diff --git a/README.md b/README.md index f395e49a..c61dad9a 100644 --- a/README.md +++ b/README.md @@ -320,6 +320,7 @@ You don't have to do anything manually! 1. Loopia.se API 1. acme-dns (https://github.com/joohoi/acme-dns) 1. TELE3 (https://www.tele3.cz) +1. Netcup DNS API (https://www.netcup.de) And: diff --git a/deploy/README.md b/deploy/README.md index 0b820dff..181989da 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -255,3 +255,23 @@ acme.sh --deploy -d fritzbox.example.com --deploy-hook fritzbox ```sh acme.sh --deploy -d ftp.example.com --deploy-hook strongswan ``` + +## 10. Deploy the cert to HAProxy + +You must specify the path where you want the concatenated key and certificate chain written. +```sh +export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy +``` + +You may optionally define the command to reload HAProxy. The value shown below will be used as the default if you don't set this environment variable. + +```sh +export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy restart" +``` + +You can then deploy the certificate as follows +```sh +acme.sh --deploy -d haproxy.example.com --deploy-hook haproxy +``` + +The path for the PEM file will be stored with the domain configuration and will be available when renewing, so that deploy will happen automatically when renewed. diff --git a/deploy/haproxy.sh b/deploy/haproxy.sh index 34efbb1f..5c1a40e2 100644 --- a/deploy/haproxy.sh +++ b/deploy/haproxy.sh 
@@ -20,7 +20,39 @@ haproxy_deploy() {
   _debug _cca "$_cca"
   _debug _cfullchain "$_cfullchain"
 
-  _err "deploy cert to haproxy server, Not implemented yet"
-  return 1
+  # handle reload preference
+  DEFAULT_HAPROXY_RELOAD="/usr/sbin/service haproxy restart"
+  if [ -z "${DEPLOY_HAPROXY_RELOAD}" ]; then
+    _reload="${DEFAULT_HAPROXY_RELOAD}"
+    _cleardomainconf DEPLOY_HAPROXY_RELOAD
+  else
+    _reload="${DEPLOY_HAPROXY_RELOAD}"
+    _savedomainconf DEPLOY_HAPROXY_RELOAD "$DEPLOY_HAPROXY_RELOAD"
+  fi
+  _savedomainconf DEPLOY_HAPROXY_PEM_PATH "$DEPLOY_HAPROXY_PEM_PATH"
+
+  # work out the path where the PEM file should go
+  _pem_path="${DEPLOY_HAPROXY_PEM_PATH}"
+  if [ -z "$_pem_path" ]; then
+    _err "Path to save PEM file not found. Please define DEPLOY_HAPROXY_PEM_PATH."
+    return 1
+  fi
+  _pem_full_path="$_pem_path/$_cdomain.pem"
+  _info "Full path to PEM $_pem_full_path"
+
+  # combine the key and fullchain into a single pem and install
+  cat "$_cfullchain" "$_ckey" >"$_pem_full_path"
+  chmod 600 "$_pem_full_path"
+  _info "Certificate successfully deployed"
+
+  # restart HAProxy
+  _info "Run reload: $_reload"
+  if eval "$_reload"; then
+    _info "Reload success!"
+    return 0
+  else
+    _err "Reload error"
+    return 1
+  fi
 
 }
diff --git a/dnsapi/README.md b/dnsapi/README.md
index ef6c9d09..dd200b1e 100644
--- a/dnsapi/README.md
+++ b/dnsapi/README.md
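Review bot: The PEM holding the private key is produced by `cat "$_cfullchain" "$_ckey" >"$_pem_full_path"` under whatever umask the caller has, and only locked down by the `chmod 600` on the next line, so a freshly created file is briefly readable at the default mode and a pre-existing world-readable file keeps that mode while the key is written into it; the redirection's exit status is also never checked, so a failed write (missing directory, disk full) still logs "Certificate successfully deployed" and reloads HAProxy against an empty or truncated PEM. Writing to a private temp file in the target directory, checking the write, then renaming into place closes both gaps and also keeps HAProxy from ever reading a half-written file. Note also that `eval "$_reload"` runs whatever string was persisted as DEPLOY_HAPROXY_RELOAD in the domain conf on every renewal; that looks intentional, but it deserves a comment since the conf file is now effectively a command source. haproxy_deploy's header lies outside the hunk; `mktemp` is shown below but the project's own temp helper, if it has one, would be the better fit.
```sh
  # combine the key and fullchain into a single pem and install.
  # Write to a mode-0600 temp file in the same directory and rename it
  # into place, so the key is never world-readable and HAProxy never
  # sees a partially written PEM.
  _pem_tmp="$(mktemp "$_pem_path/.$_cdomain.pem.XXXXXX")" || {
    _err "Could not create temp file in $_pem_path"
    return 1
  }
  if ! cat "$_cfullchain" "$_ckey" >"$_pem_tmp"; then
    _err "Error writing PEM to $_pem_tmp"
    rm -f "$_pem_tmp"
    return 1
  fi
  chmod 600 "$_pem_tmp"
  if ! mv -f "$_pem_tmp" "$_pem_full_path"; then
    _err "Could not install $_pem_full_path"
    rm -f "$_pem_tmp"
    return 1
  fi
  _info "Certificate successfully deployed"
  # … unchanged: reload …
```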
@@ -876,6 +876,24 @@ acme.sh --issue --dns dns_tele3 -d example.com -d *.example.com ``` The TELE3_Key and TELE3_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed. + +## 47. Use Netcup DNS API to automatically issue cert + +First you need to login to your CCP account to get your API Key and API Password. +``` +export NC_Apikey="" +export NC_Apipw="" +export NC_CID="" +``` + +Now, let's issue a cert: +``` +acme.sh --issue --dns dns_netcup -d example.com -d www.example.com +``` + +The `NC_Apikey`,`NC_Apipw` and `NC_CID` will be saved in `~/.acme.sh/account.conf` and will be reused when needed. + + # Use custom API If your API is not supported yet, you can write your own DNS API. diff --git a/dnsapi/dns_netcup.sh b/dnsapi/dns_netcup.sh new file mode 100644 index 00000000..85928e4f --- /dev/null +++ b/dnsapi/dns_netcup.sh 
@@ -0,0 +1,133 @@
+#!/usr/bin/env sh
+
+#Requirments: jq
+
+NC_Apikey="${NC_Apikey:-$(_readaccountconf_mutable NC_Apikey)}"
+NC_Apipw="${NC_Apipw:-$(_readaccountconf_mutable NC_Apipw)}"
+NC_CID="${NC_CID:-$(_readaccountconf_mutable NC_CID)}"
+end=https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON
+client=""
+
+dns_netcup_add() {
+  login
+  if [ "$NC_Apikey" = "" ] || [ "$NC_Apipw" = "" ] || [ "$NC_CID" = "" ]; then
+    _err "No Credentials given"
+    return 1
+  fi
+  fulldomain=$1
+  txtvalue=$2
+  tld=""
+  domain=""
+  exit=0
+  for (( i=20; i>0; i--))
+  do
+    tmp=$(cut -d'.' -f$i <<< $fulldomain)
+    if [ "$tmp" != "" ]; then
+      if [ "$tld" = "" ]; then
+        tld=$tmp
+      else
+        domain=$tmp
+        exit=$i
+        break;
+      fi
+    fi
+  done
+  inc=""
+  for (( i=1; i<($exit); i++))
+  do
+    if [ "$((exit-1))" = "$i" ]; then
+      inc="$inc$i"
+      break;
+    else
+      if [ "$inc" = "" ]; then
+        inc="$i,"
+      else
+        inc="$inc$i,"
+      fi
+    fi
+  done
+  tmp=$(cut -d'.' -f$inc <<< $fulldomain)
+  msg=$(_post "{\"action\": \"updateDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\",\"clientrequestid\": \"$client\" , \"domainname\": \"$domain.$tld\", \"dnsrecordset\": { \"dnsrecords\": [ {\"id\": \"\", \"hostname\": \"$tmp\", \"type\": \"TXT\", \"priority\": \"\", \"destination\": \"$txtvalue\", \"deleterecord\": \"false\", \"state\": \"yes\"} ]}}}" $end "" "POST")
+  _debug "$msg"
+  if [ $(echo $msg | jq -r .status) != "success" ]; then
+    _err "$msg"
+    return 1
+  fi
+  logout
+}
+
+dns_netcup_rm() {
+  login
+  fulldomain=$1
+  txtvalue=$2
+  tld=""
+  domain=""
+  exit=0
+  for (( i=20; i>0; i--))
+  do
+    tmp=$(cut -d'.' -f$i <<< $fulldomain)
+    if [ "$tmp" != "" ]; then
+      if [ "$tld" = "" ]; then
+        tld=$tmp
+      else
+        domain=$tmp
+        exit=$i
+        break;
+      fi
+    fi
+  done
+  inc=""
+  for (( i=1; i<($exit); i++))
+  do
+    if [ "$((exit-1))" = "$i" ]; then
+      inc="$inc$i"
+      break;
+    else
+      if [ "$inc" = "" ]; then
+        inc="$i,"
+      else
+        inc="$inc$i,"
+      fi
+    fi
+  done
+  tmp=$(cut -d'.' -f$inc <<< $fulldomain)
+  doma="$domain.$tld"
+  rec=$(getRecords $doma)
+  ids=$(echo $rec | jq -r ".[]|select(.destination==\"$txtvalue\")|.id")
+  msg=$(_post "{\"action\": \"updateDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\",\"clientrequestid\": \"$client\" , \"domainname\": \"$doma\", \"dnsrecordset\": { \"dnsrecords\": [ {\"id\": \"$ids\", \"hostname\": \"$tmp\", \"type\": \"TXT\", \"priority\": \"\", \"destination\": \"$txtvalue\", \"deleterecord\": \"TRUE\", \"state\": \"yes\"} ]}}}" $end "" "POST")
+  _debug "$msg"
+  if [ $(echo $msg | jq -r .status) != "success" ]; then
+    _err "$msg"
+    return 1
+  fi
+  logout
+}
+
+login() {
+  tmp=$(_post '{"action": "login", "param": {"apikey": "'$NC_Apikey'", "apipassword": "'$NC_Apipw'", "customernumber": "'$NC_CID'"}}' $end "" "POST")
+  sid=$(echo ${tmp} | jq -r .responsedata.apisessionid)
+  _debug "$tmp"
+  if [ $(echo $tmp | jq -r .status) != "success" ]; then
+    _err "$tmp"
+    return 1
+  fi
+}
+logout() {
+  tmp=$(_post '{"action": "logout", "param": {"apikey": "'$NC_Apikey'", "apisessionid": "'$sid'", "customernumber": "'$NC_CID'"}}' $end "" "POST")
+  _debug "$tmp"
+  if [ $(echo $tmp | jq -r .status) != "success" ]; then
+    _err "$tmp"
+    return 1
+  fi
+}
+getRecords() {
+  tmp2=$(_post "{\"action\": \"infoDnsRecords\", \"param\": {\"apikey\": \"$NC_Apikey\", \"apisessionid\": \"$sid\", \"customernumber\": \"$NC_CID\", \"domainname\": \"$1\"}}" $end "" "POST")
+  xxd=$(echo ${tmp2} | jq -r '.responsedata.dnsrecords | .[]')
+  xcd=$(echo $xxd | sed 's/} {/},{/g')
+  echo "[ $xcd ]"
+  _debug "$tmp2"
+  if [ $(echo $tmp2 | jq -r .status) != "success" ]; then
+    _err "$tmp2"
+    return 1
+  fi
+}
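Review bot: Every status check in this file is written as `if [ $(echo $msg | jq -r .status) != "success" ]` with the command substitution unquoted, so when `_post` returns nothing or non-JSON (curl failure, an HTML error page) jq prints an empty string, the test collapses to `[ != "success" ]`, which is simply false, and the function falls through to `logout` and reports success without the record having been created; `login` has the same check, and `dns_netcup_add`/`dns_netcup_rm` ignore its return code anyway, so a failed login still sends an update with `apisessionid` set to `null`. Quote both expansions, `if [ "$(echo "$msg" | jq -r .status)" != "success" ]; then`, and call it as `login || return 1`. The API key, API password and `$txtvalue` are also spliced raw into the JSON request bodies and, in `dns_netcup_rm`, into the jq filter `".[]|select(.destination==\"$txtvalue\")|.id"`; a quote or backslash in the password corrupts the request, and the filter should pass the value safely as `jq -r --arg v "$txtvalue" '.[]|select(.destination==$v)|.id'`. Finally, the file declares `#!/usr/bin/env sh` but relies on the bash-only `for (( ... ))` loops and `<<<` here-strings (and names a variable `exit`), so it will not run under the dash/ash shells acme.sh otherwise supports.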