Dmitry Yu Okunev 4 years ago
4a8c6131cf

+ 5 - 0
generate-certificate-auth-hook-certbot.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+
+$CERTBOT_DOMAIN
+$CERTBOT_VALIDATION
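Review bot: Lines 4–5 of the new file run `$CERTBOT_DOMAIN` and `$CERTBOT_VALIDATION` as commands rather than printing them: the unquoted expansion is word-split and globbed and its first word is executed, so the hook ends in "command not found" and certbot treats the authenticator as failed. If this is meant to be a diagnostic stub that only shows what certbot hands to the hook, the lines should be `printf '%s\n' "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"`, with a header comment such as `# diagnostic stub: prints the values certbot passes to --manual-auth-hook; does NOT publish the TXT record` so nobody wires it up in place of generate-certificate-auth-hook.sh.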

+ 6 - 0
generate-certificate-auth-hook.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+
+DOMAIN_ID=$(mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "SELECT id FROM domains WHERE name='$CERTBOT_DOMAIN'")
+mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "DELETE FROM records WHERE domain_id='$DOMAIN_ID' AND name='_acme-challenge'"
+pdnsutil add-record "$CERTBOT_DOMAIN" _acme-challenge TXT '"'"$CERTBOT_VALIDATION"'"'
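Review bot: Lines 4–5 splice `$CERTBOT_DOMAIN` and `$DOMAIN_ID` straight into the SQL text inside single quotes, so correctness rests on those values never containing a quote, and because nothing checks that the SELECT returned a row an unknown domain silently turns into `DELETE ... WHERE domain_id=''` instead of an error; the identical two lines appear in generate-certificate-cleanup-hook.sh (lines 4–5) and the same applies there. The PowerDNS CLI the script already uses covers this without SQL: `pdnsutil delete-rrset "$CERTBOT_DOMAIN" _acme-challenge TXT` replaces both mysql statements, and if the direct SQL is kept the minimal guard is `set -e` plus `[[ -n "$DOMAIN_ID" ]] || exit 1` before the DELETE. Also worth confirming against the pdns schema: the records.name column presumably holds the fully qualified name (`_acme-challenge.<domain>`, which is what `pdnsutil add-record` on line 6 creates), in which case `name='_acme-challenge'` matches nothing and old TXT records accumulate across renewals.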

+ 5 - 0
generate-certificate-cleanup-hook.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
+
+DOMAIN_ID=$(mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "SELECT id FROM domains WHERE name='$CERTBOT_DOMAIN'")
+mysql --defaults-file=/etc/mysql/debian.cnf pdns -Ne "DELETE FROM records WHERE domain_id='$DOMAIN_ID' AND name='_acme-challenge'"

+ 2 - 1
generate-certificate.sh

@@ -2,6 +2,7 @@
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
 
 #certbot certonly --cert-name instances --agree-tos --email admin@ut.mephi.ru --preferred-challenges=dns --expand --manual-public-ip-logging-ok -n --renew-by-default --manual --manual-auth-hook /root/bin/generate-certificate-auth-hook.sh --manual-cleanup-hook /root/bin/generate-certificate-cleanup-hook.sh $@
-certbot certonly --cert-name sites --agree-tos --email admin@ut.mephi.ru --preferred-challenges http --expand --manual-public-ip-logging-ok -n --renew-by-default --authenticator certbot-haproxy:haproxy-authenticator --installer certbot-haproxy:haproxy-installer $@
+#certbot certonly --cert-name sites --agree-tos --email admin@ut.mephi.ru --preferred-challenges http --expand --manual-public-ip-logging-ok -n --renew-by-default --authenticator certbot-haproxy:haproxy-authenticator --installer certbot-haproxy:haproxy-installer $@
+certbot certonly --cert-name sites --agree-tos --email admin@ut.mephi.ru --preferred-challenges http --expand --manual-public-ip-logging-ok -n --renew-by-default --webroot -w /var/www/certbot $@
 
 cat /etc/letsencrypt/live/sites/{fullchain,privkey}.pem > /etc/letsencrypt/live/sites/haproxy.pem
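Review bot: The new certbot invocation on the `--webroot` line still passes `$@` unquoted, so any argument containing whitespace or a glob character is split or expanded before certbot sees it; `"$@"` forwards the arguments exactly as given. `--manual-public-ip-logging-ok` appears to be a flag of the manual plugin that the webroot authenticator does not use (and newer certbot releases deprecate it), so it can presumably be dropped from this line. The webroot switch also assumes something serves `/var/www/certbot` for `/.well-known/acme-challenge/` on port 80 of every `-d` host; that routing is not visible in this commit, so a comment naming where it is configured would help the next person debugging a failed renewal.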

+ 20 - 12
reload-instance-list.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
 
+DASHBOARD="os.mephi.ru"
 ZONE="private.os.mephi.ru"
 ZONE_PUBLIC="public.os.mephi.ru"
 MY_IP=85.143.112.100
@@ -10,7 +11,7 @@ cd ~/reload-instance-list-workdir
 CURRENT_INSTANCES=($(~/go/bin/openstack-instance-list | sort))
 
 OLD_HASH="$(cat /run/reload-instance-list.sh.hash)"
-CURRENT_HASH="$(echo "$CURRENT_INSTANCES" | md5sum | awk '{print $1}')"
+CURRENT_HASH="$(echo "${CURRENT_INSTANCES[@]}" | md5sum | awk '{print $1}')"
 
 if [ "$CURRENT_HASH" = "$OLD_HASH" ]; then
 	exit
@@ -65,13 +66,13 @@ done
 
 # generating the certificate
 
-GENCERT_ARGS=()
+GENCERT_ARGS=(" -d $DASHBOARD ")
 
-for LINE in ${CURRENT_INSTANCES[@]}; do
-	IFS=","; WORDS=($LINE); IFS="$oldIFS"
-	ID="${WORDS[0]}"
-	GENCERT_ARGS+=" -d ${ID}.${ZONE_PUBLIC} "
-done
+#for LINE in ${CURRENT_INSTANCES[@]}; do
+#	IFS=","; WORDS=($LINE); IFS="$oldIFS"
+#	ID="${WORDS[0]}"
+#	GENCERT_ARGS+=" -d ${ID}.${ZONE_PUBLIC} "
+#done
 
 for LINE in $(cat /etc/webaliases); do
 	IFS=":"; WORDS=($LINE); IFS="$oldIFS"
@@ -100,12 +101,12 @@ for LINE in ${CURRENT_INSTANCES[@]}; do
 	IP="${WORDS[1]}"
 
 	cat >> /etc/haproxy/gen-conf.d/050-frontends.conf <<EOF
-	acl host_${ID} hdr(host) -i ${ID}.${ZONE}
-	acl host_${ID} hdr(host) -i ${ID}.${ZONE_PUBLIC}
-	use_backend backend_${ID} if host_${ID}
+	acl host_${ID}_internal hdr(host) -i ${ID}.${ZONE}
+	acl host_${ID}_internal hdr(host) -i ${ID}.${ZONE_PUBLIC}
+	use_backend backend_${ID}_internal if host_${ID}_internal
 EOF
 	cat >> /etc/haproxy/gen-conf.d/060-backends.conf <<EOF
-backend backend_${ID}
+backend backend_${ID}_internal
 	mode http
 	server primary ${IP}:80
 EOF
@@ -129,8 +130,15 @@ for LINE in $(cat /etc/webaliases); do
 	fi
 
 	cat >> /etc/haproxy/gen-conf.d/050-frontends.conf <<EOF
-	acl host_${ID} hdr(host) -i ${HOST}
+	acl host_${ID}_external hdr(host) -i ${HOST}
+	use_backend backend_${ID}_external if host_${ID}_external
+EOF
+	cat >> /etc/haproxy/gen-conf.d/060-backends.conf <<EOF
+backend backend_${ID}_external
+	mode http
+	server primary ${IP}:80
 EOF
 done
 
 cat /etc/haproxy/gen-conf.d/* > /etc/haproxy/haproxy.cfg
+service haproxy reload
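Review bot: The added `service haproxy reload` on the last line runs right after the config is re-concatenated with no validation of the generated file, so any bad emitted block leaves the proxy either on stale config or down, depending on what the service unit's reload action does. The new per-alias `backend backend_${ID}_external` block in the 060-backends.conf here-doc is one concrete way that happens: if two lines in /etc/webaliases map different hostnames to the same instance ID, the backend is declared twice and haproxy rejects the config (the old code reused the single `backend_${ID}` for external hosts, so this is a new risk; the loop starts outside the hunk, so I cannot see whether IDs are deduplicated). Gate the reload on a syntax check, `haproxy -c -q -f /etc/haproxy/haproxy.cfg || { printf 'generated haproxy.cfg is invalid, not reloading\n' >&2; exit 1; }` immediately before `service haproxy reload`, and either emit the external backend only once per ID or point the external ACL at the existing `backend_${ID}_internal`, which has identical contents.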

+ 4 - 0
renew-certificates.sh

@@ -0,0 +1,4 @@
+certbot renew
+
+cat /etc/letsencrypt/live/public.os.mephi.ru/fullchain.pem /etc/letsencrypt/live/public.os.mephi.ru/privkey.pem > /etc/letsencrypt/live/public.os.mephi.ru/haproxy.pem
+cat /etc/letsencrypt/live/sites/fullchain.pem /etc/letsencrypt/live/public.os.mephi.ru/privkey.pem > /etc/letsencrypt/live/sites/haproxy.pem
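Review bot: Line 4 bundles `/etc/letsencrypt/live/sites/fullchain.pem` with `/etc/letsencrypt/live/public.os.mephi.ru/privkey.pem`, a key that belongs to a different certificate, so the resulting `sites/haproxy.pem` should be rejected by haproxy as a key/certificate mismatch at the next reload; the path is presumably meant to be `/etc/letsencrypt/live/sites/privkey.pem`, as generate-certificate.sh does with `{fullchain,privkey}.pem` from the same directory. The file also lacks the `#!/bin/bash` and `PATH=` lines every other script in this commit starts with, and it writes files containing private keys with whatever umask cron or the caller has, so `umask 077` at the top is the simple fix. The bundling also runs unconditionally; `certbot renew || exit 1` (or doing the concatenation in a certbot `--deploy-hook`) keeps a failed renewal from silently rewriting the bundles.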