Run action on demand and once a month #55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Obtain Certificate | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
workflow_dispatch: | |
schedule: | |
- cron: '37 13 19 * *' # on the 19th of every month at 13:37 | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
environment: desec-test-account | |
strategy: | |
# You can use PyPy versions in python-version. | |
# For example, pypy2 and pypy3 | |
matrix: | |
python-version: [ | |
'3.7', | |
'3.8', | |
'3.9', | |
'3.10', | |
'3.11', | |
] | |
certbot-version: [ | |
# TODO at the time of writing, versions earlier than 1.14, including '0.40.0', the latest version for Ubuntu | |
# 20.04, are broken because ImportError: cannot import name 'IO' from 'acme.magic_typing' | |
# (venv/lib/python3.8/site-packages/acme/magic_typing.py) | |
'1.14.0', | |
'1.32.0', | |
'2.0.0', | |
] | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: actions/setup-python@v1 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install | |
run: | | |
sudo apt-get install -y dnsutils | |
pip3 install . | |
if [[ $CERTBOT_VERSION != "latest" ]] | |
then | |
pip3 install --upgrade certbot~=$CERTBOT_VERSION | |
pip3 install --upgrade acme~=$CERTBOT_VERSION | |
fi | |
env: | |
CERTBOT_VERSION: ${{ matrix.certbot-version }} | |
- name: Create domain | |
shell: bash | |
run: | | |
PYTHON=$(echo $PYTHON | sed "s/\./-/g") | |
CERTBOT=$(echo $CERTBOT | sed "s/\./-/g") | |
curl -X POST https://desec.io/api/v1/domains/ \ | |
--header "Authorization: Token $TOKEN" \ | |
--header "Content-Type: application/json" --data @- <<< \ | |
"{\"name\": \"certbot-$CERTBOT-python-$PYTHON-$DOMAIN\"}" | |
sleep 80 # wait for deSEC to propagate changes | |
env: | |
DOMAIN: ${{secrets.DESEC_DOMAIN}} | |
CERTBOT: ${{matrix.certbot-version}} | |
PYTHON: ${{matrix.python-version}} | |
TOKEN: ${{secrets.DESEC_TOKEN}} | |
- name: Setup Credentials | |
run: 'echo "dns_desec_token = $TOKEN" > desec-secret.ini' | |
shell: bash | |
env: | |
TOKEN: ${{secrets.DESEC_TOKEN}} | |
- name: Get Cert | |
run: | | |
PYTHON=$(echo $PYTHON | sed "s/\./-/g") | |
CERTBOT=$(echo $CERTBOT | sed "s/\./-/g") | |
certbot certonly \ | |
--config-dir tmp/certbot/config \ | |
--logs-dir tmp/certbot/logs \ | |
--work-dir tmp/certbot/work \ | |
--authenticator dns-desec \ | |
--email $EMAIL \ | |
--dns-desec-credentials desec-secret.ini \ | |
--server https://acme-v02.api.letsencrypt.org/directory \ | |
--agree-tos \ | |
--dry-run \ | |
-d "certbot-$CERTBOT-python-$PYTHON-$DOMAIN" \ | |
-d "*.certbot-$CERTBOT-python-$PYTHON-$DOMAIN" | |
shell: bash | |
env: | |
DOMAIN: ${{secrets.DESEC_DOMAIN}} | |
EMAIL: ${{secrets.DESEC_EMAIL}} | |
CERTBOT: ${{matrix.certbot-version}} | |
PYTHON: ${{matrix.python-version}} | |
- name: Query TXT record and show log | |
if: ${{ failure() }} | |
run: | | |
PYTHON=$(echo $PYTHON | sed "s/\./-/g") | |
CERTBOT=$(echo $CERTBOT | sed "s/\./-/g") | |
dig @ns1.desec.io TXT _acme-challenge.certbot-$CERTBOT-python-$PYTHON-$DOMAIN | |
dig @ns2.desec.org TXT _acme-challenge.certbot-$CERTBOT-python-$PYTHON-$DOMAIN | |
cat tmp/certbot/logs/letsencrypt.log | |
env: | |
DOMAIN: ${{secrets.DESEC_DOMAIN}} | |
CERTBOT: ${{matrix.certbot-version}} | |
PYTHON: ${{matrix.python-version}} |