implement certificate aliases as suggested by typingArtist (fixes #396)

CHANGELOG

@@ -11,6 +11,7 @@ This file contains a log of major changes in dehydrated
 - New feature for updating contact information (--account)
 - Allow automatic cleanup on exit (AUTO_CLEANUP)
 - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
+- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
 
 ## [0.4.0] - 2017-02-05
 ## Changed

README.md

@@ -62,6 +62,7 @@ Parameters:
  --ipv4 (-4)                      Resolve names to IPv4 addresses only
  --ipv6 (-6)                      Resolve names to IPv6 addresses only
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
+ --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
  --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
  --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
  --no-lock (-n)                   Don't use lockfile (potentially dangerous!)

dehydrated

@@ -921,7 +921,11 @@ command_sign_domains() {
 
   if [[ -n "${PARAM_DOMAIN:-}" ]]; then
     DOMAINS_TXT="$(_mktemp)"
-    printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+    if [[ -n "${PARAM_ALIAS:-}" ]]; then
+      printf -- "${PARAM_DOMAIN} > ${PARAM_ALIAS}" > "${DOMAINS_TXT}"
+    else
+      printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+    fi
   elif [[ -e "${DOMAINS_TXT}" ]]; then
     if [[ ! -r "${DOMAINS_TXT}" ]]; then
       _exiterr "domains.txt found but not readable"
@@ -933,12 +937,19 @@ command_sign_domains() {
   # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
   ORIGIFS="${IFS}"
   IFS=$'\n'
-  for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' | (grep -vE '^(#|$)' || true)); do
+  for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do
     reset_configvars
     IFS="${ORIGIFS}"
+    alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
+    line="$(_sed -e 's/>[^ ]+[ ]*//g' <<< "${line}")"
+    aliascount="$(grep -Eo '>' <<< "${alias}" | awk 'END {print NR}' || true )"
+    [ ${aliascount} -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!"
+
     domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
     morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
-    local certdir="${CERTDIR}/${domain}"
+    [ ${aliascount} -lt 1 ] && alias="${domain}" || alias="${alias#>}"
+
+    local certdir="${CERTDIR}/${alias}"
     cert="${certdir}/cert.pem"
     chain="${certdir}/chain.pem"
 
@@ -955,7 +966,7 @@ command_sign_domains() {
     # we could just source the config file but i decided to go this way to protect people from accidentally overriding
     # variables used internally by this script itself.
     if [[ -n "${DOMAINS_D}" ]]; then
-      certconfig="${DOMAINS_D}/${domain}"
+      certconfig="${DOMAINS_D}/${alias}"
     else
       certconfig="${certdir}/config"
     fi
@@ -1344,6 +1355,15 @@ main() {
          fi
         ;;
 
+      # PARAM_Usage: --alias certalias
+      # PARAM_Description: Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
+      --alias)
+        shift 1
+        check_parameters "${1:-}"
+        [[ -n "${PARAM_ALIAS:-}" ]] && _exiterr "Alias can only be specified once!"
+        PARAM_ALIAS="${1}"
+        ;;
+
       # PARAM_Usage: --keep-going (-g)
       # PARAM_Description: Keep going after encountering an error while creating/renewing multiple certificates in cron mode
       --keep-going|-g)

docs/domains_txt.md

@@ -7,7 +7,13 @@ The file should have the following format:
 ```text
 example.com www.example.com
 example.net www.example.net wiki.example.net
+example.net www.example.net wiki.example.net > certalias
 ```
 
 This states that there should be two certificates `example.com` and `example.net`,
 with the other domains in the corresponding line being their alternative names.
+
+You can define an alias for your certificate which will (instead of the primary domain) be
+used as directory name under your certdir and for a per-certificate lookup.
+This allows multiple certificates with identical sets of domains but different configuration
+to exist.

docs/per-certificate-config.md

@@ -16,3 +16,10 @@ Currently supported options:
 - WELLKNOWN
 - OPENSSL_CNF
 - RENEW_DAYS
+
+## DOMAINS_D
+
+If `DOMAINS_D` is set, dehydrated will use it for your per-certificate configurations.
+Instead of `certs/example.org/config` it will look for a configuration under `DOMAINS_D/example.org`.
+
+If an alias is set, it will be used instead of the primary domain name.