#!/usr/bin/env bash
# Set up Let's Encrypt certificate using DNS-01 challenge for RPC-01 (VMID 2500)
# This is useful when port 80 is not accessible or for internal domains
# Usage: ./setup-letsencrypt-dns-01-rpc-2500.sh <domain> [cloudflare-api-token]
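# Abort on any failed command, on use of an unset variable, and when any
# stage of a pipeline fails (plain `set -e` only sees the last stage).
set -euo pipefail

# Container that hosts RPC-01; fixed because this script is specific to it.
readonly VMID=2500
# Proxmox node that owns the container. Overridable from the environment so
# the script is not hard-wired to one lab address; the previous literal
# remains the default.
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
readonly PROXMOX_HOST
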
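# Arguments: <domain> is required, the Cloudflare API token is optional.
# Usage text goes to stderr so it is not mistaken for script output.
if [ $# -lt 1 ]; then
  echo "Usage: $0 <domain> [cloudflare-api-token]" >&2
  echo "Example: $0 rpc-core.yourdomain.com YOUR_CLOUDFLARE_API_TOKEN" >&2
  exit 1
fi

DOMAIN="$1"
# The domain is later interpolated into remote shell command lines, sed
# scripts and grep patterns, so accept only plain hostname syntax
# (letters, digits, hyphens, dot-separated labels). Anything else aborts
# here instead of being interpreted by a shell on the Proxmox host.
if ! [[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$ ]]; then
  echo "Error: '$DOMAIN' is not a valid hostname" >&2
  exit 1
fi

# The token is still accepted as $2 for compatibility, but a token on the
# command line is visible in `ps` output and shell history; the
# CLOUDFLARE_API_TOKEN environment variable is the preferred channel.
API_TOKEN="${2:-${CLOUDFLARE_API_TOKEN:-}}"
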
# Terminal colour codes. They are stored as literal "\033..." text, not as
# real escape characters, because the log_* helpers expand them with echo -e.
declare RED='\033[0;31m'     # errors
declare GREEN='\033[0;32m'   # success
declare YELLOW='\033[1;33m'  # warnings
declare BLUE='\033[0;34m'    # informational messages
declare NC='\033[0m'         # reset to the default colour

# Print an informational line: blue "[INFO]" tag, then the message in $1.
# printf '%b' expands backslash escapes exactly like echo -e does.
log_info() { printf '%b\n' "${BLUE}[INFO]${NC} $1"; }
# Print a success line: green "[✓]" tag, then the message in $1.
# printf '%b' expands backslash escapes exactly like echo -e does.
log_success() { printf '%b\n' "${GREEN}[✓]${NC} $1"; }
# Print a warning line: yellow "[WARN]" tag, then the message in $1.
# printf '%b' expands backslash escapes exactly like echo -e does.
log_warn() { printf '%b\n' "${YELLOW}[WARN]${NC} $1"; }
# Print an error line: red "[ERROR]" tag, then the message in $1.
# printf '%b' expands backslash escapes exactly like echo -e does.
log_error() { printf '%b\n' "${RED}[ERROR]${NC} $1"; }

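log_info "Setting up Let's Encrypt certificate (DNS-01) for RPC-01 (VMID $VMID)"
log_info "Domain: $DOMAIN"
echo ""

# Let's Encrypt issues only for publicly resolvable names; .local is reserved
# for mDNS. A pattern match avoids spawning echo|grep for a single string.
if [[ "$DOMAIN" == *.local ]]; then
  log_error "Let's Encrypt does not support .local domains"
  log_info "Please use a public domain (e.g., rpc-core.yourdomain.com)"
  exit 1
fi
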
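# Install Certbot inside the container (skipped when it is already present).
#
# NOTE(security): the Proxmox root password is hardcoded and handed to
# sshpass on the command line, so it is readable in this file, in `ps`
# output on this machine and in shell history. Use SSH key authentication,
# or at least `sshpass -e` (password in the SSHPASS environment variable) or
# `sshpass -f` with a mode-0600 file. StrictHostKeyChecking=no also disables
# host-key verification; pinning the node's key in known_hosts is safer.
log_info "1. Installing Certbot..."
# `pct exec` does not go through a shell, so the builtin `command -v` needs
# an explicit `bash -c`; unlike `which` it does not depend on a separate
# binary being installed in the container. An ssh failure is
# indistinguishable here from "certbot missing" and falls into the install
# path, where the next ssh failure aborts the script under set -e.
if ! sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash -c 'command -v certbot' >/dev/null 2>&1"; then
  sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
    "pct exec $VMID -- bash -c '
      export DEBIAN_FRONTEND=noninteractive
      apt-get update -qq
      apt-get install -y -qq certbot
    '"
  log_success "Certbot installed"
else
  log_success "Certbot already installed"
fi
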
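# With a Cloudflare token: install the DNS plugin, store the token in the
# container and request the certificate non-interactively. Without one:
# print the manual DNS-01 procedure and stop.
if [ -n "$API_TOKEN" ]; then
  log_info ""
  log_info "2. Setting up Cloudflare DNS plugin..."

  # Install Cloudflare plugin.
  # NOTE(supply-chain): the pip3 line installs an unpinned package from PyPI
  # into the system interpreter; the apt plugin package normally ships its
  # own Python dependency, so this is best-effort and its failure is
  # deliberately ignored with `|| true`.
  sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
    "pct exec $VMID -- bash -c '
      export DEBIAN_FRONTEND=noninteractive
      apt-get install -y -qq python3-certbot-dns-cloudflare python3-pip
      pip3 install -q cloudflare 2>/dev/null || true
    '"

  # Create the credentials file. The token is streamed over ssh stdin instead
  # of being embedded in the remote command line, where it would be visible
  # in `ps` output on the Proxmox host and inside the container. umask 077
  # makes the directory and file private from creation, so there is no window
  # in which the token is world-readable before the chmod.
  log_info "Creating Cloudflare credentials file..."
  printf 'dns_cloudflare_api_token = %s\n' "$API_TOKEN" |
    sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
      "pct exec $VMID -- bash -c '
        umask 077
        mkdir -p /etc/cloudflare
        cat > /etc/cloudflare/credentials.ini
        chmod 600 /etc/cloudflare/credentials.ini
      '"

  log_success "Cloudflare credentials configured"

  # Obtain certificate using DNS-01
  log_info ""
  log_info "3. Obtaining certificate using DNS-01 challenge..."
  log_warn "This will use Let's Encrypt staging server for testing"
  log_info "Press Ctrl+C to cancel, or wait 5 seconds..."
  sleep 5

  # Registration address is admin@ the parent zone (everything after the
  # first label). The domain values are single-quoted for the remote shell
  # so they are passed as one word and never glob-expanded there. On failure
  # certbot's own output is kept and "FAILED" appended for the check below.
  CERTBOT_OUTPUT=$(sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
    "pct exec $VMID -- certbot certonly \
      --dns-cloudflare \
      --dns-cloudflare-credentials /etc/cloudflare/credentials.ini \
      --non-interactive \
      --agree-tos \
      --staging \
      --email 'admin@${DOMAIN#*.}' \
      -d '$DOMAIN' 2>&1" || echo "FAILED")

  if echo "$CERTBOT_OUTPUT" | grep -q "Successfully received certificate\|Congratulations"; then
    log_success "Certificate obtained successfully (STAGING)"
    log_warn "To get production certificate, run without --staging flag"
  else
    log_error "Certificate acquisition failed"
    log_info "Output: $CERTBOT_OUTPUT"
    exit 1
  fi
else
  log_info ""
  log_info "2. Manual DNS-01 challenge setup..."
  log_info "No Cloudflare API token provided. Using manual DNS challenge."
  log_info ""
  log_info "Run this command and follow the prompts:"
  log_info " pct exec $VMID -- certbot certonly --manual --preferred-challenges dns -d $DOMAIN"
  log_info ""
  log_info "You will need to:"
  log_info " 1. Add a TXT record to your DNS"
  log_info " 2. Wait for DNS propagation"
  log_info " 3. Press Enter to continue"
  # Nothing below can run without a certificate, so stop here successfully.
  exit 0
fi
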
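# Update Nginx configuration
log_info ""
log_info "4. Updating Nginx configuration..."
CERT_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
KEY_PATH="/etc/letsencrypt/live/$DOMAIN/privkey.pem"

# The here-document is deliberately unquoted: $CERT_PATH, $KEY_PATH and
# $DOMAIN are expanded locally before the script is streamed to the
# container's bash. The remote shell runs with -e so a failing step is
# reported instead of being masked by a final passing `nginx -t`. The
# if-form is required: under `set -e` a failing ssh would terminate this
# script before a separate `$?` test could ever run.
if sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash" <<UPDATE_NGINX
set -e
# Update SSL certificate paths in Nginx config
sed -i "s|ssl_certificate /etc/nginx/ssl/rpc.crt;|ssl_certificate $CERT_PATH;|" /etc/nginx/sites-available/rpc-core
sed -i "s|ssl_certificate_key /etc/nginx/ssl/rpc.key;|ssl_certificate_key $KEY_PATH;|" /etc/nginx/sites-available/rpc-core

# sed exits 0 even when its pattern matched nothing, so confirm the config
# really points at the Let's Encrypt files before reloading.
grep -qF "ssl_certificate $CERT_PATH;" /etc/nginx/sites-available/rpc-core
grep -qF "ssl_certificate_key $KEY_PATH;" /etc/nginx/sites-available/rpc-core

# Add domain to server_name if not present (-F: the domain is a literal
# string, not a regular expression in which "." would match any character)
if ! grep -qF "$DOMAIN" /etc/nginx/sites-available/rpc-core; then
  sed -i "s|server_name.*rpc-core.besu.local|server_name $DOMAIN rpc-core.besu.local|" /etc/nginx/sites-available/rpc-core
fi

# Test configuration
nginx -t
UPDATE_NGINX
then
  log_success "Nginx configuration updated"
else
  log_error "Failed to update Nginx configuration"
  exit 1
fi
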
# Reload Nginx inside the container so the new certificate paths take effect.
log_info ""
log_info "5. Reloading Nginx..."
sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- systemctl reload nginx"
log_success "Nginx reloaded"

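# Set up auto-renewal
log_info ""
log_info "6. Setting up auto-renewal..."
# The whole enable && start chain must execute inside the container. The
# `&&` in the ssh command string is parsed by the login shell on the Proxmox
# host, so without the bash -c wrapper only the enable would go through
# `pct exec` and `systemctl start certbot.timer` would run on the host itself.
sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- bash -c 'systemctl enable certbot.timer && systemctl start certbot.timer'"
log_success "Auto-renewal enabled"
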
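# Verify certificate
log_info ""
log_info "7. Verifying certificate..."
# Subject, issuer and validity window of the installed leaf certificate;
# the path is single-quoted for the remote shell.
CERT_INFO=$(sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- openssl x509 -in '$CERT_PATH' -noout -subject -issuer -dates 2>&1")

log_info "Certificate details:"
# IFS= and -r keep leading whitespace and backslashes in each line intact.
while IFS= read -r line; do
  log_info " $line"
done <<<"$CERT_INFO"
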
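# Test HTTPS
log_info ""
log_info "8. Testing HTTPS endpoint..."
# Talk to the local listener but present $DOMAIN as the TLS server name
# (--resolve pins that name to 127.0.0.1). Against https://localhost curl's
# default certificate verification fails on the hostname mismatch, so the
# check could never pass. A staging certificate still fails verification,
# because the staging CA is not publicly trusted; expect "inconclusive"
# until a production certificate is installed. -S keeps curl's error text
# in the captured output so the warning below can show why it failed.
HTTPS_TEST=$(sshpass -p 'L@kers2010' ssh -o StrictHostKeyChecking=no "root@${PROXMOX_HOST}" \
  "pct exec $VMID -- timeout 5 curl -sS -X POST --resolve '$DOMAIN:443:127.0.0.1' 'https://$DOMAIN:443' \
    -H 'Content-Type: application/json' \
    -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}' 2>&1" || echo "FAILED")

if echo "$HTTPS_TEST" | grep -q "result"; then
  log_success "HTTPS endpoint is working!"
else
  log_warn "HTTPS test inconclusive"
  log_info "Output: $HTTPS_TEST"
fi
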
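echo ""
log_success "Let's Encrypt certificate setup complete!"
echo ""
log_info "Summary:"
log_info " ✓ Certificate obtained for: $DOMAIN"
log_info " ✓ Nginx configuration updated"
log_info " ✓ Auto-renewal enabled"
echo ""
# NOTE(review): this script always passes --staging, so the warning below
# should always apply; the grep relies on certbot's output mentioning
# "staging", which is not guaranteed — confirm against a real run.
if echo "$CERTBOT_OUTPUT" | grep -q "staging"; then
  log_warn "NOTE: Certificate is from STAGING server (for testing)"
  # NOTE(review): certbot keeps an existing lineage that is not yet due for
  # renewal, so re-issuing against production may additionally need
  # --force-renewal — confirm before relying on the command as printed.
  log_info "To get production certificate, run:"
  log_info " pct exec $VMID -- certbot certonly --dns-cloudflare \\"
  log_info " --dns-cloudflare-credentials /etc/cloudflare/credentials.ini \\"
  log_info " --non-interactive --agree-tos \\"
  # ${DOMAIN#*.} strips the first label, the same parent zone the
  # certificate request used, without an echo|cut subshell.
  log_info " --email admin@${DOMAIN#*.} -d $DOMAIN"
fi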