Add DNS updates with deSEC (#1920)

enoch85 · web-flow · commit 2e8c2b5763aa · 2021-04-11T17:36:29.000+02:00
diff --git a/addons/desec.sh b/addons/desec.sh
@@ -89,10 +89,6 @@ done
 if yesno_box_yes "Do you want to add automatic updates of your WAN IP using ddclient?
 Please note: this will reset any configuration that might be already in place with ddclient."
 then
-    # Add DynDNS
-    # WANIP6=$(curl -s -k -m 5 https://ipv6bot.whatismyipaddress.com)
-    # curl --user "$DEDYNDOMAIN":"$DEDYNAUTHTOKEN" \
-    #   https://update.dedyn.io/?myipv4="$WANIP4"\&myipv6="$WANIP6" >/dev/null 2>&1
     export DEDYNDOMAIN
     export DEDYNAUTHTOKEN
     run_script NETWORK ddclient-configuration
@@ -102,7 +98,19 @@ fi
 if yesno_box_yes "Do you want to set this domain as your Nextcoud domain \
 and activate TLS for your Nextcloud using Let's Encrypt?"
 then
-    export DEDYNDOMAIN # Not needed since already exported but added for readability
+    # Add DNS renewals with the deSEC hoock script
+    print_text_in_color "$ICyan" "Preparing for DNS-renewals..."
+    mkdir -p "$SCRIPTS"/deSEC
+    curl_to_dir "https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master" "hook.sh" "$SCRIPTS"/deSEC
+    chmod +x "$SCRIPTS"/deSEC/hook.sh
+    curl_to_dir "https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master" ".dedynauth" "$SCRIPTS"/deSEC
+    check_command sed -i "s|DEDYN_TOKEN=.*|DEDYN_TOKEN=$DEDYNAUTHTOKEN|g" "$SCRIPTS"/deSEC/.dedynauth
+    check_command sed -i "s|DEDYN_NAME=.*|DEDYN_NAME=$DEDYNDOMAIN|g" "$SCRIPTS"/deSEC/.dedynauth
+    msg_box "DNS updates for deSEC are now set. This means you don't have to open any ports (80|443) since deSEC TLS renewals will be run with a built in hook. \
+The hook files will end up in $SCRIPTS/deSEC, please don't touch that folder unless you know what you're doing. \
+You can read more about it here: https://github.com/desec-io/desec-certbot-hook"
+
+    # Run the TLS script
     run_script LETS_ENC activate-tls
 fi
 
diff --git a/lets-encrypt/activate-tls.sh b/lets-encrypt/activate-tls.sh
@@ -58,19 +58,22 @@ bash /var/scripts/menu.sh and choose 'Server Configuration' --> 'Activate TLS'"
 Make sure it looks like this:\nyourdomain.com, or cloud.yourdomain.com")
 fi
 
-msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \
+if [ -z "$DEDYNDOMAIN" ]
+then
+   msg_box "Before continuing, please make sure that you have you have edited the DNS settings for $TLSDOMAIN, \
 and opened port 80 and 443 directly to this servers IP. A full extensive guide can be found here:
 https://www.techandme.se/open-port-80-443
 
 This can be done automatically if you have UPNP enabled in your firewall/router. \
 You will be offered to use UPNP in the next step."
 
-if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
-then
-    unset FAIL
-    open_port 80 TCP
-    open_port 443 TCP
-    cleanup_open_port
+    if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
+    then
+        unset FAIL
+        open_port 80 TCP
+        open_port 443 TCP
+        cleanup_open_port
+    fi
 fi
 
 # Curl the lib another time to get the correct https_conf
@@ -82,11 +85,16 @@ echo
 print_text_in_color "$ICyan" "Checking if $TLSDOMAIN exists and is reachable..."
 domain_check_200 "$TLSDOMAIN"
 
-# Check if port is open with NMAP
+# Set /etc/hosts domain
 sed -i "s|127.0.1.1.*|127.0.1.1       $TLSDOMAIN nextcloud|g" /etc/hosts
 network_ok
-check_open_port 80 "$TLSDOMAIN"
-check_open_port 443 "$TLSDOMAIN"
+    
+if [ -z "$DEDYNDOMAIN" ]
+then
+    # Check if port is open with NMAP
+    check_open_port 80 "$TLSDOMAIN"
+    check_open_port 443 "$TLSDOMAIN"
+fi
 
 # Fetch latest version of test-new-config.sh
 check_command download_script LETS_ENC test-new-config
@@ -207,24 +215,46 @@ then
     sed -i "s|</FilesMatch.*|#|g" "$tls_conf"
 fi
 
-#Generate certs and auto-configure if successful
-if generate_cert "$TLSDOMAIN"
+# Generate certs and auto-configure if successful
+if [ -n "$DEDYNDOMAIN" ]
+then
+    print_text_in_color "$ICyan" "Renewing TLS with DNS, please don't abort the hook, it may take a while..."
+    # Renew with DNS by default
+    certbot --manual \
+    --text \
+    --rsa-key-size 4096 \
+    --renew-by-default \
+    --server https://acme-v02.api.letsencrypt.org/directory \
+    --no-eff-email \
+    --agree-tos \
+    --preferred-challenges dns \
+    --manual-auth-hook "$SCRIPTS"/deSEC/hook.sh  \
+    --manual-cleanup-hook "$SCRIPTS"/deSEC/hook.sh \
+    -d "$DEDYNDOMAIN" \
+    certonly
+else
+    generate_cert "$TLSDOMAIN"
+fi
+
+# Generate DHparams
+if [ -d "$CERTFILES" ]
+then
+    if [ ! -f "$DHPARAMS_TLS" ]
+    then
+        openssl dhparam -dsaparam -out "$DHPARAMS_TLS" 4096
+    fi
+fi
+
+# Activate new config
+if check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
 then
-    if [ -d "$CERTFILES" ]
+    if [ -z "$DEDYNDOMAIN" ]
     then
-        # Generate DHparams cipher
-        if [ ! -f "$DHPARAMS_TLS" ]
-        then
-            openssl dhparam -dsaparam -out "$DHPARAMS_TLS" 4096
-        fi
-        # Activate new config
-        check_command bash "$SCRIPTS/test-new-config.sh" "$TLSDOMAIN.conf"
         msg_box "Please remember to keep port 80 (and 443) open so that Let's Encrypt can do \
 the automatic renewal of the cert. If port 80 is closed the cert will expire in 3 months.
 
 You don't need to worry about security as port 80 is directly forwarded to 443, so \
 no traffic will actually be on port 80, except for the forwarding to 443 (HTTPS)."
-        exit 0
     fi
 else
     last_fail_tls "$SCRIPTS"/activate-tls.sh cleanup
