__uacme*, __nginx: allow external ACME provider, EAB authentication

2021-12-14 12:37:18 +01:00 · 2021-12-14 12:37:18 +01:00 · a38275f6d7
commit a38275f6d7
parent 698525fcd2
9 changed files with 82 additions and 4 deletions
--- a/type/__nginx/man.rst
+++ b/type/__nginx/man.rst
@ -28,6 +28,16 @@ uacme-hookscript
  Custom hook passed to the __uacme_obtain type: useful to integrate the
  dns-01 challenge with third-party DNS providers.
 acme-url
  ACMEv2 server directory object URL. Lets'Encrypt is used by default.
 acme-eab-credentials
  Specify RFC8555 External Account Binding credentials according to
  https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
  ACME account with an existing account in a non-ACME system such as a CA
  customer database. KEYID must be an ASCII string. KEY must be
  base64url-encoded.
 EXAMPLES
 --------
--- a/type/__nginx/manifest
+++ b/type/__nginx/manifest
@ -36,6 +36,20 @@ then
 	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
 fi
 set_custom_acme_url=
 if [ -f "${__object:?}/parameter/acme-url" ];
 then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	set_custom_acme_url="--acme-url $custom_acme_url"
 fi
 set_acme_eab_credentials=
 if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
 then
 	acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
 	set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
 fi
 # Deploy simple HTTP vhost, allowing to serve ACME challenges.
 __nginx_vhost "301-to-https-$domain" \
 	--domain "$domain" --altdomains "$altdomains" --to-https
@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
 	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
 fi
-__uacme_account
+# shellcheck disable=SC2086
 __uacme_account \
 	$set_custom_acme_url \
 	$set_acme_eab_credentials \
 # shellcheck disable=SC2086
 require="__nginx_vhost/301-to-https-$domain __uacme_account" \
 	__uacme_obtain "$domain" \
 		--altdomains "$altdomains" \
 		$set_custom_uacme_hookscript \
 		$set_custom_acme_url \
 		$set_acme_eab_credentials \
 		--owner "$cert_ownership" \
 		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
 		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
--- a/type/__nginx/parameter/optional
+++ b/type/__nginx/parameter/optional
@ -2,4 +2,6 @@ config
 domain
 altdomains
 uacme-hookscript
 acme-url
 acme-eab-credentials
 force-cert-ownership-to
--- a/type/__uacme_account/gencode-remote
+++ b/type/__uacme_account/gencode-remote
@ -18,6 +18,21 @@ then
 	admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
 fi
 # Autoaccept ACME server terms (if any) upon new account creation.
 uacme_opts="--yes"
 # Non-default ACMEv2 server directory object URL.
 if [ -f "${__object:?}/parameter/acme-url" ]; then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	uacme_opts="$uacme_opts --acme-url $custom_acme_url"
 fi
 # Specify RFC8555 External Account Binding credentials.
 if [ -f "${__object:?}/parameter/eab-credentials" ]; then
 	eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
 	uacme_opts="$uacme_opts --eab $eab_credentials"
 fi
 confdir="${default_confdir:?}"
 if [ -f "${__object:?}/parameter/confdir" ];
 then
@ -27,6 +42,6 @@ fi
 cat << EOF
 if ! [ -f "${confdir}/private/key.pem" ];
 then
-	uacme -y new ${admin_mail}
+	uacme $uacme_opts new ${admin_mail}
 fi
 EOF
--- a/type/__uacme_account/man.rst
+++ b/type/__uacme_account/man.rst
@ -23,6 +23,16 @@ confdir
 admin-mail
    Administrative contact email to register the account with.
 acme-url
   ACMEv2 server directory object URL. Lets'Encrypt is used by default.
 eab-credentials
   Specify RFC8555 External Account Binding credentials according to
   https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
   ACME account with an existing account in a non-ACME system such as a CA
   customer database. KEYID must be an ASCII string. KEY must be
   base64url-encoded. This is parameter is not supported by uacme < 1.6.
 EXAMPLES
 --------
@ -43,6 +53,7 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Timothée Floure <timothee.floure@posteo.net>
 COPYING
 -------
--- a/type/__uacme_account/parameter/optional
+++ b/type/__uacme_account/parameter/optional
@ -1,2 +1,4 @@
 confdir
 admin-mail
 acme-url
 eab-credentials
--- a/type/__uacme_obtain/files/renew.sh.sh
+++ b/type/__uacme_obtain/files/renew.sh.sh
@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
 export UACME_CHALLENGE_PATH
 # Issue certificate.
-uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
+uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
-	issue -- ${DOMAIN:?}
+	${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
 # Note: exit code 0 means that certificate was issued.
 # Note: exit code 1 means that certificate was still valid, hence not renewed.
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@ -69,6 +69,22 @@ then
 fi
 export MUST_STAPLE
 # Non-default ACMEv2 server directory object URL.
 ACME_URL=
 if [ -f "${__object:?}/parameter/acme-url" ]; then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	ACME_URL="--acme-url $custom_acme_url"
 fi
 export ACME_URL
 # Specify RFC8555 External Account Binding credentials.
 EAB_CREDENTIALS=
 if [ -f "${__object:?}/parameter/eab-credentials" ]; then
 	eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
 	EAB_CREDENTIALS="--eab $eab_credentials_param"
 fi
 export EAB_CREDENTIALS
 OWNER=root
 if [ -f "${__object:?}/parameter/owner" ];
 then
--- a/type/__uacme_obtain/parameter/optional
+++ b/type/__uacme_obtain/parameter/optional
@ -5,3 +5,5 @@ owner
 install-cert-to
 install-key-to
 renew-hook
 acme-url
 eab-credentials