A single HOOK to handle challenge, cleaning of challenge files and uploading of certs.

This commit is contained in:
et@corde.org
2015-12-08 14:03:59 +01:00
committed by Lukas Schauer
parent 15accf9013
commit c24843c666
2 changed files with 36 additions and 9 deletions
+10 -5
@@ -9,10 +9,16 @@
#OPENSSL_CNF=.... # system default (see openssl version -d) #OPENSSL_CNF=.... # system default (see openssl version -d)
#ROOTCERT="lets-encrypt-x1-cross-signed.pem" #ROOTCERT="lets-encrypt-x1-cross-signed.pem"
# program called before responding to the challenge, arguments: path/to/token # Program or function called in certain situations
# token; can be used to e.g. upload the challenge if this script doesn't run #
# on the webserver # After generating the challenge-response, or after failed challenge
#HOOK_CHALLENGE= # Given arguments: clean_challenge|deploy_challenge token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
#HOOK=
# try to renew certs that are within RENEW_DAYS days of their expiration date # try to renew certs that are within RENEW_DAYS days of their expiration date
#RENEW_DAYS="14" #RENEW_DAYS="14"
@@ -22,4 +28,3 @@
# email to use during the registration # email to use during the registration
#CONTACT_EMAIL= #CONTACT_EMAIL=
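Review bot: The new HOOK comment does not say that `clean_challenge` is only invoked on failure paths; on a successful challenge the script goes straight to `deploy_cert`, so a hook must remove the challenge file itself in that branch (the in-script comment for the deploy_cert call reads "clean the challenge and to deploy cert", which is easy to miss from the config side). I would add one line under the deploy_cert paragraph: `# Note: clean_challenge is NOT called after a successful challenge; deploy_cert must remove the token file itself`. It would also help to state here that HOOK is expanded unquoted, so a path containing spaces cannot be used.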
+26 -4
@@ -7,7 +7,7 @@ set -o pipefail
# Default config values # Default config values
CA="https://acme-v01.api.letsencrypt.org" CA="https://acme-v01.api.letsencrypt.org"
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
HOOK_CHALLENGE= HOOK=
RENEW_DAYS="14" RENEW_DAYS="14"
KEYSIZE="4096" KEYSIZE="4096"
WELLKNOWN=".acme-challenges" WELLKNOWN=".acme-challenges"
@@ -29,6 +29,10 @@ BASEDIR="${BASEDIR%%/}"
umask 077 # paranoid umask, we're creating private keys umask 077 # paranoid umask, we're creating private keys
# Export some environment variables to be used in hook script
export WELLKNOWN
export BASEDIR
anti_newline() { anti_newline() {
tr -d '\n\r' tr -d '\n\r'
} }
@@ -78,6 +82,12 @@ _request() {
echo "Details:" >&2 echo "Details:" >&2
echo "$(<"${tempcont}"))" >&2 echo "$(<"${tempcont}"))" >&2
rm -f "${tempcont}" rm -f "${tempcont}"
# Wait for hook script to clean the challenge if used
if [[ -n "${HOOK}" ]]; then
${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}"
fi
exit 1 exit 1
fi fi
@@ -173,8 +183,8 @@ sign_domain() {
chmod a+r "${WELLKNOWN}/${challenge_token}" chmod a+r "${WELLKNOWN}/${challenge_token}"
# Wait for hook script to deploy the challenge if used # Wait for hook script to deploy the challenge if used
if [ -n "${HOOK_CHALLENGE}" ]; then if [[ -n "${HOOK}" ]]; then
${HOOK_CHALLENGE} "${WELLKNOWN}/${challenge_token}" "${keyauth}" ${HOOK} "deploy_challenge" "${challenge_token}" "${keyauth}"
fi fi
# Ask the acme-server to verify our challenge and wait until it becomes valid # Ask the acme-server to verify our challenge and wait until it becomes valid
@@ -195,6 +205,12 @@ sign_domain() {
echo " + Challenge is valid!" echo " + Challenge is valid!"
else else
echo " + Challenge is invalid! (returned: ${status})" echo " + Challenge is invalid! (returned: ${status})"
# Wait for hook script to clean the challenge if used
if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token}" ]]; then
${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}"
fi
exit 1 exit 1
fi fi
@@ -231,6 +247,12 @@ sign_domain() {
rm -f "${BASEDIR}/certs/${domain}/cert.pem" rm -f "${BASEDIR}/certs/${domain}/cert.pem"
ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem" ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
# Wait for hook script to clean the challenge and to deploy cert if used
if [[ -n "${HOOK}" ]]; then
${HOOK} "deploy_cert" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
fi
unset challenge_token
echo " + Done!" echo " + Done!"
} }
@@ -278,7 +300,7 @@ if [[ "${1:-}" = "revoke" ]]; then
echo "Usage: ${0} revoke path/to/cert.pem" echo "Usage: ${0} revoke path/to/cert.pem"
exit 1 exit 1
fi fi
echo "Revoking ${2}" echo "Revoking ${2}"
revoke_cert "${2}" revoke_cert "${2}"
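Review bot: The clean_challenge call added in `_request()` is missing the `challenge_token` guard that the sign_domain copy has: `_request` is the shared error path for every API call, so a failed registration or revocation request (where no challenge exists) would still run the hook with an empty token and keyauth, and if the script runs with `set -u` (not visible in this hunk) the unset variable aborts before the hook fires — note the later `unset challenge_token` makes that state reachable after a successful sign as well. Make it consistent with the sign_domain branch: `if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token:-}" ]]; then`. Separately, the deploy_challenge call in sign_domain ignores the hook's exit status, so a hook that fails to publish the token is followed straight by the verification request; unless `set -e` is in effect above (cut off here), a `|| exit 1` after that line would turn a silent upload failure into a visible one. The `_request` and `sign_domain` bodies both extend beyond these hunks.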