mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-07-10 15:12:43 +02:00
removed get_json_array helper, rearranged sign_domain method a bit, made grep for PEM-format-check quiet
This commit is contained in:
+22
-35
@@ -145,10 +145,6 @@ get_json_string_value() {
|
|||||||
grep -Eo '"'"${1}"'":[[:space:]]*"[^"]*"' | cut -d'"' -f4
|
grep -Eo '"'"${1}"'":[[:space:]]*"[^"]*"' | cut -d'"' -f4
|
||||||
}
|
}
|
||||||
|
|
||||||
get_json_array() {
|
|
||||||
grep -Eo '"'"${1}"'":[^\[]*\[[^]]*]'
|
|
||||||
}
|
|
||||||
|
|
||||||
# OpenSSL writes to stderr/stdout even when there are no errors. So just
|
# OpenSSL writes to stderr/stdout even when there are no errors. So just
|
||||||
# display the output if the exit code was != 0 to simplify debugging.
|
# display the output if the exit code was != 0 to simplify debugging.
|
||||||
_openssl() {
|
_openssl() {
|
||||||
@@ -200,6 +196,7 @@ http_request() {
|
|||||||
rm -f "${tempcont}"
|
rm -f "${tempcont}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Send signed request
|
||||||
signed_request() {
|
signed_request() {
|
||||||
# Encode payload as urlbase64
|
# Encode payload as urlbase64
|
||||||
payload64="$(printf '%s' "${2}" | urlbase64)"
|
payload64="$(printf '%s' "${2}" | urlbase64)"
|
||||||
@@ -223,20 +220,20 @@ signed_request() {
|
|||||||
http_request post "${1}" "${data}"
|
http_request post "${1}" "${data}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create certificate for domain(s)
|
||||||
sign_domain() {
|
sign_domain() {
|
||||||
domain="${1}"
|
domain="${1}"
|
||||||
altnames="${*}"
|
altnames="${*}"
|
||||||
|
timestamp="$(date +%s)"
|
||||||
|
|
||||||
echo " + Signing domains..."
|
echo " + Signing domains..."
|
||||||
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
|
||||||
echo " + ERROR: Certificate authority doesn't allow certificate signing" >&2
|
_exiterr "Certificate authority doesn't allow certificate signing"
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
timestamp="$(date +%s)"
|
|
||||||
|
|
||||||
# If there is no existing certificate directory => make it
|
# If there is no existing certificate directory => make it
|
||||||
if [[ ! -e "${BASEDIR}/certs/${domain}" ]]; then
|
if [[ ! -e "${BASEDIR}/certs/${domain}" ]]; then
|
||||||
echo " + make directory ${BASEDIR}/certs/${domain} ..."
|
echo " + Creating new directory ${BASEDIR}/certs/${domain} ..."
|
||||||
mkdir -p "${BASEDIR}/certs/${domain}"
|
mkdir -p "${BASEDIR}/certs/${domain}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -249,12 +246,12 @@ sign_domain() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate signing request config and the actual signing request
|
# Generate signing request config and the actual signing request
|
||||||
|
echo " + Generating signing request..."
|
||||||
SAN=""
|
SAN=""
|
||||||
for altname in $altnames; do
|
for altname in ${altnames}; do
|
||||||
SAN+="DNS:${altname}, "
|
SAN+="DNS:${altname}, "
|
||||||
done
|
done
|
||||||
SAN="${SAN%%, }"
|
SAN="${SAN%%, }"
|
||||||
echo " + Generating signing request..."
|
|
||||||
local tmp_openssl_cnf
|
local tmp_openssl_cnf
|
||||||
tmp_openssl_cnf="$(mktemp)"
|
tmp_openssl_cnf="$(mktemp)"
|
||||||
cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
|
cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
|
||||||
@@ -263,20 +260,19 @@ sign_domain() {
|
|||||||
rm -f "${tmp_openssl_cnf}"
|
rm -f "${tmp_openssl_cnf}"
|
||||||
|
|
||||||
# Request and respond to challenges
|
# Request and respond to challenges
|
||||||
for altname in $altnames; do
|
for altname in ${altnames}; do
|
||||||
# Ask the acme-server for new challenge token and extract them from the resulting json block
|
# Ask the acme-server for new challenge token and extract them from the resulting json block
|
||||||
echo " + Requesting challenge for ${altname}..."
|
echo " + Requesting challenge for ${altname}..."
