Automating AD cert migration on trigger

Sorry I’ve been absent for a while and just found time to set up and migrate to NS8. I’ve got most of it done, including the Samba cert from LE, but I’m now trying to

Out of curiosity, if I were to create a script to automate the process, say something like:

#!/usr/bin/bash
# Copy the Let's Encrypt certificate Traefik obtained for the DC into the
# Samba DC module's TLS volume and restart Samba so it picks it up.
set -euo pipefail

TLS=/home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls
ACME=/home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json
DUMP=~/dump/dc1.ad.ksatdesign.com.au

# Keep the pair currently in use so the change can be rolled back
mv "$TLS/cert.pem" "$TLS/cert.pem.bkp"
mv "$TLS/key.pem" "$TLS/key.pem.bkp"

# Extract cert and key for every domain in Traefik's acme.json into ~/dump/<domain>/
~/traefik-certs-dumper file --source "$ACME" --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2

cp "$DUMP/certificate.pem" "$TLS/cert.pem"
cp "$DUMP/privatekey.pem" "$TLS/key.pem"

# cp creates the copies with the caller's umask; the private key must not be world-readable
chown samba1:samba1 "$TLS"/*.pem
chmod 600 "$TLS/key.pem"

runagent -m samba1 systemctl --user restart samba-dc

How could I have it trigger on the certificate renewal?

1 Like

Hi @Shane_Treweek,

The dev manual gives some pointers about certificates and events.

The script needs root permissions, so to just make it work I’d put it in the node’s events. Create a file /var/lib/nethserver/node/events/certificate-updated/10sambacert that contains your script. The directory certificate-updated needs to be created.

Make it executable:

chmod +x /var/lib/nethserver/node/events/certificate-updated/10sambacert

You could add some echo output to the script; it’s written to the logs, so you can check if it ran correctly.

I’m not sure if this method still works after an update, and maybe there’s a way to use 2 events inside the containers (rootless) for better security, but I hope it’s a starting point.

3 Likes
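As an added example (not code from the original post or from NS8), this is what the event step at /var/lib/nethserver/node/events/certificate-updated/10sambacert could look like once hardened along the lines Markus suggests: it echoes what it did for the node log, only touches Samba when the dumped certificate actually differs from the one in use, writes key and cert with the final owner and mode set before they are renamed into place, and keeps the previous pair for rollback. The volume paths, the samba1/traefik1 module names, the runagent restart and the domain are taken from the original post; the DUMPER, DUMP and OWNER variables and the basename guard at the bottom are my assumptions.

```shell
#!/usr/bin/bash
# Hypothetical hardened handler for
# /var/lib/nethserver/node/events/certificate-updated/10sambacert
# Added example, not code from the original post or from NS8. Paths, module
# names and the domain come from the post; DUMPER, DUMP, OWNER and the
# basename guard at the bottom are assumptions.
set -eu

TLS=${TLS:-/home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls}
ACME=${ACME:-/home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json}
DUMPER=${DUMPER:-${HOME:-/root}/traefik-certs-dumper}
DUMP=${DUMP:-${HOME:-/root}/dump}
DOMAIN=${DOMAIN:-dc1.ad.ksatdesign.com.au}
OWNER=${OWNER:-samba1:samba1}   # user:group of the rootless samba1 module

# Anything echoed by an event step ends up in the node log, so say what happened.
log() { echo "10sambacert: $*"; }

# Succeeds when $new differs from $current (or $current does not exist yet).
cert_changed() {
  new=$1 current=$2
  [ -f "$current" ] || return 0
  ! cmp -s "$new" "$current"
}

# Write $src next to $dst with the final mode and owner already applied, then
# rename it into place, so a reader never sees a half-written or world-readable file.
install_file() {
  src=$1 dst=$2 mode=$3
  install -m "$mode" "$src" "$dst.new"
  chown "$OWNER" "$dst.new"
  mv -f "$dst.new" "$dst"
}

main() {
  "$DUMPER" file --source "$ACME" --dest "$DUMP" --domain-subdir \
    --crt-ext=.pem --key-ext=.pem --version v2
  crt=$DUMP/$DOMAIN/certificate.pem
  key=$DUMP/$DOMAIN/privatekey.pem

  if ! cert_changed "$crt" "$TLS/cert.pem"; then
    log "certificate for $DOMAIN unchanged, not restarting samba-dc"
    return 0
  fi

  # Keep the previous pair for rollback. Samba reads the files only at
  # (re)start, so the order of the two installs does not matter.
  [ ! -f "$TLS/cert.pem" ] || cp -p "$TLS/cert.pem" "$TLS/cert.pem.bkp"
  [ ! -f "$TLS/key.pem" ] || cp -p "$TLS/key.pem" "$TLS/key.pem.bkp"
  install_file "$key" "$TLS/key.pem" 0600
  install_file "$crt" "$TLS/cert.pem" 0644
  runagent -m samba1 systemctl --user restart samba-dc
  log "installed new certificate for $DOMAIN and restarted samba-dc"
}

# Act only when running as the installed event step; sourcing the file
# just loads the functions, which is handy for testing them.
case "${0##*/}" in
  10sambacert) main "$@" ;;
esac
```

Run as root by the node's event dispatcher it behaves like the original script; the difference a practitioner cares about is that a renewal that did not change the DC's certificate (acme.json is rewritten for every domain Traefik manages) no longer restarts the domain controller, and the key never exists on disk as a mode 0644 copy.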

Thanks, I’ll test it and post the results.

It’s definitely a start. I’ll look into making it persistent and more secure.

3 Likes

Yes it works, thank you Markus.

Adding custom executable scripts as event and action steps is possible and does not conflict with module updates. However, they are not included in backups.

For the future, I’d like to develop an authenticated HTTP API to distribute certificates outside of the cluster. This would allow external systems to import NS8 certificates using a simple cron job.

4 Likes

Really nice thinking!

My 2 cents
Andy

1 Like

Also, I was thinking (my idea is not in a concrete form yet, but I thought I’d put it down as a starting point):

Somehow a module that uses the Cloudflare API to add a DNS record. I did make a script for it, but the main idea would be something like this:

The module has fields on its settings page in NS8 to enter token, email, subdomain, IP and record type*; it creates my script with those values and runs it, creating the entry in Cloudflare.

*Note:

  • maybe have a drop-down menu for record type that changes the options asked for, like an A record as above,
  • CNAME with subdomain and target,
  • TXT records with appropriate fields, etc.

Could also make something similar for OPNsense.
1 Like