  1. #!/usr/bin/perl
  2.  
  3. use Net::ACME;
  4. use Net::ACME::LetsEncrypt;
  5. use Digest::SHA;
  6. use MIME::Base64;
  7.  
  8. $private_key = <<'PEMPRIVATEKEY';
  9. -----BEGIN PRIVATE KEY-----
  10. MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEjxjTheYDlD9c
  11. <***CENSORED***>
  12. bh3IfEEo9vqtRh0Gp26+mSiNEATdEW1z8gzJq2XDnaAUODJ3oLr/ScCkM1awmuYr
  13. cAPUAyJ+B1Ur1bKTgiadKY4=
  14. -----END PRIVATE KEY-----
  15. PEMPRIVATEKEY
  16.  
  17. $stapled_request = <<'LECSRA';
  18. -----BEGIN CERTIFICATE REQUEST-----
  19. MIIDtjCCAp4CAQAwgbAxCzAJBgNVBAYTAlNFMQ0wCwYDVQQIDARub25lMQ0wCwYD
  20. VQQHDARub25lMQ4wDAYDVQQRDAU0MTY0ODEfMB0GA1UECQwWQW5kZXJzIFBlcnNv
  21. bnNnYXRhbiAxOTENMAsGA1UECgwEbm9uZTENMAsGA1UECwwEbm9uZTERMA8GA1UE
  22. AwwIc2ViYmUuZXUxITAfBgkqhkiG9w0BCQEWEnNlYmFzdGlhbkBzZWJiZS5ldTCC
  23. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLqsDt2nzxEFq2bBuPvVwmY
  24. iCd4yoOWEj6ZXYNeERTErvVnbZlQrQxmatUjaSzNiCfRHTlGE/KQzcEGAfVy914s
  25. SDiwAjlla5+gZpWvAihz2mdjgtItJp37oLmx2vTxtyU1kBx9BoayLr0d9gWA0KAk
  26. B2jZNWosRw4hLzV+3Kp+fk/sWvjz00bumweMYwnKn5op/9BzcJiWh1i5sTOsQYAW
  27. YO643MYosGVNSXwq7463SCdX4ShuNOfAXM10ZJsbFGxyiOV+MS4rMKwjgmenNdEK
  28. QzQfj5SN93gXbwJKoxxPQgT5uF9aF15sPQv2JtYnxmsOYVwuebfDSsoYQQI9fKsC
  29. AwEAAaCBvzCBvAYJKoZIhvcNAQkOMYGuMIGrMAkGA1UdEwQCMAAwCwYDVR0PBAQD
  30. AgXgMH4GA1UdEQR3MHWCDWRuczIuc2ViYmUuZXWCDWRuczEuc2ViYmUuZXWCDHd3
  31. dy5zZWJiZS5ldYIQcHJpbnRlci5zZWJiZS5ldYIIc2ViYmUuZXWCDXNtdHAuc2Vi
  32. YmUuZXWCDW1haWwuc2ViYmUuZXWCDWltYXAuc2ViYmUuZXUwEQYIKwYBBQUHARgE
  33. BTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQARvhUMKyOJyTcaE+v5+7JLWeyY5aWo
  34. tc3CW/TL5wVbddTGht0jcpM9GY+Ht5Zrm0Hnsuvlb7/16BtpeONRQo+8zovV6ttu
  35. NowBYoLfK7CwXS6XdRNJaCrI5F2WANG2WuA8FNDDCLob1r2eWOpcDc/h7Qq/Fh2B
  36. +7d+Dqkz+W8qPTrq+gM+jyWGpXAUg+5aQDsHuNu1b48W8QzVniGk9HnbydYAaNvV
  37. U3j+bXrGV0Xq5TrLSHF2JsMEXa2tjO8y/h3ZKx9C8FuiNioto9bkMLBwWWpNG2oz
  38. Y0UdIWK11KuZ5jU46cXojjTGAFxGu0U0XWkHiXTfXR+dSbn16XDwbGM2
  39. -----END CERTIFICATE REQUEST-----
  40. LECSRA
  41.  
