feat(vm201): wildcard *.roa auto-renew via cPanel DNS-01 hook
Fix expirare cert wildcard *.roa.romfast.ro (incident 2026-05-31): renewal-ul era [Manual] DNS-01, nu rula din Scheduled Task -> 61 erori -> expirat. Subdomeniile Dokploy (efactura.roa etc.) dadeau ERR_CERT_DATE_INVALID. - cpanel-acme-dns.ps1: hook win-ACME DNS-01 (cPanel UAPI mass_edit_zone, fallback ZoneEdit) care pune/sterge TXT _acme-challenge automat - cpanel-dns.config.example.json: template (token-ul real e gitignored) - monitor-ssl-certificates.sh: sentinel efactura.roa (wildcard) + alerta in loc de auto-renew prin guest-exec (dezactivat) - README + doc cert: flux DNS-01 cPanel + acces OpenSSH VM 201 Renewal nou roa-wildcard-cpanel, auto, due 2026-08-19; vechiul [Manual] anulat. Cert live valid pana 2026-09-23. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
192
proxmox/vm201-windows/scripts/cpanel-acme-dns.ps1
Normal file
192
proxmox/vm201-windows/scripts/cpanel-acme-dns.ps1
Normal file
@@ -0,0 +1,192 @@
|
||||
<#
|
||||
.SYNOPSIS
|
||||
win-acme DNS-01 validation hook for cPanel-hosted zones (hosting.com).
|
||||
|
||||
.DESCRIPTION
|
||||
Creates / deletes the _acme-challenge TXT record via the cPanel API so the
|
||||
wildcard certificate *.roa.romfast.ro renews FULLY UNATTENDED (no manual TXT).
|
||||
|
||||
Replaces the old "[Manual]" validation of the wildcard renewal in win-acme,
|
||||
which could not run from the scheduled task and accumulated 60+ errors until
|
||||
the certificate expired (incident 2026-05-31, see README).
|
||||
|
||||
Authentication uses a cPanel API token (cPanel -> Manage API Tokens), passed
|
||||
as the header: Authorization: cpanel <USER>:<TOKEN>
|
||||
|
||||
Modern panels (cPanel & WHM v90+) -> UAPI DNS::mass_edit_zone (default).
|
||||
Legacy panels (only API2 ZoneEdit) -> set "LegacyZoneEdit": true in config.
|
||||
|
||||
.PARAMETER Action
|
||||
create | delete (win-acme calls the script once for each)
|
||||
|
||||
.PARAMETER RecordName
|
||||
Full record name, e.g. _acme-challenge.roa.romfast.ro (win-acme {RecordName})
|
||||
|
||||
.PARAMETER Token
|
||||
TXT value to publish, supplied by the ACME server (win-acme {Token})
|
||||
|
||||
.NOTES
|
||||
Place on VM 201 at: C:\Tools\win-acme\cpanel-acme-dns.ps1
|
||||
Credentials live in: C:\Tools\win-acme\cpanel-dns.config.json (NEVER commit)
|
||||
Template: cpanel-dns.config.example.json
|
||||
|
||||
Configure the renewal with "wacs.exe" (as Administrator):
|
||||
M -> Create renewal (full options)
|
||||
Source: Manual -> *.roa.romfast.ro
|
||||
Validation: dns-01 -> "Create verification records with your own script"
|
||||
Run create: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
|
||||
Create args : create {RecordName} {Token}
|
||||
Run delete: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
|
||||
Delete args : delete {RecordName} {Token}
|
||||
Store: Windows Certificate Store (My)
|
||||
Installation: IIS -> site "roa-apps" (re-binds the cert automatically)
|
||||
|
||||
Manual test before wiring into win-acme:
|
||||
.\cpanel-acme-dns.ps1 create _acme-challenge.roa.romfast.ro testvalue123
|
||||
(check the TXT appears in cPanel Zone Editor, then:)
|
||||
.\cpanel-acme-dns.ps1 delete _acme-challenge.roa.romfast.ro testvalue123
|
||||
#>
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory)][ValidateSet('create', 'delete')][string]$Action,
|
||||
[Parameter(Mandatory)][string]$RecordName,
|
||||
[Parameter(Mandatory)][string]$Token
|
||||
)
|
||||
|
||||
$ErrorActionPreference = 'Stop'
|
||||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||
|
||||
# --- load config -----------------------------------------------------------
|
||||
$cfgPath = Join-Path $PSScriptRoot 'cpanel-dns.config.json'
|
||||
if (-not (Test-Path $cfgPath)) {
|
||||
throw "Missing config: $cfgPath (copy cpanel-dns.config.example.json and fill it in)"
