gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:21:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bcf2c3ae92722723c6bbf2f80300b94baecfa23e
certctl/examples/acme-wildcard-dns01/dns-hooks/cloudflare-cleanup.sh
T
shankar0123 bcf2c3ae92 feat(pre-2.1.0): demo data overhaul, examples, migration guides, install script 
Pre-2.1.0 adoption polish delivering all four milestones:

A) Demo Data Overhaul — seed_demo.sql rewritten with 35 certs across
   5 issuers, 8 agents, 8 targets, 50+ jobs spanning 90 days, 55+
   audit events, discovery scans, network scan targets, S/MIME cert.

B) Examples Directory — 5 turnkey docker-compose configs:
   acme-nginx, acme-wildcard-dns01, private-ca-traefik,
   step-ca-haproxy, multi-issuer.

C) Migration Guides — migrate-from-certbot.md,
   migrate-from-acmesh.md, certctl-for-cert-manager-users.md.

D) Agent Install Script — install-agent.sh with cross-platform
   support (Linux systemd + macOS launchd), release.yml updated
   for 6-target cross-compilation.

Triple-audited against codebase: 22 factual corrections applied
across docs, examples, and config (env var names, CLI flags, ports,
DNS hook interface, scheduler loop counts, license conversion date).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-29 18:26:58 -04:00

87 lines
2.9 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Cloudflare DNS-01 Challenge Script (CLEANUP)
#
# This script removes a DNS TXT record after ACME DNS-01 challenge validation.
# Called by certctl after certificate issuance to clean up temporary challenge records.
#
# certctl sets these environment variables before invoking this script:
# CERTCTL_DNS_DOMAIN - Base domain (e.g., "example.com")
# CERTCTL_DNS_FQDN - Full challenge FQDN (e.g., "_acme-challenge.example.com")
# CERTCTL_DNS_VALUE - Challenge value/token that was in the TXT record
#
# You must set these environment variables before running:
# CLOUDFLARE_API_TOKEN - Cloudflare API token with DNS:write permission
# CLOUDFLARE_ZONE_ID - Cloudflare zone ID for your domain
#
# Error Handling:
# This script exits 0 on success, non-zero on failure.
# If cleanup fails, certctl logs the error but doesn't block renewals.
#
set -euo pipefail
# Get values from certctl environment variables
DOMAIN="${CERTCTL_DNS_DOMAIN:-}"
RECORD_NAME="${CERTCTL_DNS_FQDN:-}"
VALIDATION_TOKEN="${CERTCTL_DNS_VALUE:-}"
# Validate inputs
if [[ -z "$DOMAIN" || -z "$RECORD_NAME" || -z "$VALIDATION_TOKEN" ]]; then
echo "Error: Required certctl environment variables not set (CERTCTL_DNS_DOMAIN, CERTCTL_DNS_FQDN, CERTCTL_DNS_VALUE)" >&2
exit 1
fi
# Validate environment
if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
echo "Error: CLOUDFLARE_API_TOKEN environment variable not set" >&2
exit 1
fi
if [[ -z "${CLOUDFLARE_ZONE_ID:-}" ]]; then
echo "Error: CLOUDFLARE_ZONE_ID environment variable not set" >&2
exit 1
fi
# Validate RECORD_NAME (set by certctl above)
RECORD_TYPE="TXT"
# Cloudflare API endpoint
CF_API="https://api.cloudflare.com/client/v4"
CF_ZONE="$CLOUDFLARE_ZONE_ID"
CF_TOKEN="$CLOUDFLARE_API_TOKEN"
echo "[certctl DNS-01] Cleaning up DNS record: $RECORD_NAME"
# Step 1: Find the record ID
RECORD_ID=$(curl -s -X GET \
"$CF_API/zones/$CF_ZONE/dns_records?name=$RECORD_NAME&type=$RECORD_TYPE" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
| jq -r '.result | if length > 0 then .[0].id else "" end')
if [[ -z "$RECORD_ID" ]]; then
echo "[certctl DNS-01] Record not found (already deleted?). Skipping cleanup."
exit 0
fi
# Step 2: Delete the record (DELETE /zones/{zone_id}/dns_records/{record_id})
echo "[certctl DNS-01] Deleting DNS record (ID: $RECORD_ID)..."
RESPONSE=$(curl -s -X DELETE \
"$CF_API/zones/$CF_ZONE/dns_records/$RECORD_ID" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json")
# Check response success
SUCCESS=$(echo "$RESPONSE" | jq -r '.success')
if [[ "$SUCCESS" != "true" ]]; then
ERROR=$(echo "$RESPONSE" | jq -r '.errors[0].message // "Unknown error"')
echo "Warning: Cloudflare API failed to delete record: $ERROR" >&2
# Don't exit 1 here — DNS cleanup is best-effort; cleanup failures shouldn't block certs
exit 0
fi
echo "[certctl DNS-01] Successfully deleted DNS record"
exit 0
Reference in New Issue View Git Blame Copy Permalink