__uacme*, __nginx: allow external ACME provider, EAB authentication

2021-12-14 12:37:18 +01:00 · 2021-12-14 12:37:18 +01:00 · a38275f6d7
commit a38275f6d7
parent 698525fcd2
9 changed files with 82 additions and 4 deletions
--- a/type/__nginx/man.rst
+++ b/type/__nginx/man.rst
@ -28,6 +28,16 @@ uacme-hookscript
  Custom hook passed to the __uacme_obtain type: useful to integrate the
  dns-01 challenge with third-party DNS providers.

+acme-url
+  ACMEv2 server directory object URL. Lets'Encrypt is used by default.
+
+acme-eab-credentials
+  Specify RFC8555 External Account Binding credentials according to
+  https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
+  ACME account with an existing account in a non-ACME system such as a CA
+  customer database. KEYID must be an ASCII string. KEY must be
+  base64url-encoded.
+
 EXAMPLES
 --------

--- a/type/__nginx/manifest
+++ b/type/__nginx/manifest
@ -36,6 +36,20 @@ then
 	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
 fi

+set_custom_acme_url=
+if [ -f "${__object:?}/parameter/acme-url" ];
+then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	set_custom_acme_url="--acme-url $custom_acme_url"
+fi
+
+set_acme_eab_credentials=
+if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
+then
+	acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
+	set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
+fi
+
 # Deploy simple HTTP vhost, allowing to serve ACME challenges.
 __nginx_vhost "301-to-https-$domain" \
 	--domain "$domain" --altdomains "$altdomains" --to-https
@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
 	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
 fi

-__uacme_account
+# shellcheck disable=SC2086
+__uacme_account \
+	$set_custom_acme_url \
+	$set_acme_eab_credentials \
+
 # shellcheck disable=SC2086
 require="__nginx_vhost/301-to-https-$domain __uacme_account" \
 	__uacme_obtain "$domain" \
 		--altdomains "$altdomains" \
 		$set_custom_uacme_hookscript \
+		$set_custom_acme_url \
+		$set_acme_eab_credentials \
 		--owner "$cert_ownership" \
 		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
 		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
--- a/type/__nginx/parameter/optional
+++ b/type/__nginx/parameter/optional
@ -2,4 +2,6 @@ config
 domain
 altdomains
 uacme-hookscript
+acme-url
+acme-eab-credentials
 force-cert-ownership-to
--- a/type/__uacme_account/gencode-remote
+++ b/type/__uacme_account/gencode-remote
@ -18,6 +18,21 @@ then
 	admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
 fi

+# Autoaccept ACME server terms (if any) upon new account creation.
+uacme_opts="--yes"
+
+# Non-default ACMEv2 server directory object URL.
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	uacme_opts="$uacme_opts --acme-url $custom_acme_url"
+fi
+
+# Specify RFC8555 External Account Binding credentials.
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+	eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
+	uacme_opts="$uacme_opts --eab $eab_credentials"
+fi
+
 confdir="${default_confdir:?}"
 if [ -f "${__object:?}/parameter/confdir" ];
 then
@ -27,6 +42,6 @@ fi
 cat << EOF
 if ! [ -f "${confdir}/private/key.pem" ];
 then
-	uacme -y new ${admin_mail}
+	uacme $uacme_opts new ${admin_mail}
 fi
 EOF
--- a/type/__uacme_account/man.rst
+++ b/type/__uacme_account/man.rst
@ -23,6 +23,16 @@ confdir
 admin-mail
    Administrative contact email to register the account with.

+acme-url
+   ACMEv2 server directory object URL. Lets'Encrypt is used by default.
+
+eab-credentials
+   Specify RFC8555 External Account Binding credentials according to
+   https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
+   ACME account with an existing account in a non-ACME system such as a CA
+   customer database. KEYID must be an ASCII string. KEY must be
+   base64url-encoded. This is parameter is not supported by uacme < 1.6.
+
 EXAMPLES
 --------

@ -43,6 +53,7 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
+Timothée Floure <timothee.floure@posteo.net>

 COPYING
 -------
--- a/type/__uacme_account/parameter/optional
+++ b/type/__uacme_account/parameter/optional
@ -1,2 +1,4 @@
 confdir
 admin-mail
+acme-url
+eab-credentials
--- a/type/__uacme_obtain/files/renew.sh.sh
+++ b/type/__uacme_obtain/files/renew.sh.sh
@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
 export UACME_CHALLENGE_PATH

 # Issue certificate.
-uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
-	issue -- ${DOMAIN:?}
+uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
+	${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}

 # Note: exit code 0 means that certificate was issued.
 # Note: exit code 1 means that certificate was still valid, hence not renewed.
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@ -69,6 +69,22 @@ then
 fi
 export MUST_STAPLE

+# Non-default ACMEv2 server directory object URL.
+ACME_URL=
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	ACME_URL="--acme-url $custom_acme_url"
+fi
+export ACME_URL
+
+# Specify RFC8555 External Account Binding credentials.
+EAB_CREDENTIALS=
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+	eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
+	EAB_CREDENTIALS="--eab $eab_credentials_param"
+fi
+export EAB_CREDENTIALS
+
 OWNER=root
 if [ -f "${__object:?}/parameter/owner" ];
 then
--- a/type/__uacme_obtain/parameter/optional
+++ b/type/__uacme_obtain/parameter/optional
@ -5,3 +5,5 @@ owner
 install-cert-to
 install-key-to
 renew-hook
+acme-url
+eab-credentials