From: Markus Germeier Date: Tue, 15 Dec 2015 19:56:07 +0000 (+0100) Subject: remove --sign in favor of two options "--force" and "--domain" (try 2) X-Git-Tag: v0.1.0~124^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F49%2Fhead;p=thirdparty%2Fdehydrated.git remove --sign in favor of two options "--force" and "--domain" (try 2) --- diff --git a/.travis.yml b/.travis.yml index d6c25b5..81bfdc9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -30,7 +30,7 @@ script: # move config out of the way and try signing certificate by using temporary config location - mv config.sh tmp_config.sh - - ./letsencrypt.sh --sign "${TMP_URL}" -f tmp_config.sh + - ./letsencrypt.sh --domain "${TMP_URL}" -f tmp_config.sh - mv tmp_config.sh config.sh # run in cron mode (should find a non-expiring certificate) + check running without given mode (should default to cron mode) diff --git a/README.md b/README.md index a59ae04..1b2c6cf 100644 --- a/README.md +++ b/README.md @@ -26,12 +26,13 @@ Default command: cron Commands: --cron (-c) Sign/renew non-existant/changed(TODO)/expiring certificates. - --sign (-s) domain.tld Force-sign specific certificate from domains.txt, even if not yet expiring or changed. --revoke (-r) path/to/cert.pem Revoke specified certificate --help (-h) Show help text --env (-e) Output configuration variables for use in other scripts Parameters: + --domain (-d) domain.tld Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names + --force (-x) force renew of certificate even if it is longer valid than value in RENEW_DAYS --config (-f) path/to/config.sh Use specified config file --privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation) ``` diff --git a/letsencrypt.sh b/letsencrypt.sh index 3054ed8..9bc25a3 100755 --- a/letsencrypt.sh +++ b/letsencrypt.sh @@ -222,6 +222,11 @@ _request() { ${HOOK} "clean_challenge" '' "${challenge_token}" "${keyauth}" fi + # remove temporary domains.txt file if used + if [[ -n "${PARAM_DOMAIN:-}" ]]; then + rm "${DOMAINS_TXT}" + fi + exit 1 fi @@ -395,13 +400,24 @@ sign_domain() { # Usage: --cron (-c) # Description: Sign/renew non-existant/changed(TODO)/expiring certificates. -command_cron() { +command_sign_domains() { + if [[ -n "${PARAM_DOMAIN:-}" ]]; then + # we are using a temporary domains.txt file so we don't need to duplicate any code + DOMAINS_TXT="$(mktemp)" + echo "${PARAM_DOMAIN}" > "${DOMAINS_TXT}" + fi # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire <"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -v '^#' | grep -v '^$' | while read -r line; do domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)" + morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)" cert="${BASEDIR}/certs/${domain}/cert.pem" - echo "Processing ${domain}" + if [[ -z "${morenames}" ]];then + echo "Processing ${domain}" + else + echo "Processing ${domain} with SAN: ${morenames}" + fi + if [[ -e "${cert}" ]]; then echo " + Found existing cert..." @@ -409,33 +425,26 @@ command_cron() { echo -n " + Valid till ${valid} " if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then - echo "(Longer than ${RENEW_DAYS} days). Skipping!" - continue + echo -n "(Longer than ${RENEW_DAYS} days). " + if [[ "${PARAM_FORCE:-}" = "yes" ]]; then + echo "Ignoring because --force was specified!" + else + echo "Skipping!" + continue + fi + else + echo "(Less than ${RENEW_DAYS} days). Renewing!" fi - echo "(Less than ${RENEW_DAYS} days). Renewing!" fi # shellcheck disable=SC2086 sign_domain $line done -} -# Usage: --sign (-s) domain.tld -# Description: Force-sign specific certificate from domains.txt, even if not yet expiring or changed. -command_sign() { - # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire - <"${DOMAINS_TXT}" sed 's/^\s*//g;s/\s*$//g' | grep -E "^${1}($|\s)" | head -1 | while read -r line; do - domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)" - cert="${BASEDIR}/certs/${domain}/cert.pem" - - echo "Processing ${domain}" - if [[ -e "${cert}" ]]; then - echo " + Found existing cert... ignoring." - fi - - # shellcheck disable=SC2086 - sign_domain $line - done || (echo "No entry for ${1} found in ${DOMAINS_TXT}."; exit 1) + # remove temporary domains.txt file if used + if [[ -n "${PARAM_DOMAIN:-}" ]]; then + rm "${DOMAINS_TXT}" + fi } # Usage: --revoke (-r) path/to/cert.pem @@ -509,7 +518,8 @@ for arg; do case "${arg}" in --help) args="${args}-h ";; --cron) args="${args}-c ";; - --sign) args="${args}-s ";; + --domain) args="${args}-d ";; + --force ) args="${args}-x ";; --revoke) args="${args}-r ";; --privkey) args="${args}-p ";; --config) args="${args}-f ";; @@ -547,7 +557,7 @@ check_parameters() { fi } -while getopts ":hcer:s:f:p:" option; do +while getopts ":hcer:d:xf:p:" option; do case "${option}" in h) command_help @@ -564,10 +574,20 @@ while getopts ":hcer:s:f:p:" option; do check_parameters "${OPTARG:-}" revoke_me="${OPTARG}" ;; - s) - set_command sign + d) + # PARAM_Usage: --domain (-d) domain.tld + # PARAM_Description: Use specified domain name instead of domains.txt, use multiple times for certificate with SAN names check_parameters "${OPTARG:-}" - sign_me="${OPTARG}" + if [[ -z "${PARAM_DOMAIN:-}" ]]; then + PARAM_DOMAIN="${OPTARG}" + else + PARAM_DOMAIN="${PARAM_DOMAIN} ${OPTARG}" + fi + ;; + x) + # PARAM_Usage: --force (-x) + # PARAM_Description: force renew of certificate even if it is longer valid than value in RENEW_DAYS + PARAM_FORCE="yes" ;; f) # PARAM_Usage: --config (-f) path/to/config.sh @@ -598,14 +618,11 @@ init_system case "${COMMAND}" in cron) - command_cron + command_sign_domains ;; env) command_env ;; - sign) - command_sign "${sign_me}" - ;; revoke) command_revoke "${revoke_me}" ;;