cpswan · April 22, 2024 13:28 · namhikelo · Apr 22, 2024
diff --git a/zerossl-api-certgen.sh b/zerossl-api-certgen.sh
 #!/bin/bash

 # API keys for ZeroSSL and Digital Ocean
 # These particular keys are fake random hex
 ZEROSSL_KEY='0f027ac0f3b24ddb3c4412f11fa1e746'
 DO_KEY='a3e6ee004fd7c352af61f0465765030b5d162acc94c24fdbb42f7a8c81e897a3'

 # Set root domain and take CN from params
 DOMAIN=subdomain.example.com
 CERT_NAME="$1"."$DOMAIN"

 # Create CSR and Private Key
 openssl req -new -newkey rsa:2048 -nodes -out "$CERT_NAME".csr \
            -keyout "$CERT_NAME".key \
            -subj "/C=GB/ST=London/L=London/O=Example/OU=Testing/CN=$CERT_NAME" \
            &>/dev/null

 # Draft certificate at ZeroSSL
 curl -s -X POST https://api.zerossl.com/certificates?access_key="$ZEROSSL_KEY" \
        --data-urlencode certificate_csr@"$CERT_NAME".csr \
        -d certificate_domains="$CERT_NAME" \
        -d certificate_validity_days=90 \
        -o "$CERT_NAME".resp

 # Extract CNAME parameters from ZeroSSL response
 ID=$(< "$CERT_NAME".resp  python3 -c "import sys, json; print(json.load(sys.stdin)['id'])")
 CNAME_HOST=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
        | awk -v RS=',"' -F: '/^cname_validation_p1/ {print $2}' \
        | sed -e 's/"//g' | sed -s s/".$DOMAIN"//g)
 CNAME_ALIAS=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
        | awk -v RS=',"' -F: '/^cname_validation_p2/ {print $2}' \
        | sed -s 's/"//g')

 # jq seemed to be stripping dots out :/ Also it's an extra dependency
 #CNAME_HOST=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p1' "$CERT_NAME".resp \
 #       | sed -s s/".$DOMAIN"//g`
 #CNAME_ALIAS=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p2' "$CERT_NAME".resp`
 echo ID="$ID"
 echo CNAME_HOST="$CNAME_HOST"
 echo CNAME_ALIAS="$CNAME_ALIAS"

 # Add DNS CNAME at Digital Ocean for verification
 curl -s -X POST -H "Content-Type: application/json" \
        -H "Authorization: Bearer $DO_KEY" \
        -d '{"type":"CNAME","name":"'"$CNAME_HOST"'","data":"'"$CNAME_ALIAS"'.","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' \
        https://api.digitalocean.com/v2/domains/"$DOMAIN"/records \
        -o "$CERT_NAME".name

 # Wait for DNS record to propagate
 sleep 30

 # Validate certificate at ZeroSSL
 curl -s -X POST https://api.zerossl.com/certificates/"$ID"/challenges?access_key="$ZEROSSL_KEY" \
        -d validation_method=CNAME_CSR_HASH \
        -o "$CERT_NAME".vald

 # Wait for cert to be issued
 sleep 30

 # Get the cert
 curl -s https://api.zerossl.com/certificates/"$ID"/download/return?access_key="$ZEROSSL_KEY" \
        | jq -r '."certificate.crt"' > "$CERT_NAME".crt

 DNSID=$(< "$CERT_NAME".name python3 -c "import sys, json; print(json.load(sys.stdin)['domain_record']['id'])")
 echo "$DNSID"

 # Delete the verification CNAME
 curl -s -X DELETE -H "Content-Type: application/json" \
        -H "Authorization: Bearer $DO_KEY" \
        https://api.digitalocean.com/v2/domains/"$DOMAIN"/records/"$DNSID"
	#!/bin/bash

	# API keys for ZeroSSL and Digital Ocean
	# These particular keys are fake random hex
	ZEROSSL_KEY='0f027ac0f3b24ddb3c4412f11fa1e746'
	DO_KEY='a3e6ee004fd7c352af61f0465765030b5d162acc94c24fdbb42f7a8c81e897a3'

	# Set root domain and take CN from params
	DOMAIN=subdomain.example.com
	CERT_NAME="$1"."$DOMAIN"

	# Create CSR and Private Key
	openssl req -new -newkey rsa:2048 -nodes -out "$CERT_NAME".csr \
	-keyout "$CERT_NAME".key \
	-subj "/C=GB/ST=London/L=London/O=Example/OU=Testing/CN=$CERT_NAME" \
	&>/dev/null

	# Draft certificate at ZeroSSL
	curl -s -X POST https://api.zerossl.com/certificates?access_key="$ZEROSSL_KEY" \
	--data-urlencode certificate_csr@"$CERT_NAME".csr \
	-d certificate_domains="$CERT_NAME" \
	-d certificate_validity_days=90 \
	-o "$CERT_NAME".resp

	# Extract CNAME parameters from ZeroSSL response
	ID=$(< "$CERT_NAME".resp python3 -c "import sys, json; print(json.load(sys.stdin)['id'])")
	CNAME_HOST=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
	\| awk -v RS=',"' -F: '/^cname_validation_p1/ {print $2}' \
	\| sed -e 's/"//g' \| sed -s s/".$DOMAIN"//g)
	CNAME_ALIAS=$(< "$CERT_NAME".resp sed -e 's/[{}]/''/g' \
	\| awk -v RS=',"' -F: '/^cname_validation_p2/ {print $2}' \
	\| sed -s 's/"//g')

	# jq seemed to be stripping dots out :/ Also it's an extra dependency
	#CNAME_HOST=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p1' "$CERT_NAME".resp \
	# \| sed -s s/".$DOMAIN"//g`
	#CNAME_ALIAS=`jq -r '.validation.other_methods."'"$CERT_NAME"'".cname_validation_p2' "$CERT_NAME".resp`
	echo ID="$ID"
	echo CNAME_HOST="$CNAME_HOST"
	echo CNAME_ALIAS="$CNAME_ALIAS"

	# Add DNS CNAME at Digital Ocean for verification
	curl -s -X POST -H "Content-Type: application/json" \
	-H "Authorization: Bearer $DO_KEY" \
	-d '{"type":"CNAME","name":"'"$CNAME_HOST"'","data":"'"$CNAME_ALIAS"'.","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' \
	https://api.digitalocean.com/v2/domains/"$DOMAIN"/records \
	-o "$CERT_NAME".name

	# Wait for DNS record to propagate
	sleep 30

	# Validate certificate at ZeroSSL
	curl -s -X POST https://api.zerossl.com/certificates/"$ID"/challenges?access_key="$ZEROSSL_KEY" \
	-d validation_method=CNAME_CSR_HASH \
	-o "$CERT_NAME".vald

	# Wait for cert to be issued
	sleep 30

	# Get the cert
	curl -s https://api.zerossl.com/certificates/"$ID"/download/return?access_key="$ZEROSSL_KEY" \
	\| jq -r '."certificate.crt"' > "$CERT_NAME".crt

	DNSID=$(< "$CERT_NAME".name python3 -c "import sys, json; print(json.load(sys.stdin)['domain_record']['id'])")
	echo "$DNSID"

	# Delete the verification CNAME
	curl -s -X DELETE -H "Content-Type: application/json" \
	-H "Authorization: Bearer $DO_KEY" \
	https://api.digitalocean.com/v2/domains/"$DOMAIN"/records/"$DNSID"