fix: Issue 20

.gitignore

@@ -0,0 +1,2 @@
+.aws/*
+.gcloud/*

README.md

@@ -30,6 +30,10 @@ This script is setup such that if it determines that on-boot-script is enabled,
 
 AWS Route53 DNS challenge can use configuration and authentication values easily through shared credentials and configuration files [as described here](https://go-acme.github.io/lego/dns/route53/). This script will check for and include these files during the initial certificate generation and subsequent renewals. Ensure that `route53` is set for `DNS_PROVIDER` in `udm-le.env`, create a new directory called `.aws` in `/mnt/data/udm-le` and add `credentials` and `config` files as required for your authentication. See the [AWS CLI Documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) for more information. Currently only the `default` profile is supported.
 
+### GCP Cloud DNS
+
+GCP Cloud DNS can be configured by establishing a service account with the role [`roles/dns.admin`](https://cloud.google.com/iam/docs/understanding-roles#dns-roles) and exporting a [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for that service account. Ensure that `gcloud` is set for `DNS_PROVIDER` in `udm-le.env`, and `GCE_SERVICE_ACCOUNT_FILE` references the path to the service account key (e.g. `./root/.gcloud/my_service_account.json`) . Create a new directory called `.gcloud` in `/mnt/data/udm-le` and add the service account file.
+
 ### Cloudflare
 
 In your Cloudflare account settings, create an API token with the following permissions:

udm-le.env

@@ -6,7 +6,7 @@
 CERT_EMAIL='your@email.com'
 
 # The FQDN of your UDMP (comma separated fqdns are supported)
-CERT_HOSTS='whatever.hostname.com,*.whatever.hostname.com'
+CERT_HOSTS='whatever.hostname.com,*.whatever.anotherhostname.com'
 
 # Enable updating Captive Portal certificate as well as device certificate
 ENABLE_CAPTIVE='no'
@@ -16,6 +16,13 @@ ENABLE_CAPTIVE='no'
 CLOUDFLARE_DNS_API_TOKEN=YOUR_CLOUDFLARE_API_TOKEN
 DNS_PROVIDER='cloudflare'
 
+# GCP CloudDNS settings, see the README.md for information about other providers.
+# Note: The default path for the service account file is /root/.gcloud
+#GCE_SERVICE_ACCOUNT_FILE=/root/.gcloud/sa.json
+#DNS_PROVIDER='gcloud'
+#GCE_PROPAGATION_TIMEOUT=3600
+
+
 #
 # Change stuff below at your own risk
 #

udm-le.sh

@@ -11,11 +11,13 @@ LEGO_ARGS="--dns ${DNS_PROVIDER} --email ${CERT_EMAIL} --key-type rsa2048"
 NEW_CERT=""
 
 deploy_cert() {
-	if [ "$(find -L "${UDM_LE_PATH}"/lego -type f -name "${CERT_NAME}".crt -mmin -5)" ]; then
+	#Re-write CERT_NAME if it is a wildcard cert. Replace * with _
+	LEGO_CERT_NAME=${CERT_NAME/\*/_}
+	if [ "$(find -L "${UDM_LE_PATH}"/lego -type f -name "${LEGO_CERT_NAME}".crt -mmin -5)" ]; then
 		echo 'New certificate was generated, time to deploy it'
 		# Controller certificate
-		cp -f ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.crt ${UBIOS_CERT_PATH}/unifi-core.crt
-		cp -f ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.key ${UBIOS_CERT_PATH}/unifi-core.key
+		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.crt ${UBIOS_CERT_PATH}/unifi-core.crt
+		cp -f ${UDM_LE_PATH}/lego/certificates/${LEGO_CERT_NAME}.key ${UBIOS_CERT_PATH}/unifi-core.key
 		chmod 644 ${UBIOS_CERT_PATH}/unifi-core.*
 		NEW_CERT="yes"
 	else
@@ -48,6 +50,12 @@ if [ -d "${UDM_LE_PATH}/.aws" ]; then
         DOCKER_VOLUMES="${DOCKER_VOLUMES} -v ${UDM_LE_PATH}/.aws:/root/.aws/"
 fi
 
+# Check for optional .gcloud directory, and add it to the mounts if it exists
+if [ -d "${UDM_LE_PATH}/.gcloud" ]; then
+        DOCKER_VOLUMES="${DOCKER_VOLUMES} -v ${UDM_LE_PATH}/.gcloud:/root/.gcloud/"
+fi
+
+
 # Setup persistent on_boot.d trigger
 ON_BOOT_DIR='/mnt/data/on_boot.d'
 ON_BOOT_FILE='99-udm-le.sh'
@@ -88,4 +96,8 @@ bootrenew)
 	echo 'Attempting certificate renewal'
 	${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert && add_captive && unifi-os restart
 	;;
+testdeploy)
+	echo 'Attempting to deploy certificate'
+	deploy_cert
+	;;
 esac