| -rw-r--r-- | Makefile | 3 | ||||
| -rw-r--r-- | acme.conf.5 | 16 | ||||
| -rw-r--r-- | acme.conf.sample | 25 | ||||
| -rw-r--r-- | domains.conf.sample | 2 | ||||
| -rw-r--r-- | http.sh | 50 |
5 files changed, 88 insertions, 8 deletions
@@ -13,7 +13,8 @@ LIBMODE?= 0644 LIB= init.sh CHALLENGEMODE?= 0755 -CHALLENGE= kerberos.sh +CHALLENGE= http.sh \ + kerberos.sh BINMODE?= 0755 BIN= lfacme-renew.sh \ diff --git a/acme.conf.5 b/acme.conf.5 index 8643d55..550123a 100644 --- a/acme.conf.5 +++ b/acme.conf.5 @@ -18,7 +18,7 @@ The following variables may be set: (Required.) The URL of the ACME server. .It Va ACME_DATADIR -The path to the runtime datadirectory, where the ACME account key and any +The path to the runtime data directory, where the ACME account key and any issued certificates will be stored. The default value is .Pa /var/db/lfacme . @@ -28,6 +28,20 @@ The path to a directory containing hooks to invoke when issuing certificates .Xr domains.conf 5 ) . The default value is .Pa /usr/local/etc/lfacme/hooks . +.It Va ACME_HTTP_CHALLENGE_DIR +The directory to store ACME challenges when responding to an +.Dq http-01 +challenge with the +.Dq http +challenge handler. +This directory must be served at +.Dq /.well-known/acme-challenge +on any domain which will be validated with the +.Dq http +handler. +There is no default value; you must set this if you use the +.Dq http +handler. .It Va ACME_KERBEROS_PRINCIPAL The Kerberos principal to use when responding to a .Dq dns-01 diff --git a/acme.conf.sample b/acme.conf.sample index 2fb4ca6..257f7aa 100644 --- a/acme.conf.sample +++ b/acme.conf.sample @@ -2,7 +2,8 @@ # so you can include other files or call programs here if you like. -### ACME_URL: The URL of the ACME server. +### ACME_URL +# The URL of the ACME server. # No default, you must set this. # Let's Encrypt production: 
@@ -12,22 +13,34 @@ #ACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory" -### ACME_DATADIR: Runtime data directory. +### ACME_DATADIR +# Runtime data directory. # This is where the ACME account key and the issued certificates are stored. # The default is /var/db/lfacme. #ACME_DATADIR="/var/db/lfacme" -### ACME_HOOKDIR: The path to the directory containing certificate hooks. +### ACME_HOOKDIR +#The path to the directory containing certificate hooks. # The default is "/usr/local/etc/lfacme/hooks". # There is usually no need to change this. #ACME_HOOKDIR="/some/directory" -### ACME_KERBEROS_PRINCIPAL: The Kerberos principal we use for nsupdate. -# The default is "host/$(hostname)", which assumes a default realm is -# configured in /etc/krb5.conf. +### ACME_HTTP_CHALLENGE_DIR +# When using the "http" challenge handler, this is the directory which contains +# ACME challenges. This must be served at /.well-known/acme-challenge on any +# domain using http validation. +# No default, you must set this if you use the "http" handler. + +#ACME_HTTP_CHALLENGE_DIR="/var/www/acme-challenge" + + +### ACME_KERBEROS_PRINCIPAL +# When using the "kerberos" challenge handler, this is the Kerberos principal +# we use for nsupdate. The default is "host/$(hostname)", which assumes a +# default realm is configured in /etc/krb5.conf. #ACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG" diff --git a/domains.conf.sample b/domains.conf.sample index ec51322..98422bc 100644 --- a/domains.conf.sample +++ b/domains.conf.sample @@ -52,6 +52,8 @@ # # For example, to use RSA (instead of the default ECDSA) for all certificates: * type=rsa +# To use HTTP for all challenges: +* challenge=http # Issue a cert for example.org using the default options. # We don't provide any SANs, so the certificate name is used as the domain. 
@@ -0,0 +1,50 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+. /usr/local/share/lfacme/init.sh
+
+# begin, done or failed
+ACTION=$1
+# ACME method, must be http-01.
+METHOD=$2
+# The full domain name we're authorising.
+DOMAIN=$3
+# Token name.
+TOKEN=$4
+# The token value we need to create.
+AUTH=$5
+
+if [ "$#" -ne 5 ]; then
+ _fatal "missing arguments"
+fi
+
+if [ "$METHOD" != "http-01" ]; then
+ _warn "skip method %s" "$METHOD"
+ exit 1
+fi
+
+if [ -z "$ACME_HTTP_CHALLENGE_DIR" ]; then
+ _fatal "must set ACME_HTTP_CHALLENGE_DIR"
+fi
+
+if ! [ -d "$ACME_HTTP_CHALLENGE_DIR" ]; then
+ _fatal "missing $ACME_HTTP_CHALLENGE_DIR"
+fi
+
+_file="${ACME_HTTP_CHALLENGE_DIR}/${TOKEN}"
+
+case "$ACTION" in
+ begin)
+ echo "$AUTH" >"$_file"
+ exit $?
+ ;;
+
+ done|failed)
+ rm -f "$_file"
+ exit $?
+ ;;
+
+ *)
+ _fatal "unknown action: %s" "$ACTION"
+ ;;
+esac
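Review bot: `_file="${ACME_HTTP_CHALLENGE_DIR}/${TOKEN}"` is built from an argument that the script never checks before writing it with `echo "$AUTH" >"$_file"` and removing it with `rm -f "$_file"`, so a token containing `/` would place or delete a file outside the challenge directory; RFC 8555 tokens are base64url and a conforming server will not send such a value, but a hook that touches the filesystem should not rely on the caller for that. Assuming `_fatal` exits as its use after the argument-count check suggests, a guard before the assignment closes this: `case "$TOKEN" in` / `''|*/*|.|..) _fatal "invalid token: %s" "$TOKEN" ;;` / `esac`. The diagnostics are also inconsistent: the other calls pass the variable as a `%s` argument (`_fatal "unknown action: %s" "$ACTION"`, `_warn "skip method %s" "$METHOD"`), while `_fatal "missing $ACME_HTTP_CHALLENGE_DIR"` interpolates the path into what appears to be the format string, so a `%` in the configured directory would be misparsed — `_fatal "missing %s" "$ACME_HTTP_CHALLENGE_DIR"` matches the rest of the file. In the `begin` arm, `printf '%s\n' "$AUTH" >"$_file"` is preferable to `echo`, whose handling of a leading `-` or of backslashes differs between `/bin/sh` implementations.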
