From: et@corde.org Date: Tue, 8 Dec 2015 13:03:59 +0000 (+0100) Subject: A single HOOK to handle challenge, cleaning of challenge files and uploading of certs. X-Git-Tag: v0.1.0~171 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c24843c666a9316ede2d6c37b5052dc8a5ddaeb8;p=thirdparty%2Fdehydrated.git A single HOOK to handle challenge, cleaning of challenge files and uploading of certs. --- diff --git a/config.sh.example b/config.sh.example index 27163a4..e807212 100644 --- a/config.sh.example +++ b/config.sh.example @@ -9,10 +9,16 @@ #OPENSSL_CNF=.... # system default (see openssl version -d) #ROOTCERT="lets-encrypt-x1-cross-signed.pem" -# program called before responding to the challenge, arguments: path/to/token -# token; can be used to e.g. upload the challenge if this script doesn't run -# on the webserver -#HOOK_CHALLENGE= +# Program or function called in certain situations +# +# After generating the challenge-response, or after failed challenge +# Given arguments: clean_challenge|deploy_challenge token-filename token-content +# +# After successfully signing certificate +# Given arguments: deploy_cert path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem +# +# BASEDIR and WELLKNOWN variables are exported and can be used in an external program +#HOOK= # try to renew certs that are within RENEW_DAYS days of their expiration date #RENEW_DAYS="14" @@ -22,4 +28,3 @@ # email to use during the registration #CONTACT_EMAIL= - diff --git a/letsencrypt.sh b/letsencrypt.sh index 90a368b..0d4f065 100755 --- a/letsencrypt.sh +++ b/letsencrypt.sh @@ -7,7 +7,7 @@ set -o pipefail # Default config values CA="https://acme-v01.api.letsencrypt.org" LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" -HOOK_CHALLENGE= +HOOK= RENEW_DAYS="14" KEYSIZE="4096" WELLKNOWN=".acme-challenges" 
@@ -29,6 +29,10 @@ BASEDIR="${BASEDIR%%/}" umask 077 # paranoid umask, we're creating private keys +# Export some environment variables to be used in hook script +export WELLKNOWN +export BASEDIR + anti_newline() { tr -d '\n\r' } @@ -78,6 +82,12 @@ _request() { echo "Details:" >&2 echo "$(<"${tempcont}"))" >&2 rm -f "${tempcont}" + + # Wait for hook script to clean the challenge if used + if [[ -n "${HOOK}" ]]; then + ${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}" + fi + exit 1 fi @@ -173,8 +183,8 @@ sign_domain() { chmod a+r "${WELLKNOWN}/${challenge_token}" # Wait for hook script to deploy the challenge if used - if [ -n "${HOOK_CHALLENGE}" ]; then - ${HOOK_CHALLENGE} "${WELLKNOWN}/${challenge_token}" "${keyauth}" + if [[ -n "${HOOK}" ]]; then + ${HOOK} "deploy_challenge" "${challenge_token}" "${keyauth}" fi # Ask the acme-server to verify our challenge and wait until it becomes valid @@ -195,6 +205,12 @@ sign_domain() { echo " + Challenge is valid!" else echo " + Challenge is invalid! (returned: ${status})" + + # Wait for hook script to clean the challenge if used + if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token}" ]]; then + ${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}" + fi + exit 1 fi @@ -231,6 +247,12 @@ sign_domain() { rm -f "${BASEDIR}/certs/${domain}/cert.pem" ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem" + # Wait for hook script to clean the challenge and to deploy cert if used + if [[ -n "${HOOK}" ]]; then + ${HOOK} "deploy_cert" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem" + fi + + unset challenge_token echo " + Done!" } @@ -278,7 +300,7 @@ if [[ "${1:-}" = "revoke" ]]; then echo "Usage: ${0} revoke path/to/cert.pem" exit 1 fi - + echo "Revoking ${2}" revoke_cert "${2}"
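Review bot: The clean_challenge call added inside _request expands `${challenge_token}` and `${keyauth}` without checking that they are set, yet _request is a generic HTTP helper that is also reached before any challenge exists (registration, CSR signing, revocation), and the later sign_domain hunk `unset`s challenge_token after a successful sign. If the script runs with `set -u` (strict mode is suggested by the `set -o pipefail` context of the first letsencrypt.sh hunk), a failed request in those paths now dies with an unbound-variable error instead of reaching `exit 1` after the printed details; without `set -u` the hook is invoked with an empty token. Mirror the guard the invalid-challenge hunk in sign_domain already uses: `if [[ -n "${HOOK}" ]] && [[ -n "${challenge_token:-}" ]]; then` and pass `"${keyauth:-}"`. `${HOOK}` is left unquoted so a command with arguments can be configured, which also means word splitting and globbing apply; a one-line comment such as `# HOOK is word-split on purpose (command plus arguments); paths containing spaces are not supported` would spare the next reader a ShellCheck detour. _request begins outside the hunk.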
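Review bot: The deploy_challenge call now passes the bare `${challenge_token}` where the old HOOK_CHALLENGE received `${WELLKNOWN}/${challenge_token}`, so a hook has to compose the file path itself from the exported WELLKNOWN; nothing at the call site says so, and the example config's wording `token-filename` reads like a path rather than a token. Add above the if: `# The hook gets the bare token; the challenge file is "${WELLKNOWN}/${challenge_token}" (WELLKNOWN is exported for the hook)`. sign_domain begins and ends outside this hunk.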
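Review bot: The comment above the deploy_cert call promises that the hook will "clean the challenge and deploy cert", but only `deploy_cert` is invoked; the two clean_challenge calls in this commit fire only on failure, so on the success path a hook that uploaded the token to a remote webserver gets no signal to remove it. Either call `${HOOK} "clean_challenge" "${challenge_token}" "${keyauth}"` before the deploy_cert line, while challenge_token is still set (it is `unset` a few lines below), or reword the comment to `# Wait for hook script to deploy the cert if used`. If sign_domain validates several names, challenge_token presumably holds only the last token at this point, which is worth confirming before relying on it for cleanup. sign_domain begins outside the hunk.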