snstac/takle
Let's Encrypt Certificate Management

Automated Let's Encrypt certificate renewal using DNS-01 challenges with Name.com API, including TAK Server certificate conversion.

🚀 Quick Start

0. Packages

sudo apt install openjdk-17-jre-headless

1. Configure Credentials

Copy the example config and add your credentials:

cp config.sh.example config.sh
nano config.sh

Fill in:

  • USERNAME: Your Name.com username
  • TOKEN: Your Name.com API token (generated in the API section of your Name.com account)
  • TAK_CERT_PASS: Password for TAK Server keystores
  • CONTACT_EMAIL: Email for Let's Encrypt notifications

2. Renew Certificates

./bin/renew.sh takserver.example.com

For wildcard certificates:

./bin/renew.sh example.com *.example.com

3. Create TAK Server Files (Optional)

Convert certificates to TAK Server formats (PKCS12/JKS):

# Using defaults (takserver.example.com, current directory)
./bin/create_tak_files.sh

# Specify domain and TAK directory
./bin/create_tak_files.sh takserver.example.com /path/to/tak

# Or with environment variables
CERTBOT_DOMAIN=takserver.example.com TAK_DIR=/path/to/tak ./bin/create_tak_files.sh

📁 Project Structure

├── bin/                          # Executable scripts
│   ├── renew.sh                 # Main renewal script
│   ├── create_txt_record.sh     # DNS challenge hook (creates TXT record)
│   ├── clean.sh                 # Cleanup hook (removes TXT record)
│   ├── create_tak_files.sh      # Convert certs to TAK Server formats
│   └── base_config.sh           # Helper functions & colors
├── letsencrypt/                  # Certbot working directory
│   ├── accounts/                # Let's Encrypt account info
│   ├── archive/                 # Certificate archives
│   ├── live/                    # Current certificates (symlinks)
│   └── renewal/                 # Renewal configuration
├── logs/                         # Certbot logs
├── work/                         # Temporary working files
├── config.sh                     # Your credentials (gitignored)
└── config.sh.example            # Template for credentials

🔧 Scripts Overview

renew.sh

Main script for certificate renewal using DNS-01 challenge.

Usage:

./bin/renew.sh DOMAIN [DOMAIN ...]

Features:

  • ✓ Automatic DNS challenge record creation
  • ✓ DNS propagation waiting
  • ✓ Automatic cleanup after verification
  • ✓ Keeps existing certificates until near expiry

create_tak_files.sh

Converts Let's Encrypt certificates to TAK Server formats.

Usage:

./bin/create_tak_files.sh [DOMAIN] [TAK_DIR]

Defaults:

  • DOMAIN: takserver.example.com
  • TAK_DIR: . (current directory)

Output:

  • ${TAK_DIR}/certs/files/letsencrypt/${DOMAIN}.p12 - PKCS12 format
  • ${TAK_DIR}/certs/files/letsencrypt/${DOMAIN}.jks - Java KeyStore format
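As an added example (not the repository's own create_tak_files.sh), the script below shows the openssl and keytool steps behind the PKCS12 and JKS outputs listed above, together with the expiry check behind "keeps existing certificates until near expiry". It assumes a certbot-style live directory containing fullchain.pem and privkey.pem, reads the keystore password from the README's TAK_CERT_PASS variable, and includes a constructed self-signed certificate so it can be run offline. The `-srcstorepass:env` form for keytool is taken from the JDK documentation and is an assumption to verify against your keytool version.

```shell
#!/bin/sh
# Added example (not the repository's create_tak_files.sh): the conversion
# behind the PKCS12 and JKS outputs, plus the expiry check behind
# "keeps existing certificates until near expiry".
set -eu

# Build OUT_DIR/DOMAIN.p12 from a certbot live directory and, when keytool is
# installed, OUT_DIR/DOMAIN.jks. The password is read from TAK_CERT_PASS via
# env: references so it never appears in the process list.
make_tak_keystores() {  # args: domain live_dir out_dir
  domain=$1; live=$2; out=$3
  [ -n "${TAK_CERT_PASS:-}" ] || { echo "error: TAK_CERT_PASS not set (see config.sh)" >&2; return 1; }
  mkdir -p "$out"
  (
    umask 077   # the keystore holds the private key: owner-readable only
    openssl pkcs12 -export -name "$domain" \
      -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
      -passout env:TAK_CERT_PASS -out "$out/$domain.p12"
    if command -v keytool >/dev/null 2>&1; then
      # keytool's ":env" password form is assumed from the JDK 17 docs
      keytool -importkeystore -noprompt \
        -srckeystore "$out/$domain.p12" -srcstoretype PKCS12 \
        -srcstorepass:env TAK_CERT_PASS \
        -destkeystore "$out/$domain.jks" -deststoretype JKS \
        -deststorepass:env TAK_CERT_PASS
    fi
  )
}

# Open the PKCS12 with the password and print the leaf subject; a wrong
# password or a corrupted file makes this fail, so it doubles as a verifier.
p12_subject() {  # args: p12_file
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:TAK_CERT_PASS 2>/dev/null \
    | openssl x509 -noout -subject
}

# Exit 0 when the certificate expires within N days (default 30, certbot's own
# renewal threshold). openssl -checkend exits 0 only when the certificate will
# NOT expire in that window, hence the negation.
cert_expires_within() {  # args: cert_pem [days]
  ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# Constructed input for offline runs: a throwaway self-signed certificate laid
# out like certbot's live/ directory (fullchain.pem + privkey.pem), 90 days.
make_demo_live() {  # args: dir domain
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Stand-alone use: sh make_tak.sh DOMAIN LIVE_DIR [OUT_DIR]
if [ "$#" -ge 2 ]; then
  make_tak_keystores "$1" "$2" "${3:-.}"
fi
```

Run it against a real renewal as `TAK_CERT_PASS=... sh make_tak.sh takserver.example.com ./letsencrypt/live/takserver.example.com /path/to/tak/certs/files/letsencrypt`; the subshell with umask 077 keeps the resulting keystores from being world-readable, and p12_subject is a cheap post-conversion check that the password in config.sh actually opens what was written.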

create_txt_record.sh

Internal hook - Creates DNS TXT record for ACME challenge. Called automatically by certbot during renewal.

clean.sh

Internal hook - Removes DNS TXT records after verification. Called automatically by certbot after challenge completes.
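The following is an added example of a certbot `--manual-auth-hook` for Name.com, written to illustrate what create_txt_record.sh and clean.sh have to do; it is not the repository's own code. It assumes the Name.com v4 API (`https://api.name.com/v4/domains/{zone}/records`, HTTP basic auth with USERNAME:TOKEN), that the zone is the last two labels of the domain, and that the public resolver 1.1.1.1 is reachable for propagation checks; all three are assumptions to confirm against the current Name.com documentation and your own DNS setup. With NAMECOM_DRY_RUN=1 it prints the request instead of sending it.

```shell
#!/bin/sh
# Added example of a certbot DNS-01 auth hook for Name.com (not the
# repository's create_txt_record.sh). Assumed: API v4 at
# https://api.name.com/v4, basic auth with USERNAME:TOKEN, and a zone equal
# to the domain's last two labels.
set -eu

NAMECOM_API="${NAMECOM_API:-https://api.name.com/v4}"

# Zone the record lives in: "takserver.example.com" and "*.example.com" both
# map to "example.com" (two-label assumption; adjust for co.uk-style zones).
acme_zone() {
  d="${1#\*.}"
  tld="${d##*.}"; rest="${d%.*}"; sld="${rest##*.}"
  printf '%s.%s\n' "$sld" "$tld"
}

# Relative record host: "_acme-challenge" at the zone apex, otherwise
# "_acme-challenge.<labels below the zone>".
acme_host() {
  d="${1#\*.}"; zone=$(acme_zone "$1")
  if [ "$d" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${d%.$zone}"
  fi
}

# Refuse to run outside certbot: the "CERTBOT_DOMAIN not set" error in the
# README is exactly this condition.
require_env() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      printf 'error: %s not set (start renewal via renew.sh, not by hand)\n' "$v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Create the TXT record. CERTBOT_VALIDATION is base64url, so no JSON escaping
# is needed. NAMECOM_DRY_RUN=1 prints the request instead of sending it.
namecom_create_txt() {  # args: zone host value
  body=$(printf '{"host":"%s","type":"TXT","answer":"%s","ttl":300}' "$2" "$3")
  if [ "${NAMECOM_DRY_RUN:-0}" = 1 ]; then
    printf 'POST %s/domains/%s/records %s\n' "$NAMECOM_API" "$1" "$body"
    return 0
  fi
  curl -fsS -u "$USERNAME:$TOKEN" -H 'Content-Type: application/json' \
    -X POST "$NAMECOM_API/domains/$1/records" -d "$body" >/dev/null
}

# Poll a public resolver for the value (up to 120 s) instead of sleeping a
# fixed 30 s; falls back to the README's fixed wait when dig is not installed.
wait_for_txt() {  # args: fqdn value
  if ! command -v dig >/dev/null 2>&1; then sleep 30; return 0; fi
  i=0
  while [ "$i" -lt 24 ]; do
    if dig +short TXT "$1" @1.1.1.1 | grep -Fq "\"$2\""; then return 0; fi
    i=$((i + 1)); sleep 5
  done
  printf 'warning: %s not visible after 120 s; letting certbot try anyway\n' "$1" >&2
}

main() {
  require_env CERTBOT_DOMAIN CERTBOT_VALIDATION USERNAME TOKEN
  zone=$(acme_zone "$CERTBOT_DOMAIN"); host=$(acme_host "$CERTBOT_DOMAIN")
  namecom_create_txt "$zone" "$host" "$CERTBOT_VALIDATION"
  wait_for_txt "$host.$zone" "$CERTBOT_VALIDATION"
}

# certbot exports CERTBOT_DOMAIN when it calls the hook; nothing runs otherwise.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main; fi
```

Wired into certbot it would be called as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook ./bin/create_txt_record.sh --manual-cleanup-hook ./bin/clean.sh --config-dir ./letsencrypt --work-dir ./work --logs-dir ./logs -d takserver.example.com`, which is also why the README lists python3: the matching cleanup hook has to GET the zone's records, find the `_acme-challenge` entry whose answer equals CERTBOT_VALIDATION, and DELETE it by id, and parsing that JSON is easier in Python than in shell. Polling the resolver rather than sleeping is the fix for the "DNS propagation issues" entry under Troubleshooting.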

🎨 Console Output

All scripts now feature:

  • ✓ Color-coded messages (success, info, warning, error)
  • ✓ Progress indicators
  • ✓ Clear step-by-step feedback
  • ✓ Helpful error messages
  • ✓ Emojis for visual scanning

🔒 Security

  • config.sh is excluded from git (contains API credentials); also keep it readable only by the user that runs the scripts (chmod 600 config.sh), since the API token that creates challenge records can alter other DNS records too
  • Private keys and certificates are excluded from git
  • Always use strong passwords for TAK_CERT_PASS

📝 Certificate Locations

After renewal, certificates are located at:

./letsencrypt/live/${DOMAIN}/
├── cert.pem       # Certificate only
├── chain.pem      # Intermediate chain
├── fullchain.pem  # Certificate + chain
└── privkey.pem    # Private key

🤖 Automation

To automate renewal, add to crontab:

# Renew certificates weekly (checks if renewal needed)
0 3 * * 1 cd /path/to/LE && ./bin/renew.sh takserver.example.com

⚠️ Troubleshooting

DNS propagation issues:

  • The scripts wait 30 seconds for DNS propagation
  • If challenges fail, increase the sleep time in create_txt_record.sh

"CERTBOT_DOMAIN not set" error:

  • This happens when hooks are run manually
  • Always use renew.sh to start the renewal process

Certificate validation failed:

  • Check your Name.com API credentials in config.sh
  • Verify DNS records are being created in Name.com dashboard
  • Check logs in ./logs/ for detailed error messages

🧹 Cleanup / Migration

Old config directory: If you have an old config/ directory from a previous setup, you can safely remove it after migrating to the new letsencrypt/ structure. The scripts now use ./letsencrypt/ as the certbot config directory.

# Backup old certificates if needed
cp -r config/live/* /backup/location/

# Remove old directory
rm -rf config/

Generated TAK files: The tak/ directory is created by create_tak_files.sh. If you're tracking these files in git, remove tak/ from .gitignore. Otherwise, it's automatically excluded.

📚 Dependencies

  • certbot - Let's Encrypt client
  • curl - API requests
  • python3 - JSON parsing
  • openssl - Certificate conversion
  • keytool - Java keystore management (for TAK Server files)

📄 License

Customize as needed for your infrastructure.

About

TAK LetsEncrypt renewal script