  42. $no_request = <<'LECSRB';
  43. -----BEGIN CERTIFICATE REQUEST-----
  44. MIIDozCCAosCAQAwgbAxCzAJBgNVBAYTAlNFMQ0wCwYDVQQIDARub25lMQ0wCwYD
  45. VQQHDARub25lMQ4wDAYDVQQRDAU0MTY0ODEfMB0GA1UECQwWQW5kZXJzIFBlcnNv
  46. bnNnYXRhbiAxOTENMAsGA1UECgwEbm9uZTENMAsGA1UECwwEbm9uZTERMA8GA1UE
  47. AwwIc2ViYmUuZXUxITAfBgkqhkiG9w0BCQEWEnNlYmFzdGlhbkBzZWJiZS5ldTCC
  48. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLqsDt2nzxEFq2bBuPvVwmY
  49. iCd4yoOWEj6ZXYNeERTErvVnbZlQrQxmatUjaSzNiCfRHTlGE/KQzcEGAfVy914s
  50. SDiwAjlla5+gZpWvAihz2mdjgtItJp37oLmx2vTxtyU1kBx9BoayLr0d9gWA0KAk
  51. B2jZNWosRw4hLzV+3Kp+fk/sWvjz00bumweMYwnKn5op/9BzcJiWh1i5sTOsQYAW
  52. YO643MYosGVNSXwq7463SCdX4ShuNOfAXM10ZJsbFGxyiOV+MS4rMKwjgmenNdEK
  53. QzQfj5SN93gXbwJKoxxPQgT5uF9aF15sPQv2JtYnxmsOYVwuebfDSsoYQQI9fKsC
  54. AwEAAaCBrDCBqQYJKoZIhvcNAQkOMYGbMIGYMAkGA1UdEwQCMAAwCwYDVR0PBAQD
  55. AgXgMH4GA1UdEQR3MHWCDWRuczIuc2ViYmUuZXWCDWRuczEuc2ViYmUuZXWCDHd3
  56. dy5zZWJiZS5ldYIQcHJpbnRlci5zZWJiZS5ldYIIc2ViYmUuZXWCDXNtdHAuc2Vi
  57. YmUuZXWCDW1haWwuc2ViYmUuZXWCDWltYXAuc2ViYmUuZXUwDQYJKoZIhvcNAQEL
  58. BQADggEBAFmEd8yVszmp2lCCxXrM/M2/w65XyHnE6uX1YeLsolxwdhSdoHAvAyMw
  59. rdhzY0tUD178K6Q/dpZfw6JssO63HJNUMo/L37XnBSaiYCbPsOhNxDCnZfHrtFKE
  60. Y1lGXWl+8PlyOpLZ2X4jedxCuKhSQ6EEFAw5QApKsoUg9DPniIbwPGJGrkU+BiTg
  61. B3/0Tr5GgHlN1cBoZW1lnCQ0oQi/CNOnhmCUXqQEYNKWRcBdLlal35KdLzOoUb2a
  62. p0kTheszJLGVaeCAIJu2NK3qf8aFgNInvvR2SqWaK92fqG9srTaAQdCNoin41VHA
  63. i4T3WQnGvWUObdFeYkFPj7LSHN34PRI=
  64. -----END CERTIFICATE REQUEST-----
  65. LECSRB
  66.  
  67.  
  68.  
  69. $cert_request = $no_request;
  70.  
  71. #$tos_url = Net::ACME::LetsEncrypt->get_terms_of_service();
  72. $acme = Net::ACME::LetsEncrypt->new( key => $private_key );
  73. #$reg = $acme->register('mailto:sebastian@sebbe.eu');
  74. #$acme->accept_tos( $reg->uri(), $tos_url );
  75. $key_jwk = Net::ACME::Crypt::parse_key($private_key)->get_struct_for_public_jwk();
  76.  
  77. @domains = ('sebbe.eu', 'www.sebbe.eu', 'dns1.sebbe.eu', 'dns2.sebbe.eu', 'printer.sebbe.eu', 'mail.sebbe.eu', 'smtp.sebbe.eu', 'imap.sebbe.eu');
  78.  
  79. foreach $domain (@domains) {
  80.   $authz_p = $acme->start_domain_authz($domain);
  81.   $pollcomplete{$domain} = $authz_p;
  82.   foreach $cmb_ar ( $authz_p->combinations() ) {
  83.     next if @$cmb_ar > 1;
  84.     next if $cmb_ar->[0]->type() ne 'dns-01';
  85.     $kauthz = $cmb_ar->[0]->make_key_authz( $key_jwk );
  86.     $sha = Digest::SHA::sha256($kauthz);
  87.     $b64 = MIME::Base64::encode_base64url($sha);
  88.     print "Creating challenge for $domain\n";
  89.     push(@writechallenges, $domain."!!".$b64);
  90.     push(@pendingcompletion, $cmb_ar->[0]);
  91.   }
  92. }
  93. print "Writing challenges to zone file\n";
  94.  
