From: Markus Germeier
Date: Sun, 6 Dec 2015 14:51:38 +0000 (+0100)
Subject: fixed logic to check status from our challenge
X-Git-Tag: v0.1.0~201^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F11%2Fhead;p=thirdparty%2Fdehydrated.git

fixed logic to check status from our challenge

the old code had a problem and would interpret a challenge that returned "pending" and then "invalid" as valid.

This code actually has another problem. The RFC defines: "status (optional, string): The status of this authorization. Possible values are: "pending", "valid", and "invalid". If this field is missing, then the default value is "pending"." So actually the correct way to implement this would be:
while [[ -z "${status}" ]] || [[ "${status}" = "pending" ]]; do
But without further checks this might lead to an endless loop. So this is "good enough(tm)". ;)
---
diff --git a/letsencrypt.sh b/letsencrypt.sh
index ad2e7bb..f6c9b2c 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -141,17 +141,20 @@ sign_domain() {
 result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
 status="$(printf '%s\n' "${result}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
- if [[ ! "${status}" = "pending" ]] && [[ ! "${status}" = "valid" ]]; then
- echo " + Challenge is invalid! (${result})"
- exit 1
- fi
+ # get status until it a result is reached => not pending anymore
 while [[ "${status}" = "pending" ]]; do
- status="$(_request get "${challenge_uri}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
 sleep 1
+ status="$(_request get "${challenge_uri}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
 done
- echo " + Challenge is valid!"
+ if [[ "${status}" = "valid" ]]; then
+ echo " + Challenge is valid!"
+ else
+ echo " + Challenge is invalid! (returned: ${status})"
+ exit 1
+ fi
+
 done
 # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
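Review bot: The polling loop kept at `while [[ "${status}" = "pending" ]]; do` has no upper bound, so a CA that keeps answering "pending" (or, once the missing-status case the commit message describes is handled, one that stops returning a status at all) leaves the script sleeping forever; a retry counter that exits the loop and falls through to the existing invalid branch keeps the fail-closed behaviour while guaranteeing termination. Separately, the new message `echo " + Challenge is invalid! (returned: ${status})"` is now the only diagnostic and prints an empty string whenever `_request get` fails for transport reasons rather than because the CA rejected the challenge, so keeping the last polled body in `result` and printing it alongside the status gives the operator something to distinguish the two. sign_domain() and the enclosing `for … do` begin before the hunk; the outer `done` is the context line at its end.
```shell
      # get status until it a result is reached => not pending anymore
      # bounded so a CA that never leaves "pending" cannot hang the script;
      # 60 tries is a constructed value — tune for the CA in use
      tries=0
      while [[ "${status}" = "pending" ]] && (( tries < 60 )); do
        sleep 1
        result="$(_request get "${challenge_uri}")"
        status="$(printf '%s\n' "${result}" | grep -Eo '"status":\s*"[^"]*"' | cut -d'"' -f4)"
        tries=$((tries + 1))
      done

      # … unchanged: valid branch …
        echo " + Challenge is invalid! (returned: ${status:-<none>}; ${result})"
      # … unchanged: exit 1, fi …
```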