Merge pull request #7 from rudis/master

add challenge hook and minor fixes/improvements

Merge pull request #7 from rudis/master
add challenge hook and minor fixes/improvements
16a5589b · Lukas Schauer · 2e8454b4 · b33f1288 · 2e8454b4 · 16a5589b
Commit 16a5589b authored Dec 06, 2015 by Lukas Schauer
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 7 deletions

certs/.keep certs/.keep +0 -0

config.sh.example config.sh.example +8 -1

letsencrypt.sh letsencrypt.sh +20 -6

No files found.
--- a/certs/.keep
+++ b/certs/.keep
--- a/config.sh.example
+++ b/config.sh.example
-CA="https://acme-v01.api.letsencrypt.org"
+# default values are commented
+
+#CA="https://acme-v01.api.letsencrypt.org"
 WELLKNOWN="/var/www/letsencrypt/.well-known/acme-challenge"
+
+# program called before responding to the challenge, arguments: path/to/token
+# token; can be used to e.g. upload the challenge if this script doesn't run
+# on the webserver
+#HOOK_CHALLENGE=
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -4,6 +4,11 @@ set -e
 set -u
 set -o pipefail

+# default config values
+CA="https://acme-v01.api.letsencrypt.org"
+LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
+HOOK_CHALLENGE=
+
 . ./config.sh

 umask 077 # paranoid umask, we're creating private keys
@@ -43,13 +48,17 @@ hex2bin() {
 _request() {
  temperr="$(mktemp)"
  if [ "${1}" = "head" ]; then
-    curl -sSf -I "${2}" 2>${temperr}
+    curl -sSf -I "${2}" 2>"${temperr}"
  elif [ "${1}" = "get" ]; then
-    curl -sSf "${2}" 2>${temperr}
+    curl -sSf "${2}" 2>"${temperr}"
  elif [ "${1}" = "post" ]; then
-    curl -sSf "${2}" -d "${3}" 2>${temperr}
+    curl -sSf "${2}" -d "${3}" 2>"${temperr}"
+  fi
+  if [ -s "${temperr}" ]; then
+      echo "  + ERROR: An error occurred while sending ${1}-request to ${2} ($(<"${temperr}"))" >&2
+      rm -f "${temperr}"
+      exit 1
  fi
-  if [ ! -z "$(<${temperr})" ]; then echo "  + ERROR: An error occured while sending ${1}-request to ${2} ($(<"${temperr}"))" >&2; exit 1; fi
  rm -f "${temperr}"
 }

@@ -83,7 +92,7 @@ sign_domain() {

  # If there is no existing certificate directory we need a new private key
  if [ ! -e "certs/${domain}" ]; then
-    mkdir "certs/${domain}"
+    mkdir -p "certs/${domain}"
    echo "  + Generating private key..."
    openssl genrsa -out "certs/${domain}/privkey.pem" 4096 2> /dev/null > /dev/null
  fi
@@ -118,6 +127,11 @@ sign_domain() {
    printf '%s' "${keyauth}" > "${WELLKNOWN}/${challenge_token}"
    chmod a+r "${WELLKNOWN}/${challenge_token}"

+    # Wait for hook script to deploy the challenge if used
+    if [ -n "${HOOK_CHALLENGE}" ]; then
+        ${HOOK_CHALLENGE} "${WELLKNOWN}/${challenge_token}" "${keyauth}"
+    fi
+
    # Ask the acme-server to verify our challenge and wait until it becomes valid
    echo "  + Responding to challenge for ${altname}..."
    result="$(signed_request "${challenge_uri}" '{"resource": "challenge", "keyAuthorization": "'"${keyauth}"'"}')"
@@ -161,7 +175,7 @@ thumbprint="$(printf '%s' "$(printf '%s' '{"e":"'"${pubExponent64}"'","kty":"RSA
 # If we generated a new private key in the step above we have to register it with the acme-server
 if [ "${register}" = "1" ]; then
  echo "+ Registering account key with letsencrypt..."
-  signed_request "${CA}/acme/new-reg" '{"resource": "new-reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"}' > /dev/null
+  signed_request "${CA}/acme/new-reg" '{"resource": "new-reg", "agreement": "'"$LICENSE"'"}' > /dev/null
 fi

 # Generate certificates for all domains found in domain.txt (TODO: check if certificate already exists and is about to expire)