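#!/bin/bash
# Issue a Let's Encrypt certificate for $DOMAIN with certbot (DNS-01 via the Beget
# plugin) and attach it to the matching proxy host in Nginx Proxy Manager (NPM).
#
# Usage: BEGET_USER=<login> BEGET_PASS=<password> NPM_PASSWORD=<npm admin password> ./npm-cert-cloud.sh
#
# Run inside the NPM container, e.g.:
#   ssh root@PROXMOX "pct exec 100 -- bash -s" < npm-cert-cloud.sh
#   or: BEGET_USER=xxx BEGET_PASS=xxx NPM_PASSWORD=xxx pct exec 100 -- bash -c 'eval "$(cat)"' < npm-cert-cloud.sh
#
# Required env: BEGET_USER, BEGET_PASS (Beget API), NPM_PASSWORD (NPM admin password).
# Optional env: DOMAIN, EMAIL, NPM_URL, NPM_EMAIL (defaults below).
# Requires: certbot with the dns-beget-api plugin, curl >= 7.55 (-H @file), jq >= 1.6 (--rawfile).

# pipefail: a failing curl in "curl ... | jq" must fail the assignment, not be
# masked by jq's exit status. -u: unset variables are a bug here, not a default.
set -euo pipefail

DOMAIN="${DOMAIN:-cloud.katykhin.ru}"
EMAIL="${EMAIL:-j3tears100@gmail.com}"
NPM_URL="${NPM_URL:-http://127.0.0.1:81}"
API="$NPM_URL/api"
NPM_EMAIL="${NPM_EMAIL:-j3tears100@gmail.com}"
# The NPM admin password used to be a literal in this file. It is now taken from
# the environment only; treat the previously embedded value as exposed and rotate it.
: "${NPM_PASSWORD:?задайте NPM_PASSWORD (пароль администратора NPM)}"

if [ -z "${BEGET_USER:-}" ] || [ -z "${BEGET_PASS:-}" ]; then
  echo "Укажите BEGET_USER и BEGET_PASS (логин и пароль Beget API)" >&2
  exit 1
fi

die() { printf '%s\n' "$*" >&2; exit 1; }

# Scratch dir for request bodies and the auth header, so the token, the private
# key and the admin password never appear on a command line (ps, set -x).
WORK=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK:?}"; }
trap cleanup EXIT
# Every file created from here on (credentials, request bodies) is owner-only
# from the moment it is created, not only after a later chmod.
umask 077

echo "1. Создание credentials для certbot..."
CRED_DIR="/root/.secrets/certbot"
mkdir -p "$CRED_DIR"
chmod 700 "$CRED_DIR"
cat > "$CRED_DIR/beget.ini" <<EOF
dns_beget_api_username = $BEGET_USER
dns_beget_api_password = $BEGET_PASS
EOF
chmod 600 "$CRED_DIR/beget.ini"

echo "2. Запрос сертификата Let's Encrypt (DNS-01)..."
certbot certonly \
  --authenticator dns-beget-api \
  --dns-beget-api-credentials "$CRED_DIR/beget.ini" \
  --dns-beget-api-propagation-seconds 120 \
  -d "$DOMAIN" \
  --non-interactive \
  --agree-tos \
  --email "$EMAIL"

CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
[ -r "$CERT_DIR/fullchain.pem" ] && [ -r "$CERT_DIR/privkey.pem" ] \
  || die "Ошибка: файлы сертификата не найдены в $CERT_DIR"

echo "3. Добавление сертификата в NPM..."
# Build the login body with jq so the password is JSON-escaped (a quote or
# backslash in it would otherwise break the request); send it from a file.
jq -n --arg i "$NPM_EMAIL" --arg s "$NPM_PASSWORD" '{identity: $i, secret: $s}' > "$WORK/login.json"
TOKEN=$(curl -sS -X POST "$API/tokens" \
  -H "Content-Type: application/json" \
  -d @"$WORK/login.json" \
  | jq -r '.token // empty')
[ -n "$TOKEN" ] || die "Ошибка: не удалось получить токен NPM"
# Authorization header is read by curl from a file (-H @file) instead of argv.
printf 'Authorization: Bearer %s\n' "$TOKEN" > "$WORK/auth.hdr"
AUTH=(-H "@$WORK/auth.hdr")

# jq reads the PEM files itself (--rawfile): correct JSON escaping, and the
# private key never passes through echo or a command line.
jq -n --arg d "$DOMAIN" \
  --rawfile cert "$CERT_DIR/fullchain.pem" \
  --rawfile key "$CERT_DIR/privkey.pem" \
  '{provider: "other", domain_names: [$d], nice_name: $d,
    meta: {certificate: $cert, certificate_key: $key}}' > "$WORK/cert.json"

# Response body goes to a file; only the status code is captured from stdout.
HTTP_CODE=$(curl -sS -o "$WORK/cert_resp.json" -w '%{http_code}' -X POST "$API/nginx/certificates" \
  "${AUTH[@]}" \
  -H "Content-Type: application/json" \
  -d @"$WORK/cert.json")
if [ "$HTTP_CODE" != "201" ]; then
  echo "Ошибка добавления сертификата (HTTP $HTTP_CODE):" >&2
  jq . "$WORK/cert_resp.json" 2>/dev/null || cat "$WORK/cert_resp.json"
  exit 1
fi

CERT_ID=$(jq -r '.id' "$WORK/cert_resp.json")
# $CERT_ID is injected with --argjson below; refuse anything that is not a plain integer.
[[ "$CERT_ID" =~ ^[0-9]+$ ]] || die "Ошибка: NPM вернул некорректный id сертификата: $CERT_ID"
echo "Сертификат добавлен, ID: $CERT_ID"

echo "4. Подключение сертификата к proxy host $DOMAIN..."
# One id per matching host. any() avoids the duplicate ids the old
# "select(.domain_names[]? == ...)" form produced when a host listed the domain twice.
PROXY_IDS=$(curl -fsS "${AUTH[@]}" "$API/nginx/proxy-hosts" \
  | jq -r --arg d "$DOMAIN" '.[] | select(any(.domain_names[]?; . == $d)) | .id')
[ -n "$PROXY_IDS" ] || die "Proxy host для $DOMAIN не найден"
mapfile -t IDS <<<"$PROXY_IDS"
# Several hosts claiming the same domain is ambiguous; do not silently update the first one.
[ "${#IDS[@]}" -eq 1 ] || die "Найдено несколько proxy host для $DOMAIN (id: ${IDS[*]}); уточните вручную"
PROXY_ID=${IDS[0]}

# Fetch the host, attach the certificate, force SSL and drop the read-only
# sub-objects NPM rejects on PUT. domain_names must be an array.
curl -fsS "${AUTH[@]}" "$API/nginx/proxy-hosts/$PROXY_ID" \
  | jq --argjson cid "$CERT_ID" --arg d "$DOMAIN" '
      .certificate_id = $cid
      | .ssl_forced = true
      | .domain_names = [$d]
      | del(.owner, .certificate, .access_list)
    ' > "$WORK/upd.json"

# -f: a non-2xx answer aborts the script (via set -e) instead of being printed
# as if it were a success; the error body is not shown in that case.
curl -fsS -X PUT "$API/nginx/proxy-hosts/$PROXY_ID" \
  "${AUTH[@]}" \
  -H "Content-Type: application/json" \
  -d @"$WORK/upd.json" | jq .

echo "Готово. Сертификат подключён к https://$DOMAIN"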