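#!/bin/bash
# Certificate management script with Certbot and RFC2136.
#
# Issues a certificate for DOMAIN via the certbot/dns-rfc2136 container,
# passing the TSIG key through a short-lived credentials file that is
# bind-mounted read-only into the container and removed on every exit path.
#
# Configuration may be supplied via environment variables of the same name;
# the literal defaults below are placeholders. Prefer exporting KEY_SECRET
# from the environment (or a secrets manager) instead of editing this file,
# so the TSIG secret does not live in version control.
set -euo pipefail

DOMAIN=${DOMAIN:-'*.example.com'}                 # Replace with your domain
EMAIL=${EMAIL:-'your-email@example.com'}          # Replace with your email for notifications
DNS_SERVER=${DNS_SERVER:-'10.0.0.1'}              # Replace with your DNS server IP
KEY_NAME=${KEY_NAME:-'your-key-name'}             # Must match the key name on your DNS server
KEY_SECRET=${KEY_SECRET:-'your-base64-secret'}    # Base64 encoded secret
KEY_ALGORITHM=${KEY_ALGORITHM:-'HMAC-SHA512'}     # or HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384
PROPAGATION_SECONDS=${PROPAGATION_SECONDS:-20}    # Time to wait for DNS propagation
LETSENCRYPT_DIR=${LETSENCRYPT_DIR:-"$PWD/letsencrypt"} # Host directory persisted as /etc/letsencrypt

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

command -v docker >/dev/null 2>&1 || die "docker is not installed or not on PATH"
(( PROPAGATION_SECONDS >= 0 )) || die "PROPAGATION_SECONDS must be a non-negative integer"

# Create temporary rfc2136 credentials file on host.
# mktemp creates the file with mode 0600; umask 077 additionally guards the
# brief window in which the here-doc writes into it.
umask 077
TMP_CREDS=$(mktemp) || die "mktemp failed"

#######################################
# Remove the credentials file. Registered on EXIT so the TSIG secret is not
# left on disk if docker fails, the script is interrupted, or set -e fires.
#######################################
cleanup() {
  rm -f -- "${TMP_CREDS:?}"
}
trap cleanup EXIT

cat > "$TMP_CREDS" <<EOF
dns_rfc2136_server = $DNS_SERVER
dns_rfc2136_name = $KEY_NAME
dns_rfc2136_secret = $KEY_SECRET
dns_rfc2136_algorithm = $KEY_ALGORITHM
EOF
chmod 600 "$TMP_CREDS"
printf 'Created temporary credentials file: %s\n' "$TMP_CREDS"

# Only allocate a TTY when we actually have one; '-t' makes docker fail when
# the script runs from cron or another non-interactive context.
tty_args=()
if [[ -t 0 ]]; then
  tty_args=(-it)
fi

# Docker bind mounts need an absolute host path; $PWD/letsencrypt keeps the
# original "./letsencrypt" layout relative to where the script is invoked.
mkdir -p -- "$LETSENCRYPT_DIR"

printf 'Issuing new certificate for %s with Certbot (RFC2136)...\n' "$DOMAIN"
docker run --rm "${tty_args[@]}" \
  -v "$LETSENCRYPT_DIR:/etc/letsencrypt" \
  -v "$TMP_CREDS:/tmp/rfc2136.ini:ro" \
  certbot/dns-rfc2136 \
  certonly \
  --dns-rfc2136 \
  --dns-rfc2136-credentials /tmp/rfc2136.ini \
  --dns-rfc2136-propagation-seconds "$PROPAGATION_SECONDS" \
  --email "$EMAIL" \
  --agree-tos \
  --non-interactive \
  -d "$DOMAIN" \
  || die "certbot failed for $DOMAIN (credentials file removed on exit)"

# Explicit cleanup for the success path; the EXIT trap covers all others.
cleanup
trap - EXIT
printf 'Cleaned up temporary credentials file\n'
printf 'Done!\n'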