starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-11 22:30:44 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Respect domain-specific hooks when using dns-01 challenge type #613

New Issue
Open
opened 2025-12-29 01:27:50 +01:00 by adam · 1 comment
adam commented 2025-12-29 01:27:50 +01:00
Owner
Copy Link

Originally created by @henk84 on GitHub (Oct 27, 2023).

e3ef43c816/dehydrated (L325-L326)

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge
Originally created by @henk84 on GitHub (Oct 27, 2023). https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L325-L326 This check ignores a domain specific configfile containing a domain specific hook. (I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.) This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines. Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them. Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.: ``` domains.d/example.org/deploy_challenge domains.d/example.org/clean_challenge domains.d/example.org/exit_hook domains.d/example.org/deploy_cert domains.d/example.net/deploy_cert default_hooks/deploy_challenge default_hooks/clean_challenge ```
adam commented 2025-12-29 01:27:50 +01:00
Author
Owner
Copy Link

@henk84 commented on GitHub (Oct 30, 2023):

e3ef43c816/dehydrated (L325-L326)

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge

I managed to build something similar to this.
It is based on the hook from https://ente.limmat.ch/ftp/pub/software/bash/letsencrypt/

I then added code like the following:

case "$reason" in
[…]
	deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)
		# echo "running ${reason} hook"
		if [ -x "domains.d/${HOST}_hooks/${reason}.sh" ]
		then
			domains.d/${HOST}_hooks/${reason}.sh "${@}"
		elif [ -x "domains.d/hooks/common-${reason}.sh" ]
		then
			domains.d/hooks/common-${reason}.sh "${@}"
		else
			# echo "No hook for ${reason} found to run"
			reason="nothing to do!"
		fi
		;;

Example for a "common" hook:

#!/usr/bin/env bash

REASON="${1}" DOMAIN="${2}" KEYFILE="${3}" CERTFILE="${4}" FULLCHAINFILE="${5}" CHAINFILE="${6}" TIMESTAMP="${7}"

. domains.d/${DOMAIN}_vars

for srv in ${servers[@]}
do
	rsync \
		--copy-links \
		--human-readable \
		--verbose \
		--partial \
		--progress \
		--chown=root:ssl-cert \
		--chmod=0644 \
		"${FULLCHAINFILE}" \
		"root@${srv}:/etc/ssl/localcerts/${DOMAIN}.crt"
	rsync \
		--copy-links \
		--human-readable \
		--verbose \
		--partial \
		--progress \
		--chown=root:ssl-cert \
		--chmod=0640 \
		"${KEYFILE}" \
		"root@${srv}:/etc/ssl/private/${DOMAIN}.key"

	for sv in ${services[@]}
	do
		ssh root@${srv} service ${sv} reload
	done
done

Issue can be closed.

@henk84 commented on GitHub (Oct 30, 2023): > https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L325-L326 > > This check ignores a domain specific configfile containing a domain specific hook. > > (I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.) > > This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines. > > Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them. > > Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.: > > ``` > domains.d/example.org/deploy_challenge > domains.d/example.org/clean_challenge > domains.d/example.org/exit_hook > domains.d/example.org/deploy_cert > domains.d/example.net/deploy_cert > default_hooks/deploy_challenge > default_hooks/clean_challenge > ``` I managed to build something similar to this. It is based on the hook from https://ente.limmat.ch/ftp/pub/software/bash/letsencrypt/ I then added code like the following: ``` case "$reason" in […] deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook) # echo "running ${reason} hook" if [ -x "domains.d/${HOST}_hooks/${reason}.sh" ] then domains.d/${HOST}_hooks/${reason}.sh "${@}" elif [ -x "domains.d/hooks/common-${reason}.sh" ] then domains.d/hooks/common-${reason}.sh "${@}" else # echo "No hook for ${reason} found to run" reason="nothing to do!" fi ;; ``` Example for a "common" hook: ``` #!/usr/bin/env bash REASON="${1}" DOMAIN="${2}" KEYFILE="${3}" CERTFILE="${4}" FULLCHAINFILE="${5}" CHAINFILE="${6}" TIMESTAMP="${7}" . domains.d/${DOMAIN}_vars for srv in ${servers[@]} do rsync \ --copy-links \ --human-readable \ --verbose \ --partial \ --progress \ --chown=root:ssl-cert \ --chmod=0644 \ "${FULLCHAINFILE}" \ "root@${srv}:/etc/ssl/localcerts/${DOMAIN}.crt" rsync \ --copy-links \ --human-readable \ --verbose \ --partial \ --progress \ --chown=root:ssl-cert \ --chmod=0640 \ "${KEYFILE}" \ "root@${srv}:/etc/ssl/private/${DOMAIN}.key" for sv in ${services[@]} do ssh root@${srv} service ${sv} reload done done ``` Issue can be closed.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#613
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?