Fábio Kaiser Rauber
4 years ago
2 changed files with 152 additions and 2 deletions
@ -0,0 +1,151 @@ |
|||
#!/usr/bin/env bash |
|||
# |
|||
# Example how to deploy a DNS challenge using lexicon |
|||
|
|||
set -e |
|||
set -u |
|||
set -o pipefail |
|||
|
|||
export PROVIDER_UPDATE_DELAY=${PROVIDER_UPDATE_DELAY:-"30"} |
|||
export PROVIDER=${PROVIDER:-"cloudflare"} |
|||
|
|||
function deploy_challenge { |
|||
local chain=($@) |
|||
for ((i=0; i < $#; i+=3)); do |
|||
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}" |
|||
|
|||
echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}" |
|||
if [ "${PROVIDER,,}" == "powerdns" ]; then |
|||
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" --pdns-server ${LEXICON_POWERDNS_SERVER} |
|||
else |
|||
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" |
|||
fi |
|||
|
|||
done |
|||
|
|||
local DELAY_COUNTDOWN=$PROVIDER_UPDATE_DELAY |
|||
while [ $DELAY_COUNTDOWN -gt 0 ]; do |
|||
echo -ne "${DELAY_COUNTDOWN}\033[0K\r" |
|||
sleep 1 |
|||
: $((DELAY_COUNTDOWN--)) |
|||
done |
|||
|
|||
# This hook is called once for every domain chain that needs to be |
|||
# validated, including any alternative names you may have listed. |
|||
# |
|||
# Parameters: |
|||
# - DOMAIN |
|||
# The domain name (CN or subject alternative name) being |
|||
# validated. |
|||
# - TOKEN_FILENAME |
|||
# The name of the file containing the token to be served for HTTP |
|||
# validation. Should be served by your web server as |
|||
# /.well-known/acme-challenge/${TOKEN_FILENAME}. |
|||
# - TOKEN_VALUE |
|||
# The token value that needs to be served for validation. For DNS |
|||
# validation, this is what you want to put in the _acme-challenge |
|||
# TXT record. For HTTP validation it is the value that is expected |
|||
# be found in the $TOKEN_FILENAME file. |
|||
} |
|||
|
|||
function clean_challenge { |
|||
local chain=($@) |
|||
for ((i=0; i < $#; i+=3)); do |
|||
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}" |
|||
|
|||
echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}" |
|||
|
|||
if [ "${PROVIDER,,}" == "powerdns" ]; then |
|||
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" --pdns-server ${LEXICON_POWERDNS_SERVER} |
|||
else |
|||
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}" |
|||
fi |
|||
|
|||
done |
|||
|
|||
# This hook is called after attempting to validate each domain |
|||
# chain, whether or not validation was successful. Here you |
|||
# can delete files or DNS records that are no longer needed. |
|||
# |
|||
# The parameters are the same as for deploy_challenge. |
|||
} |
|||
|
|||
function invalid_challenge() { |
|||
local DOMAIN="${1}" RESPONSE="${2}" |
|||
|
|||
echo "invalid_challenge called: ${DOMAIN}, ${RESPONSE}" |
|||
|
|||
# This hook is called if the challenge response has failed, so domain |
|||
# owners can be aware and act accordingly. |
|||
# |
|||
# Parameters: |
|||
# - DOMAIN |
|||
# The primary domain name, i.e. the certificate common |
|||
# name (CN). |
|||
# - RESPONSE |
|||
# The response that the verification server returned |
|||
} |
|||
|
|||
function deploy_cert { |
|||
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" |
|||
|
|||
echo "deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}" |
|||
|
|||
# This hook is called once for each certificate that has been |
|||
# produced. Here you might, for instance, copy your new certificates |
|||
# to service-specific locations and reload the service. |
|||
# |
|||
# Parameters: |
|||
# - DOMAIN |
|||
# The primary domain name, i.e. the certificate common |
|||
# name (CN). |
|||
# - KEYFILE |
|||
# The path of the file containing the private key. |
|||
# - CERTFILE |
|||
# The path of the file containing the signed certificate. |
|||
# - FULLCHAINFILE |
|||
# The path of the file containing the full certificate chain. |
|||
# - CHAINFILE |
|||
# The path of the file containing the intermediate certificate(s). |
|||
} |
|||
|
|||
function unchanged_cert { |
|||
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" |
|||
|
|||
echo "unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${CERTFILE}, ${FULLCHAINFILE}, ${CHAINFILE}" |
|||
|
|||
# This hook is called once for each certificate that is still |
|||
# valid and therefore wasn't reissued. |
|||
# |
|||
# Parameters: |
|||
# - DOMAIN |
|||
# The primary domain name, i.e. the certificate common |
|||
# name (CN). |
|||
# - KEYFILE |
|||
# The path of the file containing the private key. |
|||
# - CERTFILE |
|||
# The path of the file containing the signed certificate. |
|||
# - FULLCHAINFILE |
|||
# The path of the file containing the full certificate chain. |
|||
# - CHAINFILE |
|||
# The path of the file containing the intermediate certificate(s). |
|||
} |
|||
|
|||
exit_hook() { |
|||
# This hook is called at the end of a dehydrated command and can be used |
|||
# to do some final (cleanup or other) tasks. |
|||
|
|||
: |
|||
} |
|||
|
|||
startup_hook() { |
|||
# This hook is called before the dehydrated command to do some initial tasks |
|||
# (e.g. starting a webserver). |
|||
|
|||
: |
|||
} |
|||
|
|||
HANDLER=$1; shift; |
|||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then |
|||
$HANDLER "$@" |
|||
fi |
Loading…
Reference in new issue