Added automatic reload of EPP server certificates

docs/install-alpine.sh

@@ -305,6 +305,11 @@ cp.${REGISTRY_DOMAIN} {
         Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
     }
 }
+
+cp.${REGISTRY_DOMAIN} {
+    ${BIND_LINE}
+    redir https://cp.${REGISTRY_DOMAIN}{uri}
+}
 EOF
 
 # Create log directory and adjust permissions
@@ -321,6 +326,11 @@ chown caddy:caddy /var/log/namingo/web-rdap.log
 rc-service caddy restart
 rc-update add caddy default
 
+sleep 5
+
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.${REGISTRY_DOMAIN}/epp.${REGISTRY_DOMAIN}.crt /opt/registry/epp/epp.crt
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.${REGISTRY_DOMAIN}/epp.${REGISTRY_DOMAIN}.key /opt/registry/epp/epp.key
+
 # --- Install Control Panel ---
 echo "Installing Control Panel..."
 mkdir -p /var/www
@@ -425,9 +435,18 @@ echo "Downloading initial data and setting up cache..."
 php /var/www/cp/bin/file_cache.php
 chown caddy:caddy /var/www/cp/cache
 
+echo "Downloading ICANN TMCH certificate data."
+curl -o /etc/ssl/certs/tmch.pem https://ca.icann.org/tmch.crt
+curl -o /etc/ssl/certs/tmch_pilot.pem https://ca.icann.org/tmch_pilot.crt
+chmod 644 /etc/ssl/certs/tmch.pem /etc/ssl/certs/tmch_pilot.pem
+
 echo -e "Installation complete!\n"
 echo -e "Next steps:\n"
 echo -e "1. Configure each component by editing their respective configuration files."
 echo -e "2. Once configuration is complete, start each service with the following command:\n   rc-service SERVICE_NAME start\n   Replace 'SERVICE_NAME' with the specific service (whois, rdap, epp, das) as needed."
 echo -e "3. To initiate the automation system, please refer to the configuration manual.\n"
 echo -e "For more detailed information, please consult the accompanying documentation or support resources."
+
+echo -e "⚠️ Notice: Automatic certificate monitoring and EPP reload via systemd is NOT supported on Alpine Linux."
+echo -e "Please remember to manually reload the EPP service every 3 months after certificate renewal:"
+echo -e "    systemctl reload namingo-epp"

docs/install.md

@@ -298,6 +298,11 @@ cp.example.com {
         Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=();
     }
 }
+
+cp.example.com {
+    bind NEW_IPV4_ADDRESS NEW_IPV6_ADDRESS
+    redir https://cp.example.com{uri}
+}
 ```
 
 Activate and reload Caddy:
@@ -307,6 +312,13 @@ systemctl enable caddy
 systemctl restart caddy
 ```
 
+Wait a few seconds and link the EPP certificates:
+
+```
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.example.com/epp.example.com.crt /opt/registry/epp/epp.crt
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.example.com/epp.example.com.key /opt/registry/epp/epp.key
+```
+
 ### 6b. Nginx:
 
 Move configuration files and create symbolic links:
@@ -496,19 +508,18 @@ mv config.php.dist config.php
 
 Configure all options in ```config.php```.
 
-To create test certificates (cert.pem and key.pem):
-
-```bash
-openssl genrsa -out key.pem 2048
-openssl req -new -x509 -key key.pem -out cert.pem -days 365
-```
-
 - Copy ```docs/epp.service``` to ```/etc/systemd/system/```. Change only User and Group lines to your user and group.
 
 ```bash
+cp /opt/registry/docs/namingo-epp-reload.service /etc/systemd/system/namingo-epp-reload.service
+cp /opt/registry/docs/namingo-epp-reload.path /etc/systemd/system/namingo-epp-reload.path
+
+systemctl daemon-reexec
 systemctl daemon-reload
 systemctl start epp.service
 systemctl enable epp.service
+
+systemctl enable --now namingo-epp-reload.path
 ```
 
 After that you can manage EPP via systemctl as any other service.

docs/install.sh

@@ -387,6 +387,11 @@ EOF
             Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=();
         }
     }
+
+    epp.$REGISTRY_DOMAIN {
+        $BIND_LINE
+        redir https://cp.$REGISTRY_DOMAIN{uri}
+    }
 EOF
 
     mkdir -p /var/log/namingo
@@ -401,6 +406,11 @@ EOF
     systemctl enable caddy
     systemctl restart caddy
 
+    sleep 5
+
+    ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$REGISTRY_DOMAIN/epp.$REGISTRY_DOMAIN.crt /opt/registry/epp/epp.crt
+    ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$REGISTRY_DOMAIN/epp.$REGISTRY_DOMAIN.key /opt/registry/epp/epp.key
+    
     echo "Installing Control Panel."
     mkdir -p /var/www
     cp -r /opt/registry/cp /var/www
@@ -510,6 +520,27 @@ EOF
     systemctl enable msg_producer
     systemctl enable msg_worker
 
