starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-03-12 05:11:33 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Merge pull request #7 from rudis/master

Browse Source 
add challenge hook and minor fixes/improvements
This commit is contained in:
Lukas Schauer
2015-12-06 02:49:05 +01:00
parent 2e8454b46e b33f128893
commit 16a5589b45
3 changed files with 28 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
certs/.keep
View File

9
config.sh.example
View File

@@ -1,2 +1,9 @@
CA="https://acme-v01.api.letsencrypt.org"
# default values are commented
#CA="https://acme-v01.api.letsencrypt.org"
WELLKNOWN="/var/www/letsencrypt/.well-known/acme-challenge"
# program called before responding to the challenge, arguments: path/to/token
# token; can be used to e.g. upload the challenge if this script doesn't run
# on the webserver
#HOOK_CHALLENGE=

26
letsencrypt.sh
View File

@@ -4,6 +4,11 @@ set -e
set -u
set -o pipefail
# default config values
CA="https://acme-v01.api.letsencrypt.org"
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
HOOK_CHALLENGE=
. ./config.sh
umask 077 # paranoid umask, we're creating private keys
@@ -43,13 +48,17 @@ hex2bin() {
_request() {
temperr="$(mktemp)"
if [ "${1}" = "head" ]; then
curl -sSf -I "${2}" 2>${temperr}
curl -sSf -I "${2}" 2>"${temperr}"
elif [ "${1}" = "get" ]; then
curl -sSf "${2}" 2>${temperr}
curl -sSf "${2}" 2>"${temperr}"
elif [ "${1}" = "post" ]; then
curl -sSf "${2}" -d "${3}" 2>${temperr}
curl -sSf "${2}" -d "${3}" 2>"${temperr}"
fi
if [ -s "${temperr}" ]; then
echo " + ERROR: An error occurred while sending ${1}-request to ${2} ($(<"${temperr}"))" >&2
rm -f "${temperr}"
exit 1
fi
if [ ! -z "$(<${temperr})" ]; then echo " + ERROR: An error occured while sending ${1}-request to ${2} ($(<"${temperr}"))" >&2; exit 1; fi
rm -f "${temperr}"
}
@@ -83,7 +92,7 @@ sign_domain() {
# If there is no existing certificate directory we need a new private key
if [ ! -e "certs/${domain}" ]; then
mkdir "certs/${domain}"
mkdir -p "certs/${domain}"
echo " + Generating private key..."
openssl genrsa -out "certs/${domain}/privkey.pem" 4096 2> /dev/null > /dev/null
fi
@@ -118,6 +127,11 @@ sign_domain() {
printf '%s' "${keyauth}" > "${WELLKNOWN}/${challenge_token}"
chmod a+r "${WELLKNOWN}/${challenge_token}"
# Wait for hook script to deploy the challenge if used
if [ -n "${HOOK_CHALLENGE}" ]; then
${HOOK_CHALLENGE} "${WELLKNOWN}/${challenge_token}" "${keyauth}"
fi
# Ask the acme-server to verify our challenge and wait until it becomes valid
echo " + Responding to challenge for ${altname}..."
result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
@@ -161,7 +175,7 @@ thumbprint="$(printf '%s' "$(printf '%s' '{"e":"'"${pubExponent64}"'","kty":"RSA
# If we generated a new private key in the step above we have to register it with the acme-server
if [ "${register}" = "1" ]; then
echo "+ Registering account key with letsencrypt..."
signed_request "${CA}/acme/new-reg" '{"resource": "new-reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"}' > /dev/null
signed_request "${CA}/acme/new-reg" '{"resource": "new-reg", "agreement": "'"$LICENSE"'"}' > /dev/null
fi
# Generate certificates for all domains found in domain.txt (TODO: check if certificate already exists and is about to expire)