From: Lukas Schauer
Date: Sun, 3 Mar 2019 19:22:41 +0000 (+0100)
Subject: new hook: sync_cert (closes #609)
X-Git-Tag: v0.6.3~7
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=e4a32acbe25ac76b7909d4a8b42d697acf5c4310;p=thirdparty%2Fdehydrated.git
new hook: sync_cert (closes #609)
---
diff --git a/CHANGELOG b/CHANGELOG
index 376be2e..c89cbd1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ This file contains a log of major changes in dehydrated
 ## Added
 - Initial support for tls-alpn-01 validation
+- New hook: sync_cert (for syncing certificate files to disk, see example hook description)
 ## [0.6.2] - 2018-04-25
 ## Added
diff --git a/dehydrated b/dehydrated
index 75edc62..c9afe21 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1054,6 +1054,9 @@ sign_domain() {
       rm "${tmpcert}" "${tmpchain}"
     fi
+    # Wait for hook script to sync the files before creating the symlinks
+    [[ -n "${HOOK}" ]] && "${HOOK}" "sync_cert" "${certdir}/privkey-${timestamp}.pem" "${certdir}/cert-${timestamp}.pem" "${certdir}/fullchain-${timestamp}.pem" "${certdir}/chain-${timestamp}.pem" "${certdir}/cert-${timestamp}.csr"
+
     # Update symlinks
     [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${certdir}/privkey.pem"
diff --git a/docs/examples/hook.sh b/docs/examples/hook.sh
index 2cc81b7..d7dc8c8 100755
--- a/docs/examples/hook.sh
+++ b/docs/examples/hook.sh
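Review bot: The new `"${HOOK}" "sync_cert" …` call is the last command of an `&&` list, so if errexit is enabled for this script (set outside this hunk) a non-zero exit from the hook stops `sign_domain` before the symlinks are updated — and every pre-existing hook script that rejects unknown handler names (a `case` ending in `*) exit 1` is common) will now fail on each signing run, since nothing tells it that `sync_cert` may be ignored. Either make this call best-effort, e.g. `"${HOOK}" "sync_cert" … || echo " + Warning: sync_cert hook returned non-zero, continuing" >&2`, or state the new compatibility requirement explicitly in the comment: `# Hook scripts must accept (and may ignore) the sync_cert handler; a failure here stops before the symlinks are updated`. Note also that nothing in dehydrated itself fsyncs these files, so the crash-safety this hook is meant to provide exists only when the operator implements it in the hook. The enclosing `sign_domain` function begins and ends outside the hunk.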
@@ -37,6 +37,32 @@ clean_challenge() {
     # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
 }
+sync_cert() {
+    local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
+
+    # This hook is called after the certificates have been created but before
+    # they are symlinked. This allows you to sync the files to disk to prevent
+    # creating a symlink to empty files on unexpected system crashes.
+    #
+    # This hook is not intended to be used for further processing of certificate
+    # files, see deploy_cert for that.
+    #
+    # Parameters:
+    # - KEYFILE
+    #   The path of the file containing the private key.
+    # - CERTFILE
+    #   The path of the file containing the signed certificate.
+    # - FULLCHAINFILE
+    #   The path of the file containing the full certificate chain.
+    # - CHAINFILE
+    #   The path of the file containing the intermediate certificate(s).
+    # - REQUESTFILE
+    #   The path of the file containing the certificate signing request.
+
+    # Simple example: sync the files before symlinking them
+    # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
+}
+
 deploy_cert() {
     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
@@ -189,6 +215,6 @@ exit_hook() {
 }
 HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
+if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
     "$HANDLER" "$@"
 fi
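Review bot: The example `sync` line in `sync_cert` has an unbalanced quote — `"${CERTFILE} "${FULLCHAINFILE}"` leaves the trailing `"` unterminated — so anyone who uncomments it gets a syntax error in their hook rather than a working fsync; it should read `# sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"`. The example also relies on `sync` accepting file operands, which is GNU coreutils 8.24+ behaviour; older coreutils and the BSD/macOS `sync` take no arguments, so there the line either errors out or silently syncs nothing of the sort described, and the comment should say so since this hook exists purely for crash-safety. Fsyncing the files alone also does not make their freshly created directory entries durable; to match the stated goal the example should sync the containing directory as well, e.g. `sync "${KEYFILE%/*}"` where the GNU `sync` is available. The `sync_cert` body is entirely within the hunk.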