new hook: sync_cert (closes #609)
authorLukas Schauer <lukas@schauer.so>
Sun, 3 Mar 2019 19:22:41 +0000 (20:22 +0100)
committerLukas Schauer <lukas@schauer.so>
Sun, 3 Mar 2019 19:22:41 +0000 (20:22 +0100)
CHANGELOG
dehydrated
docs/examples/hook.sh

index 376be2e615e80b7eab39c7ca3af12d6569f84111..c89cbd1da4fa91d457325cd5f474529bf557135f 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ This file contains a log of major changes in dehydrated
 
 ## Added
 - Initial support for tls-alpn-01 validation
+- New hook: sync_cert (for syncing certificate files to disk, see example hook description)
 
 ## [0.6.2] - 2018-04-25
 ## Added
index 75edc62fbba3b2f48d0d6a9be8fa549a7ce7304d..c9afe211b5017d6cefa8ef03f5bc32ccc7226ff3 100755 (executable)
@@ -1054,6 +1054,9 @@ sign_domain() {
     rm "${tmpcert}" "${tmpchain}"
   fi
 
+  # Wait for hook script to sync the files before creating the symlinks
+  [[ -n "${HOOK}" ]] && "${HOOK}" "sync_cert" "${certdir}/privkey-${timestamp}.pem" "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem" "${certdir}/chain-${timestamp}.pem" "${certdir}/cert-${timestamp}.csr"
+
   # Update symlinks
   [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
 
index 2cc81b744af5afc8c98e181e2a1c508e07f4e6df..d7dc8c8c71f8bf2850a79d24c3b7646b4d41a428 100755 (executable)
@@ -37,6 +37,32 @@ clean_challenge() {
     # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
 }
 
+sync_cert() {
+    local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
+
+    # This hook is called after the certificates have been created but before
+    # they are symlinked. This allows you to sync the files to disk to prevent
+    # creating a symlink to empty files on unexpected system crashes.
+    #
+    # This hook is not intended to be used for further processing of certificate
+    # files, see deploy_cert for that.
+    #
+    # Parameters:
+    # - KEYFILE
+    #   The path of the file containing the private key.
+    # - CERTFILE
+    #   The path of the file containing the signed certificate.
+    # - FULLCHAINFILE
+    #   The path of the file containing the full certificate chain.
+    # - CHAINFILE
+    #   The path of the file containing the intermediate certificate(s).
+    # - REQUESTFILE
+    #   The path of the file containing the certificate signing request.
+
+    # Simple example: sync the files before symlinking them
+    # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
+}
+
 deploy_cert() {
     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
 
@@ -189,6 +215,6 @@ exit_hook() {
 }
 
 HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
+if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
   "$HANDLER" "$@"
 fi