-rw-r--r--Makefile6
-rw-r--r--lfacme-ualpn.7.in41
-rw-r--r--ualpn.sh.in55
3 files changed, 100 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index 8aef3e8..bcf080d 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,8 @@ LIB= init.sh dnsutils.sh
CHALLENGEMODE?= 0755
CHALLENGE= dns.sh \
http.sh \
- kerberos.sh
+ kerberos.sh \
+ ualpn.sh
BINMODE?= 0755
BIN= lfacme-renew.sh \
@@ -44,7 +45,8 @@ MAN5= acme.conf.5 \
MAN7= lfacme.7 \
lfacme-dns.7 \
lfacme-http.7 \
- lfacme-kerberos.7
+ lfacme-kerberos.7 \
+ lfacme-ualpn.7
MAN8= lfacme-renew.8 \
lfacme-setup.8
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
new file mode 100644
index 0000000..dceaa8d
--- /dev/null
+++ b/lfacme-ualpn.7.in
@@ -0,0 +1,41 @@
+.\" This source code is released into the public domain.
+.Dd June 4, 2025
+.Dt LFACME-UALPN 7
+.Os
+.Sh NAME
+.Nm lfacme-ualpn
+.Nd validate an ACME challenge via TLS using ualpn
+.Sh SYNOPSIS
+In
+.Xr domains.conf 5 :
+.Bd -ragged -offset indent
+.Ar domain
+challenge=ualpn
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+challenge hook will respond to an ACME domain validation using a TLS-based
+.Dq tls-alpn-01
+authorization.
+To use this challenge hook, configure one or more domains with
+.Dq challenge=ualpn
+in
+.Xr domains.conf 5 .
+.Pp
+The
+.Dq tls-alpn-01
+challenge expects the authorization token to be provided in response to a
+TLS connection to port 443 on the domain to be valided.
+This functionality is provided by the
+.Xr ualpn 1
+daemon, which is part of uacme.
+The
+.Xr ualpn 1
+daemon must be configured and running for this challenge handler to work.
+.Sh SEE ALSO
+.Xr acme.conf 5 ,
+.Xr domains.conf 5 ,
+.Xr lfacme 7 ,
+.Xr lfacme-renew 8 ,
+.Xr ualpn 1
diff --git a/ualpn.sh.in b/ualpn.sh.in
new file mode 100644
index 0000000..372ed27
--- /dev/null
+++ b/ualpn.sh.in
@@ -0,0 +1,55 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+. __LIBDIR__/init.sh
+
+# begin, done or failed
+ACTION=$1
+# ACME method, must be http-01.
+METHOD=$2
+# The full domain name we're authorising.
+DOMAIN=$3
+# Token name.
+TOKEN=$4
+# The token value we need to create.
+AUTH=$5
+
+if [ "$#" -ne 5 ]; then
+ _fatal "missing arguments"
+fi
+
+if [ "$METHOD" != "tls-alpn-01" ]; then
+ exit 1
+fi
+
+case "$ACTION" in
+ begin)
+ _verbose "creating validation token %s" "$_file"
+ status="$(ualpn <<EOF
+auth ${DOMAIN} ${AUTH}
+EOF
+)"
+ if [ "$status" = "OK" ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ ;;
+
+ done|failed)
+ _verbose "deleting validation token %s" "$_file"
+ status="$(ualpn <<EOF
+unauth ${DOMAIN}
+EOF
+)"
+ if [ "$status" = "OK" ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ ;;
+
+ *)
+ _fatal "unknown action: %s" "$ACTION"
+ ;;
+esac
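Review bot: `$_file` is referenced in the `_verbose` calls of both the `begin` and the `done|failed` arms but is never assigned anywhere in this script, so both log lines print an empty placeholder (it looks carried over from the http hook); logging the domain instead, `_verbose "registering %s with ualpn" "$DOMAIN"` and `_verbose "deregistering %s from ualpn" "$DOMAIN"`, would make the messages useful. The comment above `METHOD=$2` still says `must be http-01` while the check a few lines below rejects anything but `tls-alpn-01`; change it to `# ACME method, must be tls-alpn-01.`. Because the `auth`/`unauth` requests are handed to ualpn as whitespace-separated, newline-terminated lines built from `$DOMAIN` and `$AUTH`, it may be worth rejecting a value containing whitespace before the here-document is assembled, so a malformed argument cannot be read as a second request — hedged, since how ualpn tokenises its input is not visible here. When `ualpn` is missing or cannot reach its daemon, `$status` is simply empty and the hook exits 1 silently; a diagnostic on stderr naming the failure would shorten troubleshooting of a failed renewal.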