  1. #!/usr/bin/perl
  2.  
  3. use Net::ACME;
  4. use Net::ACME::LetsEncrypt;
  5. use Digest::SHA;
  6. use MIME::Base64;
  7.  
  8. $private_key = <<'PEMPRIVATEKEY';
  9. -----BEGIN PRIVATE KEY-----
  10. MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEjxjTheYDlD9c
  11. <***CENSORED***>
  12. bh3IfEEo9vqtRh0Gp26+mSiNEATdEW1z8gzJq2XDnaAUODJ3oLr/ScCkM1awmuYr
  13. cAPUAyJ+B1Ur1bKTgiadKY4=
  14. -----END PRIVATE KEY-----
  15. PEMPRIVATEKEY
  16.  
  17. $stapled_request = <<'LECSRA';
  18. -----BEGIN CERTIFICATE REQUEST-----
  19. MIIDtjCCAp4CAQAwgbAxCzAJBgNVBAYTAlNFMQ0wCwYDVQQIDARub25lMQ0wCwYD
  20. VQQHDARub25lMQ4wDAYDVQQRDAU0MTY0ODEfMB0GA1UECQwWQW5kZXJzIFBlcnNv
  21. bnNnYXRhbiAxOTENMAsGA1UECgwEbm9uZTENMAsGA1UECwwEbm9uZTERMA8GA1UE
  22. AwwIc2ViYmUuZXUxITAfBgkqhkiG9w0BCQEWEnNlYmFzdGlhbkBzZWJiZS5ldTCC
  23. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLqsDt2nzxEFq2bBuPvVwmY
  24. iCd4yoOWEj6ZXYNeERTErvVnbZlQrQxmatUjaSzNiCfRHTlGE/KQzcEGAfVy914s
  25. SDiwAjlla5+gZpWvAihz2mdjgtItJp37oLmx2vTxtyU1kBx9BoayLr0d9gWA0KAk
  26. B2jZNWosRw4hLzV+3Kp+fk/sWvjz00bumweMYwnKn5op/9BzcJiWh1i5sTOsQYAW
  27. YO643MYosGVNSXwq7463SCdX4ShuNOfAXM10ZJsbFGxyiOV+MS4rMKwjgmenNdEK
  28. QzQfj5SN93gXbwJKoxxPQgT5uF9aF15sPQv2JtYnxmsOYVwuebfDSsoYQQI9fKsC
  29. AwEAAaCBvzCBvAYJKoZIhvcNAQkOMYGuMIGrMAkGA1UdEwQCMAAwCwYDVR0PBAQD
  30. AgXgMH4GA1UdEQR3MHWCDWRuczIuc2ViYmUuZXWCDWRuczEuc2ViYmUuZXWCDHd3
  31. dy5zZWJiZS5ldYIQcHJpbnRlci5zZWJiZS5ldYIIc2ViYmUuZXWCDXNtdHAuc2Vi
  32. YmUuZXWCDW1haWwuc2ViYmUuZXWCDWltYXAuc2ViYmUuZXUwEQYIKwYBBQUHARgE
  33. BTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQARvhUMKyOJyTcaE+v5+7JLWeyY5aWo
  34. tc3CW/TL5wVbddTGht0jcpM9GY+Ht5Zrm0Hnsuvlb7/16BtpeONRQo+8zovV6ttu
  35. NowBYoLfK7CwXS6XdRNJaCrI5F2WANG2WuA8FNDDCLob1r2eWOpcDc/h7Qq/Fh2B
  36. +7d+Dqkz+W8qPTrq+gM+jyWGpXAUg+5aQDsHuNu1b48W8QzVniGk9HnbydYAaNvV
  37. U3j+bXrGV0Xq5TrLSHF2JsMEXa2tjO8y/h3ZKx9C8FuiNioto9bkMLBwWWpNG2oz
  38. Y0UdIWK11KuZ5jU46cXojjTGAFxGu0U0XWkHiXTfXR+dSbn16XDwbGM2
  39. -----END CERTIFICATE REQUEST-----
  40. LECSRA
  41.  
