141 lines
3.4 KiB
Bash
141 lines
3.4 KiB
Bash
#!/bin/sh
|
|
|
|
os="$(cat "${__global:?}"/explorer/os)"
|
|
case "$os" in
|
|
alpine|ubuntu|debian)
|
|
__package uacme
|
|
|
|
default_challengedir=/var/www/.well-known/acme-challenge
|
|
default_hookscript=/usr/share/uacme/uacme.sh
|
|
default_confdir=/etc/ssl/uacme
|
|
;;
|
|
*)
|
|
echo "__uacme_obtain currently has no implementation for $os. Aborting." >&2;
|
|
exit 1;
|
|
;;
|
|
esac
|
|
|
|
CHALLENGEDIR=${default_challengedir:?}
|
|
if [ -f "${__object:?}/parameter/challengedir" ];
|
|
then
|
|
CHALLENGEDIR="$(cat "${__object:?}/parameter/challengedir")"
|
|
fi
|
|
export CHALLENGEDIR
|
|
|
|
CONFDIR="${default_confdir:?}"
|
|
if [ -f "${__object:?}/parameter/confdir" ];
|
|
then
|
|
CONFDIR="$(cat "${__object:?}/parameter/confdir")"
|
|
fi
|
|
export CONFDIR
|
|
|
|
DISABLE_OCSP=
|
|
if [ -f "${__object:?}/parameter/no-ocsp" ];
|
|
then
|
|
DISABLE_OCSP="--no-ocsp"
|
|
fi
|
|
export DISABLE_OCSP
|
|
|
|
MAIN_DOMAIN=${__object_id:?}
|
|
DOMAIN=$MAIN_DOMAIN
|
|
if [ -f "${__object:?}/parameter/altdomains" ];
|
|
then
|
|
# shellcheck disable=SC2013
|
|
for altdomain in $(cat "${__object:?}/parameter/altdomains");
|
|
do
|
|
DOMAIN="$DOMAIN $altdomain"
|
|
done
|
|
fi
|
|
export MAIN_DOMAIN DOMAIN
|
|
|
|
HOOKSCRIPT=${default_hookscript}
|
|
if [ -f "${__object:?}/parameter/hookscript" ];
|
|
then
|
|
HOOKSCRIPT="$(cat "${__object:?}/parameter/hookscript")"
|
|
fi
|
|
export HOOKSCRIPT
|
|
|
|
KEYTYPE="-t EC"
|
|
if [ -f "${__object:?}/parameter/use-rsa" ];
|
|
then
|
|
KEYTYPE="-t RSA"
|
|
fi
|
|
export KEYTYPE
|
|
|
|
MUST_STAPLE=
|
|
if [ -f "${__object:?}/parameter/must-staple" ];
|
|
then
|
|
MUST_STAPLE="--must-staple"
|
|
fi
|
|
export MUST_STAPLE
|
|
|
|
# Non-default ACMEv2 server directory object URL.
|
|
ACME_URL=
|
|
if [ -f "${__object:?}/parameter/acme-url" ]; then
|
|
custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
|
|
ACME_URL="--acme-url $custom_acme_url"
|
|
fi
|
|
export ACME_URL
|
|
|
|
# Specify RFC8555 External Account Binding credentials.
|
|
EAB_CREDENTIALS=
|
|
if [ -f "${__object:?}/parameter/eab-credentials" ]; then
|
|
eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
|
|
EAB_CREDENTIALS="--eab $eab_credentials_param"
|
|
fi
|
|
export EAB_CREDENTIALS
|
|
|
|
OWNER=root
|
|
if [ -f "${__object:?}/parameter/owner" ];
|
|
then
|
|
OWNER="$(cat "${__object:?}/parameter/owner")"
|
|
fi
|
|
export OWNER
|
|
|
|
KEY_TARGET=
|
|
if [ -f "${__object:?}/parameter/install-key-to" ];
|
|
then
|
|
KEY_TARGET="$(cat "${__object:?}/parameter/install-key-to")"
|
|
fi
|
|
export KEY_TARGET
|
|
|
|
CERT_TARGET=
|
|
if [ -f "${__object:?}/parameter/install-cert-to" ];
|
|
then
|
|
CERT_TARGET="$(cat "${__object:?}/parameter/install-cert-to")"
|
|
fi
|
|
export CERT_TARGET
|
|
|
|
RENEW_HOOK=
|
|
if [ -f "${__object:?}/parameter/renew-hook" ];
|
|
then
|
|
if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
|
|
RENEW_HOOK="$(cat ${__object:?}/stdin)"
|
|
else
|
|
RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
|
|
fi
|
|
fi
|
|
export RENEW_HOOK
|
|
|
|
if [ -n "$KEY_TARGET" ] && [ -z "$CERT_TARGET" ]; then
|
|
echo "You cannot specify --install-key-to without --install-cert-to." >&2
|
|
exit 1
|
|
elif [ -z "$KEY_TARGET" ] && [ -n "$CERT_TARGET" ]; then
|
|
echo "You cannot specify --install-cert-to without --install-key-to." >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Make sure challengedir exist.
|
|
__directory "$CHALLENGEDIR" --parents
|
|
|
|
# Generate and deploy renew script.
|
|
mkdir -p "${__object:?}/files"
|
|
"${__type:?}/files/renew.sh.sh" > "${__object:?}/files/uacme-renew.sh"
|
|
|
|
__directory "$CONFDIR/$MAIN_DOMAIN"
|
|
require="__directory/$CONFDIR/$MAIN_DOMAIN" __file "$CONFDIR/$MAIN_DOMAIN/renew.sh" \
|
|
--mode 0755 --source "${__object:?}/files/uacme-renew.sh"
|
|
|
|
# Set up renew cronjob - initial issue done in gencode-remote.
|
|
__cron "uacme-$MAIN_DOMAIN" --user root --hour 2 --minute 0 \
|
|
--command "$CONFDIR/$MAIN_DOMAIN/renew.sh"
|