Fix SSL issuance
parent
bd57110ffa
commit
6080d75210
20
mbadmin.jps
20
mbadmin.jps
|
|
@ -108,12 +108,12 @@ onInstall:
|
||||||
else
|
else
|
||||||
echo "Skipping DNS plugin installation as Certbot wasn't installed";
|
echo "Skipping DNS plugin installation as Certbot wasn't installed";
|
||||||
fi
|
fi
|
||||||
# Install acme.sh
|
# Install Certbot DNS Bunny plugin
|
||||||
- if [ ! -f /root/.acme.sh/acme.sh ]; then
|
- if command -v certbot > /dev/null; then
|
||||||
echo "Installing acme.sh...";
|
echo "Installing Certbot DNS Bunny plugin...";
|
||||||
curl https://get.acme.sh | sh;
|
pip install certbot-dns-bunny || echo "Certbot DNS Bunny plugin installation failed but continuing";
|
||||||
else
|
else
|
||||||
echo "acme.sh is already installed.";
|
echo "Skipping Certbot DNS Bunny plugin installation as Certbot wasn't installed";
|
||||||
fi
|
fi
|
||||||
|
|
||||||
menu:
|
menu:
|
||||||
|
|
@ -482,14 +482,6 @@ settings:
|
||||||
type: text
|
type: text
|
||||||
caption: Domain Name
|
caption: Domain Name
|
||||||
required: true
|
required: true
|
||||||
- name: email
|
|
||||||
type: text
|
|
||||||
caption: Email Address
|
|
||||||
required: true
|
|
||||||
- name: bunny_api_key
|
|
||||||
type: password
|
|
||||||
caption: BunnyDNS API Key
|
|
||||||
required: true
|
|
||||||
sslRemoveConfig:
|
sslRemoveConfig:
|
||||||
submitUnchanged: true
|
submitUnchanged: true
|
||||||
fields:
|
fields:
|
||||||
|
|
@ -990,7 +982,7 @@ actions:
|
||||||
- cmd[cp]:
|
- cmd[cp]:
|
||||||
user: root
|
user: root
|
||||||
commands:
|
commands:
|
||||||
- bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --bunny-api-key="${settings.bunny_api_key}" --verbose
|
- bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --verbose
|
||||||
- return:
|
- return:
|
||||||
type: info
|
type: info
|
||||||
message: "SSL certificate issuance process via DNS challenge completed."
|
message: "SSL certificate issuance process via DNS challenge completed."
|
||||||
|
|
|
||||||
|
|
@ -112,20 +112,6 @@ on_exit() {
|
||||||
}
|
}
|
||||||
trap 'rc=$?; SCRIPT_EXIT_STATUS=$rc; on_exit' EXIT
|
trap 'rc=$?; SCRIPT_EXIT_STATUS=$rc; on_exit' EXIT
|
||||||
|
|
||||||
install_acme_sh() {
|
|
||||||
if ! command -v "$HOME/.acme.sh/acme.sh" &>/dev/null; then
|
|
||||||
log "acme.sh not found. Installing..."
|
|
||||||
if curl https://get.acme.sh | sh; then
|
|
||||||
log_success "acme.sh installed successfully."
|
|
||||||
else
|
|
||||||
log_error "Failed to install acme.sh."
|
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
log "acme.sh is already installed."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_command() {
|
check_command() {
|
||||||
local cmd="$1"
|
local cmd="$1"
|
||||||
local pkg="$2"
|
local pkg="$2"
|
||||||
|
|
@ -192,40 +178,40 @@ validate_http_access() {
|
||||||
|
|
||||||
issue_certificate_dns() {
|
issue_certificate_dns() {
|
||||||
local domain="$1"
|
local domain="$1"
|
||||||
local bunny_api_key="$2"
|
local creds_file="/etc/letsencrypt/bunny.ini"
|
||||||
local email="$3"
|
|
||||||
|
|
||||||
if [[ -z "$bunny_api_key" ]]; then
|
if [[ ! -f "$creds_file" ]]; then
|
||||||
log_error "BunnyDNS API key is required for DNS challenge."
|
log_error "DNS challenge credentials file not found at '$creds_file'."
|
||||||
|
log_error "Please create it with the following content:"
|
||||||
|
log_error "dns_bunny_api_key = your_api_key_here"
|
||||||
|
log_error "dns_bunny_account_email = your_email@example.com"
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
SCRIPT_EXIT_STATUS=1; return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
log "Issuing SSL certificate for domain '$domain' using DNS challenge..."
