Commit 364bcccf authored by chkhanu's avatar chkhanu Committed by Lukas Schauer

Added option to select IP version of name to address resolution (#231)

parent 44aca90c
...@@ -13,6 +13,7 @@ This file contains a log of major changes in letsencrypt.sh ...@@ -13,6 +13,7 @@ This file contains a log of major changes in letsencrypt.sh
- Added option to add CSR-flag indicating OCSP stapling to be mandatory - Added option to add CSR-flag indicating OCSP stapling to be mandatory
- Initial support for configuration on per-certificate base - Initial support for configuration on per-certificate base
- Support for per-CA account keys and custom config for output cert directory, license, etc. - Support for per-CA account keys and custom config for output cert directory, license, etc.
- Added option to select IP version of name to address resolution
## Fixed ## Fixed
- letsencrypt.sh no longer stores account keys from invalid registrations - letsencrypt.sh no longer stores account keys from invalid registrations
......
...@@ -41,6 +41,8 @@ Commands: ...@@ -41,6 +41,8 @@ Commands:
--env (-e) Output configuration variables for use in other scripts --env (-e) Output configuration variables for use in other scripts
Parameters: Parameters:
--ipv4 (-4) Resolve names to IPv4 addresses only
--ipv6 (-6) Resolve names to IPv6 addresses only
--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!) --domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS --force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory --ocsp Sets option in CSR indicating OCSP stapling to be mandatory
......
...@@ -10,6 +10,11 @@ ...@@ -10,6 +10,11 @@
# Default values of this config are in comments # # Default values of this config are in comments #
######################################################## ########################################################
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
#IP_VERSION=
# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory) # Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
#CA="https://acme-v01.api.letsencrypt.org/directory" #CA="https://acme-v01.api.letsencrypt.org/directory"
......
...@@ -58,6 +58,7 @@ store_configvars() { ...@@ -58,6 +58,7 @@ store_configvars() {
__HOOK_CHAIN="${HOOK_CHAIN}" __HOOK_CHAIN="${HOOK_CHAIN}"
__OPENSSL_CNF="${OPENSSL_CNF}" __OPENSSL_CNF="${OPENSSL_CNF}"
__RENEW_DAYS="${RENEW_DAYS}" __RENEW_DAYS="${RENEW_DAYS}"
__IP_VERSION="${IP_VERSION}"
} }
reset_configvars() { reset_configvars() {
...@@ -71,6 +72,7 @@ reset_configvars() { ...@@ -71,6 +72,7 @@ reset_configvars() {
HOOK_CHAIN="${__HOOK_CHAIN}" HOOK_CHAIN="${__HOOK_CHAIN}"
OPENSSL_CNF="${__OPENSSL_CNF}" OPENSSL_CNF="${__OPENSSL_CNF}"
RENEW_DAYS="${__RENEW_DAYS}" RENEW_DAYS="${__RENEW_DAYS}"
IP_VERSION="${__IP_VERSION}"
} }
# verify configuration values # verify configuration values
...@@ -83,6 +85,9 @@ verify_config() { ...@@ -83,6 +85,9 @@ verify_config() {
_exiterr "WELLKNOWN directory doesn't exist, please create ${WELLKNOWN} and set appropriate permissions." _exiterr "WELLKNOWN directory doesn't exist, please create ${WELLKNOWN} and set appropriate permissions."
fi fi
[[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue." [[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... can not continue."
if [[ -n "${IP_VERSION}" ]]; then
[[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... can not continue."
fi
} }
# Setup default config values, search for and load configuration files # Setup default config values, search for and load configuration files
...@@ -118,6 +123,7 @@ load_config() { ...@@ -118,6 +123,7 @@ load_config() {
CONTACT_EMAIL= CONTACT_EMAIL=
LOCKFILE= LOCKFILE=
OCSP_MUST_STAPLE="no" OCSP_MUST_STAPLE="no"
IP_VERSION=
if [[ -z "${CONFIG:-}" ]]; then if [[ -z "${CONFIG:-}" ]]; then
echo "#" >&2 echo "#" >&2
...@@ -183,6 +189,7 @@ load_config() { ...@@ -183,6 +189,7 @@ load_config() {
[[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}" [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
[[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}" [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}" [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
verify_config verify_config
store_configvars store_configvars
...@@ -316,15 +323,19 @@ _openssl() { ...@@ -316,15 +323,19 @@ _openssl() {
http_request() { http_request() {
tempcont="$(_mktemp)" tempcont="$(_mktemp)"
if [[ -n "${IP_VERSION:-}" ]]; then
ip_version="-${IP_VERSION}"
fi
set +e set +e
if [[ "${1}" = "head" ]]; then if [[ "${1}" = "head" ]]; then
statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}" -I)" statuscode="$(curl ${ip_version:-} -s -w "%{http_code}" -o "${tempcont}" "${2}" -I)"
curlret="${?}" curlret="${?}"
elif [[ "${1}" = "get" ]]; then elif [[ "${1}" = "get" ]]; then
statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}")" statuscode="$(curl ${ip_version:-} -s -w "%{http_code}" -o "${tempcont}" "${2}")"
curlret="${?}" curlret="${?}"
elif [[ "${1}" = "post" ]]; then elif [[ "${1}" = "post" ]]; then
statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}" -d "${3}")" statuscode="$(curl ${ip_version:-} -s -w "%{http_code}" -o "${tempcont}" "${2}" -d "${3}")"
curlret="${?}" curlret="${?}"
else else
set -e set -e
...@@ -957,6 +968,18 @@ main() { ...@@ -957,6 +968,18 @@ main() {
set_command cleanup set_command cleanup
;; ;;
# PARAM_Usage: --ipv4 (-4)
# PARAM_Description: Resolve names to IPv4 addresses only
--ipv4|-4)
PARAM_IP_VERSION="4"
;;
# PARAM_Usage: --ipv6 (-6)
# PARAM_Description: Resolve names to IPv6 addresses only
--ipv6|-6)
PARAM_IP_VERSION="6"
;;
# PARAM_Usage: --domain (-d) domain.tld # PARAM_Usage: --domain (-d) domain.tld
# PARAM_Description: Use specified domain name(s) instead of domains.txt entry (one certificate!) # PARAM_Description: Use specified domain name(s) instead of domains.txt entry (one certificate!)
--domain|-d) --domain|-d)
......
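Review bot: `ip_version` in the http_request hunk (@@ -316,15 +323,19 @@) is a global that is only assigned when IP_VERSION is non-empty and is never cleared, so once one request has run with `-4` or `-6`, a later call made after IP_VERSION has been emptied (reset_configvars in this same commit can do that) would still pass the stale flag to curl. The unquoted `${ip_version:-}` is deliberately word-split, which is safe only because verify_config restricts IP_VERSION to 4 or 6; if any path can set IP_VERSION after verify_config has run (per-certificate config is mentioned in the changelog but not visible here), arbitrary words would land in curl's argument list. Both points are covered by deriving the flag from the validated value on every call, replacing the added if-block with `case "${IP_VERSION:-}" in 4) ip_version="-4" ;; 6) ip_version="-6" ;; *) ip_version="" ;; esac`. http_request continues past the end of the hunk.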