  42. $no_request = <<'LECSRB';
  43. -----BEGIN CERTIFICATE REQUEST-----
  44. MIIDozCCAosCAQAwgbAxCzAJBgNVBAYTAlNFMQ0wCwYDVQQIDARub25lMQ0wCwYD
  45. VQQHDARub25lMQ4wDAYDVQQRDAU0MTY0ODEfMB0GA1UECQwWQW5kZXJzIFBlcnNv
  46. bnNnYXRhbiAxOTENMAsGA1UECgwEbm9uZTENMAsGA1UECwwEbm9uZTERMA8GA1UE
  47. AwwIc2ViYmUuZXUxITAfBgkqhkiG9w0BCQEWEnNlYmFzdGlhbkBzZWJiZS5ldTCC
  48. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLqsDt2nzxEFq2bBuPvVwmY
  49. iCd4yoOWEj6ZXYNeERTErvVnbZlQrQxmatUjaSzNiCfRHTlGE/KQzcEGAfVy914s
  50. SDiwAjlla5+gZpWvAihz2mdjgtItJp37oLmx2vTxtyU1kBx9BoayLr0d9gWA0KAk
  51. B2jZNWosRw4hLzV+3Kp+fk/sWvjz00bumweMYwnKn5op/9BzcJiWh1i5sTOsQYAW
  52. YO643MYosGVNSXwq7463SCdX4ShuNOfAXM10ZJsbFGxyiOV+MS4rMKwjgmenNdEK
  53. QzQfj5SN93gXbwJKoxxPQgT5uF9aF15sPQv2JtYnxmsOYVwuebfDSsoYQQI9fKsC
  54. AwEAAaCBrDCBqQYJKoZIhvcNAQkOMYGbMIGYMAkGA1UdEwQCMAAwCwYDVR0PBAQD
  55. AgXgMH4GA1UdEQR3MHWCDWRuczIuc2ViYmUuZXWCDWRuczEuc2ViYmUuZXWCDHd3
  56. dy5zZWJiZS5ldYIQcHJpbnRlci5zZWJiZS5ldYIIc2ViYmUuZXWCDXNtdHAuc2Vi
  57. YmUuZXWCDW1haWwuc2ViYmUuZXWCDWltYXAuc2ViYmUuZXUwDQYJKoZIhvcNAQEL
  58. BQADggEBAFmEd8yVszmp2lCCxXrM/M2/w65XyHnE6uX1YeLsolxwdhSdoHAvAyMw
  59. rdhzY0tUD178K6Q/dpZfw6JssO63HJNUMo/L37XnBSaiYCbPsOhNxDCnZfHrtFKE
  60. Y1lGXWl+8PlyOpLZ2X4jedxCuKhSQ6EEFAw5QApKsoUg9DPniIbwPGJGrkU+BiTg
  61. B3/0Tr5GgHlN1cBoZW1lnCQ0oQi/CNOnhmCUXqQEYNKWRcBdLlal35KdLzOoUb2a
  62. p0kTheszJLGVaeCAIJu2NK3qf8aFgNInvvR2SqWaK92fqG9srTaAQdCNoin41VHA
  63. i4T3WQnGvWUObdFeYkFPj7LSHN34PRI=
  64. -----END CERTIFICATE REQUEST-----
  65. LECSRB
  66.  
  67. $cert_request = $no_request;
  68.  
  69. #$tos_url = Net::ACME::LetsEncrypt->get_terms_of_service();
  70. $acme = Net::ACME::LetsEncrypt->new( key => $private_key );
  71. #$reg = $acme->register('mailto:[email protected]');
  72. #$acme->accept_tos( $reg->uri(), $tos_url );
  73. $key_jwk = Net::ACME::Crypt::parse_key($private_key)->get_struct_for_public_jwk();
  74.  
  75. @domains = ('sebbe.eu', 'www.sebbe.eu', 'dns1.sebbe.eu', 'dns2.sebbe.eu', 'printer.sebbe.eu', 'mail.sebbe.eu', 'smtp.sebbe.eu', 'imap.sebbe.eu');
  76.  
  77. foreach $domain (@domains) {
  78.   $authz_p = $acme->start_domain_authz($domain);
  79.   $pollcomplete{$domain} = $authz_p;
  80.   foreach $cmb_ar ( $authz_p->combinations() ) {
  81.     next if @$cmb_ar > 1;
  82.     next if $cmb_ar->[0]->type() ne 'dns-01';
  83.     $kauthz = $cmb_ar->[0]->make_key_authz( $key_jwk );
  84.     $sha = Digest::SHA::sha256($kauthz);
  85.     $b64 = MIME::Base64::encode_base64url($sha);
  86.     print "Creating challenge for $domain\n";
  87.     push(@writechallenges, $domain."!!".$b64);
  88.     push(@pendingcompletion, $cmb_ar->[0]);
  89.   }
  90. }
  91.  
