mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-07-06 13:05:18 +02:00
implement certificate aliases as suggested by typingArtist (fixes #396)
This commit is contained in:
@@ -11,6 +11,7 @@ This file contains a log of major changes in dehydrated
|
|||||||
- New feature for updating contact information (--account)
|
- New feature for updating contact information (--account)
|
||||||
- Allow automatic cleanup on exit (AUTO_CLEANUP)
|
- Allow automatic cleanup on exit (AUTO_CLEANUP)
|
||||||
- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
|
- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
|
||||||
|
- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
|
||||||
|
|
||||||
## [0.4.0] - 2017-02-05
|
## [0.4.0] - 2017-02-05
|
||||||
## Changed
|
## Changed
|
||||||
|
|||||||
@@ -62,6 +62,7 @@ Parameters:
|
|||||||
--ipv4 (-4) Resolve names to IPv4 addresses only
|
--ipv4 (-4) Resolve names to IPv4 addresses only
|
||||||
--ipv6 (-6) Resolve names to IPv6 addresses only
|
--ipv6 (-6) Resolve names to IPv6 addresses only
|
||||||
--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
|
--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
|
||||||
|
--alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
|
||||||
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
||||||
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
|
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
|
||||||
--no-lock (-n) Don't use lockfile (potentially dangerous!)
|
--no-lock (-n) Don't use lockfile (potentially dangerous!)
|
||||||
|
|||||||
+24
-4
@@ -921,7 +921,11 @@ command_sign_domains() {
|
|||||||
|
|
||||||
if [[ -n "${PARAM_DOMAIN:-}" ]]; then
|
if [[ -n "${PARAM_DOMAIN:-}" ]]; then
|
||||||
DOMAINS_TXT="$(_mktemp)"
|
DOMAINS_TXT="$(_mktemp)"
|
||||||
printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
|
if [[ -n "${PARAM_ALIAS:-}" ]]; then
|
||||||
|
printf -- "${PARAM_DOMAIN} > ${PARAM_ALIAS}" > "${DOMAINS_TXT}"
|
||||||
|
else
|
||||||
|
printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
|
||||||
|
fi
|
||||||
elif [[ -e "${DOMAINS_TXT}" ]]; then
|
elif [[ -e "${DOMAINS_TXT}" ]]; then
|
||||||
if [[ ! -r "${DOMAINS_TXT}" ]]; then
|
if [[ ! -r "${DOMAINS_TXT}" ]]; then
|
||||||
_exiterr "domains.txt found but not readable"
|
_exiterr "domains.txt found but not readable"
|
||||||
@@ -933,12 +937,19 @@ command_sign_domains() {
|
|||||||
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
|
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
|
||||||
ORIGIFS="${IFS}"
|
ORIGIFS="${IFS}"
|
||||||
IFS=$'\n'
|
IFS=$'\n'
|
||||||
for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' | (grep -vE '^(#|$)' || true)); do
|
for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do
|
||||||
reset_configvars
|
reset_configvars
|
||||||
IFS="${ORIGIFS}"
|
IFS="${ORIGIFS}"
|
||||||
|
alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
|
||||||
|
line="$(_sed -e 's/>[^ ]+[ ]*//g' <<< "${line}")"
|
||||||
|
aliascount="$(grep -Eo '>' <<< "${alias}" | awk 'END {print NR}' || true )"
|
||||||
|
[ ${aliascount} -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!"
|
||||||
|
|
||||||
domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
|
domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
|
||||||
morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
|
morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
|
||||||
local certdir="${CERTDIR}/${domain}"
|
[ ${aliascount} -lt 1 ] && alias="${domain}" || alias="${alias#>}"
|
||||||
|
|
||||||
|
local certdir="${CERTDIR}/${alias}"
|
||||||
cert="${certdir}/cert.pem"
|
cert="${certdir}/cert.pem"
|
||||||
chain="${certdir}/chain.pem"
|
chain="${certdir}/chain.pem"
|
||||||
|
|
||||||
@@ -955,7 +966,7 @@ command_sign_domains() {
|
|||||||
# we could just source the config file but i decided to go this way to protect people from accidentally overriding
|
# we could just source the config file but i decided to go this way to protect people from accidentally overriding
|
||||||
# variables used internally by this script itself.
|
# variables used internally by this script itself.
|
||||||
if [[ -n "${DOMAINS_D}" ]]; then
|
if [[ -n "${DOMAINS_D}" ]]; then
|
||||||
certconfig="${DOMAINS_D}/${domain}"
|
certconfig="${DOMAINS_D}/${alias}"
|
||||||
else
|
else
|
||||||
certconfig="${certdir}/config"
|
certconfig="${certdir}/config"
|
||||||
fi
|
fi
|
||||||
@@ -1344,6 +1355,15 @@ main() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
# PARAM_Usage: --alias certalias
|
||||||
|
# PARAM_Description: Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
|
||||||
|
--alias)
|
||||||
|
shift 1
|
||||||
|
check_parameters "${1:-}"
|
||||||
|
[[ -n "${PARAM_ALIAS:-}" ]] && _exiterr "Alias can only be specified once!"
|
||||||
|
PARAM_ALIAS="${1}"
|
||||||
|
;;
|
||||||
|
|
||||||
# PARAM_Usage: --keep-going (-g)
|
# PARAM_Usage: --keep-going (-g)
|
||||||
# PARAM_Description: Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
# PARAM_Description: Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
||||||
--keep-going|-g)
|
--keep-going|-g)
|
||||||
|
|||||||
@@ -7,7 +7,13 @@ The file should have the following format:
|
|||||||
```text
|
```text
|
||||||
example.com www.example.com
|
example.com www.example.com
|
||||||
example.net www.example.net wiki.example.net
|
example.net www.example.net wiki.example.net
|
||||||
|
example.net www.example.net wiki.example.net > certalias
|
||||||
```
|
```
|
||||||
|
|
||||||
This states that there should be two certificates `example.com` and `example.net`,
|
This states that there should be two certificates `example.com` and `example.net`,
|
||||||
with the other domains in the corresponding line being their alternative names.
|
with the other domains in the corresponding line being their alternative names.
|
||||||
|
|
||||||
|
You can define an alias for your certificate which will (instead of the primary domain) be
|
||||||
|
used as directory name under your certdir and for a per-certificate lookup.
|
||||||
|
This allows multiple certificates with identical sets of domains but different configuration
|
||||||
|
to exist.
|
||||||
|
|||||||
@@ -16,3 +16,10 @@ Currently supported options:
|
|||||||
- WELLKNOWN
|
- WELLKNOWN
|
||||||
- OPENSSL_CNF
|
- OPENSSL_CNF
|
||||||
- RENEW_DAYS
|
- RENEW_DAYS
|
||||||
|
|
||||||
|
## DOMAINS_D
|
||||||
|
|
||||||
|
If `DOMAINS_D` is set, dehydrated will use it for your per-certificate configurations.
|
||||||
|
Instead of `certs/example.org/config` it will look for a configuration under `DOMAINS_D/example.org`.
|
||||||
|
|
||||||
|
If an alias is set, it will be used instead of the primary domain name.
|
||||||
|
|||||||
Reference in New Issue
Block a user