  95. open(ZONEFILEA, ">/etc/nsd/sebbe.eu.zone.signed");
  96. print ZONEFILEA "";
  97. close(ZONEFILEA);
  98. open(ZONEFILEB, ">/etc/nsd/sebbe.eu.zone");
  99. print ZONEFILEB "";
  100. close(ZONEFILEB);
  101.  
  102. open(ZONETEMPLATE, "/etc/nsd/sebbe.eu.template");
  103. @zonetemp = <ZONETEMPLATE>;
  104. close(ZONETEMPLATE);
  105. open(ZONEFILE, ">/etc/nsd/sebbe.eu.zone");
  106. foreach $zoneline (@zonetemp) {
  107.   print ZONEFILE $zoneline;
  108. }
  109. foreach $challauth (@writechallenges) {
  110.   ($domain, $b64) = split("!!", $challauth);
  111.   print ZONEFILE "_acme-challenge.".$domain.". 3600 IN TXT \"$b64\"\n";
  112. }
  113. close(ZONEFILE);
  114.  
  115. print "Signing DNSSEC data...\n";
  116. $currenttime = time;
  117. $dnssec_expiration = $currenttime + 7776060;
  118. system("ldns-signzone -e ".$dnssec_expiration." /etc/nsd/sebbe.eu.zone /etc/nsd/Ksebbe.eu.+007+14838 /etc/nsd/Ksebbe.eu.+007+47438");
  119. system("service nsd restart");
  120. sleep 1;
  121.  
  122. print "Submitting challenges for validation...\n";
  123. foreach $uchall (@pendingcompletion) {
  124.   $acme->do_challenge($uchall);
  125. }
  126.  
  127. print "Getting validation results...\n";
  128. foreach $dom (keys %pollcomplete) {
  129.   while (1) {
  130.     if ( $pollcomplete{$dom}->is_time_to_poll() ) {
  131.       $poll = $pollcomplete{$dom}->poll();
  132.       last if $poll->status() eq 'valid';
  133.       if ( $poll->status() eq 'invalid' ) {
  134.         die "Failed authorization for \"$dom\"!";
  135.       }
  136.     }
  137.     sleep 1;
  138.   }
  139. }
  140.  
  141.  
  142. print "Generating certificate...\n";
  143. $cert = $acme->get_certificate($cert_request);
  144. while ( !$cert->pem() ) {
  145.   sleep 1;
  146.   next if !$cert->is_time_to_poll();
  147.   $cert = $cert->poll() || $cert;
  148. }
  149.  
  150. print "Writing certificate...\n";
  151. open(CAFILE, "/etc/nsd/cacert.pem");
  152. @cacert = <CAFILE>;
  153. close(CAFILE);
  154.  
  155. open(OCSPFILE, ">/etc/nsd/ocspcert.pem");
  156. open(CERTFILE, ">/etc/nsd/servercert.pem");
  157. open(INSFILE, ">/etc/inspircd/cert.pem");
  158. print CERTFILE $cert->pem();
  159. print OCSPFILE $cert->pem();
  160. print INSFILE $cert->pem();
  161. close(OCSPFILE);
  162. print CERTFILE "\n";
  163. foreach $caline (@cacert) {
  164. print CERTFILE $caline;
  165. print INSFILE $caline;
  166. }
  167. close(CERTFILE);
  168. close(INSFILE);
  169.  
  170.  
  171. print "Refetching OCSP proof...\2";
  172. system("service exim4 stop");
  173. system("openssl ocsp -no_nonce -issuer /etc/nsd/cacert.pem -cert /etc/nsd/ocspcert.pem -VAfile /etc/nsd/cacert.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host=ocsp.int-x3.letsencrypt.org -respout /etc/nsd/ocspfile >> /dev/null");
  174. system("service exim4 start");
  175. system("service nginx restart");
  176. system("service dovecot restart");
  177.  
  178. print "Successfully generated LE certificate!\n";