All patches and comments are welcome. Please squash your changes to logical
commits before using git-format-patch and git-send-email to
patches@git.madduck.net.
If you'd read over the Git project's submission guidelines and adhered to them,
I'd be especially grateful.
4 NSUPDATE="${0%/*}/nsupdate-wrapper"
7 SERVER="<%= $dnsserver %>"
8 DEPLOYDIR="<%= $deploydir %>"
11 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
13 # This hook is called once for every domain that needs to be
14 # validated, including any alternative names you may have listed.
18 # The domain name (CN or subject alternative name) being
21 # The name of the file containing the token to be served for HTTP
22 # validation. Should be served by your web server as
23 # /.well-known/acme-challenge/${TOKEN_FILENAME}.
25 # The token value that needs to be served for validation. For DNS
26 # validation, this is what you want to put in the _acme-challenge
27 # TXT record. For HTTP validation it is the value that is expected
28 # be found in the $TOKEN_FILENAME file.
30 # Simple example: Use nsupdate with local named
31 # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
33 _nsupdate add "$DOMAIN" "$TOKEN_FILENAME" "$TOKEN_VALUE"
37 local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
39 # This hook is called after attempting to validate each domain,
40 # whether or not validation was successful. Here you can delete
41 # files or DNS records that are no longer needed.
43 # The parameters are the same as for deploy_challenge.
45 # Simple example: Use nsupdate with local named
46 # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
48 _nsupdate delete "$DOMAIN" "$TOKEN_FILENAME" "$TOKEN_VALUE"
52 local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
54 # This hook is called after the certificates have been created but before
55 # they are symlinked. This allows you to sync the files to disk to prevent
56 # creating a symlink to empty files on unexpected system crashes.
58 # This hook is not intended to be used for further processing of certificate
59 # files, see deploy_cert for that.
63 # The path of the file containing the private key.
65 # The path of the file containing the signed certificate.
67 # The path of the file containing the full certificate chain.
69 # The path of the file containing the intermediate certificate(s).
71 # The path of the file containing the certificate signing request.
73 # Simple example: sync the files before symlinking them
74 # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
78 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
80 # This hook is called once for each certificate that has been
81 # produced. Here you might, for instance, copy your new certificates
82 # to service-specific locations and reload the service.
86 # The primary domain name, i.e. the certificate common
89 # The path of the file containing the private key.
91 # The path of the file containing the signed certificate.
93 # The path of the file containing the full certificate chain.
95 # The path of the file containing the intermediate certificate(s).
97 # Timestamp when the specified certificate was created.
99 # Simple example: Copy file to nginx config
100 # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
101 # systemctl reload nginx
102 cp --dereference --preserve --update --target-directory "$DEPLOYDIR" \
103 "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE" "$CHAINFILE"
107 local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
109 # This hook is called once for each updated ocsp stapling file that has
110 # been produced. Here you might, for instance, copy your new ocsp stapling
111 # files to service-specific locations and reload the service.
115 # The primary domain name, i.e. the certificate common
118 # The path of the ocsp stapling file
120 # Timestamp when the specified ocsp stapling file was created.
122 # Simple example: Copy file to nginx config
123 # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
124 # systemctl reload nginx
129 local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
131 # This hook is called once for each certificate that is still
132 # valid and therefore wasn't reissued.
136 # The primary domain name, i.e. the certificate common
139 # The path of the file containing the private key.
141 # The path of the file containing the signed certificate.
143 # The path of the file containing the full certificate chain.
145 # The path of the file containing the intermediate certificate(s).
148 invalid_challenge() {
149 local DOMAIN="${1}" RESPONSE="${2}"
151 # This hook is called if the challenge response has failed, so domain
152 # owners can be aware and act accordingly.
156 # The primary domain name, i.e. the certificate common
159 # The response that the verification server returned
161 # Simple example: Send mail to root
162 # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
166 local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
168 # This hook is called when an HTTP request fails (e.g., when the ACME
169 # server is busy, returns an error, etc). It will be called upon any
170 # response code that does not start with '2'. Useful to alert admins
171 # about problems with requests.
175 # The HTML status code that originated the error.
177 # The specified reason for the error.
179 # The kind of request that was made (GET, POST...)
181 # HTTP headers returned by the CA
183 # Simple example: Send mail to root
184 # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
188 local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
190 # This hook is called before any certificate signing operation takes place.
191 # It can be used to generate or fetch a certificate signing request with external
193 # The output should be just the cerificate signing request formatted as PEM.
197 # The primary domain as specified in domains.txt. This does not need to
198 # match with the domains in the CSR, it's basically just the directory name.
200 # Certificate output directory for this particular certificate. Can be used
201 # for storing additional files.
203 # All domain names for the current certificate as specified in domains.txt.
204 # Again, this doesn't need to match with the CSR, it's just there for convenience.
206 # Simple example: Look for pre-generated CSRs
207 # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
208 # cat "${CERTDIR}/pre-generated.csr"
213 # This hook is called before the cron command to do some initial tasks
214 # (e.g. starting a webserver).
222 # This hook is called at the end of the cron command and can be used to
223 # do some final (cleanup or other) tasks.
227 # Contains error message if dehydrated exits with error
230 _make_nsupdate_script() {
231 local op; op="$1"; shift
232 echo "server $SERVER"
236 while [ -n "${1:-}" ]; do
237 if [ $# -lt 3 ]; then
238 echo >&2 "Expecting batches of 3 arguments, got $# in the last: $@"
242 # $2 is ignored for dns-01
245 echo "update $op ${rrname}.$ZONE ${TTL} IN TXT \"${txt}\""
246 shift 3 2>/dev/null || break
253 script="$(_make_nsupdate_script "$@")" || return 1
254 echo "$script" | $NSUPDATE
258 if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then