-rw-r--r--acme.conf.5.in7
-rw-r--r--dns.sh.in4
-rw-r--r--dnsutils.sh.in7
-rw-r--r--init.sh.in43
-rw-r--r--kerberos.sh.in13
-rw-r--r--lfacme-dns.7.in14
-rw-r--r--lfacme-kerberos.7.in21
-rw-r--r--lfacme-ualpn.7.in14
-rw-r--r--ualpn.sh.in6
9 files changed, 117 insertions, 12 deletions
diff --git a/acme.conf.5.in b/acme.conf.5.in
index d968c74..a13f6ff 100644
--- a/acme.conf.5.in
+++ b/acme.conf.5.in
@@ -39,6 +39,13 @@ The path to a directory containing hooks to invoke when issuing certificates
.Xr domains.conf 5 ) .
The default path is
.Pa __CONFDIR__/hooks .
+.It Va ACME_UACME
+Path to the
+.Xr uacme 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
.El
.Pp
Additional configuration variables may be used by the ACME validation hooks;
diff --git a/dns.sh.in b/dns.sh.in
index 67fb280..e651cec 100644
--- a/dns.sh.in
+++ b/dns.sh.in
@@ -32,7 +32,7 @@ _add_record() {
local domain="$1"
local auth="$2"
- nsupdate -k "$ACME_DNS_KEYFILE" <<EOF
+ $_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
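Review bot: The new `$_NSUPDATE` on the changed line is expanded unquoted, so a path containing whitespace or glob characters (the value can come from `ACME_DNS_NSUPDATE` through `_findbin`) is split before execution; write `"$_NSUPDATE" -k "$ACME_DNS_KEYFILE" <<EOF`. The same applies to the second hunk of this file, to both `$_DIG` lines in dnsutils.sh.in, to `$_KINIT` and both `$_NSUPDATE` lines in kerberos.sh.in, and to both `$_UALPN` lines in ualpn.sh.in. Quoting also makes the failure mode explicit should the variable ever be empty: an unquoted empty expansion vanishes and the next word (`-k` here, the query name in dnsutils.sh.in) would be run as the command, whereas a quoted empty string fails with a plain "command not found". `_add_record` opens above the hunk, and `_NSUPDATE` is assigned in dnsutils.sh.in, which this hook presumably sources before reaching this point.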
@@ -44,7 +44,7 @@ _remove_record() {
local domain="$1"
local auth="$2"
- nsupdate -k "$ACME_DNS_KEYFILE" <<EOF
+ $_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
diff --git a/dnsutils.sh.in b/dnsutils.sh.in
index a1523ff..290f1e3 100644
--- a/dnsutils.sh.in
+++ b/dnsutils.sh.in
@@ -2,6 +2,9 @@
#
# Utility functions for DNS-based authorizations.
+_DIG="$(_findbin dig $ACME_DNS_DIG)"
+_NSUPDATE="$(_findbin nsupdate $ACME_DNS_NSUPDATE)"
+
# Retrieve the nameservers for a given domain. On failure, prints an error
# message and exits.
lfacme_dns_getnameservers() {
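Review bot: `$ACME_DNS_DIG` and `$ACME_DNS_NSUPDATE` on the two added lines are passed to `_findbin` unquoted, so an override path containing whitespace is split into several arguments and only its first word reaches `$2`; write `_DIG="$(_findbin dig "$ACME_DNS_DIG")"` and `_NSUPDATE="$(_findbin nsupdate "$ACME_DNS_NSUPDATE")"`. The same unquoted pattern appears in init.sh.in (`_UACME`), kerberos.sh.in (`_KINIT`) and ualpn.sh.in (`_UALPN`). Both lookups run at the moment the file is sourced, so a missing `nsupdate` aborts even a caller that only needs `dig`; that may well be intended, but a one-line comment above the two assignments saying so would spare the next reader the question.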
@@ -19,7 +22,7 @@ lfacme_dns_getnameservers() {
# For CNAME records, a query for NS will return the CNAME.
# Therefore we have to check we actually got NS records.
local nameservers="$(
- dig "$_trydomain" ns +noall +answer | \
+ $_DIG "$_trydomain" ns +noall +answer | \
awk '$4 == "NS" { print $5 }'
)"
@@ -53,7 +56,7 @@ lfacme_dns_wait_for_nameserver() {
fi
local _rdatas="$(
- dig "_acme-challenge.$domain" txt @$nameserver \
+ $_DIG "_acme-challenge.$domain" txt @$nameserver \
+noall +answer \
| awk '$4 == "TXT" { print $5 }'
)"
diff --git a/init.sh.in b/init.sh.in
index c70285c..e21b1e4 100644
--- a/init.sh.in
+++ b/init.sh.in
@@ -1,12 +1,14 @@
# This source code is released into the public domain.
-_PROGNAME="$0"
+_PROGNAME="${0##*/}"
+
+trap 'exit 1' TERM
_fatal() {
local _fmt=$1; shift
local _msg="$(printf "$_fmt" "$@")"
printf >&2 '%s: FATAL: %s\n' "$_PROGNAME" "$_msg"
- exit 1
+ kill $$
}
_error() {
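Review bot: `_fatal` now ends with `kill $$` instead of `exit 1`, which lets a failure inside a `$(...)` command substitution (the way `_findbin` is called) reach the main shell, but the subshell that called `_fatal` keeps running after the signal is sent, so any commands that follow a `_fatal` call in such a subshell still execute before the parent acts on its TERM trap; keep the exit as well, `kill $$` followed by `exit 1`. If these files are ever `source`d by something other than the lfacme script process, `$$` is that other shell, so a short comment above `trap 'exit 1' TERM` stating that assumption would be worthwhile. The trap also turns an externally delivered SIGTERM into exit status 1, which is probably fine but deserves a word in the same comment. `_error` begins on the last line of the hunk and continues outside it.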
@@ -80,16 +82,51 @@ fi
if [ ! -d "$ACME_DATADIR" ]; then
_info "creating directory %s" "$ACME_DATADIR"
mkdir -p "$ACME_DATADIR"
+ if [ "$?" -ne 0 ]; then
+ exit 1
+ fi
fi
# The domains.conf file.
_DOMAINS="${_CONFDIR}/domains.conf"
+# Find a program based on $PATH, or return the second argument if specified.
+# If the program isn't found, print an error and exit.
+_findbin() {
+ local cmd="$1"
+ local force="$2"
+
+ if ! [ -z "$force" ]; then
+ if ! [ -x "$force" ]; then
+ _fatal "not found or not executable: %s" "$force"
+ fi
+
+ echo $force
+ return 0
+ fi
+
+ local oIFS="$IFS"
+ local IFS=:
+ for dir in $PATH; do
+ local _bin="${dir}/${cmd}"
+
+ if ! [ -x "$_bin" ]; then
+ continue
+ fi
+
+ echo $_bin
+ return 0
+ done
+ IFS="$oIFS"
+
+ _fatal "required command '%s' not found" "$cmd"
+}
+
# uacme's base directory; this is where it puts certificates.
_UACME_DIR="${ACME_DATADIR}/certs"
# The uacme executable.
-_UACME=uacme
+_UACME="$(_findbin uacme $ACME_UACME)"
_LFACME_UACME_FLAGS=""
if ! [ -z "$LFACME_VERBOSE" ]; then
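Review bot: `_findbin`'s `-x` test alone also accepts a directory of the same name on `$PATH` (or as the forced path), because a searchable directory passes `-x`, and the result is printed with an unquoted `echo`, which word-splits and globs the path; test `-f` as well and print with `printf '%s\n'`. The `oIFS` save/restore is dead code once `IFS` is declared `local` (and the restore is skipped on the early `return` anyway), `dir` is not declared `local`, and an empty `$PATH` element (a leading, trailing or doubled `:`) expands to `/${cmd}`, a lookup in the root directory that was almost certainly not intended; skipping empty elements avoids that without introducing a current-directory search. The assignment `_UACME="$(_findbin uacme $ACME_UACME)"` runs in a command substitution, so it relies on the `kill $$` path in `_fatal` to stop the script when the lookup fails, and a comment on the function header saying so would help. The added `mkdir -p` status check could be the shorter `mkdir -p "$ACME_DATADIR" || exit 1`.
```shell
_findbin() {
  local cmd="$1"
  local force="$2"

  if [ -n "$force" ]; then
    if ! [ -f "$force" ] || ! [ -x "$force" ]; then
      _fatal "not found or not executable: %s" "$force"
    fi

    printf '%s\n' "$force"
    return 0
  fi

  local IFS=:
  local dir _bin
  for dir in $PATH; do
    # An empty element means the current directory; do not search it.
    [ -n "$dir" ] || continue
    _bin="${dir}/${cmd}"

    if [ -f "$_bin" ] && [ -x "$_bin" ]; then
      printf '%s\n' "$_bin"
      return 0
    fi
  done

  _fatal "required command '%s' not found" "$cmd"
}
```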
diff --git a/kerberos.sh.in b/kerberos.sh.in
index 41d99c2..e29f9c3 100644
--- a/kerberos.sh.in
+++ b/kerberos.sh.in
@@ -15,6 +15,8 @@ TOKEN=$4
# The token value we need to create.
AUTH=$5
+_KINIT="$(_findbin kinit $ACME_KERBEROS_KINIT)"
+
if [ "$#" -ne 5 ]; then
_fatal "missing arguments"
fi
@@ -31,7 +33,12 @@ if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
fi
-if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
+if ! [ -r "$ACME_KERBEROS_KEYTAB" ]; then
+ _fatal "keytab does not exist (or is not readable): %s" \
+ "$ACME_KERBEROS_KEYTAB"
+fi
+
+if ! $_KINIT -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
_fatal "failed to obtain a Kerberos ticket"
fi
@@ -40,7 +47,7 @@ _add_record() {
local domain="$1"
local auth="$2"
- nsupdate -g <<EOF
+ $_NSUPDATE -g <<EOF
update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
@@ -52,7 +59,7 @@ _remove_record() {
local domain="$1"
local auth="$2"
- nsupdate -g <<EOF
+ $_NSUPDATE -g <<EOF
update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
diff --git a/lfacme-dns.7.in b/lfacme-dns.7.in
index 441931f..4d25031 100644
--- a/lfacme-dns.7.in
+++ b/lfacme-dns.7.in
@@ -52,6 +52,20 @@ challenge hook supports the following configuration options in
The key file that will be passed to
.Xr nsupdate 1
to authenticate the DNS update.
+.It Va ACME_DNS_DIG
+Path to the
+.Xr dig 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_NSUPDATE
+Path to the
+.Xr nsupdate 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
.El
.Sh SEE ALSO
.Xr acme.conf 5 ,
diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in
index a2bd73b..ae96109 100644
--- a/lfacme-kerberos.7.in
+++ b/lfacme-kerberos.7.in
@@ -65,6 +65,27 @@ This must contain a key for the principal configured by
.Va ACME_KERBEROS_PRINCIPAL .
The default value is
.Pa /etc/krb5.keytab .
+.It Va ACME_KERBEROS_KINIT
+Path to the
+.Xr kinit 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_DIG
+Path to the
+.Xr dig 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_NSUPDATE
+Path to the
+.Xr nsupdate 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
.El
.Sh DNS SERVER CONFIGURATION
For
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
index 80efd2c..2762f0f 100644
--- a/lfacme-ualpn.7.in
+++ b/lfacme-ualpn.7.in
@@ -33,6 +33,20 @@ daemon, which is part of uacme.
The
.Xr ualpn 1
daemon must be configured and running for this challenge handler to work.
+.Sh CONFIGURATION
+The
+.Nm
+challenge hook supports the following configuration options in
+.Xr acme.conf 5 :
+.Bl -tag -width indent
+.It Va ACME_UALPN
+Path to the
+.Xr ualpn 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.El
.Sh SEE ALSO
.Xr acme.conf 5 ,
.Xr domains.conf 5 ,
diff --git a/ualpn.sh.in b/ualpn.sh.in
index 4e76530..80855c0 100644
--- a/ualpn.sh.in
+++ b/ualpn.sh.in
@@ -22,10 +22,12 @@ if [ "$METHOD" != "tls-alpn-01" ]; then
exit 1
fi
+_UALPN="$(_findbin ualpn $ACME_UALPN)"
+
case "$ACTION" in
begin)
_verbose "creating validation token for %s" "$DOMAIN"
- status="$(ualpn <<EOF
+ status="$($_UALPN <<EOF
auth $DOMAIN $AUTH
EOF
)"
@@ -38,7 +40,7 @@ EOF
done|failed)
_verbose "deleting validation token for %s" "$DOMAIN"
- status="$(ualpn <<EOF
+ status="$($_UALPN <<EOF
unauth $DOMAIN
EOF
)"