__uacme*, __nginx: allow external ACME provider, EAB authentication
This commit is contained in:
parent
698525fcd2
commit
a38275f6d7
9 changed files with 82 additions and 4 deletions
@ -28,6 +28,16 @@ uacme-hookscript
|
||||||
Custom hook passed to the __uacme_obtain type: useful to integrate the
|
Custom hook passed to the __uacme_obtain type: useful to integrate the
|
||||||
dns-01 challenge with third-party DNS providers.
|
dns-01 challenge with third-party DNS providers.
|
||||||
|
|
||||||
|
acme-url
|
||||||
|
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
|
||||||
|
|
||||||
|
acme-eab-credentials
|
||||||
|
Specify RFC8555 External Account Binding credentials according to
|
||||||
|
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
|
||||||
|
ACME account with an existing account in a non-ACME system such as a CA
|
||||||
|
customer database. KEYID must be an ASCII string. KEY must be
|
||||||
|
base64url-encoded.
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
|
|
@ -36,6 +36,20 @@ then
|
||||||
set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
|
set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
set_custom_acme_url=
|
||||||
|
if [ -f "${__object:?}/parameter/acme-url" ];
|
||||||
|
then
|
||||||
|
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
|
||||||
|
set_custom_acme_url="--acme-url $custom_acme_url"
|
||||||
|
fi
|
||||||
|
|
||||||
|
set_acme_eab_credentials=
|
||||||
|
if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
|
||||||
|
then
|
||||||
|
acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
|
||||||
|
set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
|
||||||
|
fi
|
||||||
|
|
||||||
# Deploy simple HTTP vhost, allowing to serve ACME challenges.
|
# Deploy simple HTTP vhost, allowing to serve ACME challenges.
|
||||||
__nginx_vhost "301-to-https-$domain" \
|
__nginx_vhost "301-to-https-$domain" \
|
||||||
--domain "$domain" --altdomains "$altdomains" --to-https
|
--domain "$domain" --altdomains "$altdomains" --to-https
|
||||||
|
@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
|
||||||
cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
|
cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
__uacme_account
|
# shellcheck disable=SC2086
|
||||||
|
__uacme_account \
|
||||||
|
$set_custom_acme_url \
|
||||||
|
$set_acme_eab_credentials \
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
require="__nginx_vhost/301-to-https-$domain __uacme_account" \
|
require="__nginx_vhost/301-to-https-$domain __uacme_account" \
|
||||||
__uacme_obtain "$domain" \
|
__uacme_obtain "$domain" \
|
||||||
--altdomains "$altdomains" \
|
--altdomains "$altdomains" \
|
||||||
$set_custom_uacme_hookscript \
|
$set_custom_uacme_hookscript \
|
||||||
|
$set_custom_acme_url \
|
||||||
|
$set_acme_eab_credentials \
|
||||||
--owner "$cert_ownership" \
|
--owner "$cert_ownership" \
|
||||||
--install-key-to "$nginx_certdir/$domain/privkey.pem" \
|
--install-key-to "$nginx_certdir/$domain/privkey.pem" \
|
||||||
--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
|
--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
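Review bot: At `acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")` the manifest reads what the man page describes as an account secret (an ASCII KEYID plus a base64url KEY), then expands it unquoted through `$set_acme_eab_credentials` on both the `__uacme_account` and `__uacme_obtain` invocations, so the value is word-split and silently breaks if it contains whitespace; the same applies to `$set_custom_acme_url`. A guard such as `case "$acme_eab_credentials" in *[[:space:]]*) printf 'acme-eab-credentials must not contain whitespace\n' >&2; exit 1;; esac` before building the option string would fail loudly at generation time instead. Separately, `__uacme_account` is invoked without an object id, so two vhost objects on one host that pass different `--acme-url` or `--eab-credentials` values presumably collide on the same singleton rather than registering two accounts; that limitation belongs in the man page. The enclosing manifest starts before and ends after the hunk.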
|
||||||
|
|
|
@ -2,4 +2,6 @@ config
|
||||||
domain
|
domain
|
||||||
altdomains
|
altdomains
|
||||||
uacme-hookscript
|
uacme-hookscript
|
||||||
|
acme-url
|
||||||
|
acme-eab-credentials
|
||||||
force-cert-ownership-to
|
force-cert-ownership-to
|
||||||
|
|
|
@ -18,6 +18,21 @@ then
|
||||||
admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
|
admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Autoaccept ACME server terms (if any) upon new account creation.
|
||||||
|
uacme_opts="--yes"
|
||||||
|
|
||||||
|
# Non-default ACMEv2 server directory object URL.
|
||||||
|
if [ -f "${__object:?}/parameter/acme-url" ]; then
|
||||||
|
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
|
||||||
|
uacme_opts="$uacme_opts --acme-url $custom_acme_url"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Specify RFC8555 External Account Binding credentials.
|
||||||
|
if [ -f "${__object:?}/parameter/eab-credentials" ]; then
|
||||||
|
eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
|
||||||
|
uacme_opts="$uacme_opts --eab $eab_credentials"
|
||||||
|
fi
|
||||||
|
|
||||||
confdir="${default_confdir:?}"
|
confdir="${default_confdir:?}"
|
||||||
if [ -f "${__object:?}/parameter/confdir" ];
|
if [ -f "${__object:?}/parameter/confdir" ];
|
||||||
then
|
then
|
||||||
|
@ -27,6 +42,6 @@ fi
|
||||||
cat << EOF
|
cat << EOF
|
||||||
if ! [ -f "${confdir}/private/key.pem" ];
|
if ! [ -f "${confdir}/private/key.pem" ];
|
||||||
then
|
then
|
||||||
uacme -y new ${admin_mail}
|
uacme $uacme_opts new ${admin_mail}
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
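Review bot: The `cat << EOF` heredoc expands `$uacme_opts` at generation time, so with `eab-credentials` set the EAB key is written verbatim into the generated remote script and then sits on the `uacme $uacme_opts new ${admin_mail}` command line on the target, where it is readable via `ps`/process accounting and presumably retained in cdist's cached code output for the object; the man page should at least warn about this. A second gap: registration is skipped whenever `${confdir}/private/key.pem` already exists, so changing `acme-url` or `eab-credentials` on a host that already has an account silently does nothing — a comment above the `if`, `# NOTE: acme-url/eab-credentials only take effect on first registration; an existing account key is never re-registered.`, would make that explicit. `$uacme_opts` is also expanded unquoted in the remote script, so neither value may contain whitespace or shell metacharacters, and a check on the parameter values before they are interpolated would be cheap. The gencode-remote file continues outside this hunk.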
|
||||||
|
|
|
@ -23,6 +23,16 @@ confdir
|
||||||
admin-mail
|
admin-mail
|
||||||
Administrative contact email to register the account with.
|
Administrative contact email to register the account with.
|
||||||
|
|
||||||
|
acme-url
|
||||||
|
ACMEv2 server directory object URL. Lets'Encrypt is used by default.
|
||||||
|
|
||||||
|
eab-credentials
|
||||||
|
Specify RFC8555 External Account Binding credentials according to
|
||||||
|
https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
|
||||||
|
ACME account with an existing account in a non-ACME system such as a CA
|
||||||
|
customer database. KEYID must be an ASCII string. KEY must be
|
||||||
|
base64url-encoded. This is parameter is not supported by uacme < 1.6.
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
@ -43,6 +53,7 @@ SEE ALSO
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Joachim Desroches <joachim.desroches@epfl.ch>
|
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||||
|
Timothée Floure <timothee.floure@posteo.net>
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
|
|
|
@ -1,2 +1,4 @@
|
||||||
confdir
|
confdir
|
||||||
admin-mail
|
admin-mail
|
||||||
|
acme-url
|
||||||
|
eab-credentials
|
||||||
|
|
|
@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
|
||||||
export UACME_CHALLENGE_PATH
|
export UACME_CHALLENGE_PATH
|
||||||
|
|
||||||
# Issue certificate.
|
# Issue certificate.
|
||||||
uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
|
uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
|
||||||
issue -- ${DOMAIN:?}
|
${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
|
||||||
|
|
||||||
# Note: exit code 0 means that certificate was issued.
|
# Note: exit code 0 means that certificate was issued.
|
||||||
# Note: exit code 1 means that certificate was still valid, hence not renewed.
|
# Note: exit code 1 means that certificate was still valid, hence not renewed.
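Review bot: `${EAB_CREDENTIALS?}` now goes on the `uacme ... issue` command line of every renewal run, so the EAB key is present in this script's environment and argv on each invocation, not only at account registration. Whether uacme consumes EAB on `issue` at all, as opposed to only on `new` where the account is created, is not established by this change — confirm against uacme(1); if it is only used at registration, dropping it from this line removes a recurring exposure of the secret. Both `${ACME_URL?}` and `${EAB_CREDENTIALS?}` are expanded unquoted, so a value containing whitespace would be split into extra arguments. The script this line belongs to starts before and continues after the hunk.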
|
||||||
|
|
|
@ -69,6 +69,22 @@ then
|
||||||
fi
|
fi
|
||||||
export MUST_STAPLE
|
export MUST_STAPLE
|
||||||
|
|
||||||
|
# Non-default ACMEv2 server directory object URL.
|
||||||
|
ACME_URL=
|
||||||
|
if [ -f "${__object:?}/parameter/acme-url" ]; then
|
||||||
|
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
|
||||||
|
ACME_URL="--acme-url $custom_acme_url"
|
||||||
|
fi
|
||||||
|
export ACME_URL
|
||||||
|
|
||||||
|
# Specify RFC8555 External Account Binding credentials.
|
||||||
|
EAB_CREDENTIALS=
|
||||||
|
if [ -f "${__object:?}/parameter/eab-credentials" ]; then
|
||||||
|
eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
|
||||||
|
EAB_CREDENTIALS="--eab $eab_credentials_param"
|
||||||
|
fi
|
||||||
|
export EAB_CREDENTIALS
|
||||||
|
|
||||||
OWNER=root
|
OWNER=root
|
||||||
if [ -f "${__object:?}/parameter/owner" ];
|
if [ -f "${__object:?}/parameter/owner" ];
|
||||||
then
|
then
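Review bot: `ACME_URL="--acme-url $custom_acme_url"` accepts any string from the parameter file and exports it for the remote script, where it is expanded unquoted, so a URL with whitespace or shell metacharacters would be split or interpreted there, and a plain `http://` directory URL would be forwarded even though RFC 8555 (cited by this commit) specifies ACME over HTTPS. A cheap check before the assignment, `case "$custom_acme_url" in https://*) ;; *) printf 'acme-url must be an https:// URL\n' >&2; exit 1;; esac` (plus rejecting whitespace), fails at generation time instead. The same read-and-wrap logic now appears here, in `__uacme_account`'s gencode-remote and in the nginx manifest; a single validation point would keep the three from drifting. `export EAB_CREDENTIALS` places the account secret in the environment of whatever renders the template, which is outside this hunk; the enclosing gencode-remote continues past it.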
|
||||||
|
|
|
@ -5,3 +5,5 @@ owner
|
||||||
install-cert-to
|
install-cert-to
|
||||||
install-key-to
|
install-key-to
|
||||||
renew-hook
|
renew-hook
|
||||||
|
acme-url
|
||||||
|
eab-credentials
|
||||||
|
|