+    SERVICE_SRC="/opt/registry/docs/namingo-epp-reload.service"
+    PATH_SRC="/opt/registry/docs/namingo-epp-reload.path"
+    SERVICE_DEST="/etc/systemd/system/namingo-epp-reload.service"
+    PATH_DEST="/etc/systemd/system/namingo-epp-reload.path"
+
+    if [[ ! -f "$SERVICE_SRC" || ! -f "$PATH_SRC" ]]; then
+      echo "Error: Required files not found in /opt/registry/docs/"
+      exit 1
+    fi
+
+    echo "Copying systemd service and path files..."
+    cp "$SERVICE_SRC" "$SERVICE_DEST"
+    cp "$PATH_SRC" "$PATH_DEST"
+
+    echo "Reloading systemd daemon..."
+    systemctl daemon-reexec
+    systemctl daemon-reload
+
+    echo "Enabling and starting namingo-epp-reload.path..."
+    systemctl enable --now namingo-epp-reload.path
+
     echo "Enabling Redis."
     systemctl daemon-reload
     systemctl enable redis-server

docs/namingo-epp-reload.path

@@ -0,0 +1,9 @@
+[Unit]
+Description=Watch for changes in EPP TLS cert/key
+
+[Path]
+PathChanged=/opt/registry/epp/epp.crt
+PathChanged=/opt/registry/epp/epp.key
+
+[Install]
+WantedBy=multi-user.target

docs/namingo-epp-reload.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Reload Namingo EPP server after cert update
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl reload epp

docs/update1021.sh

@@ -169,6 +169,68 @@ curl -o /etc/ssl/certs/tmch.pem https://ca.icann.org/tmch.crt
 curl -o /etc/ssl/certs/tmch_pilot.pem https://ca.icann.org/tmch_pilot.crt
 chmod 644 /etc/ssl/certs/tmch.pem /etc/ssl/certs/tmch_pilot.pem
 
+echo "Updating EPP server configuration."
+CADDYFILE="/etc/caddy/Caddyfile"
+CBACKUP="/etc/caddy/Caddyfile.bak.$(date +%F-%H%M%S)"
+
+# Step 0: Backup original Caddyfile
+cp "$CADDYFILE" "$CBACKUP"
+echo "Caddy backup saved to $CBACKUP"
+
+rdap_line=$(grep -E '^\s*rdap\.[^ ]+\s*\{' "$CADDYFILE")
+bind_line=$(grep -A 3 "$rdap_line" "$CADDYFILE" | grep -E '^\s*bind\s')
+
+base_domain=$(echo "$rdap_line" | sed -E "s/^\s*rdap\.([^ ]+)\s*\{/\1/")
+
+bind_values=$(echo "$bind_line" | sed -E 's/^\s*bind\s+//')
+
+cat <<EOF >> "$CADDYFILE"
+
+epp.$base_domain {
+    bind $bind_values
+    redir https://cp.$base_domain{uri}
+}
+EOF
+
+echo "Added EPP block for epp.$base_domain with bind: $bind_values"
+
+systemctl reload caddy
+
+sleep 5
+
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$base_domain/epp.$base_domain.crt /opt/registry/epp/epp.crt
+ln -sf /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/epp.$base_domain/epp.$base_domain.key /opt/registry/epp/epp.key
+
+CONFIG_FILE="/opt/registry/epp/config.php"
+NEW_CERT="/opt/registry/epp/epp.crt"
+NEW_KEY="/opt/registry/epp/epp.key"
+
+sed -i \
+  -e "s|^\(\s*'ssl_cert'\s*=>\s*\).*|\\1'$NEW_CERT',|" \
+  -e "s|^\(\s*'ssl_key'\s*=>\s*\).*|\\1'$NEW_KEY',|" \
+  "$CONFIG_FILE"
+
+SERVICE_SRC="/opt/registry/docs/namingo-epp-reload.service"
+PATH_SRC="/opt/registry/docs/namingo-epp-reload.path"
+SERVICE_DEST="/etc/systemd/system/namingo-epp-reload.service"
+PATH_DEST="/etc/systemd/system/namingo-epp-reload.path"
+
+if [[ ! -f "$SERVICE_SRC" || ! -f "$PATH_SRC" ]]; then
+  echo "Error: Required files not found in /opt/registry/docs/"
+  exit 1
+fi
+
+echo "Copying systemd service and path files..."
+cp "$SERVICE_SRC" "$SERVICE_DEST"
+cp "$PATH_SRC" "$PATH_DEST"
+
+echo "Reloading systemd daemon..."
+systemctl daemon-reexec
+systemctl daemon-reload
+
+echo "Enabling and starting namingo-epp-reload.path..."
+systemctl enable --now namingo-epp-reload.path
+
 # Start services
 echo "Starting services..."
 systemctl start epp

epp/config.php.dist

@@ -12,8 +12,8 @@ return [
     'epp_pid' => '/var/run/epp.pid',
     'epp_greeting' => 'Namingo EPP Server 1.0',
     'epp_prefix' => 'namingo',
-    'ssl_cert' => '',
+    'ssl_cert' => '/opt/registry/epp/epp.crt',
-    'ssl_key' => '',
+    'ssl_key' => '/opt/registry/epp/epp.key',
     'test_tlds' => '.test,.com.test',
     'rately' => false,
     'limit' => 1000,