passing domain&altnames to dns-01 hook script? #96

Closed
opened 2025-12-29 00:24:41 +01:00 by adam · 5 comments
Owner

Originally created by @ghost on GitHub (May 7, 2016).

I'm using DNS-01.

I'm creating a cert with multiple altnames.

I exec

```shell
letsencrypt.sh -c --force \
--config ./config.sh \
--hook ./hook.sh \
--domain "example.com www.example.com s1.example.com s2.example.com"
```

In `letsencrypt.sh`, the 1st "--domain" param is the main domain, subsequent params are altnames

```shell
...
# Create certificate for domain(s)
sign_domain() {
  domain="${1}"
  altnames="${*}"
  timestamp="$(date +%s)"
...
```

Per 'docs/dns-verification.md', in order to respond to the challenge, my DNS must contain entries for all of the domain+altnames. Here, e.g.,

```
_acme-challenge     IN    TXT    $4
_acme-challenge.www IN    TXT    $4
_acme-challenge.s1  IN    TXT    $4
_acme-challenge.s2  IN    TXT    $4
```

This DNS record prep needs to be done in my hook.sh. And, I need to prepare the DNS, and wait for it to fully propagate, _before_ answering the challenges.

So, I'd like to create ALL the necessary DNS records, and reload-dns-to-propagate, early in the hook.

But when invoking the script, at the initial invocation, 4 params are passed,

```
1: deploy_challenge
2: example.com
3: 5gA...
4: GpU...
```

with ONLY the main domain available at this stage.

How can I get the full list of domain+altnames from letsencrypt.sh into my hook, on 1st call?

The info's there, as sign_domain() call's parsing the names ...

Do I have to separately/manually replicate the parse in my hook.sh -- dealing with either "--domain ..." or 'domains.txt' ?

adam closed this issue 2025-12-29 00:24:42 +01:00
Author
Owner

@germeier commented on GitHub (May 7, 2016):

use HOOK_CHAIN, see https://github.com/lukas2511/letsencrypt.sh/blob/master/docs/hook_chain.md

Author
Owner

@ghost commented on GitHub (May 7, 2016):

Great, thx.

With

```
./config.sh
    ...
+   HOOK_CHAIN="yes"
    ...
```

The args passed to 'hook.sh' now take the Y*X parameters form,

```
deploy_challenge example.com 36D... V9F... www.example.com 7-V... dTn...
```

over which I need to parse/iterate.

The docs/example point out

```shell
...
# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"
...
```

Extrapolating, in the hook chain case, the return

```
deploy_challenge example.com 36D... V9F... www.example.com 7-V... dTn...
```

is

```
deploy_challenge main_domain1 token-filename1 token-content1 altname2 token-filename2 token-content2
```

Is that correct? And, more importantly, is that stable/unchanging syntax (def'd by acme)?

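An added example (not from this thread or the letsencrypt.sh project) of a hook.sh that consumes the HOOK_CHAIN argument form discussed above, so that every DNS-01 record for a certificate is written in one call before the zone is reloaded. It assumes the (domain, token-filename, token-content) triple layout, that an empty domain marks a failed challenge as the docs comment says, and a hypothetical ZONE_INCLUDE path:

```shell
#!/usr/bin/env bash
# Hypothetical hook.sh for letsencrypt.sh with HOOK_CHAIN="yes" (added example).
# In chain mode the hook runs ONCE per certificate, with the arguments
#   deploy_challenge dom1 tokfile1 tokcontent1 dom2 tokfile2 tokcontent2 ...
# so all DNS-01 records can be published, and the zone reloaded, in one go.
set -eu

# Turn the chained argument list into zone-file TXT records, one line per
# (domain, token-filename, token-content) triple. token-filename only matters
# for http-01, so it is ignored; token-content is what the CA looks up.
chain_to_txt_records() {
  action="$1"; shift
  while [ "$#" -ge 3 ]; do
    domain="$1"; content="$3"; shift 3
    # Assumption: an empty domain (docs: "altname is empty" after a failed
    # challenge) carries nothing to publish, so it is skipped.
    [ -n "$domain" ] || continue
    printf '_acme-challenge.%s. IN TXT "%s"\n' "$domain" "$content"
  done
  # Anything left over means the argument layout is not the expected triples,
  # which is exactly the "not stable syntax" risk raised in the thread.
  if [ "$#" -ne 0 ]; then
    echo "$action: leftover arguments, expected (domain token-file token) triples" >&2
    return 1
  fi
}

# Dispatcher as letsencrypt.sh invokes it. ZONE_INCLUDE is an assumed path.
ZONE_INCLUDE="${ZONE_INCLUDE:-/var/named/acme-challenge.inc}"
case "${1:-}" in
  deploy_challenge)
    chain_to_txt_records "$@" > "$ZONE_INCLUDE"  # publish every record at once
    # reload the name server and wait for propagation here (site specific)
    ;;
  clean_challenge)
    : > "$ZONE_INCLUDE"                           # drop all records again
    ;;
esac
```

Because the whole list arrives in a single deploy_challenge call, the hook can reload DNS and wait for propagation once rather than once per name.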
Author
Owner

@lukas2511 commented on GitHub (May 7, 2016):

@pgnd this syntax is not exactly stable and not defined by acme, this is custom to this script only. if it changes in the future i'll add an entry to the changelog.

closing this issue as your problem seems to be solved by using HOOK_CHAIN.

Author
Owner

@ghost commented on GitHub (May 7, 2016):

@lukas2511 I know, but haven't seen, that upstream's working on DNS-01 auth code (still in beta?).

I assume that acme server, at some point in the procedure ACKs/returns the domain&alt-names, as well as the challenge tokens.

AfaYk, is that format defined/stable? If so, then possibly adopting it here would be helpful.

If not, of course, then we just deal with it here.

Author
Owner

@lukas2511 commented on GitHub (May 11, 2016):

@pgnd i actually don't know how the official client works or is supposed to work, but from what i read on irc it seems that it just prints instructions


Reference: starred/dehydrated#96