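#!/bin/bash
#
# =================================================================
# SSL Certificate Setup Script (Let's Encrypt)
# =================================================================
# This script is called from the main setup script.
# It handles:
# - Installing certbot (plus net-tools, dnsutils and curl) via apt-get.
# - Verifying that the domain's A record points at this server's
#   public IPv4 address.
# - Obtaining an SSL certificate from Let's Encrypt with the standalone
#   HTTP-01 challenge on port 80.
# - Setting up automatic renewal through a /etc/cron.d entry.
#
# Requirements: run as root on an apt-based system with an interactive
# terminal (domain and e-mail are read from stdin).
# =================================================================
# Exit on any error, and treat expansion of an unset variable as an
# error so a mistyped variable name cannot silently become an empty
# argument on a certbot/ufw/cron command line.
set -eu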
# Report whether a command name resolves in the current shell (binary on
# PATH, builtin, function or alias). Output is discarded; only the exit
# status matters.
# Arguments: $1 - command name
# Returns:   0 if it resolves, non-zero otherwise
command_exists() {
  local name=$1
  if command -v "$name" &>/dev/null; then
    return 0
  fi
  return 1
}
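# Abort unless running as root: apt-get, certbot, ufw and writing to
# /etc/cron.d all require it. The message goes to stderr so it is not
# swallowed when a caller captures stdout.
# Globals: EUID (read)
# Returns: 0 when root; exits the script with status 1 otherwise
check_root() {
  if (( EUID != 0 )); then
    echo "Please run as root" >&2
    exit 1
  fi
}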
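# Check whether anything is already listening on port 80, which the
# certbot standalone HTTP-01 challenge needs for itself.
# Outputs: diagnostics on stderr when the port is busy
# Returns: 0 if port 80 is free, 1 if it is in use
check_port_80() {
  # netstat comes from net-tools, which this script installs.
  if ! netstat -tuln | grep -q ':80 '; then
    return 0
  fi

  # lsof is NOT installed by this script and may be absent. The port is
  # reported as busy regardless: previously an empty PID list made this
  # function return 0, and the certbot challenge then failed later.
  local -a pids=()
  if command -v lsof >/dev/null 2>&1; then
    mapfile -t pids < <(lsof -i :80 -t 2>/dev/null || true)
  fi

  if (( ${#pids[@]} == 0 )); then
    echo "Port 80 is in use, but the owning process could not be identified (lsof missing or not permitted)." >&2
    echo "Stop whatever is listening on port 80 and run this script again." >&2
    return 1
  fi

  # lsof -t may list several PIDs; query ps once per PID instead of
  # handing the whole list to a single, word-split ps -p call.
  local pid process_info first_process=""
  for pid in "${pids[@]}"; do
    process_info=$(ps -p "$pid" -o comm= 2>/dev/null || true)
    [[ -n "$first_process" ]] || first_process=$process_info
    echo "Port 80 is in use by process: ${process_info:-unknown} (PID: $pid)" >&2
  done
  echo "To fix this, you can:" >&2
  echo "1. Stop the process: sudo systemctl stop ${first_process:-<service>} (if it's a service)" >&2
  echo " or" >&2
  echo "2. Kill the process: sudo kill ${pids[*]}" >&2
  echo " or" >&2
  echo "3. Temporarily stop the process and run this script again" >&2
  return 1
}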
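# Print this server's public IPv4 address, trying several sources.
# The result is compared against the domain's A record, so it must be
# IPv4: curl is forced to -4 (ifconfig.me otherwise answers with the
# IPv6 address on dual-stack hosts) and every answer is validated as a
# dotted quad before it is trusted, since the lookup services are
# external and their response is untrusted input.
# Outputs: the address on stdout, or nothing if none could be found
# Returns: 0 always; callers must check for empty output
get_server_ipv4() {
  local ipv4=""
  local candidate url
  local -r ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

  # Method 1 (ipify) and 2 (ifconfig.me): bounded timeout so a hung
  # connection cannot stall the whole setup.
  for url in https://api.ipify.org https://ifconfig.me/ip; do
    candidate=$(curl -4 -fs --max-time 10 "$url" 2>/dev/null || true)
    if [[ "$candidate" =~ $ipv4_re ]]; then
      ipv4=$candidate
      break
    fi
  done

  # Method 3: first address the host reports for itself. Behind NAT this
  # is a private address and verify_dns will then report a mismatch.
  if [[ -z "$ipv4" ]]; then
    candidate=$(hostname -I 2>/dev/null | awk '{print $1}' || true)
    if [[ "$candidate" =~ $ipv4_re ]]; then
      ipv4=$candidate
    fi
  fi

  echo "$ipv4"
}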
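# Poll DNS until the domain's A records include the expected address.
# Arguments: $1 - domain name
#            $2 - expected IPv4 address
#            $3 - maximum attempts (default 30)
#            $4 - seconds to wait between attempts (default 10)
#            The defaults give up after roughly five minutes.
# Outputs:   progress messages on stdout
# Returns:   0 once a matching A record is seen, 1 after all attempts fail
check_dns_propagation() {
  local domain=$1
  local expected_ip=$2
  local max_attempts=${3:-30}
  local wait_time=${4:-10}
  local attempt=1
  local answers

  echo "Checking DNS propagation..."
  echo "This may take a few minutes..."
  while (( attempt <= max_attempts )); do
    # dig +short prints one line per record (several A records, or the
    # hops of a CNAME chain), so a whole-string comparison against a
    # single address would never match; accept if any line equals it.
    answers=$(dig +short A "$domain" || true)
    if [[ -n "$answers" ]]; then
      if grep -qxF -- "$expected_ip" <<<"$answers"; then
        echo "✅ DNS propagation successful!"
        return 0
      fi
      echo "Attempt $attempt/$max_attempts: Domain points to ${answers//$'\n'/, }, expected $expected_ip"
    else
      echo "Attempt $attempt/$max_attempts: DNS record not found yet"
    fi
    if (( attempt < max_attempts )); then
      echo "Waiting ${wait_time}s for DNS propagation..."
      sleep "$wait_time"
    fi
    attempt=$((attempt + 1))
  done
  return 1
}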
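# Verify that the domain's A record points at this server's public IPv4
# address and that the record has propagated.
# Arguments: $1 - domain name
# Outputs:   guidance for the user on stdout
# Returns:   0 when DNS is correct, 1 otherwise (the caller aborts)
verify_dns() {
  local domain=$1
  local server_ipv4 domain_ips
  server_ipv4=$(get_server_ipv4)

  echo "Verifying DNS configuration..."
  # Without our own address there is nothing to compare against; carrying
  # on would only produce a confusing "expected IP:" mismatch message.
  if [[ -z "$server_ipv4" ]]; then
    echo "Error: Could not determine this server's public IPv4 address."
    echo "Check outbound network connectivity and run this script again."
    return 1
  fi
  echo "Your server's public IPv4 address is: $server_ipv4"
  echo "Checking if $domain points to this IP..."

  # Get the domain's A records (one per line; may include CNAME hops).
  domain_ips=$(dig +short A "$domain" || true)
  if [[ -z "$domain_ips" ]]; then
    echo "Error: Could not resolve $domain"
    echo "Please add an A record in your domain's DNS settings:"
    echo "Type: A"
    echo "Name: @ (or leave blank)"
    echo "Value: $server_ipv4"
    echo "TTL: 3600 (or default)"
    echo ""
    echo "After adding the DNS record, wait a few minutes for propagation and run this script again."
    return 1
  fi

  # Accept when any returned record equals our address, so a domain with
  # several A records is not rejected by a whole-string comparison.
  if ! grep -qxF -- "$server_ipv4" <<<"$domain_ips"; then
    echo "Current DNS configuration for $domain:"
    echo "A record points to: ${domain_ips//$'\n'/, }"
    echo "Expected IP: $server_ipv4"
    echo ""
    echo "Please update your domain's A record to point to: $server_ipv4"
    echo "After updating the DNS record, wait a few minutes for propagation and run this script again."
    return 1
  fi

  # Check DNS propagation
  if ! check_dns_propagation "$domain" "$server_ipv4"; then
    echo "❌ DNS propagation check failed"
    echo "Please ensure your DNS changes have propagated and run this script again."
    return 1
  fi
  echo "✅ DNS verification successful"
  return 0
}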
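# -----------------------------------------------------------------
# Main flow
# -----------------------------------------------------------------
# Check if running as root
check_root

# Install required dependencies: certbot, netstat (net-tools), dig
# (dnsutils) and curl. lsof, used by check_port_80 for diagnostics only,
# is not installed here.
echo "Installing required dependencies..."
apt-get update
apt-get install -y \
  certbot \
  net-tools \
  dnsutils \
  curl

# Get user input. -r keeps backslashes literal. Both values end up on
# command lines and in the certificate path, so reject empty or
# malformed input here instead of letting certbot fail later.
read -r -p "Enter your domain name (e.g., example.com): " DOMAIN
read -r -p "Enter your email address: " EMAIL
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "Error: '$DOMAIN' is not a valid domain name." >&2
  exit 1
fi
if [[ -z "$EMAIL" || "$EMAIL" != *@* ]]; then
  echo "Error: '$EMAIL' is not a valid email address." >&2
  exit 1
fi

# Verify DNS configuration
if ! verify_dns "$DOMAIN"; then
  echo "Please fix your DNS configuration and run this script again."
  exit 1
fi

# Check if port 80 is available
if ! check_port_80; then
  echo "Please free up port 80 and run this script again."
  exit 1
fi

# Configure firewall to allow port 80 temporarily for the ACME challenge.
# Only a rule this script itself added is removed again: a pre-existing
# allow rule (ufw answers "Skipping adding existing rule") is left alone
# instead of being deleted behind the administrator's back. The cleanup
# runs from an EXIT trap so a failed certbot run does not leave the
# temporary opening behind.
ufw_rule_added=0
cleanup_firewall() {
  if (( ufw_rule_added == 1 )); then
    ufw delete allow 80/tcp || true
    ufw_rule_added=0
  fi
}
trap cleanup_firewall EXIT

echo "Configuring firewall..."
if command_exists ufw; then
  ufw_output=$(ufw allow 80/tcp 2>&1) || true
  printf '%s\n' "$ufw_output"
  if [[ "$ufw_output" != *"Skipping adding existing rule"* ]]; then
    ufw_rule_added=1
  fi
fi

# Get SSL certificate. Under 'set -e' a failing certbot would exit the
# script right here, before the message below could be printed, so the
# exit status is tested explicitly.
echo "Obtaining SSL certificate for $DOMAIN..."
if ! certbot certonly --standalone \
    --preferred-challenges http \
    --agree-tos \
    --email "$EMAIL" \
    -d "$DOMAIN" \
    --non-interactive; then
  echo "Failed to obtain SSL certificate. Please check the error messages above." >&2
  exit 1
fi

# Check if certificate was obtained successfully
if [ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]; then
  echo "Failed to obtain SSL certificate. Please check the error messages above." >&2
  exit 1
fi
echo "SSL certificates have been set up successfully!"
echo "Domain: $DOMAIN"
echo "Certificates are stored in: /etc/letsencrypt/live/$DOMAIN/"

# Set up auto-renewal. 'certbot renew' reuses the standalone HTTP-01
# authenticator recorded for this certificate, so port 80 must be
# reachable whenever the cron job runs (see the note printed below).
echo "Setting up auto-renewal..."
printf '%s\n' "0 0 * * * root certbot renew --quiet" > /etc/cron.d/ssl-renewal
chmod 644 /etc/cron.d/ssl-renewal
echo "Auto-renewal has been set up. Certificates will be renewed automatically when needed."

# Remove temporary port 80 access if it was added (the EXIT trap would
# do this anyway; calling it here keeps the order explicit).
cleanup_firewall
trap - EXIT
if command_exists ufw; then
  echo "Note: unattended renewals use the same HTTP-01 challenge on port 80."
  echo "Make sure 80/tcp is reachable when 'certbot renew' runs, or renewals will fail silently (--quiet)."
fi
echo "✅ Setup completed successfully!"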