Skip challenge for already validated domains (#293)

* skip challenge for already validated domains * only call deploy_challenge hook if there is work No need to call the hook if there are no challenges to deploy
2026-03-12 05:11:33 +01:00 · 2016-12-18 20:25:05 +01:00
parent 6086983c02
commit 9729751d93
1 changed files with 22 additions and 5 deletions
--- a/27
+++ b/27
@@ -306,6 +306,13 @@ get_json_string_value() {
  sed -n "${filter}"
 }

+rm_json_arrays() {
+  local filter
+  filter='s/\[[^][]*\]/null/g'
+  # remove three levels of nested arrays
+  sed -e "${filter}" -e "${filter}" -e "${filter}"
+}
+
 # OpenSSL writes to stderr/stdout even when there are no errors. So just
 # display the output if the exit code was != 0 to simplify debugging.
 _openssl() {
@@ -451,9 +458,9 @@ sign_csr() {

  local idx=0
  if [[ -n "${ZSH_VERSION:-}" ]]; then
-    local -A challenge_uris challenge_tokens keyauths deploy_args
+    local -A challenge_altnames challenge_uris challenge_tokens keyauths deploy_args
  else
-    local -a challenge_uris challenge_tokens keyauths deploy_args
+    local -a challenge_altnames challenge_uris challenge_tokens keyauths deploy_args
  fi

  # Request challenges
@@ -462,6 +469,12 @@ sign_csr() {
    echo " + Requesting challenge for ${altname}..."
    response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}' | clean_json)"

+    challenge_status="$(printf '%s' "${response}" | rm_json_arrays | get_json_string_value status)"
+    if [ "${challenge_status}" = "valid" ]; then
+       echo " + Already validated"
+       continue
+    fi
+
    challenges="$(printf '%s\n' "${response}" | sed -n 's/.*\("challenges":[^\[]*\[[^]]*]\).*/\1/p')"
    repl=$'\n''{' # fix syntax highlighting in Vim
    challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep \""${CHALLENGETYPE}"\")"
@@ -488,6 +501,7 @@ sign_csr() {
        ;;
    esac

+    challenge_altnames[${idx}]="${altname}"
    challenge_uris[${idx}]="${challenge_uri}"
    keyauths[${idx}]="${keyauth}"
    challenge_tokens[${idx}]="${challenge_token}"
@@ -497,12 +511,15 @@ sign_csr() {
  done

  # Wait for hook script to deploy the challenges if used
-  # shellcheck disable=SC2068
-  [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]] && "${HOOK}" "deploy_challenge" ${deploy_args[@]}
+  if [ ${#deploy_args[@]} -ne 0 ]; then
+    # shellcheck disable=SC2068
+    [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]] && "${HOOK}" "deploy_challenge" ${deploy_args[@]}
+  fi

  # Respond to challenges
+  reqstatus="valid"
  idx=0
-  for altname in ${altnames}; do
+  for altname in "${challenge_altnames[@]:0}"; do
    challenge_token="${challenge_tokens[${idx}]}"
    keyauth="${keyauths[${idx}]}"