search

dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License
5.96k stars 716 forks source link

Respect domain-specific hooks when using dns-01 challenge type #921

Open henk84 opened 10 months ago

henk84 commented 10 months ago

https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L325-L326

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge
henk84 commented 10 months ago

https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L325-L326

This check ignores a domain specific configfile containing a domain specific hook.

(I’m not sure whether I need to say more or what to say more. If it’s unclear, let me know and I’ll try again/harder to explain better.)

This is important when handling multiple domains spread over multiple hosts on an admin system: a domain dependent hook-script is important for deploying the certs to the correct machines.

Yes, there are ways to work around it, but it would be nice if one wouldn’t have to work around them.

Spontaneous idea: it would be cool to have hooks for each action in each domain, e.g.:

domains.d/example.org/deploy_challenge
domains.d/example.org/clean_challenge
domains.d/example.org/exit_hook
domains.d/example.org/deploy_cert
domains.d/example.net/deploy_cert
default_hooks/deploy_challenge
default_hooks/clean_challenge

I managed to build something similar to this. It is based on the hook from https://ente.limmat.ch/ftp/pub/software/bash/letsencrypt/

I then added code like the following:

case "$reason" in
[…]
    deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)
        # echo "running ${reason} hook"
        if [ -x "domains.d/${HOST}_hooks/${reason}.sh" ]
        then
            domains.d/${HOST}_hooks/${reason}.sh "${@}"
        elif [ -x "domains.d/hooks/common-${reason}.sh" ]
        then
            domains.d/hooks/common-${reason}.sh "${@}"
        else
            # echo "No hook for ${reason} found to run"
            reason="nothing to do!"
        fi
        ;;

Example for a "common" hook:

#!/usr/bin/env bash

REASON="${1}" DOMAIN="${2}" KEYFILE="${3}" CERTFILE="${4}" FULLCHAINFILE="${5}" CHAINFILE="${6}" TIMESTAMP="${7}"

. domains.d/${DOMAIN}_vars

for srv in ${servers[@]}
do
    rsync \
        --copy-links \
        --human-readable \
        --verbose \
        --partial \
        --progress \
        --chown=root:ssl-cert \
        --chmod=0644 \
        "${FULLCHAINFILE}" \
        "root@${srv}:/etc/ssl/localcerts/${DOMAIN}.crt"
    rsync \
        --copy-links \
        --human-readable \
        --verbose \
        --partial \
        --progress \
        --chown=root:ssl-cert \
        --chmod=0640 \
        "${KEYFILE}" \
        "root@${srv}:/etc/ssl/private/${DOMAIN}.key"

    for sv in ${services[@]}
    do
        ssh root@${srv} service ${sv} reload
    done
done

Issue can be closed.