From: Lukas Schauer
Date: Sun, 17 Dec 2017 22:50:46 +0000 (+0100)
Subject: implement certificate aliases as suggested by typingArtist (fixes #396)
X-Git-Tag: v0.5.0~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c62f3d91fc69a2c646b04de9c3b624615bb4715c;p=thirdparty%2Fdehydrated.git
implement certificate aliases as suggested by typingArtist (fixes #396)
---
diff --git a/CHANGELOG b/CHANGELOG
index b51a8b2..ac6c347 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,7 @@ This file contains a log of major changes in dehydrated
 - New feature for updating contact information (--account)
 - Allow automatic cleanup on exit (AUTO_CLEANUP)
 - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
+- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
 ## [0.4.0] - 2017-02-05
 ## Changed
diff --git a/README.md b/README.md
index 6b1f246..4c22835 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ Parameters:
 --ipv4 (-4) Resolve names to IPv4 addresses only
 --ipv6 (-6) Resolve names to IPv6 addresses only
 --domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
+ --alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
 --keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n) Don't use lockfile (potentially dangerous!)
diff --git a/dehydrated b/dehydrated
index 3f57d55..261d568 100755
--- a/dehydrated
+++ b/dehydrated
@@ -921,7 +921,11 @@ command_sign_domains() {
 if [[ -n "${PARAM_DOMAIN:-}" ]]; then
 DOMAINS_TXT="$(_mktemp)"
- printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+ if [[ -n "${PARAM_ALIAS:-}" ]]; then
+ printf -- "${PARAM_DOMAIN} > ${PARAM_ALIAS}" > "${DOMAINS_TXT}"
+ else
+ printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+ fi
 elif [[ -e "${DOMAINS_TXT}" ]]; then
 if [[ ! -r "${DOMAINS_TXT}" ]]; then
 _exiterr "domains.txt found but not readable"
@@ -933,12 +937,19 @@ command_sign_domains() {
 # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
 ORIGIFS="${IFS}"
 IFS=$'\n'
- for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' | (grep -vE '^(#|$)' || true)); do
+ for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do
 reset_configvars
 IFS="${ORIGIFS}"
+ alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
+ line="$(_sed -e 's/>[^ ]+[ ]*//g' <<< "${line}")"
+ aliascount="$(grep -Eo '>' <<< "${alias}" | awk 'END {print NR}' || true )"
+ [ ${aliascount} -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!"
+
 domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
 morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
- local certdir="${CERTDIR}/${domain}"
+ [ ${aliascount} -lt 1 ] && alias="${domain}" || alias="${alias#>}"
+
+ local certdir="${CERTDIR}/${alias}"
 cert="${certdir}/cert.pem"
 chain="${certdir}/chain.pem"
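Review bot: The two added `printf --` calls use `${PARAM_DOMAIN}` and `${PARAM_ALIAS}` as the format string, so a `%` sequence in a `--domain` or `--alias` argument is interpreted by printf rather than written, and a backslash escape such as `\n` is expanded into a real newline, which the `for line in $(…)` reader further down would treat as a second domains.txt entry. The removed line had the same shape, but since the commit rewrites this spot it is the moment to use a fixed format: `printf -- '%s > %s\n' "${PARAM_DOMAIN}" "${PARAM_ALIAS}" > "${DOMAINS_TXT}"` and `printf -- '%s\n' "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"`. The trailing newline is harmless to that reader, which splits on newlines and drops empty lines with `grep -vE '^(#|$)'`. command_sign_domains() begins before this hunk and continues after it.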
@@ -955,7 +966,7 @@ command_sign_domains() {
 # we could just source the config file but i decided to go this way to protect people from accidentally overriding
 # variables used internally by this script itself.
 if [[ -n "${DOMAINS_D}" ]]; then
- certconfig="${DOMAINS_D}/${domain}"
+ certconfig="${DOMAINS_D}/${alias}"
 else
 certconfig="${certdir}/config"
 fi
@@ -1344,6 +1355,15 @@ main() {
 fi
 ;;
+ # PARAM_Usage: --alias certalias
+ # PARAM_Description: Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
+ --alias)
+ shift 1
+ check_parameters "${1:-}"
+ [[ -n "${PARAM_ALIAS:-}" ]] && _exiterr "Alias can only be specified once!"
+ PARAM_ALIAS="${1}"
+ ;;
+
 # PARAM_Usage: --keep-going (-g)
 # PARAM_Description: Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --keep-going|-g)
diff --git a/docs/domains_txt.md b/docs/domains_txt.md
index d8110fe..26183e7 100644
--- a/docs/domains_txt.md
+++ b/docs/domains_txt.md
@@ -7,7 +7,13 @@ The file should have the following format:
 ```text
 example.com www.example.com
 example.net www.example.net wiki.example.net
+example.net www.example.net wiki.example.net > certalias
 ```
 This states that there should be two certificates `example.com` and `example.net`, with the other domains in the corresponding line being their alternative names.
+
+You can define an alias for your certificate which will (instead of the primary domain) be
+used as directory name under your certdir and for a per-certificate lookup.
+This allows multiple certificates with identical sets of domains but different configuration
+to exist.
diff --git a/docs/per-certificate-config.md b/docs/per-certificate-config.md
index 9e1b25a..da88838 100644
--- a/docs/per-certificate-config.md
+++ b/docs/per-certificate-config.md
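Review bot: `certconfig="${DOMAINS_D}/${alias}"` (like the matching `certdir="${CERTDIR}/${alias}"` set earlier in the loop, outside this hunk) joins the alias into a filesystem path, yet nothing visible rejects a `/` or `..` in it, so an alias written as `../../somewhere` in domains.txt or passed via `--alias` would make dehydrated read its per-certificate config from, and keep keys and certificates in, a directory outside DOMAINS_D and CERTDIR. The primary domain was already used this way, but an alias is free-form text that no other consumer ever inspects, so it deserves an explicit whitelist in the branch that accepts an explicit alias (leaving the default, the primary domain, untouched): `[[ "${alias#>}" =~ ^[a-z0-9_][a-z0-9._-]*$ ]] || _exiterr "Invalid alias: ${alias#>}"`, which also rejects `.` and `..`; the lowercase class is enough because the loop lowercases every line first. As far as this hunk shows, this is hardening against mistakes in admin-controlled input rather than a privilege boundary. command_sign_domains() starts and ends outside the hunk.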
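Review bot: `PARAM_ALIAS="${1}"` stores the argument verbatim, but the value is later written into a temporary domains.txt whose reader lowercases every line (`awk '{print tolower($0)}'` in the signing loop, outside this hunk), so `--alias MyCert` silently yields `certs/mycert` while the help text says the given name is used as the directory name. Either say so in the help text (`# PARAM_Description: … instead of the primary domain (lower-cased; only used if --domain is specified)`) or normalise here so parser and loop agree: `PARAM_ALIAS="$(printf '%s' "${1}" | tr '[:upper:]' '[:lower:]')"`. `--alias` without `--domain` is accepted and then never used; if that is unintended, a check after option parsing (outside this hunk) such as `[[ -n "${PARAM_ALIAS:-}" && -z "${PARAM_DOMAIN:-}" ]] && _exiterr "--alias requires --domain"` would catch it. main() begins before and ends after this hunk.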
@@ -16,3 +16,10 @@ Currently supported options:
 - WELLKNOWN
 - OPENSSL_CNF
 - RENEW_DAYS
+
+## DOMAINS_D
+
+If `DOMAINS_D` is set, dehydrated will use it for your per-certificate configurations.
+Instead of `certs/example.org/config` it will look for a configuration under `DOMAINS_D/example.org`.
+
+If an alias is set, it will be used instead of the primary domain name.