|
||||
}
|
||||
$cfg = Get-Content $cfgPath -Raw | ConvertFrom-Json
|
||||
|
||||
# Tolerate Hostname pasted as a URL ("https://host/cpanel", "host:2083", ...):
|
||||
# keep only the bare hostname.
|
||||
$cpHost = ($cfg.Hostname -replace '^\s*https?://', '') -replace '/.*$', '' -replace ':\d+\s*$', ''
|
||||
$cpPort = if ($cfg.Port) { $cfg.Port } else { 2083 }
|
||||
$cpUser = $cfg.User
|
||||
$cpTok = $cfg.ApiToken
|
||||
$ttl = if ($cfg.Ttl) { [int]$cfg.Ttl } else { 300 }
|
||||
$legacy = [bool]$cfg.LegacyZoneEdit
|
||||
|
||||
if (-not $cpHost -or -not $cpUser -or -not $cpTok) {
|
||||
throw "Config incomplete: Hostname, User and ApiToken are required in $cfgPath"
|
||||
}
|
||||
|
||||
$headers = @{ Authorization = "cpanel ${cpUser}:${cpTok}" }
|
||||
$base = "https://${cpHost}:${cpPort}"
|
||||
$dname = $RecordName.TrimEnd('.') + '.' # cPanel wants FQDN with trailing dot
|
||||
|
||||
function Invoke-Uapi {
|
||||
param([string]$Module, [string]$Func, [hashtable]$Params)
|
||||
$qs = ($Params.GetEnumerator() | ForEach-Object {
|
||||
"$($_.Key)=$([uri]::EscapeDataString([string]$_.Value))"
|
||||
}) -join '&'
|
||||
$uri = "$base/execute/$Module/$Func"
|
||||
if ($qs) { $uri += "?$qs" }
|
||||
$r = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
|
||||
if ($r.errors) { throw "cPanel UAPI ${Module}::${Func} -> $($r.errors -join '; ')" }
|
||||
return $r
|
||||
}
|
||||
|
||||
# Find the apex zone managed by cPanel that the record belongs to.
|
||||
# _acme-challenge.roa.romfast.ro -> tries roa.romfast.ro, then romfast.ro
|
||||
function Resolve-Zone {
|
||||
param([string]$fqdn)
|
||||
$labels = $fqdn.TrimEnd('.').Split('.')
|
||||
for ($i = 1; $i -le $labels.Count - 2; $i++) {
|
||||
$cand = ($labels[$i..($labels.Count - 1)]) -join '.'
|
||||
try {
|
||||
$r = Invoke-Uapi 'DNS' 'parse_zone' @{ zone = $cand }
|
||||
if ($r.data) { return [pscustomobject]@{ Zone = $cand; Data = $r.data } }
|
||||
}
|
||||
catch { }
|
||||
}
|
||||
throw "No cPanel-managed zone found for $fqdn"
|
||||
}
|
||||
|
||||
function Get-ZoneSerial {
|
||||
param($zoneData)
|
||||
foreach ($l in $zoneData) {
|
||||
if ($l.type -eq 'record' -and $l.record_type -eq 'SOA') {
|
||||
$vals = $l.data_b64 | ForEach-Object {
|
||||
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))
|
||||
}
|
||||
return [int64]$vals[2] # SOA: primary, hostmaster, SERIAL, refresh, ...
|
||||
}
|
||||
}
|
||||
throw 'SOA serial not found in parsed zone'
|
||||
}
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Legacy path: cPanel API2 ZoneEdit (only if panel lacks UAPI DNS module)
|
||||
# ---------------------------------------------------------------------------
|
||||
if ($legacy) {
|
||||
$z = Resolve-Zone $RecordName
|
||||
$name = $RecordName.TrimEnd('.')
|
||||
if ($Action -eq 'create') {
|
||||
$uri = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
|
||||
"&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=add_zone_record" +
|
||||
"&domain=$($z.Zone)&name=$([uri]::EscapeDataString($name))&type=TXT" +
|
||||
"&txtdata=$([uri]::EscapeDataString($Token))&ttl=$ttl"
|
||||
$r = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
|
||||
if ($r.cpanelresult.error) { throw $r.cpanelresult.error }
|
||||
Write-Host "[create] TXT $name added to $($z.Zone) (legacy ZoneEdit)"
|
||||
}
|
||||
else {
|
||||
$look = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
|
||||
"&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$($z.Zone)&type=TXT"
|
||||
$r = Invoke-RestMethod -Uri $look -Headers $headers -Method Get
|
||||
$hits = @($r.cpanelresult.data | Where-Object {
|
||||
($_.name.TrimEnd('.') -eq $name) -and ($_.txtdata -eq $Token)
|
||||
} | Sort-Object { [int]$_.line } -Descending)
|
||||
foreach ($rec in $hits) {
|
||||
$del = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
|
||||
"&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=remove_zone_record&domain=$($z.Zone)&line=$($rec.line)"
|
||||
Invoke-RestMethod -Uri $del -Headers $headers -Method Get | Out-Null
|
||||
Write-Host "[delete] TXT line $($rec.line) removed from $($z.Zone) (legacy ZoneEdit)"
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Modern path: UAPI DNS::mass_edit_zone (serial-checked, atomic)
