From 63854b752ba7745dff3dc459f700bd594d25686e Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Tue, 6 Feb 2018 20:54:58 +0100
Subject: [PATCH] New hook: generate_csr (see example hook script for more information, implements #475, replaces #377)

---
 CHANGELOG | 1 +
 dehydrated | 13 +++++++++++++
 docs/examples/hook.sh | 22 +++++++++++++++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index ab54613..6281cf7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,7 @@ This file contains a log of major changes in dehydrated
 
 ## Added
 - Support for ACME v02 (including wildcard certificates!)
+- New hook: generate_csr (see example hook script for more information)
 
 ## [0.5.0] - 2018-01-13
 ## Changed
diff --git a/dehydrated b/dehydrated
index eda51bd..bd0319a 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1169,6 +1169,19 @@ command_sign_domains() {
 
 skip="no"
 
+ # Allow for external CSR generation
+ if [[ -n "${HOOK}" ]]; then
+ local csr="$("${HOOK}" "generate_csr" "${domain}" "${certdir}" "${domain} ${morenames}")"
+ if grep -q "\-----BEGIN CERTIFICATE REQUEST-----" <<< "${csr}"; then
+ altnames="$(extract_altnames "${csr}")"
+ domain="$(cut -d' ' -f1 <<< "${altnames}")"
+ morenames="$(cut -s -d' ' -f2- <<< "${altnames}")"
+ echo " + Using CSR from hook script (real names: ${altnames})"
+ printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
+ fi
+ fi
+
 # Check domain names of existing certificate
 if [[ -e "${cert}" ]]; then
 printf " + Checking domain name(s) of existing cert..."
diff --git a/docs/examples/hook.sh b/docs/examples/hook.sh
index ccf731f..c85d92e 100755
--- a/docs/examples/hook.sh
+++ b/docs/examples/hook.sh
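Review bot: `local csr="$(...)"` discards the hook's exit status, so a generate_csr hook whose external tool fails after printing nothing is indistinguishable from one that simply opts out, and signing silently continues along the in-script CSR path presumably reached further down. Declare and assign separately so the failure is surfaced: `local csr` on one line, then `csr="$("${HOOK}" "generate_csr" "${domain}" "${certdir}" "${domain} ${morenames}")" || _exiterr "generate_csr hook failed"`. The `grep -q` marker check also accepts any output that merely contains the PEM header, so stray diagnostic output from the hook would be written verbatim into `cert-${timestamp}.csr` and only fail later; running `openssl req -noout -verify <<< "${csr}"` before writing the file rejects that up front. Minor style: `grep -q -- "-----BEGIN CERTIFICATE REQUEST-----"` avoids the `\-` escape, which is an undefined BRE sequence outside GNU grep. command_sign_domains begins and ends outside this hunk.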
@@ -105,6 +105,26 @@ request_failure() {
 # The kind of request that was made (GET, POST...)
 }
 
+generate_csr() {
+ local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
+
+ # This hook is called before any certificate signing operation takes place.
+ # It can be used to generate or fetch a certificate signing request with external
+ # tools.
+ # The output should be just the cerificate signing request formatted as PEM.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain as specified in domains.txt. This does not need to
+ # match with the domains in the CSR, it's basically just the directory name.
+ # - CERTDIR
+ # Certificate output directory for this particular certificate. Can be used
+ # for storing additional files.
+ # - ALTNAMES
+ # All domain names for the current certificate as specified in domains.txt.
+ # Again, this doesn't need to match with the CSR, it's just there for convenience.
+}
+
 startup_hook() {
 # This hook is called before the cron command to do some initial tasks
 # (e.g. starting a webserver).
@@ -120,6 +140,6 @@ exit_hook() {
 }
 
 HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)$ ]]; then
+if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
 "$HANDLER" "$@"
 fi
-- 
2.47.2
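Review bot: The new generate_csr stub documents its inputs but not its contract for opting out, which is what most hook authors will want to know first; the comment block should state that printing nothing leaves CSR and key generation to dehydrated, since the caller appears to treat output without a PEM header as "no external CSR". A line such as `# Print nothing to let dehydrated generate the private key and CSR itself.` after the PEM sentence would cover it. The line `# The output should be just the cerificate signing request formatted as PEM.` also has a typo: `cerificate` should read `certificate`.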