A single HOOK to handle challenge, cleaning of challenge files and uploading of certs.
committed by
Lukas Schauer
parent
15accf9013
commit
c24843c666
+10
-5
@@ -9,10 +9,16 @@
|
|||||||
#OPENSSL_CNF=.... # system default (see openssl version -d)
|
#OPENSSL_CNF=.... # system default (see openssl version -d)
|
||||||
#ROOTCERT="lets-encrypt-x1-cross-signed.pem"
|
#ROOTCERT="lets-encrypt-x1-cross-signed.pem"
|
||||||
|
|
||||||
# program called before responding to the challenge, arguments: path/to/token
|
# Program or function called in certain situations
|
||||||
# token; can be used to e.g. upload the challenge if this script doesn't run
|
#
|
||||||
# on the webserver
|
# After generating the challenge-response, or after failed challenge
|
||||||
#HOOK_CHALLENGE=
|
# Given arguments: clean_challenge|deploy_challenge token-filename token-content
|
||||||
|
#
|
||||||
|
# After successfully signing certificate
|
||||||
|
# Given arguments: deploy_cert path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
|
||||||
|
#
|
||||||
|
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
|
||||||
|
#HOOK=
|
||||||
|
|
||||||
# try to renew certs that are within RENEW_DAYS days of their expiration date
|
# try to renew certs that are within RENEW_DAYS days of their expiration date
|
||||||
#RENEW_DAYS="14"
|
#RENEW_DAYS="14"
|
||||||
@@ -22,4 +28,3 @@
|
|||||||
|
|
||||||
# email to use during the registration
|
# email to use during the registration
|
||||||
#CONTACT_EMAIL=
|
#CONTACT_EMAIL=
|
||||||
|
|
||||||
|
|||||||
+26
-4
@@ -7,7 +7,7 @@ set -o pipefail
|
|||||||
# Default config values
|
# Default config values
|
||||||
CA="https://acme-v01.api.letsencrypt.org"
|
CA="https://acme-v01.api.letsencrypt.org"
|
||||||
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
|
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
|
||||||
HOOK_CHALLENGE=
|
HOOK=
|
||||||
RENEW_DAYS="14"
|
RENEW_DAYS="14"
|
||||||
KEYSIZE="4096"
|
KEYSIZE="4096"
|
||||||
WELLKNOWN=".acme-challenges"
|
WELLKNOWN=".acme-challenges"
|
||||||
@@ -29,6 +29,10 @@ BASEDIR="${BASEDIR%%/}"
|
|||||||
|
|
||||||
umask 077 # paranoid umask, we're creating private keys
|
umask 077 # paranoid umask, we're creating private keys
|
||||||
|
|
||||||
|
# Export some environment variables to be used in hook script
|
||||||
|
export WELLKNOWN
|
||||||
|
export BASEDIR
|
||||||
|
|
||||||
anti_newline() {
|
anti_newline() {
|
||||||
tr -d '\n\r'
|
tr -d '\n\r'
|
||||||
}
|
}
|
||||||
@@ -78,6 +82,12 @@ _request() {
|
|||||||
echo "Details:" >&2
|
echo "Details:" >&2
|
||||||
echo "$(<"${tempcont}"))" >&2
|
echo "$(<"${tempcont}"))" >&2
|
||||||
rm -f "${tempcont}"
|
rm -f "${tempcont}"
|
||||||
|
|
||||||
|
# Wait for hook script to clean the challenge if used
|
||||||
|
if [[ -n "${HOOK}" ]]; then
|
||||||
|
${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}"
|
||||||
|
fi
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -173,8 +183,8 @@ sign_domain() {
|
|||||||
chmod a+r "${WELLKNOWN}/${challenge_token}"
|
chmod a+r "${WELLKNOWN}/${challenge_token}"
|
||||||
|
|
||||||
# Wait for hook script to deploy the challenge if used
|
# Wait for hook script to deploy the challenge if used
|
||||||
if [ -n "${HOOK_CHALLENGE}" ]; then
|
if [[ -n "${HOOK}" ]]; then
|
||||||
${HOOK_CHALLENGE} "${WELLKNOWN}/${challenge_token}" "${keyauth}"
|
${HOOK} "deploy_challenge" "${challenge_token}" "${keyauth}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Ask the acme-server to verify our challenge and wait until it becomes valid
|
# Ask the acme-server to verify our challenge and wait until it becomes valid
|
||||||
@@ -195,6 +205,12 @@ sign_domain() {
|
|||||||
echo " + Challenge is valid!"
|
echo " + Challenge is valid!"
|
||||||
else
|
else
|
||||||
echo " + Challenge is invalid! (returned: ${status})"
|
echo " + Challenge is invalid! (returned: ${status})"
|
||||||
|
|
||||||
|
# Wait for hook script to clean the challenge if used
|
||||||
|
if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token}" ]]; then
|
||||||
|
${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}"
|
||||||
|
fi
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -231,6 +247,12 @@ sign_domain() {
|
|||||||
rm -f "${BASEDIR}/certs/${domain}/cert.pem"
|
rm -f "${BASEDIR}/certs/${domain}/cert.pem"
|
||||||
ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
|
ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
|
||||||
|
|
||||||
|
# Wait for hook script to clean the challenge and to deploy cert if used
|
||||||
|
if [[ -n "${HOOK}" ]]; then
|
||||||
|
${HOOK} "deploy_cert" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
|
||||||
|
fi
|
||||||
|
|
||||||
|
unset challenge_token
|
||||||
echo " + Done!"
|
echo " + Done!"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -278,7 +300,7 @@ if [[ "${1:-}" = "revoke" ]]; then
|
|||||||
echo "Usage: ${0} revoke path/to/cert.pem"
|
echo "Usage: ${0} revoke path/to/cert.pem"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Revoking ${2}"
|
echo "Revoking ${2}"
|
||||||
revoke_cert "${2}"
|
revoke_cert "${2}"
|
||||||
|
|
||||||
|
|||||||
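Review bot: The clean_challenge call added inside `_request` (hunk -78,6 +82,12) runs whenever `${HOOK}` is non-empty, with no check that a challenge is actually in flight, whereas the matching block added in sign_domain (hunk -195,6 +205,12) also tests `[[ -n "${challenge_token}" ]]`. `_request` is presumably also used for requests made before any challenge exists and after the `unset challenge_token` added at the end of sign_domain, so a failed request there would invoke the hook with an empty token and keyauth, or abort on an unbound variable if the script runs with `set -u`, which is not visible from this hunk. Mirror the guard: `if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token:-}" ]]; then`. The enclosing `_request` function starts outside the hunk. Separately, the comment added in hunk -231,6 +247,12 says the hook cleans the challenge and deploys the cert, but only `deploy_cert` is invoked there and no clean_challenge happens on the success path, so either add that call or reword it to `# Wait for hook script to deploy cert if used`.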