diff options
| author | Lexi Winter <ivy@FreeBSD.org> | 2025-06-04 08:51:26 +0100 |
|---|---|---|
| committer | Lexi Winter <ivy@FreeBSD.org> | 2025-06-04 08:51:26 +0100 |
| commit | 63f6a3181fea59360b2bfe430f5c798f88b22527 (patch) | |
| tree | a9f5471dfdc5478a5b337854660773e3bea861b4 /kerberos.sh | |
| parent | 7284f9864fad4432b6a6e641c03adee321148107 (diff) | |
| download | lfacme-63f6a3181fea59360b2bfe430f5c798f88b22527.tar.gz lfacme-63f6a3181fea59360b2bfe430f5c798f88b22527.tar.bz2 | |
add a TSIG-based dns validation handler
while here, reorganise and improve documentation a bit.
Diffstat (limited to 'kerberos.sh')
| -rw-r--r-- | kerberos.sh | 89 |
1 files changed, 12 insertions, 77 deletions
diff --git a/kerberos.sh b/kerberos.sh index 2bbfd0f..08663d8 100644 --- a/kerberos.sh +++ b/kerberos.sh @@ -2,6 +2,7 @@ # This source code is released into the public domain. . /usr/local/share/lfacme/init.sh +. /usr/local/share/lfacme/dnsutils.sh # begin, done or failed ACTION=$1 @@ -30,36 +31,6 @@ if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then _fatal "failed to obtain a Kerberos ticket" fi -# Keep removing labels from the name until we find one with nameservers. -_getnameservers() { - local domain="$1" - - local _trydomain="$domain" - while ! [ -z "$_trydomain" ]; do - if [ "$_trydomain" = "${_trydomain#*.}" ]; then - # If there are no dots in the domain, we couldn't - # find the nameservers. - break - fi - - # For CNAME records, a query for NS will return the CNAME. - # Therefore we have to check we actually got NS records. - local nameservers="$( - dig "$_trydomain" ns +noall +answer | \ - awk '$4 == "NS" { print $5 }' - )" - - if ! [ -z "$nameservers" ]; then - echo "$nameservers" - return - fi - - _trydomain="${_trydomain#*.}" - done - - _fatal "unable to find nameservers for %s" "$_trydomain" -} - # Add a new record using nsupdate. _add_record() { local domain="$1" @@ -84,56 +55,20 @@ EOF return $? } -# Wait for the DNS record to appear on a specific nameserver. -_wait_for_nameserver() { - local domain="$1" - local auth="$2" - local nameserver="$3" - - _verbose "waiting for nameserver %s" "$nameserver" - - local waited=0 - local waitlimit=60 - while sleep 1; do - waited=$((waited + 1)) - if [ "$waited" -ge "$waitlimit" ]; then - _error "timed out waiting for '%s' on '%s'" \ - "$domain" "$nameserver" - return 1 +case "$ACTION" in + begin) + if ! _add_record "$DOMAIN" "$AUTH"; then + _fatal "failed to add the DNS record for %s" "$DOMAIN" + exit 1 fi - local _rdatas="$( - dig "_acme-challenge.$domain" txt @$nameserver \ - +noall +answer \ - | awk '$4 == "TXT" { print $5 }' - )" - for rdata in $_rdatas; do - if [ "$rdata" = "\"$auth\"" ]; then - return 0 - fi - done - done -} - -# Wait for DNS servers to have the given record. -_wait_for_record() { - local domain="$1" - local auth="$2" - local nameservers="$(_getnameservers "$domain")" - - _verbose "waiting for the DNS record '%s' to be published" "$domain" - for ns in $nameservers; do - _wait_for_nameserver "$domain" "$auth" "$ns" || return 1 - done - - return 0 -} + if ! lfacme_dns_wait_for_record "$DOMAIN" "$AUTH"; then + _fatal "timed out waiting for the DNS record for '%s' to be published" \ + "$DOMAIN" + exit 1 + fi -case "$ACTION" in - begin) - _add_record "$DOMAIN" "$AUTH" \ - && _wait_for_record "$DOMAIN" "$AUTH" - exit $? + exit 0 ;; done|failed) |