|
||||
# ---------------------------------------------------------------------------
|
||||
if ($Action -eq 'create') {
|
||||
$z = Resolve-Zone $RecordName
|
||||
$serial = Get-ZoneSerial $z.Data
|
||||
# mass_edit_zone wants 'add' as a raw JSON record object (NOT base64).
|
||||
$rec = @{ dname = $dname; ttl = $ttl; record_type = 'TXT'; data = @($Token) } | ConvertTo-Json -Compress
|
||||
Invoke-Uapi 'DNS' 'mass_edit_zone' @{ zone = $z.Zone; serial = $serial; add = $rec } | Out-Null
|
||||
Write-Host "[create] TXT $dname = $Token added to zone $($z.Zone)"
|
||||
}
|
||||
else {
|
||||
# Re-parse before each removal: line_index and serial shift after every edit.
|
||||
for ($pass = 0; $pass -lt 10; $pass++) {
|
||||
$z = Resolve-Zone $RecordName
|
||||
$serial = Get-ZoneSerial $z.Data
|
||||
# parse_zone returns names RELATIVE to the zone (e.g. "_acme-challenge.roa"),
|
||||
# so match against both the absolute and the zone-relative form.
|
||||
$want = $RecordName.TrimEnd('.')
|
||||
$wantRel = $want -replace ('\.' + [regex]::Escape($z.Zone) + '$'), ''
|
||||
$idx = $null
|
||||
foreach ($l in $z.Data) {
|
||||
if ($l.type -eq 'record' -and $l.record_type -eq 'TXT') {
|
||||
$n = ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($l.dname_b64))).TrimEnd('.')
|
||||
$d = $l.data_b64 | ForEach-Object {
|
||||
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))
|
||||
}
|
||||
if ((($n -eq $want) -or ($n -eq $wantRel)) -and ($d -contains $Token)) {
|
||||
$idx = $l.line_index; break
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($null -eq $idx) { break }
|
||||
Invoke-Uapi 'DNS' 'mass_edit_zone' @{ zone = $z.Zone; serial = $serial; remove = $idx } | Out-Null
|
||||
Write-Host "[delete] TXT line $idx removed from zone $($z.Zone)"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"_comment": "Copy to cpanel-dns.config.json on VM 201 (C:\\Tools\\win-acme\\). NEVER commit the real file - it holds the cPanel API token.",
|
||||
"Hostname": "your-server.hosting.com",
|
||||
"Port": 2083,
|
||||
"User": "cpanel_account_username",
|
||||
"ApiToken": "PASTE_CPANEL_API_TOKEN_HERE",
|
||||
"Ttl": 300,
|
||||
"LegacyZoneEdit": false
|
||||
}
|
||||
@@ -13,15 +13,22 @@ LOG_FILE="/var/log/ssl-monitor.log"
|
||||
EMAIL_TO="root" # Proxmox trimite la adresa configurata
|
||||
|
||||
# Domenii de verificat
|
||||
# NOTA: efactura.roa.romfast.ro este un SENTINEL pentru certificatul wildcard
|
||||
# *.roa.romfast.ro. Wildcardul nu poate fi testat direct, asa ca verificam
|
||||
# un subdomeniu real acoperit de el. Site ID "WILDCARD" => doar ALERTA,
|
||||
# fara auto-renew (wildcardul e DNS-01, reinnoit de cpanel-acme-dns.ps1 pe
|
||||
# VM 201; auto-renew prin guest-exec nu mai functioneaza - exec dezactivat).
|
||||
# Context: incident expirare wildcard 2026-05-31 (vezi README VM 201).
|
||||
DOMAINS=(
|
||||
"roa.romfast.ro"
|
||||
"dokploy.romfast.ro"
|
||||
"gitea.romfast.ro"
|
||||
"roa2web.romfast.ro"
|
||||
"efactura.roa.romfast.ro"
|
||||
)
|
||||
|
||||
# Site IDs pentru fiecare domeniu (in aceeasi ordine)
|
||||
SITE_IDS=(1 2 3 4)
|
||||
SITE_IDS=(1 2 3 4 "WILDCARD")
|
||||
|
||||
log() {
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
|
||||
@@ -52,6 +59,14 @@ force_renew_certificate() {
|
||||
local site_id=$1
|
||||
local domain=$2
|
||||
|
||||
# Wildcard (*.roa) = DNS-01, reinnoit automat de cpanel-acme-dns.ps1 pe VM 201.
|
||||
# Nu incercam auto-renew aici (nu e HTTP-01/siteid si guest-exec e dezactivat) -
|
||||
# doar semnalam ca a expirat ca sa intervina cineva pe VM 201.
|
||||
if ! [[ "$site_id" =~ ^[0-9]+$ ]]; then
|
||||
log "ALERTA: $domain (wildcard *.roa) necesita interventie manuala pe VM 201 - verifica renewal-ul win-acme cu validare cPanel (cpanel-acme-dns.ps1)"
|
||||
return 1
|
||||
fi
|
||||
|
||||
log "Fortez reinstalare certificat pentru $domain (Site ID: $site_id)..."
|
||||
|
||||
# Executa pe VM 201 prin Proxmox guest agent
|
||||
|
||||
Reference in New Issue
Block a user