removed get_json_array helper, rearranged sign_domain method a bit, made grep...

removed get_json_array helper, rearranged sign_domain method a bit, made grep for PEM-format-check quiet

removed get_json_array helper, rearranged sign_domain method a bit, made grep...
removed get_json_array helper, rearranged sign_domain method a bit, made grep for PEM-format-check quiet
1446fd88 · Lukas Schauer · 59f16407 · 1446fd88
Commit 1446fd88 authored Jan 08, 2016 by Lukas Schauer
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 34 deletions

letsencrypt.sh letsencrypt.sh +21 -34

No files found.
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -145,10 +145,6 @@ get_json_string_value() {
  grep -Eo '"'"${1}"'":[[:space:]]*"[^"]*"' | cut -d'"' -f4
 }

-get_json_array() {
-  grep -Eo '"'"${1}"'":[^\[]*\[[^]]*]'
-}
-
 # OpenSSL writes to stderr/stdout even when there are no errors. So just
 # display the output if the exit code was != 0 to simplify debugging.
 _openssl() {
@@ -200,6 +196,7 @@ http_request() {
  rm -f "${tempcont}"
 }

+# Send signed request
 signed_request() {
  # Encode payload as urlbase64
  payload64="$(printf '%s' "${2}" | urlbase64)"
@@ -223,20 +220,20 @@ signed_request() {
  http_request post "${1}" "${data}"
 }

+# Create certificate for domain(s)
 sign_domain() {
  domain="${1}"
  altnames="${*}"
+  timestamp="$(date +%s)"

  echo " + Signing domains..."
  if [[ -z "${CA_NEW_AUTHZ}" ]] || [[ -z "${CA_NEW_CERT}" ]]; then
-    echo " + ERROR: Certificate authority doesn't allow certificate signing" >&2
-    exit 1
+    _exiterr "Certificate authority doesn't allow certificate signing"
  fi
-  timestamp="$(date +%s)"

  # If there is no existing certificate directory => make it
  if [[ ! -e "${BASEDIR}/certs/${domain}" ]]; then
-    echo " + make directory ${BASEDIR}/certs/${domain} ..."
+    echo " + Creating new directory ${BASEDIR}/certs/${domain} ..."
    mkdir -p "${BASEDIR}/certs/${domain}"
  fi

@@ -249,12 +246,12 @@ sign_domain() {
  fi

  # Generate signing request config and the actual signing request
+  echo " + Generating signing request..."
  SAN=""
-  for altname in $altnames; do
+  for altname in ${altnames}; do
    SAN+="DNS:${altname}, "
  done
  SAN="${SAN%%, }"
-  echo " + Generating signing request..."
  local tmp_openssl_cnf
  tmp_openssl_cnf="$(mktemp)"
  cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
@@ -263,20 +260,19 @@ sign_domain() {
  rm -f "${tmp_openssl_cnf}"

  # Request and respond to challenges
-  for altname in $altnames; do
+  for altname in ${altnames}; do
    # Ask the acme-server for new challenge token and extract them from the resulting json block
    echo " + Requesting challenge for ${altname}..."
    response="$(signed_request "${CA_NEW_AUTHZ}" '{"resource": "new-authz", "identifier": {"type": "dns", "value": "'"${altname}"'"}}')"

-    challenges="$(printf '%s\n' "${response}" | get_json_array challenges)"
+    challenges="$(printf '%s\n' "${response}" | grep -Eo '"challenges":[^\[]*\[[^]]*]')"
    repl=$'\n''{' # fix syntax highlighting in Vim
    challenge="$(printf "%s" "${challenges//\{/${repl}}" | grep 'http-01')"
    challenge_token="$(printf '%s' "${challenge}" | get_json_string_value token | sed 's/[^A-Za-z0-9_\-]/_/g')"
    challenge_uri="$(printf '%s' "${challenge}" | get_json_string_value uri)"

    if [[ -z "${challenge_token}" ]] || [[ -z "${challenge_uri}" ]]; then
-      echo "  + Error: Can't retrieve challenges (${response})" >&2
-      exit 1
+      _exiterr "Can't retrieve challenges (${response})"
    fi

    # Challenge response consists of the challenge token and the thumbprint of our public certificate
@@ -287,17 +283,14 @@ sign_domain() {
    chmod a+r "${WELLKNOWN}/${challenge_token}"

    # Wait for hook script to deploy the challenge if used
-    if [[ -n "${HOOK}" ]]; then
-        ${HOOK} "deploy_challenge" "${altname}" "${challenge_token}" "${keyauth}"
-    fi
+    [[ -n "${HOOK}" ]] && ${HOOK} "deploy_challenge" "${altname}" "${challenge_token}" "${keyauth}"

-    # Ask the acme-server to verify our challenge and wait until it becomes valid
+    # Ask the acme-server to verify our challenge and wait until it is no longer pending
    echo " + Responding to challenge for ${altname}..."
    result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"

    status="$(printf '%s\n' "${result}" | get_json_string_value status)"

-    # get status until a result is reached => not pending anymore
    while [[ "${status}" = "pending" ]]; do
      sleep 1
      status="$(http_request get "${challenge_uri}" | get_json_string_value status)"
@@ -313,10 +306,8 @@ sign_domain() {
    if [[ "${status}" = "valid" ]]; then
      echo " + Challenge is valid!"
    else
-      echo " + Challenge is invalid! (returned: ${status})" >&2
-      exit 1
+      _exiterr "Challenge is invalid! (returned: ${status})"
    fi
-
  done

  # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
@@ -325,7 +316,8 @@ sign_domain() {
  crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
  crt_path="${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${crt_path}"
-  # try to load the certificate to detect corruption
+
+  # Try to load the certificate to detect corruption
  echo " + Checking certificate..."
  _openssl x509 -text < "${crt_path}"

@@ -333,31 +325,26 @@ sign_domain() {
  echo " + Creating fullchain.pem..."
  cat "${crt_path}" > "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
  http_request get "$(openssl x509 -in "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem" -noout -text | grep 'CA Issuers - URI:' | cut -d':' -f2-)" > "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem"
-  if ! grep "BEGIN CERTIFICATE" "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" > /dev/null 2>&1; then
+  if ! grep -q "BEGIN CERTIFICATE" "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem"; then
    openssl x509 -in "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -inform DER -out "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" -outform PEM
  fi
-  ln -sf "chain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/chain.pem"
  cat "${BASEDIR}/certs/${domain}/chain-${timestamp}.pem" >> "${BASEDIR}/certs/${domain}/fullchain-${timestamp}.pem"
-  ln -sf "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"

-  # Update remaining symlinks
-  if [ ! "${privkey}" = "privkey.pem" ]; then
-    ln -sf "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
-  fi
+  # Update symlinks
+  [[ "${privkey}" = "privkey.pem" ]] || ln -sf "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"

+  ln -sf "chain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/chain.pem"
+  ln -sf "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
  ln -sf "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
  ln -sf "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"

  # Wait for hook script to clean the challenge and to deploy cert if used
-  if [[ -n "${HOOK}" ]]; then
-      ${HOOK} "deploy_cert" "${domain}" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
-  fi
+  [[ -n "${HOOK}" ]] && ${HOOK} "deploy_cert" "${domain}" "${BASEDIR}/certs/${domain}/privkey.pem" "${BASEDIR}/certs/${domain}/cert.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"

  unset challenge_token
  echo " + Done!"
 }

-
 # Usage: --cron (-c)
 # Description: Sign/renew non-existant/changed/expiring certificates.
 command_sign_domains() {