From a38275f6d7b051ff6186603b9ad594c6b0d85c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 14 Dec 2021 12:37:18 +0100 Subject: [PATCH] __uacme*, __nginx: allow external ACME provider, EAB authentication --- type/__nginx/man.rst | 10 ++++++++++ type/__nginx/manifest | 22 +++++++++++++++++++++- type/__nginx/parameter/optional | 2 ++ type/__uacme_account/gencode-remote | 17 ++++++++++++++++- type/__uacme_account/man.rst | 11 +++++++++++ type/__uacme_account/parameter/optional | 2 ++ type/__uacme_obtain/files/renew.sh.sh | 4 ++-- type/__uacme_obtain/manifest | 16 ++++++++++++++++ type/__uacme_obtain/parameter/optional | 2 ++ 9 files changed, 82 insertions(+), 4 deletions(-) diff --git a/type/__nginx/man.rst b/type/__nginx/man.rst index 71d47e7..c1827c0 100644 --- a/type/__nginx/man.rst +++ b/type/__nginx/man.rst @@ -28,6 +28,16 @@ uacme-hookscript Custom hook passed to the __uacme_obtain type: useful to integrate the dns-01 challenge with third-party DNS providers. +acme-url + ACMEv2 server directory object URL. Lets'Encrypt is used by default. + +acme-eab-credentials + Specify RFC8555 External Account Binding credentials according to + https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new + ACME account with an existing account in a non-ACME system such as a CA + customer database. KEYID must be an ASCII string. KEY must be + base64url-encoded. + EXAMPLES -------- diff --git a/type/__nginx/manifest b/type/__nginx/manifest index b552319..cdd483a 100644 --- a/type/__nginx/manifest +++ b/type/__nginx/manifest 
@@ -36,6 +36,20 @@ then set_custom_uacme_hookscript="--hookscript $uacme_hookscript" fi +set_custom_acme_url= +if [ -f "${__object:?}/parameter/acme-url" ]; +then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + set_custom_acme_url="--acme-url $custom_acme_url" +fi + +set_acme_eab_credentials= +if [ -f "${__object:?}/parameter/acme-eab-credentials" ]; +then + acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials") + set_acme_eab_credentials="--eab-credentials $acme_eab_credentials" +fi + # Deploy simple HTTP vhost, allowing to serve ACME challenges. __nginx_vhost "301-to-https-$domain" \ --domain "$domain" --altdomains "$altdomains" --to-https @@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to") fi -__uacme_account +# shellcheck disable=SC2086 +__uacme_account \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ + # shellcheck disable=SC2086 require="__nginx_vhost/301-to-https-$domain __uacme_account" \ __uacme_obtain "$domain" \ --altdomains "$altdomains" \ $set_custom_uacme_hookscript \ + $set_custom_acme_url \ + $set_acme_eab_credentials \ --owner "$cert_ownership" \ --install-key-to "$nginx_certdir/$domain/privkey.pem" \ --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \ diff --git a/type/__nginx/parameter/optional b/type/__nginx/parameter/optional index 1a5fb95..8d6fae6 100644 --- a/type/__nginx/parameter/optional +++ b/type/__nginx/parameter/optional @@ -2,4 +2,6 @@ config domain altdomains uacme-hookscript +acme-url +acme-eab-credentials force-cert-ownership-to diff --git a/type/__uacme_account/gencode-remote b/type/__uacme_account/gencode-remote index e1d9551..b75d2d7 100644 --- a/type/__uacme_account/gencode-remote +++ b/type/__uacme_account/gencode-remote 
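Review bot: In the second hunk the `__uacme_account` call ends with `$set_acme_eab_credentials \` and appears to be followed by an empty added line, so the continuation is closed by a blank line and any line later written in that gap silently becomes an argument; drop the backslash on the last argument line, `  $set_acme_eab_credentials`. Both hunks rely on unquoted word splitting (SC2086 suppressed) to turn `--acme-url $custom_acme_url` and `--eab-credentials $acme_eab_credentials` into two arguments, which only holds while the parameter values contain no whitespace or glob characters; a comment above the first block, `# Option strings are word-split on purpose: values must not contain whitespace or glob chars.`, makes that constraint intentional. Note also that the EAB key read from `parameter/acme-eab-credentials` is forwarded as a cdist parameter to `__uacme_account` and `__uacme_obtain`, so it is stored as a parameter file of each of those objects (and presumably in cdist's object cache), which is worth stating in man.rst next to the parameter.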
@@ -18,6 +18,21 @@ then admin_mail="$(cat "${__object:?}/parameter/admin-mail")"; fi +# Autoaccept ACME server terms (if any) upon new account creation. +uacme_opts="--yes" + +# Non-default ACMEv2 server directory object URL. +if [ -f "${__object:?}/parameter/acme-url" ]; then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + uacme_opts="$uacme_opts --acme-url $custom_acme_url" +fi + +# Specify RFC8555 External Account Binding credentials. +if [ -f "${__object:?}/parameter/eab-credentials" ]; then + eab_credentials=$(cat "${__object:?}/parameter/eab-credentials") + uacme_opts="$uacme_opts --eab $eab_credentials" +fi + confdir="${default_confdir:?}" if [ -f "${__object:?}/parameter/confdir" ]; then @@ -27,6 +42,6 @@ fi cat << EOF if ! [ -f "${confdir}/private/key.pem" ]; then - uacme -y new ${admin_mail} + uacme $uacme_opts new ${admin_mail} fi EOF diff --git a/type/__uacme_account/man.rst b/type/__uacme_account/man.rst index be5efc6..c18bb40 100644 --- a/type/__uacme_account/man.rst +++ b/type/__uacme_account/man.rst @@ -23,6 +23,16 @@ confdir admin-mail Administrative contact email to register the account with. +acme-url + ACMEv2 server directory object URL. Lets'Encrypt is used by default. + +eab-credentials + Specify RFC8555 External Account Binding credentials according to + https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new + ACME account with an existing account in a non-ACME system such as a CA + customer database. KEYID must be an ASCII string. KEY must be + base64url-encoded. This is parameter is not supported by uacme < 1.6. + EXAMPLES -------- @@ -43,6 +53,7 @@ SEE ALSO AUTHORS ------- Joachim Desroches +Timothée Floure COPYING ------- diff --git a/type/__uacme_account/parameter/optional b/type/__uacme_account/parameter/optional index 0eaba67..dff247c 100644 --- a/type/__uacme_account/parameter/optional +++ b/type/__uacme_account/parameter/optional @@ -1,2 +1,4 @@ confdir admin-mail +acme-url +eab-credentials 
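Review bot: In the first hunk `$custom_acme_url` and `$eab_credentials` are concatenated into `uacme_opts` without quoting and then expanded by the unquoted `cat << EOF` in the second hunk, so both values land verbatim in the generated remote code: a URL containing shell metacharacters is re-parsed by the target's shell, and the EAB key (a shared secret) is persisted in the generated code-remote output and is visible in the target's process list while `uacme new` runs. Quoting the values when the option string is built, `uacme_opts="$uacme_opts --acme-url '$custom_acme_url'"` and `uacme_opts="$uacme_opts --eab '$eab_credentials'"`, closes the re-parsing problem; keeping the key out of the generated script would require shipping it to the target separately and reading it there, which is a reasonable follow-up. A second gap: `uacme $uacme_opts new` only runs while `${confdir}/private/key.pem` is absent, so changing `acme-url` or `eab-credentials` for an already-registered account has no effect, and a comment above the heredoc should say so, `# acme-url/eab-credentials only take effect on first registration; an existing key.pem is left untouched.`, ideally mirrored in man.rst. man.rst also states `--eab` is unsupported by uacme < 1.6, yet nothing here checks the installed version, so that case only surfaces as a failed `uacme new` on the target.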
diff --git a/type/__uacme_obtain/files/renew.sh.sh b/type/__uacme_obtain/files/renew.sh.sh index 18bf061..dc82fd9 100755 --- a/type/__uacme_obtain/files/renew.sh.sh +++ b/type/__uacme_obtain/files/renew.sh.sh @@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?} export UACME_CHALLENGE_PATH # Issue certificate. -uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\ - issue -- ${DOMAIN:?} +uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\ + ${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?} # Note: exit code 0 means that certificate was issued. # Note: exit code 1 means that certificate was still valid, hence not renewed. diff --git a/type/__uacme_obtain/manifest b/type/__uacme_obtain/manifest index f41e881..b41ddde 100644 --- a/type/__uacme_obtain/manifest +++ b/type/__uacme_obtain/manifest @@ -69,6 +69,22 @@ then fi export MUST_STAPLE +# Non-default ACMEv2 server directory object URL. +ACME_URL= +if [ -f "${__object:?}/parameter/acme-url" ]; then + custom_acme_url=$(cat "${__object:?}/parameter/acme-url") + ACME_URL="--acme-url $custom_acme_url" +fi +export ACME_URL + +# Specify RFC8555 External Account Binding credentials. +EAB_CREDENTIALS= +if [ -f "${__object:?}/parameter/eab-credentials" ]; then + eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials") + EAB_CREDENTIALS="--eab $eab_credentials_param" +fi +export EAB_CREDENTIALS + OWNER=root if [ -f "${__object:?}/parameter/owner" ]; then diff --git a/type/__uacme_obtain/parameter/optional b/type/__uacme_obtain/parameter/optional index fd721af..9fa9846 100644 --- a/type/__uacme_obtain/parameter/optional +++ b/type/__uacme_obtain/parameter/optional @@ -5,3 +5,5 @@ owner install-cert-to install-key-to renew-hook +acme-url +eab-credentials
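Review bot: `${EAB_CREDENTIALS?}` in renew.sh.sh bakes the EAB key into the rendered renewal script on the target and puts it on the `uacme … issue` command line at every renewal, so a secret that is only needed to bind the account now lives in a long-lived file and appears in the process list on each run. If uacme consults `--eab` only during account registration (`new`, which `__uacme_account` already handles with the same credentials), the `${EAB_CREDENTIALS?}` expansion here and the matching `EAB_CREDENTIALS` block in the `__uacme_obtain/manifest` hunk can be dropped; if it is needed for `issue`, the rendered script's owner and mode must be restrictive, which this patch does not show. Either way a comment next to the new expansion, `# EAB is only consulted when the account is first registered; see __uacme_account`, or its opposite, should record which case applies so the next reader does not guess.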
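Review bot: The two new blocks in `__uacme_obtain/manifest` name their temporaries inconsistently, `custom_acme_url` versus `eab_credentials_param`; renaming the latter to `custom_eab_credentials` would match the adjacent block. Both exported strings (`ACME_URL`, `EAB_CREDENTIALS`) are pre-split option text that the renew.sh.sh template expands unquoted, so a value with whitespace or glob characters breaks the rendered command; this follows the file's existing `MUST_STAPLE` pattern, but a one-line comment above `ACME_URL=`, `# Passed unquoted to the renew template: no whitespace or glob chars allowed.`, makes the constraint explicit.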