|
||||||
response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}')"
|
response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}')"
|
||||||
|
|
||||||
challenges="$(printf '%s\n' "${response}" | get_json_array challenges)"
|
challenges="$(printf '%s\n' "${response}" | grep -Eo '"challenges":[^\[]*\[[^]]*]')"
|
||||||
repl=$'\n''{' # fix syntax highlighting in Vim
|
repl=$'\n''{' # fix syntax highlighting in Vim
|
||||||
challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep 'http-01')"
|
challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep 'http-01')"
|
||||||
challenge_token="$(printf '%s' "${challenge}" | get_json_string_value token | sed 's/[^A-Za-z0-9_\-]/_/g')"
|
challenge_token="$(printf '%s' "${challenge}" | get_json_string_value token | sed 's/[^A-Za-z0-9_\-]/_/g')"
|
||||||
challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value uri)"
|
challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value uri)"
|
||||||
|
|
||||||
if [[ -z "${challenge_token}" ]] || [[ -z "${challenge_uri}" ]]; then
|
if [[ -z "${challenge_token}" ]] || [[ -z "${challenge_uri}" ]]; then
|
||||||
echo " + Error: Can't retrieve challenges (${response})" >&2
|
_exiterr "Can't retrieve challenges (${response})"
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Challenge response consists of the challenge token and the thumbprint of our public certificate
|
# Challenge response consists of the challenge token and the thumbprint of our public certificate
|
||||||
@@ -287,17 +283,14 @@ sign_domain() {
|
|||||||
chmod a+r "${WELLKNOWN}/${challenge_token}"
|
chmod a+r "${WELLKNOWN}/${challenge_token}"
|
||||||
|
|
||||||
# Wait for hook script to deploy the challenge if used
|
# Wait for hook script to deploy the challenge if used
|
||||||
if [[ -n "${HOOK}" ]]; then
|
[[ -n "${HOOK}" ]] && ${HOOK} "deploy_challenge" "${altname}" "${challenge_token}" "${keyauth}"
|
||||||
${HOOK} "deploy_challenge" "${altname}" "${challenge_token}" "${keyauth}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Ask the acme-server to verify our challenge and wait until it becomes valid
|
# Ask the acme-server to verify our challenge and wait until it is no longer pending
|
||||||
echo " + Responding to challenge for ${altname}..."
|
echo " + Responding to challenge for ${altname}..."
|
||||||
result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
|
result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
|
||||||
|
|
||||||
status="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
status="$(printf '%s\n' "${result}" | get_json_string_value status)"
|
||||||
|
|
||||||
# get status until a result is reached => not pending anymore
|
|
||||||
while [[ "${status}" = "pending" ]]; do
|
while [[ "${status}" = "pending" ]]; do
|
||||||
sleep 1
|
sleep 1
|
||||||
status="$(http_request get "${challenge_uri}" | get_json_string_value status)"
|
status="$(http_request get "${challenge_uri}" | get_json_string_value status)"
|
||||||
@@ -313,10 +306,8 @@ sign_domain() {
|
|||||||
if [[ "${status}" = "valid" ]]; then
|
if [[ "${status}" = "valid" ]]; then
|
||||||
echo " + Challenge is valid!"
|
echo " + Challenge is valid!"
|
||||||
else
|
else
|
||||||
echo " + Challenge is invalid! (returned: ${status})" >&2
|
_exiterr "Challenge is invalid! (returned: ${status})"
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
|
# Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
|
||||||
@@ -325,7 +316,8 @@ sign_domain() {
|
|||||||
crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
|
crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
|
||||||
crt_path="${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
|
crt_path="${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
|
||||||
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${crt_path}"
|
printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${crt_path}"
|
||||||
# try to load the certificate to detect corruption
|
|
||||||
|
# Try to load the certificate to detect corruption
|
||||||
echo " + Checking certificate..."
|
echo " + Checking certificate..."
|
||||||
_openssl x509 -text < "${crt_path}"
|
_openssl x509 -text < "${crt_path}"
|
||||||
|
|
||||||
@@ -333,31 +325,26 @@ sign_domain() {
|
|||||||
echo " + Creating fullchain.pem..."
|
echo " + Creating fullchain.pem..."
|
||||||
cat "${crt_path}" > "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
|
cat "${crt_path}" > "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
|
||||||
http_request get "$(openssl x509 -in "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem"
|
http_request get "$(openssl x509 -in "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem"
|
||||||
if ! grep "BEGIN CERTIFICATE" "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" > /dev/null 2>&1; then
|
if ! grep -q "BEGIN CERTIFICATE" "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem"; then
|
||||||
openssl x509 -in "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -inform DER -out "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -outform PEM
|
openssl x509 -in "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -inform DER -out "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -outform PEM
|
||||||
fi
|
fi
|
||||||
ln -sf "chain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/chain.pem"
|
|
||||||
cat "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" >> "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
|
cat "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" >> "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
|
||||||
|
|
||||||
|
# Update symlinks
|
||||||
|
[[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
|
||||||
|
|
||||||
|
ln -sf "chain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/chain.pem"
|
||||||
ln -sf "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
|
ln -sf "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
|
||||||
|
|
||||||
# Update remaining symlinks
|
|
||||||
if [ ! "${privkey}" = "privkey.pem" ]; then
|
|
||||||
ln -sf "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ln -sf "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
|
ln -sf "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
|
||||||
ln -sf "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
|
ln -sf "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
|
||||||
|
|
||||||
# Wait for hook script to clean the challenge and to deploy cert if used
|
# Wait for hook script to clean the challenge and to deploy cert if used
|
||||||
if [[ -n "${HOOK}" ]]; then
|
[[ -n "${HOOK}" ]] && ${HOOK} "deploy_cert" "${domain}" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
|
||||||
${HOOK} "deploy_cert" "${domain}" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
|
|
||||||
fi
|
|
||||||
|
|
||||||
unset challenge_token
|
unset challenge_token
|
||||||
echo " + Done!"
|
echo " + Done!"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Usage: --cron (-c)
|
# Usage: --cron (-c)
|
||||||
# Description: Sign/renew non-existant/changed/expiring certificates.
|
# Description: Sign/renew non-existant/changed/expiring certificates.
|
||||||
command_sign_domains() {
|
command_sign_domains() {
|
||||||
|
|||||||
Reference in New Issue
Block a user