remove --sign in favor of two options "--force" and "--domain" (try 2)

Markus Germeier
2015-12-15 20:56:07 +01:00
parent d04dc548a0
commit 8f6c23280d
3 changed files with 51 additions and 33 deletions


@@ -30,7 +30,7 @@ script:
# move config out of the way and try signing certificate by using temporary config location # move config out of the way and try signing certificate by using temporary config location
- mv config.sh tmp_config.sh - mv config.sh tmp_config.sh
- ./letsencrypt.sh --sign "${TMP_URL}" -f tmp_config.sh - ./letsencrypt.sh --domain "${TMP_URL}" -f tmp_config.sh
- mv tmp_config.sh config.sh - mv tmp_config.sh config.sh
# run in cron mode (should find a non-expiring certificate) + check running without given mode (should default to cron mode) # run in cron mode (should find a non-expiring certificate) + check running without given mode (should default to cron mode)


@@ -26,12 +26,13 @@ Default command: cron
Commands: Commands:
--cron (-c) Sign/renew non-existant/changed(TODO)/expiring certificates. --cron (-c) Sign/renew non-existant/changed(TODO)/expiring certificates.
--sign (-s) domain.tld Force-sign specific certificate from domains.txt, even if not yet expiring or changed.
--revoke (-r) path/to/cert.pem Revoke specified certificate --revoke (-r) path/to/cert.pem Revoke specified certificate
--help (-h) Show help text --help (-h) Show help text
--env (-e) Output configuration variables for use in other scripts --env (-e) Output configuration variables for use in other scripts
Parameters: Parameters:
--domain (-d) domain.tld Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names
--force (-x) force renew of certificate even if it is longer valid than value in RENEW_DAYS
--config (-f) path/to/config.sh Use specified config file --config (-f) path/to/config.sh Use specified config file
--privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation) --privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
``` ```


@@ -222,6 +222,11 @@ _request() {
${HOOK} "clean_challenge" '' "${challenge_token}" "${keyauth}" ${HOOK} "clean_challenge" '' "${challenge_token}" "${keyauth}"
fi fi
# remove temporary domains.txt file if used
if [[ -n "${PARAM_DOMAIN:-}" ]]; then
rm "${DOMAINS_TXT}"
fi
exit 1 exit 1
fi fi
@@ -395,13 +400,24 @@ sign_domain() {
# Usage: --cron (-c) # Usage: --cron (-c)
# Description: Sign/renew non-existant/changed(TODO)/expiring certificates. # Description: Sign/renew non-existant/changed(TODO)/expiring certificates.
command_cron() { command_sign_domains() {
if [[ -n "${PARAM_DOMAIN:-}" ]]; then
# we are using a temporary domains.txt file so we don't need to duplicate any code
DOMAINS_TXT="$(mktemp)"
echo "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
fi
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
<"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do <"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do
domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)" domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
cert="${BASEDIR}/certs/${domain}/cert.pem" cert="${BASEDIR}/certs/${domain}/cert.pem"
echo "Processing ${domain}" if [[ -z "${morenames}" ]];then
echo "Processing ${domain}"
else
echo "Processing ${domain} with SAN: ${morenames}"
fi
if [[ -e "${cert}" ]]; then if [[ -e "${cert}" ]]; then
echo " + Found existing cert..." echo " + Found existing cert..."
@@ -409,33 +425,26 @@ command_cron() {
echo -n " + Valid till ${valid} " echo -n " + Valid till ${valid} "
if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then
echo "(Longer than ${RENEW_DAYS} days). Skipping!" echo -n "(Longer than ${RENEW_DAYS} days). "
continue if [[ "${PARAM_FORCE:-}" = "yes" ]]; then
echo "Ignoring because --force was specified!"
else
echo "Skipping!"
continue
fi
else
echo "(Less than ${RENEW_DAYS} days). Renewing!"
fi fi
echo "(Less than ${RENEW_DAYS} days). Renewing!"
fi fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
sign_domain $line sign_domain $line
done done
}
# Usage: --sign (-s) domain.tld # remove temporary domains.txt file if used
# Description: Force-sign specific certificate from domains.txt, even if not yet expiring or changed. if [[ -n "${PARAM_DOMAIN:-}" ]]; then
command_sign() { rm "${DOMAINS_TXT}"
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire fi
<"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -E "^${1}($|\s)" | head -1 | while read -r line; do
domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
cert="${BASEDIR}/certs/${domain}/cert.pem"
echo "Processing ${domain}"
if [[ -e "${cert}" ]]; then
echo " + Found existing cert... ignoring."
fi
# shellcheck disable=SC2086
sign_domain $line
done || (echo "No entry for ${1} found in ${DOMAINS_TXT}."; exit 1)
} }
# Usage: --revoke (-r) path/to/cert.pem # Usage: --revoke (-r) path/to/cert.pem
@@ -509,7 +518,8 @@ for arg; do
case "${arg}" in case "${arg}" in
--help) args="${args}-h ";; --help) args="${args}-h ";;
--cron) args="${args}-c ";; --cron) args="${args}-c ";;
--sign) args="${args}-s ";; --domain) args="${args}-d ";;
--force ) args="${args}-x ";;
--revoke) args="${args}-r ";; --revoke) args="${args}-r ";;
--privkey) args="${args}-p ";; --privkey) args="${args}-p ";;
--config) args="${args}-f ";; --config) args="${args}-f ";;
@@ -547,7 +557,7 @@ check_parameters() {
fi fi
} }
while getopts ":hcer:s:f:p:" option; do while getopts ":hcer:d:xf:p:" option; do
case "${option}" in case "${option}" in
h) h)
command_help command_help
@@ -564,10 +574,20 @@ while getopts ":hcer:s:f:p:" option; do
check_parameters "${OPTARG:-}" check_parameters "${OPTARG:-}"
revoke_me="${OPTARG}" revoke_me="${OPTARG}"
;; ;;
s) d)
set_command sign # PARAM_Usage: --domain (-d) domain.tld
# PARAM_Description: Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names
check_parameters "${OPTARG:-}" check_parameters "${OPTARG:-}"
sign_me="${OPTARG}" if [[ -z "${PARAM_DOMAIN:-}" ]]; then
PARAM_DOMAIN="${OPTARG}"
else
PARAM_DOMAIN="${PARAM_DOMAIN} ${OPTARG}"
fi
;;
x)
# PARAM_Usage: --force (-x)
# PARAM_Description: force renew of certificate even if it is longer valid than value in RENEW_DAYS
PARAM_FORCE="yes"
;; ;;
f) f)
# PARAM_Usage: --config (-f) path/to/config.sh # PARAM_Usage: --config (-f) path/to/config.sh
@@ -598,14 +618,11 @@ init_system
case "${COMMAND}" in case "${COMMAND}" in
cron) cron)
command_cron command_sign_domains
;; ;;
env) env)
command_env command_env
;; ;;
sign)
command_sign "${sign_me}"
;;
revoke) revoke)
command_revoke "${revoke_me}" command_revoke "${revoke_me}"
;; ;;
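Review bot: The temporary domains file created in the `command_sign_domains` hunk (`DOMAINS_TXT="$(mktemp)"`) is only removed on the function's normal completion and on the single `_request` failure path patched in the first hunk, so any other early exit (a failing `sign_domain`, an unguarded error if the script runs with `set -e`) leaves the caller's domain list behind in the temp directory. An EXIT trap set right after creation covers every exit path and makes the ad-hoc `rm` in `_request` unnecessary: `DOMAINS_TXT="$(mktemp)" || exit 1` followed by `trap 'rm -f -- "${DOMAINS_TXT}"' EXIT`. This also checks that `mktemp` succeeded, which the current line does not, and the `--` guards both removals against a path beginning with a dash. The body of `command_sign_domains` starts in that hunk and continues into the following one (`@@ -409,33 +425,26 @@`), where the matching cleanup lives; as a style point, `--force )` in the long-option hunk carries a space before the parenthesis that none of the neighbouring arms use.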