From: Lukas Schauer
Date: Sun, 28 Jan 2018 18:43:03 +0000 (+0100)
Subject: moved deploy_challenge to earlier loop so it works with multiple challenge tokens...
X-Git-Tag: v0.6.0~36
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=afba7c694cb0a6d8f150e2c5e2bd86a3c688312a;p=thirdparty%2Fdehydrated.git

moved deploy_challenge to earlier loop so it works with multiple challenge tokens on the same identifier (important for wildcard certificate), fixed array-name, removed hook-chain warning
---
diff --git a/CHANGELOG b/CHANGELOG
index e9f0b1a..ab54613 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated
 ## [x.x.x] - xxxx-xx-xx
 ## Changed
-- ...
+- Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
 ## Added
 - Support for ACME v02 (including wildcard certificates!)
diff --git a/dehydrated b/dehydrated
index 6c3af64..88455bd 100755
--- a/dehydrated
+++ b/dehydrated
@@ -675,7 +675,7 @@ sign_csr() {
 fi
 # Gather challenge information
- challenge_identifier[${idx}]="${identifier}"
+ challenge_identifiers[${idx}]="${identifier}"
 challenge_tokens[${idx}]="$(echo "${challenge}" | get_json_string_value token)"
 if [[ ${API} -eq 2 ]]; then
 challenge_uris[${idx}]="$(echo "${challenge}" | get_json_string_value url)"
@@ -698,6 +698,7 @@ sign_csr() {
 keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)"
 ;;
 esac
+ keyauths[${idx}]="${keyauth}"
 deploy_args[${idx}]="${identifier} ${challenge_tokens[${idx}]} ${keyauth_hook}"
@@ -706,30 +707,25 @@ sign_csr() {
 local num_pending_challenges=${idx}
 echo " + ${num_pending_challenges} pending challenge(s)"
- # Detect duplicate challenge identifiers
- if [ "${HOOK_CHAIN}" = "yes" ] && [ -n "$(tr ' ' '\n' <<< "${challenge_identifier[*]}" | sort | uniq -d)" ]; then
- echo "!! Disabling HOOK_CHAIN for this certificate (see https://dehydrated.de/docs/hook_chain.md#problem-with-wildcard-certificates for more information)"
- HOOK_CHAIN=no
- fi
-
- # Deploy challenge tokens using chained hook
+ # Deploy challenge tokens
 if [[ ${num_pending_challenges} -ne 0 ]]; then
- # shellcheck disable=SC2068
+ echo " + Deploying challenge tokens..."
 if [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]]; then
- echo " + Deploying challenge tokens..."
 "${HOOK}" "deploy_challenge" ${deploy_args[@]}
+ elif [[ -n "${HOOK}" ]]; then
+ # Run hook script to deploy the challenge token
+ local idx=0
+ while [ ${idx} -lt ${num_pending_challenges} ]; do
+ "${HOOK}" "deploy_challenge" ${deploy_args[${idx}]}
+ idx=$((idx+1))
+ done
 fi
 fi
 # Validate pending challenges
 local idx=0
 while [ ${idx} -lt ${num_pending_challenges} ]; do
- echo " + Responding to challenge for ${challenge_identifier[${idx}]} authorization..."
-
- # Run hook script to deploy the challenge token
- if [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" != "yes" ]]; then
- "${HOOK}" "deploy_challenge" ${deploy_args[${idx}]}
- fi
+ echo " + Responding to challenge for ${challenge_identifiers[${idx}]} authorization..."
 # Ask the acme-server to verify our challenge and wait until it is no longer pending
 if [[ ${API} -eq 1 ]]; then
diff --git a/docs/hook_chain.md b/docs/hook_chain.md
index 5a3da12..a4f7a5b 100644
--- a/docs/hook_chain.md
+++ b/docs/hook_chain.md
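Review bot: The `# shellcheck disable=SC2068` directive is dropped in this hunk while both unquoted hook invocations, `"${HOOK}" "deploy_challenge" ${deploy_args[@]}` in the chained branch and the new per-challenge `"${HOOK}" "deploy_challenge" ${deploy_args[${idx}]}`, still depend on word-splitting, so ShellCheck will flag them again and the reason for the unquoted expansion is no longer recorded. Each deploy_args entry is deliberately a space-joined identifier/token/keyauth triple, so either restore the directive above the `if` with its reason, e.g. `# shellcheck disable=SC2068,SC2086 -- deploy_args entries are intentionally space-separated identifier/token/keyauth triples`, or keep the three values in separate per-index arrays and pass them as quoted arguments, which also removes the pathname expansion an unquoted expansion is subject to (only a concern if an identifier or token could ever contain glob characters such as a literal `*.` prefix, which this hunk does not show). `local idx=0` is now declared twice in sign_csr, once for the new deploy loop and once for the validation loop; bash accepts the redeclaration, but a plain `idx=0` reset before the second loop states the intent more clearly. sign_csr begins and ends outside this hunk.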
@@ -60,15 +60,3 @@ HOOK: clean_challenge lukas.im blablabla blablabla.supersecure www.lukas.im blub
 HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152408
 + Done!
 ```
-
-# Problem with wildcard certificates
-
-For wildcard certificates the upper level domain is used for verification, e.g.
-`*.foo.example.com` will be verified at `foo.example.com`.
-
-In cases where both `foo.example.com` and `*.foo.example.com` would have to be
-validated there would be a conflict since both will have different tokens but
-both are expected to be resolved under `_acme-challenge.foo.example.com`.
-
-If dehydrated detects this kind of configuration it will automatically fall back
-to non-chaining behaviour (until the next certificate).