|
# Ensure permissions are correct for certbot
|
||||||
export BUNNY_API_KEY="$bunny_api_key"
|
sudo chmod 600 "$creds_file"
|
||||||
|
|
||||||
# Use acme.sh to issue the certificate
|
# Extract email from credentials file for the --email flag
|
||||||
"$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || {
|
local email
|
||||||
log_error "Failed to issue certificate for '$domain' using DNS challenge."
|
email=$(grep "dns_bunny_account_email" "$creds_file" | sed 's/.*= *//')
|
||||||
unset BUNNY_API_KEY
|
|
||||||
|
if [[ -z "$email" ]]; then
|
||||||
|
log_error "dns_bunny_account_email not set in '$creds_file'."
|
||||||
|
SCRIPT_EXIT_STATUS=1; return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
log "Issuing SSL certificate for domain '$domain' using certbot with DNS challenge..."
|
||||||
|
|
||||||
|
sudo certbot certonly \
|
||||||
|
--dns-bunny \
|
||||||
|
--dns-bunny-credentials "$creds_file" \
|
||||||
|
-d "$domain" \
|
||||||
|
--non-interactive --agree-tos --email "$email" || {
|
||||||
|
log_error "Failed to issue certificate for '$domain' using certbot DNS challenge."
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
SCRIPT_EXIT_STATUS=1; return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
log_success "Certificate successfully issued for '$domain' using DNS challenge."
|
log_success "Certificate successfully issued for '$domain' by certbot."
|
||||||
|
|
||||||
# Install the certificate to the standard Let's Encrypt directory
|
|
||||||
local cert_path="$CERT_DIR/$domain"
|
|
||||||
sudo mkdir -p "$cert_path"
|
|
||||||
"$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \
|
|
||||||
--key-file "$cert_path/privkey.pem" \
|
|
||||||
--fullchain-file "$cert_path/fullchain.pem" \
|
|
||||||
--reloadcmd "sudo systemctl restart lsws" || {
|
|
||||||
log_error "Failed to install certificate for '$domain'."
|
|
||||||
unset BUNNY_API_KEY
|
|
||||||
SCRIPT_EXIT_STATUS=1; return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
log_success "Certificate successfully installed for '$domain'."
|
|
||||||
unset BUNNY_API_KEY
|
|
||||||
}
|
}
|
||||||
|
|
||||||
issue_certificate() {
|
issue_certificate() {
|
||||||
|
|
@ -401,7 +387,6 @@ main() {
|
||||||
|
|
||||||
# Parse parameters
|
# Parse parameters
|
||||||
DNS_CHALLENGE=0
|
DNS_CHALLENGE=0
|
||||||
BUNNY_API_KEY=""
|
|
||||||
for arg in "$@"; do
|
for arg in "$@"; do
|
||||||
case $arg in
|
case $arg in
|
||||||
--public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
|
--public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
|
||||||
|
|
@ -412,14 +397,13 @@ main() {
|
||||||
--verbose) VERBOSE=1; log "Verbose mode enabled";;
|
--verbose) VERBOSE=1; log "Verbose mode enabled";;
|
||||||
--update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";;
|
--update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";;
|
||||||
--dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";;
|
--dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";;
|
||||||
--bunny-api-key=*) BUNNY_API_KEY="${arg#*=}";;
|
|
||||||
*) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
|
*) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
|
if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
|
||||||
[[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" ]] && {
|
[[ -z "$PRIMARY_DOMAIN" ]] && {
|
||||||
log_error "Missing required parameters for DNS challenge. Provide --domain and --email."
|
log_error "Missing required parameter for DNS challenge. Provide --domain."
|
||||||
SCRIPT_EXIT_STATUS=1; exit 1
|
SCRIPT_EXIT_STATUS=1; exit 1
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
@ -430,9 +414,9 @@ main() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
||||||
validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
|
||||||
|
|
||||||
if [[ "$DNS_CHALLENGE" -eq 0 ]]; then
|
if [[ "$DNS_CHALLENGE" -eq 0 ]]; then
|
||||||
|
validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
||||||
validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
||||||
validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
||||||
validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
|
||||||
|
|
@ -446,14 +430,10 @@ main() {
|
||||||
check_command curl curl
|
check_command curl curl
|
||||||
check_command openssl openssl
|
check_command openssl openssl
|
||||||
|
|
||||||
if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
|
|
||||||
install_acme_sh
|
|
||||||
fi
|
|
||||||
|
|
||||||
create_default_backup
|
create_default_backup
|
||||||
for domain in "${DOMAINS[@]}"; do
|
for domain in "${DOMAINS[@]}"; do
|
||||||
if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
|
if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
|
||||||
issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL"
|
issue_certificate_dns "$domain"
|
||||||
else
|
else
|
||||||
issue_certificate "$domain" "$EMAIL"
|
issue_certificate "$domain" "$EMAIL"
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue