2 changed files with 152 additions and 2 deletions
@ -0,0 +1,151 @@ |
|||||
|
#!/usr/bin/env bash |
||||
|
# |
||||
|
# Example how to deploy a DNS challenge using lexicon |
||||
|
|
||||
|
set -e |
||||
|
set -u |
||||
|
set -o pipefail |
||||
|
|
||||
|
export PROVIDER_UPDATE_DELAY=${PROVIDER_UPDATE_DELAY:-"30"} |
||||
|
export PROVIDER=${PROVIDER:-"cloudflare"} |
||||
|
|
||||
|
function deploy_challenge { |
||||
|
local chain=($@) |
||||
|
for ((i=0; i < $#; i+=3)); do |
||||
|
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}" |
||||
|
|
||||
|
echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}" |
||||
|
if [ "${PROVIDER,,}" == "powerdns" ]; then |
||||
|
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" --pdns-server ${LEXICON_POWERDNS_SERVER} |
||||
|
else |
||||
|
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" |
||||
|
fi |
||||
|
|
||||
|
done |
||||
|
|
||||
|
local DELAY_COUNTDOWN=$PROVIDER_UPDATE_DELAY |
||||
|
while [ $DELAY_COUNTDOWN -gt 0 ]; do |
||||
|
echo -ne "${DELAY_COUNTDOWN}\033[0K\r" |
||||
|
sleep 1 |
||||
|
: $((DELAY_COUNTDOWN--)) |
||||
|
done |
||||
|
|
||||
|
# This hook is called once for every domain chain that needs to be |
||||
|
# validated, including any alternative names you may have listed. |
||||
|
# |
||||
|
# Parameters: |
||||
|
# - DOMAIN |
||||
|
# The domain name (CN or subject alternative name) being |
||||
|
# validated. |
||||
|
# - TOKEN_FILENAME |
||||
|
# The name of the file containing the token to be served for HTTP |
||||
|
# validation. Should be served by your web server as |
||||
|
# /.well-known/acme-challenge/${TOKEN_FILENAME}. |
||||
|
# - TOKEN_VALUE |
||||
|
# The token value that needs to be served for validation. For DNS |
||||
|
# validation, this is what you want to put in the _acme-challenge |
||||
|
# TXT record. For HTTP validation it is the value that is expected |
||||
|
# be found in the $TOKEN_FILENAME file. |
||||
|
} |
||||
|
|
||||
|
function clean_challenge { |
||||
|
local chain=($@) |
||||
|
for ((i=0; i < $#; i+=3)); do |
||||
|
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}" |
||||
|
|
||||
|
echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}" |
||||
|
|
||||
|
if [ "${PROVIDER,,}" == "powerdns" ]; then |
||||
|
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" --pdns-server ${LEXICON_POWERDNS_SERVER} |
||||
|
else |
||||
|
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" |
||||
|
fi |
||||
|
|
||||
|
done |
||||
|
|
||||
|
# This hook is called after attempting to validate each domain |
||||
|
# chain, whether or not validation was successful. Here you |
||||
|
# can delete files or DNS records that are no longer needed. |
||||
|
# |
||||
|
# The parameters are the same as for deploy_challenge. |
||||
|
} |
||||
|
|
||||
|
function invalid_challenge() { |
||||
|
local DOMAIN="${1}" RESPONSE="${2}" |
||||
|
|
||||
|
echo "invalid_challenge called: ${DOMAIN}, ${RESPONSE}" |
||||
|
|
||||
|
# This hook is called if the challenge response has failed, so domain |
||||
|
# owners can be aware and act accordingly. |
||||
|
# |
||||
|
# Parameters: |
||||
|
# - DOMAIN |
||||
|
# The primary domain name, i.e. the certificate common |
||||
|
# name (CN). |
||||
|
# - RESPONSE |
||||
|
# The response that the verification server returned |
||||
|
} |
||||
|
|
||||
|
function deploy_cert { |
||||
|
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" |
||||
|
|
||||
|
echo "deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}" |
||||
|
|
||||
|
# This hook is called once for each certificate that has been |
||||
|
# produced. Here you might, for instance, copy your new certificates |
||||
|
# to service-specific locations and reload the service. |
||||
|
# |
||||
|
# Parameters: |
||||
|
# - DOMAIN |
||||
|
# The primary domain name, i.e. the certificate common |
||||
|
# name (CN). |
||||
|
# - KEYFILE |
||||
|
# The path of the file containing the private key. |
||||
|
# - CERTFILE |
||||
|
# The path of the file containing the signed certificate. |
||||
|
# - FULLCHAINFILE |
||||
|
# The path of the file containing the full certificate chain. |
||||
|
# - CHAINFILE |
||||
|
# The path of the file containing the intermediate certificate(s). |
||||
|
} |
||||
|
|
||||
|
function unchanged_cert { |
||||
|
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" |
||||
|
|
||||
|
echo "unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}" |
||||
|
|
||||
|
# This hook is called once for each certificate that is still |
||||
|
# valid and therefore wasn't reissued. |
||||
|
# |
||||
|
# Parameters: |
||||
|
# - DOMAIN |
||||
|
# The primary domain name, i.e. the certificate common |
||||
|
# name (CN). |
||||
|
# - KEYFILE |
||||
|
# The path of the file containing the private key. |
||||
|
# - CERTFILE |
||||
|
# The path of the file containing the signed certificate. |
||||
|
# - FULLCHAINFILE |
||||
|
# The path of the file containing the full certificate chain. |
||||
|
# - CHAINFILE |
||||
|
# The path of the file containing the intermediate certificate(s). |
||||
|
} |
||||
|
|
||||
|
exit_hook() { |
||||
|
# This hook is called at the end of a dehydrated command and can be used |
||||
|
# to do some final (cleanup or other) tasks. |
||||
|
|
||||
|
: |
||||
|
} |
||||
|
|
||||
|
startup_hook() { |
||||
|
# This hook is called before the dehydrated command to do some initial tasks |
||||
|
# (e.g. starting a webserver). |
||||
|
|
||||
|
: |
||||
|
} |
||||
|
|
||||
|
HANDLER=$1; shift; |
||||
|
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then |
||||
|
$HANDLER "$@" |
||||
|
fi |
||||
Loading…
Reference in new issue