diff --git a/docs/install-alpine.sh b/docs/install-alpine.sh index 0408684..bc208a6 100644 --- a/docs/install-alpine.sh +++ b/docs/install-alpine.sh @@ -305,6 +305,11 @@ cp.${REGISTRY_DOMAIN} { Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()" } } + +cp.${REGISTRY_DOMAIN} { + ${BIND_LINE} + redir https://cp.${REGISTRY_DOMAIN}{uri} +} EOF # Create log directory and adjust permissions @@ -321,6 +326,11 @@ chown caddy:caddy /var/log/namingo/web-rdap.log rc-service caddy restart rc-update add caddy default +sleep 5 + +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.${REGISTRY_DOMAIN}/epp.${REGISTRY_DOMAIN}.crt /opt/registry/epp/epp.crt +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.${REGISTRY_DOMAIN}/epp.${REGISTRY_DOMAIN}.key /opt/registry/epp/epp.key + # --- Install Control Panel --- echo "Installing Control Panel..." mkdir -p /var/www 
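Review bot: The new site block is named `cp.${REGISTRY_DOMAIN}`, the same address as the existing `cp.${REGISTRY_DOMAIN}` block in this heredoc (visible in the hunk header), and its `redir` points back at itself; the matching hunk in docs/install.sh names the block `epp.$REGISTRY_DOMAIN`, and the next hunk here links certificates from `.../epp.${REGISTRY_DOMAIN}/`, which Caddy only obtains if a site with that name exists. Caddy, as far as I know, rejects a Caddyfile that defines the same site address twice, so as written this likely breaks the `rc-service caddy restart` below and leaves the EPP symlinks dangling. Change the header line `cp.${REGISTRY_DOMAIN} {` to `epp.${REGISTRY_DOMAIN} {`; the same copy appears in the first hunk of docs/install.md, where `cp.example.com {` should read `epp.example.com {`.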
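Review bot: `sleep 5` followed by `ln -sf` is a race against ACME issuance: `ln -sf` creates the links whether or not the targets exist, so if Caddy has not finished obtaining the epp certificate within five seconds the EPP server is left with dangling symlinks and no usable key pair, and the script reports success. Wait for both files with a bounded loop and fail loudly if they never appear, as below; the same pattern is in the second hunk of docs/install.sh and in docs/update1021.sh. The key under /var/lib/caddy is written by Caddy with its own ownership and mode, so the account the EPP service runs as also needs read access through the link — not visible here, worth confirming. The directory name is also specific to Let's Encrypt production; if Caddy is configured with or falls back to another issuer, the path differs and the links dangle.

```shell
cert_dir="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.${REGISTRY_DOMAIN}"
for _ in $(seq 1 30); do
  [ -f "${cert_dir}/epp.${REGISTRY_DOMAIN}.crt" ] && [ -f "${cert_dir}/epp.${REGISTRY_DOMAIN}.key" ] && break
  sleep 2
done
if [ ! -f "${cert_dir}/epp.${REGISTRY_DOMAIN}.key" ]; then
  echo "Error: Caddy has not issued a certificate for epp.${REGISTRY_DOMAIN} yet" >&2
  exit 1
fi
ln -sf "${cert_dir}/epp.${REGISTRY_DOMAIN}.crt" /opt/registry/epp/epp.crt
ln -sf "${cert_dir}/epp.${REGISTRY_DOMAIN}.key" /opt/registry/epp/epp.key
# … unchanged: Control Panel installation …
```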
@@ -425,9 +435,18 @@ echo "Downloading initial data and setting up cache..." php /var/www/cp/bin/file_cache.php chown caddy:caddy /var/www/cp/cache +echo "Downloading ICANN TMCH certificate data." +curl -o /etc/ssl/certs/tmch.pem https://ca.icann.org/tmch.crt +curl -o /etc/ssl/certs/tmch_pilot.pem https://ca.icann.org/tmch_pilot.crt +chmod 644 /etc/ssl/certs/tmch.pem /etc/ssl/certs/tmch_pilot.pem + echo -e "Installation complete!\n" echo -e "Next steps:\n" echo -e "1. Configure each component by editing their respective configuration files." echo -e "2. Once configuration is complete, start each service with the following command:\n rc-service SERVICE_NAME start\n Replace 'SERVICE_NAME' with the specific service (whois, rdap, epp, das) as needed." echo -e "3. To initiate the automation system, please refer to the configuration manual.\n" -echo -e "For more detailed information, please consult the accompanying documentation or support resources." \ No newline at end of file +echo -e "For more detailed information, please consult the accompanying documentation or support resources." + +echo -e "⚠️ Notice: Automatic certificate monitoring and EPP reload via systemd is NOT supported on Alpine Linux." +echo -e "Please remember to manually reload the EPP service every 3 months after certificate renewal:" +echo -e " systemctl reload namingo-epp" \ No newline at end of file diff --git a/docs/install.md b/docs/install.md index 76c9842..7d97864 100644 --- a/docs/install.md +++ b/docs/install.md @@ -298,6 +298,11 @@ cp.example.com { Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(); } } + +cp.example.com { + bind NEW_IPV4_ADDRESS NEW_IPV6_ADDRESS + redir https://cp.example.com{uri} +} ``` Activate and reload Caddy: 
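Review bot: The two `curl -o` downloads of the TMCH CA certificates have no failure handling: on a non-2xx response curl still exits 0 and writes the error body into /etc/ssl/certs/tmch.pem, which the following `chmod 644` then leaves in place as a trust anchor. Use `curl -fsSL -o /etc/ssl/certs/tmch.pem https://ca.icann.org/tmch.crt || { echo "TMCH certificate download failed" >&2; exit 1; }` for each file (whether `set -e` is active is not visible in this hunk). Separately, the closing notice tells Alpine users to run `systemctl reload namingo-epp`, but this script manages services with `rc-service` (the line above lists whois, rdap, epp, das) and the systemd units elsewhere in this commit reload a service named `epp`; the instruction should name the OpenRC command and the actual service, presumably `rc-service epp reload` — verify against the init script.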
@@ -307,6 +312,13 @@ systemctl enable caddy systemctl restart caddy ``` +Wait a few seconds and link the EPP certificates: + +``` +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.example.com/epp.example.com.crt /opt/registry/epp/epp.crt +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.example.com/epp.example.com.key /opt/registry/epp/epp.key +``` + ### 6b. Nginx: Move configuration files and create symbolic links: @@ -496,19 +508,18 @@ mv config.php.dist config.php Configure all options in ```config.php```. -To create test certificates (cert.pem and key.pem): - -```bash -openssl genrsa -out key.pem 2048 -openssl req -new -x509 -key key.pem -out cert.pem -days 365 -``` - - Copy ```docs/epp.service``` to ```/etc/systemd/system/```. Change only User and Group lines to your user and group. ```bash +cp /opt/registry/docs/namingo-epp-reload.service /etc/systemd/system/namingo-epp-reload.service +cp /opt/registry/docs/namingo-epp-reload.path /etc/systemd/system/namingo-epp-reload.path + +systemctl daemon-reexec systemctl daemon-reload systemctl start epp.service systemctl enable epp.service + +systemctl enable --now namingo-epp-reload.path ``` After that you can manage EPP via systemctl as any other service. diff --git a/docs/install.sh b/docs/install.sh index 49f21e0..77a9645 100644 --- a/docs/install.sh +++ b/docs/install.sh @@ -387,6 +387,11 @@ EOF Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(); } } + + epp.$REGISTRY_DOMAIN { + $BIND_LINE + redir https://cp.$REGISTRY_DOMAIN{uri} + } EOF mkdir -p /var/log/namingo 
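Review bot: The new `epp.$REGISTRY_DOMAIN` site is only a redirect, but its real job in this commit is to make Caddy obtain and renew a certificate for `epp.$REGISTRY_DOMAIN` that the EPP server then reuses through the symlinks added in the next hunk; nothing in the heredoc says so, and a later maintainer trimming an apparently unused redirect site would silently break EPP TLS renewal. A one-line comment before the block, such as `# epp.* site exists so Caddy manages the TLS certificate reused by the EPP server (see the symlinks below)`, would make that explicit (Caddyfile accepts `#` comments, so it may live inside the heredoc). The heredoc this block sits in starts outside the hunk.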
@@ -400,6 +405,11 @@ EOF systemctl enable caddy systemctl restart caddy + + sleep 5 + + ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$REGISTRY_DOMAIN/epp.$REGISTRY_DOMAIN.crt /opt/registry/epp/epp.crt + ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$REGISTRY_DOMAIN/epp.$REGISTRY_DOMAIN.key /opt/registry/epp/epp.key echo "Installing Control Panel." mkdir -p /var/www @@ -510,6 +520,27 @@ EOF systemctl enable msg_producer systemctl enable msg_worker + SERVICE_SRC="/opt/registry/docs/namingo-epp-reload.service" + PATH_SRC="/opt/registry/docs/namingo-epp-reload.path" + SERVICE_DEST="/etc/systemd/system/namingo-epp-reload.service" + PATH_DEST="/etc/systemd/system/namingo-epp-reload.path" + + if [[ ! -f "$SERVICE_SRC" || ! -f "$PATH_SRC" ]]; then + echo "Error: Required files not found in /opt/registry/docs/" + exit 1 + fi + + echo "Copying systemd service and path files..." + cp "$SERVICE_SRC" "$SERVICE_DEST" + cp "$PATH_SRC" "$PATH_DEST" + + echo "Reloading systemd daemon..." + systemctl daemon-reexec + systemctl daemon-reload + + echo "Enabling and starting namingo-epp-reload.path..." + systemctl enable --now namingo-epp-reload.path + echo "Enabling Redis." systemctl daemon-reload systemctl enable redis-server diff --git a/docs/namingo-epp-reload.path b/docs/namingo-epp-reload.path new file mode 100644 index 0000000..f9eeae1 --- /dev/null +++ b/docs/namingo-epp-reload.path @@ -0,0 +1,9 @@ +[Unit] +Description=Watch for changes in EPP TLS cert/key + +[Path] +PathChanged=/opt/registry/epp/epp.crt +PathChanged=/opt/registry/epp/epp.key + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/docs/namingo-epp-reload.service b/docs/namingo-epp-reload.service new file mode 100644 index 0000000..fbe9562 --- /dev/null +++ b/docs/namingo-epp-reload.service 
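Review bot: `systemctl daemon-reexec` re-executes the systemd manager itself, which is only needed after systemd has been upgraded; installing two new unit files only requires the `systemctl daemon-reload` that follows it, so the `daemon-reexec` line can be dropped (the same pair appears in docs/update1021.sh and docs/install.md in this commit). The diagnostic for missing unit files should go to stderr, `echo "Error: Required files not found in /opt/registry/docs/" >&2`, so it is not mixed into captured output. The enclosing block this hunk sits in starts outside the hunk.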
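Review bot: The two `PathChanged=` entries watch `/opt/registry/epp/epp.crt` and `/opt/registry/epp/epp.key`, which the install scripts in this commit create as symlinks into Caddy's certificate storage; whether a watch set up through the symlink fires when Caddy rewrites, or replaces by rename, the target file is not established by anything in this diff and should be verified by forcing a renewal — if it does not fire, the reload this unit exists for never happens. Either watch the real certificate directory or record the dependence in the unit, e.g. `# epp.crt/epp.key are symlinks into Caddy's ACME storage; verify PathChanged fires on renewal`.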
@@ -0,0 +1,6 @@
+[Unit]
+Description=Reload Namingo EPP server after cert update
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl reload epp
\ No newline at end of file
diff --git a/docs/update1021.sh b/docs/update1021.sh
index 2eec7cb..3fa59b5 100644
--- a/docs/update1021.sh
+++ b/docs/update1021.sh
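Review bot: `ExecStart=/bin/systemctl reload epp` is triggered separately for each of the two files watched by the companion path unit, so the first reload can run after Caddy has written the new epp.crt but before epp.key is updated; if the EPP server re-reads both on reload it would briefly hold a mismatched pair — inferred from the path unit in this commit, not visible here. A short `ExecStartPre=/bin/sleep 5` or a pre-check that the certificate and key match before reloading would close that window. The reload also only has effect if the epp service's unit defines `ExecReload` (docs/epp.service is not in this diff); worth confirming and noting in `Description=`.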
@@ -169,6 +169,68 @@ curl -o /etc/ssl/certs/tmch.pem https://ca.icann.org/tmch.crt curl -o /etc/ssl/certs/tmch_pilot.pem https://ca.icann.org/tmch_pilot.crt chmod 644 /etc/ssl/certs/tmch.pem /etc/ssl/certs/tmch_pilot.pem +echo "Updating EPP server configuration." +CADDYFILE="/etc/caddy/Caddyfile" +CBACKUP="/etc/caddy/Caddyfile.bak.$(date +%F-%H%M%S)" + +# Step 0: Backup original Caddyfile +cp "$CADDYFILE" "$CBACKUP" +echo "Caddy backup saved to $CBACKUP" + +rdap_line=$(grep -E '^\s*rdap\.[^ ]+\s*\{' "$CADDYFILE") +bind_line=$(grep -A 3 "$rdap_line" "$CADDYFILE" | grep -E '^\s*bind\s') + +base_domain=$(echo "$rdap_line" | sed -E "s/^\s*rdap\.([^ ]+)\s*\{/\1/") + +bind_values=$(echo "$bind_line" | sed -E 's/^\s*bind\s+//') + +cat <> "$CADDYFILE" + +epp.$base_domain { + bind $bind_values + redir https://cp.$base_domain{uri} +} +EOF + +echo "Added EPP block for epp.$base_domain with bind: $bind_values" + +systemctl reload caddy + +sleep 5 + +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$base_domain/epp.$base_domain.crt /opt/registry/epp/epp.crt +ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$base_domain/epp.$base_domain.key /opt/registry/epp/epp.key + +CONFIG_FILE="/opt/registry/epp/config.php" +NEW_CERT="/opt/registry/epp/epp.crt" +NEW_KEY="/opt/registry/epp/epp.key" + +sed -i \ + -e "s|^\(\s*'ssl_cert'\s*=>\s*\).*|\\1'$NEW_CERT',|" \ + -e "s|^\(\s*'ssl_key'\s*=>\s*\).*|\\1'$NEW_KEY',|" \ + "$CONFIG_FILE" + +SERVICE_SRC="/opt/registry/docs/namingo-epp-reload.service" +PATH_SRC="/opt/registry/docs/namingo-epp-reload.path" +SERVICE_DEST="/etc/systemd/system/namingo-epp-reload.service" +PATH_DEST="/etc/systemd/system/namingo-epp-reload.path" + +if [[ ! -f "$SERVICE_SRC" || ! -f "$PATH_SRC" ]]; then + echo "Error: Required files not found in /opt/registry/docs/" + exit 1 +fi + +echo "Copying systemd service and path files..." 
+cp "$SERVICE_SRC" "$SERVICE_DEST" +cp "$PATH_SRC" "$PATH_DEST" + +echo "Reloading systemd daemon..." +systemctl daemon-reexec +systemctl daemon-reload + +echo "Enabling and starting namingo-epp-reload.path..." +systemctl enable --now namingo-epp-reload.path + # Start services echo "Starting services..." systemctl start epp diff --git a/epp/config.php.dist b/epp/config.php.dist index 84d64bc..1c8d388 100644 --- a/epp/config.php.dist +++ b/epp/config.php.dist @@ -12,8 +12,8 @@ return [ 'epp_pid' => '/var/run/epp.pid', 'epp_greeting' => 'Namingo EPP Server 1.0', 'epp_prefix' => 'namingo', - 'ssl_cert' => '', - 'ssl_key' => '', + 'ssl_cert' => '/opt/registry/epp/epp.crt', + 'ssl_key' => '/opt/registry/epp/epp.key', 'test_tlds' => '.test,.com.test', 'rately' => false, 'limit' => 1000,
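Review bot: `rdap_line` is fed back into `grep -A 3 "$rdap_line"` as a regular expression, and nothing checks that the rdap block, the `bind` line or the derived `base_domain` were actually found; with no match, `grep -A 3 ""` matches every line, `base_domain` is empty, and the script appends a broken `epp. {` block to the Caddyfile, creates symlinks with an empty host name, and rewrites config.php to point at them. Match the site line as a fixed string and fail before touching the Caddyfile when either value is empty, as below. The `cat <> "$CADDYFILE"` line as rendered here looks like an extraction artifact of a heredoc append (`cat <<EOF >> "$CADDYFILE"`); if it is literal, the block is never appended and the later `EOF` is a stray token. The `sleep 5`/`ln -sf` race is the same one noted on docs/install-alpine.sh. This hunk begins on the previous line of the page.

```shell
rdap_line=$(grep -E '^\s*rdap\.[^ ]+\s*\{' "$CADDYFILE" | head -n 1)
[[ -n "$rdap_line" ]] || { echo "Error: no rdap.<domain> site block found in $CADDYFILE" >&2; exit 1; }
# fixed-string match: the site line contains '.' and '{', which are regex metacharacters
bind_line=$(grep -F -A 3 -- "$rdap_line" "$CADDYFILE" | grep -E '^\s*bind\s' | head -n 1)
base_domain=$(echo "$rdap_line" | sed -E "s/^\s*rdap\.([^ ]+)\s*\{/\1/")
bind_values=$(echo "$bind_line" | sed -E 's/^\s*bind\s+//')
[[ -n "$base_domain" && -n "$bind_values" ]] || { echo "Error: could not derive domain or bind address from $CADDYFILE" >&2; exit 1; }
# … unchanged: heredoc appending the epp.$base_domain block, caddy reload, symlinks, config.php edit, unit install …
```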
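Review bot: The new defaults point `ssl_cert`/`ssl_key` at `/opt/registry/epp/epp.crt` and `/opt/registry/epp/epp.key`, which the install scripts in this commit create as symlinks into Caddy's ACME storage rather than as files the operator manages; a comment next to the two keys, e.g. `// symlinks to the Caddy-issued certificate, refreshed on renewal (see namingo-epp-reload.path)`, would tell an operator editing this file why replacing them by hand is undone at the next renewal. Dropping the previous empty defaults also means an install that does not go through Caddy (the Nginx path in docs/install.md) now starts with paths that do not exist; that is worth a sentence in the docs.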