
Commit 2e8c2b5

Add DNS updates with deSEC (#1920)
1 parent e58a408 commit 2e8c2b5

2 files changed

+64
-26
lines changed


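--- a/addons/desec.sh
+++ b/addons/desec.sh
@@ -89,10 +89,6 @@ done
 if yesno_box_yes "Do you want to add automatic updates of your WAN IP using ddclient?
 Please note: this will reset any configuration that might be already in place with ddclient."
 then
-# Add DynDNS
-# WANIP6=$(curl -s -k -m 5 https://ipv6bot.whatismyipaddress.com)
-# curl --user "$DEDYNDOMAIN":"$DEDYNAUTHTOKEN" \
-# https://update.dedyn.io/?myipv4="$WANIP4"\&myipv6="$WANIP6" >/dev/null 2>&1
 export DEDYNDOMAIN
 export DEDYNAUTHTOKEN
 run_script NETWORK ddclient-configuration
@@ -102,7 +98,19 @@ fi
 if yesno_box_yes "Do you want to set this domain as your Nextcoud domain \
 and activate TLS for your Nextcloud using Let's Encrypt?"
 then
-export DEDYNDOMAIN # Not needed since already exported but added for readability
+# Add DNS renewals with the deSEC hoock script
+print_text_in_color "$ICyan" "Preparing for DNS-renewals..."
+mkdir -p "$SCRIPTS"/deSEC
+curl_to_dir "https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master" "hook.sh" "$SCRIPTS"/deSEC
+chmod +x "$SCRIPTS"/deSEC/hook.sh
+curl_to_dir "https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master" ".dedynauth" "$SCRIPTS"/deSEC
+check_command sed -i "s|DEDYN_TOKEN=.*|DEDYN_TOKEN=$DEDYNAUTHTOKEN|g" "$SCRIPTS"/deSEC/.dedynauth
+check_command sed -i "s|DEDYN_NAME=.*|DEDYN_NAME=$DEDYNDOMAIN|g" "$SCRIPTS"/deSEC/.dedynauth
+msg_box "DNS updates for deSEC are now set. This means you don't have to open any ports (80|443) since deSEC TLS renewals will be run with a built in hook. \
+The hook files will end up in $SCRIPTS/deSEC, please don't touch that folder unless you know what you're doing. \
+You can read more about it here: https://github.com/desec-io/desec-certbot-hook"
+
+# Run the TLS script
 run_script LETS_ENC activate-tls
 fi
 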
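Review bot: `hook.sh` (new 104–105) is fetched from the mutable `master` branch of a third-party repository with no commit pin or checksum and is made executable on the spot; the activate-tls change in this same commit then hands it to certbot as `--manual-auth-hook`/`--manual-cleanup-hook`, so whoever controls that branch controls code that presumably runs with this script's privileges. Pinning the download to a specific commit (`…/desec-certbot-hook/<PINNED_COMMIT>`, with the expected hash recorded in this script and checked before the `chmod +x`) would close that. `.dedynauth` (new 106–108) ends up holding the deSEC API token with whatever mode `curl_to_dir` and `mkdir -p` leave behind; add `chmod 700 "$SCRIPTS"/deSEC` and `chmod 600 "$SCRIPTS"/deSEC/.dedynauth` after the two `sed` lines. Those `sed` calls also splice `$DEDYNAUTHTOKEN` and `$DEDYNDOMAIN` into the replacement text, so a value containing `|` or `&` would corrupt the file, and the token is visible in the process list for the duration of the call.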
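--- a/lets-encrypt/activate-tls.sh
+++ b/lets-encrypt/activate-tls.sh
@@ -58,19 +58,22 @@ bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'"
 Make sure it looks like this:\nyourdomain.com, or cloud.yourdomain.com")
 fi
 
-msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \
+if [ -z "$DEDYNDOMAIN" ]
+then
+msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \
 and opened port 80 and 443 directly to this servers IP. A full extensive guide can be found here:
 https://www.techandme.se/open-port-80-443
 
 This can be done automatically if you have UPNP enabled in your firewall/router. \
 You will be offered to use UPNP in the next step."
 
-if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
-then
-unset FAIL
-open_port 80 TCP
-open_port 443 TCP
-cleanup_open_port
+if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
+then
+unset FAIL
+open_port 80 TCP
+open_port 443 TCP
+cleanup_open_port
+fi
 fi
 
 # Curl the lib another time to get the correct https_conf
@@ -82,11 +85,16 @@ echo
 print_text_in_color "$ICyan" "Checking if $TLSDOMAIN exists and is reachable..."
 domain_check_200 "$TLSDOMAIN"
 
-# Check if port is open with NMAP
+# Set /etc/hosts domain
 sed -i "s|127.0.1.1.*|127.0.1.1 $TLSDOMAIN nextcloud|g" /etc/hosts
 network_ok
-check_open_port 80 "$TLSDOMAIN"
-check_open_port 443 "$TLSDOMAIN"
+
+if [ -z "$DEDYNDOMAIN" ]
+then
+# Check if port is open with NMAP
+check_open_port 80 "$TLSDOMAIN"
+check_open_port 443 "$TLSDOMAIN"
+fi
 
 # Fetch latest version of test-new-config.sh
 check_command download_script LETS_ENC test-new-config
@@ -207,24 +215,46 @@ then
 sed -i "s|</FilesMatch.*|#|g" "$tls_conf"
 fi
 
-#Generate certs and auto-configure if successful
-if generate_cert "$TLSDOMAIN"
+# Generate certs and auto-configure if successful
+if [ -n "$DEDYNDOMAIN" ]
+then
+print_text_in_color "$ICyan" "Renewing TLS with DNS, please don't abort the hook, it may take a while..."
+# Renew with DNS by default
+certbot --manual \
+--text \
+--rsa-key-size 4096 \
+--renew-by-default \
+--server https://acme-v02.api.letsencrypt.org/directory \
+--no-eff-email \
+--agree-tos \
+--preferred-challenges dns \
+--manual-auth-hook "$SCRIPTS"/deSEC/hook.sh \
+--manual-cleanup-hook "$SCRIPTS"/deSEC/hook.sh \
+-d "$DEDYNDOMAIN" \
+certonly
+else
+generate_cert "$TLSDOMAIN"
+fi
+
+# Generate DHparams
+if [ -d "$CERTFILES" ]
+then
+if [ ! -f "$DHPARAMS_TLS" ]
+then
+openssl dhparam -dsaparam -out "$DHPARAMS_TLS" 4096
+fi
+fi
+
+# Activate new config
+if check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
 then
-if [ -d "$CERTFILES" ]
+if [ -z "$DEDYNDOMAIN" ]
 then
-# Generate DHparams cipher
-if [ ! -f "$DHPARAMS_TLS" ]
-then
-openssl dhparam -dsaparam -out "$DHPARAMS_TLS" 4096
-fi
-# Activate new config
-check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
 msg_box "Please remember to keep port 80 (and 443) open so that Let's Encrypt can do \
 the automatic renewal of the cert. If port 80 is closed the cert will expire in 3 months.
 
 You don't need to worry about security as port 80 is directly forwarded to 443, so \
 no traffic will actually be on port 80, except for the forwarding to 443 (HTTPS)."
-exit 0
 fi
 else
 last_fail_tls "$SCRIPTS"/activate-tls.sh cleanup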
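Review bot: Neither `certbot … certonly` (new 223–234) nor `generate_cert "$TLSDOMAIN"` (new 236) has its exit status checked, whereas the removed `if generate_cert "$TLSDOMAIN"` gated everything that followed; a failed issuance now falls through to the DHparams step and to test-new-config, and only surfaces later as a misleading `last_fail_tls`. Appending `|| last_fail_tls "$SCRIPTS"/activate-tls.sh cleanup` to the `certonly` line and to the `generate_cert "$TLSDOMAIN"` line would restore the fail-fast behaviour, assuming last_fail_tls terminates the script as the else branch at new 259–260 relies on. `--renew-by-default` forces a fresh issuance on every run, which can exhaust Let's Encrypt's duplicate-certificate rate limit if the script is re-run after a partial failure; drop it or comment why it is required here. The certificate is requested for `$DEDYNDOMAIN` while the vhost tested is `$TLSDOMAIN.conf`; if the two can ever differ, the served certificate will not match the domain. The removed `exit 0` (old 227) also means a successful run now continues past this if/else into code outside the hunk.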
