killbus · April 4, 2023 20:27 · Dec 2, 2020 · Aug 19, 2019
diff --git a/00-update-vault.sh b/00-update-vault.sh
@@ -22,7 +22,7 @@ for domain in $RENEWED_DOMAINS; do
     target=${target#*.}
   esac
 
-  vault kv get \
+  vault kv put \
     "secret/lets-encrypt/certificates/$target" \
     "cert=@$RENEWED_LINEAGE/cert.pem" \
     "chain=@$RENEWED_LINEAGE/chain.pem" \

diff --git a/00-update-vault.sh b/00-update-vault.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# Perform certificate updates in Vault.
+
+set -eo pipefail
+
+if ! vault token lookup > /dev/null; then
+  echo "Login to Vault first."
+  exit 1
+fi
+
+# Certificate renewal might take some time,
+# so renew the token if possible
+vault token renew > /dev/null
+
+for domain in $RENEWED_DOMAINS; do
+
+  # Wildcard certificates lead to domains like *.example.com
+  # which should become example.com
+  target=$domain
+  case $target in \*\.*)
+    target=${target#*.}
+  esac
+
+  vault kv get \
+    "secret/lets-encrypt/certificates/$target" \
+    "cert=@$RENEWED_LINEAGE/cert.pem" \
+    "chain=@$RENEWED_LINEAGE/chain.pem" \
+    "privkey=@$RENEWED_LINEAGE/privkey.pem"
+
+  # In case of a multiple-domain certificate, there is no need to re-run this for next domains
+  exit 0
+done
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,43 @@
+FROM certbot/dns-dnsimple:v0.33.1
+
+ARG VAULT_VERSION=1.1.3
+
+RUN set -eux; \
+    apk add --no-cache curl gnupg jq tzdata && \
+    apkArch="$(apk --print-arch)"; \
+    case "$apkArch" in \
+        armhf) ARCH='arm' ;; \
+        aarch64) ARCH='arm64' ;; \
+        x86_64) ARCH='amd64' ;; \
+        x86) ARCH='386' ;; \
+        *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
+    esac && \
+    VAULT_GPGKEY=91A6E7F85D05C65630BEF18951852D87348FFC4C; \
+    found=''; \
+    for server in \
+        hkp://p80.pool.sks-keyservers.net:80 \
+        hkp://keyserver.ubuntu.com:80 \
+        hkp://pgp.mit.edu:80 \
+    ; do \
+        echo "Fetching GPG key $VAULT_GPGKEY from $server"; \
+        gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY" && exit 1; \
+    mkdir -p /tmp/vault && \
+    cd /tmp/vault && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${ARCH}.zip && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
+    wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
+    gpg --batch --verify vault_${VAULT_VERSION}_SHA256SUMS.sig vault_${VAULT_VERSION}_SHA256SUMS && \
+    grep vault_${VAULT_VERSION}_linux_${ARCH}.zip vault_${VAULT_VERSION}_SHA256SUMS | sha256sum -c && \
+    unzip -d /bin vault_${VAULT_VERSION}_linux_amd64.zip && \
+    cd /tmp && \
+    rm -rf /tmp/vault && \
+    gpgconf --kill dirmngr && \
+    gpgconf --kill gpg-agent && \
+    apk del gnupg && \
+    rm -rf /root/.gnupg
+
+COPY entrypoint.sh /usr/local/bin/
+COPY initialize.sh /usr/local/bin/
+COPY 00-update-vault.sh /etc/letsencrypt/renewal-hooks/deploy/
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = 'renew' ]; then
+    initialize.sh
+    certbot renew
+else
+    exec "$@"
+fi
diff --git a/initialize.sh b/initialize.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+# Initialize the environment for certbot
+# Requires vault and jq
+
+set -eo pipefail
+
+if ! vault token lookup > /dev/null; then
+  echo "Login to Vault first."
+  exit 1
+fi
+
+# Get account path
+ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
+ACCOUNT_ID=$(vault kv get --format=json secret/lets-encrypt/account/extra_details | jq -r '.data.data.account_id')
+ACCOUNT_PATH="$ACCOUNT_PARENT_PATH/$ACCOUNT_ID"
+
+mkdir -p "$ACCOUNT_PATH"
+
+for i in meta private_key regr; do
+  vault kv get --format=json "secret/lets-encrypt/account/$i" | \
+    jq -c '.data.data' \
+    > "$ACCOUNT_PATH/$i.json"
+done
+
+echo "dns_dnsimple_token = $(vault kv get --format=json secret/dnsimple | jq -r '.data.data.token')" > /etc/letsencrypt/dnsimple.ini
+chmod 600 /etc/letsencrypt/dnsimple.ini
+
+CERTIFICATES_TO_CHECK=$(vault kv list --format=json secret/lets-encrypt/certificates | jq -r '.[]')
+
+mkdir -p /etc/letsencrypt/renewal
+
+for certificate in $CERTIFICATES_TO_CHECK; do
+  CERTIFICATE_DATA=$(vault kv get --format=json "secret/beyond/lets-encrypt-certificates/certificates/${certificate}")
+  mkdir -p "/etc/letsencrypt/archive/${certificate}"
+  mkdir -p "/etc/letsencrypt/live/${certificate}"
+  for field in cert chain privkey; do
+    cat > "/etc/letsencrypt/archive/${certificate}/${field}1.pem" <<EOF
+$(echo "${CERTIFICATE_DATA}" | jq -r ".data.data.${field}")
+EOF
+    ln \
+      -s "../../archive/${certificate}/${field}1.pem" \
+      "/etc/letsencrypt/live/${certificate}/${field}.pem"
+  done
+
+  cat \
+    "/etc/letsencrypt/archive/${certificate}/cert1.pem" \
+    "/etc/letsencrypt/archive/${certificate}/chain1.pem" \
+    > "/etc/letsencrypt/archive/${certificate}/fullchain1.pem"
+  ln \
+    -s "../../archive/${certificate}/fullchain1.pem" \
+    "/etc/letsencrypt/live/${certificate}/fullchain.pem"
+
+  cat > "/etc/letsencrypt/renewal/$certificate.conf" <<EOF
+version = 0.33.1
+archive_dir = /etc/letsencrypt/archive/$certificate
+cert = /etc/letsencrypt/live/$certificate/cert.pem
+privkey = /etc/letsencrypt/live/$certificate/privkey.pem
+chain = /etc/letsencrypt/live/$certificate/chain.pem
+fullchain = /etc/letsencrypt/live/$certificate/fullchain.pem
+# Options used in the renewal process
+[renewalparams]
+authenticator = dns-dnsimple
+account = $ACCOUNT_ID
+dns_dnsimple_credentials = /etc/letsencrypt/dnsimple.ini
+server = https://acme-v02.api.letsencrypt.org/directory
+EOF
+done
No results found