From c88b417eb04e2833bfaff9e5ac19db946f971d8d Mon Sep 17 00:00:00 2001
From: gru
Date: Sat, 24 May 2025 11:51:31 +0200
Subject: [PATCH] Add getcert.py pojedynczy cert (via rfc2136)

---
 getcert.py | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 getcert.py

diff --git a/getcert.py b/getcert.py
new file mode 100644
index 0000000..d4b36ca
--- /dev/null
+++ b/getcert.py
@@ -0,0 +1,105 @@
+import subprocess
+import os
+import sys
+
+# Konfiguracja
+DOMAIN = "ldns1.linuxiarz.pl"
+WILDCARD_DOMAIN = f"*.{DOMAIN}"
+INSTALL_DIR = "/root/.acme.sh/"
+DNS_SERVER = "linuxiarz.pl"
+KEY_FILE = "/root/tsig.key"
+KEY_NAME = "certbot-key"
+KEY_ALGO = "hmac-sha512"
+SYSTEMD_SERVICE = "AdGuardHome.service"
+CERT_DIR = "/etc/ssl/wildcard-linuxiarz.pl"
+CERT_KEY_PATH = f"{CERT_DIR}/key.key"
+CERT_FULLCHAIN_PATH = f"{CERT_DIR}/cert.crt"
+
+def set_env():
+ os.environ["NSUPDATE_SERVER"] = DNS_SERVER
+ os.environ["NSUPDATE_KEY"] = KEY_FILE
+ os.environ["NSUPDATE_KEY_NAME"] = KEY_NAME
+ os.environ["NSUPDATE_KEY_ALGO"] = KEY_ALGO
+ os.environ["NSUPDATE_TIMEOUT"] = "120"
+ os.environ["RFC2136_SERVER"] = DNS_SERVER
+ os.environ["RFC2136_KEY"] = KEY_FILE
+ os.environ["RFC2136_KEY_NAME"] = KEY_NAME
+ os.environ["RFC2136_KEY_ALGO"] = KEY_ALGO
+ os.environ["RFC2136_TIMEOUT"] = "120"
+
+def run_command(cmd):
+ result = subprocess.run(cmd, shell=True, text=True, capture_output=True)
+ output = result.stdout + result.stderr
+
+ # Rozpoznaj "Skipping" jako nie-błąd
+ if result.returncode != 0:
+ if "Skipping. Next renewal time is" in output:
+ print(output)
+ print("ℹ️ Certyfikat jeszcze nie wymaga odnowienia. 
Pominięto.")
+ return False # ← cert nieodnowiony
+ else:
+ print(f"❌ Błąd wykonania komendy [{cmd}]:\n{output}")
+ sys.exit(1)
+
+ print(output)
+ return True
+
+def issue_cert():
+ print(f"Generowanie certyfikatu {DOMAIN}")
+ cmd = (
+ f"{INSTALL_DIR}/acme.sh --log --set-default-ca --server letsencrypt "
+ f"--issue --dns dns_nsupdate "
+ f"-d {DOMAIN} "
+ f"--yes-I-know-dns-manual-mode-enough-go-ahead-please"
+ )
+ run_command(cmd)
+ install_cert()
+
+def renew_cert(force=False):
+ print(f"Odnawianie certyfikatu {DOMAIN}")
+ cmd = (
+ f"{INSTALL_DIR}/acme.sh --renew "
+ f"-d {DOMAIN} "
+ f"--dns dns_nsupdate"
+ )
+ if force:
+ cmd += " --force"
+
+ updated = run_command(cmd)
+ if updated or force:
+ install_cert()
+ else:
+ print("⏭️ Pominięto instalację, certyfikat nie został zmieniony.")
+
+
+def install_cert():
+ print("Instalacja certyfikatu...")
+ os.makedirs(CERT_DIR, exist_ok=True)
+ cmd = (
+ f"{INSTALL_DIR}/acme.sh --install-cert "
+ f"-d {DOMAIN} "
+ f"--key-file {CERT_KEY_PATH} "
+ f"--fullchain-file {CERT_FULLCHAIN_PATH} "
+ f"--reloadcmd \"systemctl restart {SYSTEMD_SERVICE}\""
+ )
+ run_command(cmd)
+
+def main():
+ if len(sys.argv) < 2:
+ print("Użycie: python getcert.py [issue|renew] [force]")
+ sys.exit(1)
+
+ set_env()
+ action = sys.argv[1]
+ force = len(sys.argv) > 2 and sys.argv[2] == "force"
+
+ if action == "issue":
+ issue_cert()
+ elif action == "renew":
+ renew_cert(force)
+ else:
+ print("Nieznane polecenie. Użyj: issue lub renew")
+ sys.exit(1)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
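Review bot: Every acme.sh invocation goes through `subprocess.run(cmd, shell=True, ...)` in run_command, with the command line assembled from f-strings in issue_cert, renew_cert and install_cert; the interpolated values are module constants today, so nothing here is attacker-controlled, but the shell layer is unnecessary and the nested quoting in `--reloadcmd \"systemctl restart {SYSTEMD_SERVICE}\"` is fragile. Passing an argv list with the default `shell=False` removes both concerns and hands `--reloadcmd` to acme.sh as one argument; the sketch below shows run_command and the install_cert builder, the other two builders follow the same pattern (the error message's `[{cmd}]` then prints a list, and `shlex.join(cmd)` gives the readable form). Separately, `os.makedirs(CERT_DIR, exist_ok=True)` creates the directory that will hold the private key with the process umask; `os.makedirs(CERT_DIR, mode=0o700, exist_ok=True)` is the safer default, noting that mode applies only when the directory is created and the key file's own permissions are whatever acme.sh sets. WILDCARD_DOMAIN is assigned but never read, and the RFC2136_* variables set in set_env do not appear to be consumed by acme.sh's dns_nsupdate hook, which reads the NSUPDATE_* ones — worth a comment or removal if that is confirmed.
```python
def run_command(cmd):
    # cmd is an argv list: no shell is involved, so DOMAIN and the paths need no quoting
    result = subprocess.run(cmd, text=True, capture_output=True)
    output = result.stdout + result.stderr
    # … unchanged: "Skipping" handling, error exit, print/return …

def install_cert():
    print("Instalacja certyfikatu...")
    os.makedirs(CERT_DIR, mode=0o700, exist_ok=True)
    cmd = [
        f"{INSTALL_DIR}/acme.sh", "--install-cert",
        "-d", DOMAIN,
        "--key-file", CERT_KEY_PATH,
        "--fullchain-file", CERT_FULLCHAIN_PATH,
        "--reloadcmd", f"systemctl restart {SYSTEMD_SERVICE}",
    ]
    run_command(cmd)
```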