  92. print "Writing challenges to zone file\n";
  93. open(ZONEFILEA, ">/etc/nsd/sebbe.eu.zone.signed");
  94. print ZONEFILEA "";
  95. close(ZONEFILEA);
  96. open(ZONEFILEB, ">/etc/nsd/sebbe.eu.zone");
  97. print ZONEFILEB "";
  98. close(ZONEFILEB);
  99.  
  100. open(ZONETEMPLATE, "/etc/nsd/sebbe.eu.template");
  101. @zonetemp = <ZONETEMPLATE>;
  102. close(ZONETEMPLATE);
  103. open(ZONEFILE, ">/etc/nsd/sebbe.eu.zone");
  104. foreach $zoneline (@zonetemp) {
  105.   print ZONEFILE $zoneline;
  106. }
  107. foreach $challauth (@writechallenges) {
  108.   ($domain, $b64) = split("!!", $challauth);
  109.   print ZONEFILE "_acme-challenge.".$domain.". 1 IN TXT \"$b64\"\n";
  110. }
  111. close(ZONEFILE);
  112.  
  113. print "Signing DNSSEC data...\n";
  114. $currenttime = time;
  115. $dnssec_expiration = $currenttime + 7776060;
  116. system("ldns-signzone -e ".$dnssec_expiration." /etc/nsd/sebbe.eu.zone /etc/nsd/Ksebbe.eu.+007+14838 /etc/nsd/Ksebbe.eu.+007+47438");
  117. system("service nsd restart");
  118. print "Submitting challenges for validation...\n";
  119. foreach $uchall (@pendingcompletion) {
  120.   $acme->do_challenge($uchall);
  121.   sleep 1
  122. }
  123.  
  124. print "Getting validation results...\n";
  125. foreach $dom (keys %pollcomplete) {
  126.   while (1) {
  127.     if ( $pollcomplete{$dom}->is_time_to_poll() ) {
  128.       $poll = $pollcomplete{$dom}->poll();
  129.       $uri = $pollcomplete{$dom}->uri;
  130.       last if $poll->status() eq 'valid';
  131.       if ( $poll->status() eq 'invalid' ) {
  132.         die "Failed authorization for \"$dom\"! (URI: $uri )";
  133.       }
  134.     }
  135.     sleep 5;
  136.   }
  137. }
  138.  
  139.  
  140. print "Generating certificate...\n";
  141. $cert = $acme->get_certificate($cert_request);
  142. while ( !$cert->pem() ) {
  143.   sleep 1;
  144.   next if !$cert->is_time_to_poll();
  145.   $cert = $cert->poll() || $cert;
  146. }
  147.  
  148. print "Writing certificate...\n";
  149. open(CAFILE, "/etc/nsd/cacert.pem");
  150. @cacert = <CAFILE>;
  151. close(CAFILE);
  152.  
  153. open(OCSPFILE, ">/etc/nsd/ocspcert.pem");
  154. open(CERTFILE, ">/etc/nsd/servercert.pem");
  155. open(INSFILE, ">/etc/inspircd/cert.pem");
  156. print CERTFILE $cert->pem();
  157. print OCSPFILE $cert->pem();
  158. print INSFILE $cert->pem();
  159. close(OCSPFILE);
  160. print CERTFILE "\n";
  161. foreach $caline (@cacert) {
  162. print CERTFILE $caline;
  163. print INSFILE $caline;
  164. }
  165. close(CERTFILE);
  166. close(INSFILE);
  167.  
  168.  
  169. print "Refetching OCSP proof...\2";
  170. system("service exim4 stop");
  171. system("openssl ocsp -no_nonce -issuer /etc/nsd/cacert.pem -cert /etc/nsd/ocspcert.pem -VAfile /etc/nsd/cacert.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host=ocsp.int-x3.letsencrypt.org -respout /etc/nsd/ocspfile >> /dev/null");
  172. print "Restarting services...\n";
  173. system("service exim4 start");
  174. system("service nginx restart");
  175. system("service dovecot restart");
  176.  
  177. print "Successfully generated LE certificate!\n";