tools/scripts/certbot-google-dns.sh | |
sudo rm -rf ./letsencrypt && mkdir ./letsencrypt | |
mkdir ./letsencrypt/{archive,live} | |
sudo cp -rf /etc/letsencrypt/archive/$TLD ./letsencrypt/archive/$TLD | |
sudo cp -rf /etc/letsencrypt/live/$TLD ./letsencrypt/live/$TLD | |
sudo cp -rf /etc/letsencrypt/ssl-dhparams.pem ./letsencrypt/ssl-dhparams.pem | |
} | |
certbot_local |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/zsh | |
# Certbot x Google Cloud DNS x VM | |
# | |
# Usage: | |
# | |
# $ chmod +x ./tools/scripts/certbot-vm.sh | |
# $ CERTBOT_DOMAINS=<certbot-domains-list> | |
# $ CERTBOT_EMAIL=<certbot-email> | |
# $ TLD=<top-level-domain> | |
# $ VM_IDENTITY_FILE=<path-to-scp-identify-file> | |
# $ VM_IP=<vm-ip-address> | |
# $ VM_USER=<vm-ip-address> | |
# $ ./tools/scripts/certbot-vm.sh | |
certbot_vm() { | |
local CERTBOT_DIR=/etc/letsencrypt | |
local DOMAINS=$CERTBOT_DOMAINS | |
local EMAIL=$CERTBOT_EMAIL | |
local SA_DIR=/Users/$USER/.service-accounts/google | |
local VM_ID=$VM_IDENTITY_FILE | |
local VM_SA_DIR=/home/$VM_USER/.service-accounts | |
source ./tools/scripts/certbot-google-dns.sh | |
sudo rm -rf ./letsencrypt && sudo cp -rf $CERTBOT_DIR ./ | |
sudo sed -i "" -e "s#$SA_DIR#$VM_SA_DIR#g" ./letsencrypt/renewal/$TLD.conf | |
sudo scp -i $VM_ID -p $GCLOUD_SA_CERTBOT_PK $VM_USER@$VM_IP:$VM_SA_DIR | |
sudo scp -i $VM_ID -r ./letsencrypt $VM_USER@$VM_IP:/home/$VM_USER | |
ssh -i $VM_ID -t $VM_USER@$VM_IP sudo rm -rf $CERTBOT_DIR | |
ssh -i $VM_ID -t $VM_USER@$VM_IP sudo mv /home/$VM_USER/letsencrypt /etc | |
sudo rm -rf ./letsencrypt | |
} | |
certbot_vm |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment