aboutsummaryrefslogtreecommitdiffstats
path: root/kerberos-challenge.sh
diff options
context:
space:
mode:
Diffstat (limited to 'kerberos-challenge.sh')
-rw-r--r--kerberos-challenge.sh146
1 files changed, 146 insertions, 0 deletions
diff --git a/kerberos-challenge.sh b/kerberos-challenge.sh
new file mode 100644
index 0000000..95ca2af
--- /dev/null
+++ b/kerberos-challenge.sh
@@ -0,0 +1,146 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+. /usr/local/share/lfacme/init.sh
+
+# begin, done or failed
+ACTION=$1
+# ACME method, must be dns-01.
+METHOD=$2
+# This is the full domain name we're authorising.
+DOMAIN=$3
+# Token name, not used for dns-01.
+TOKEN=$4
+# The token value we need to create.
+AUTH=$5
+
+#set
+#exit 1
+
+if [ "$#" -ne 5 ]; then
+ _fatal "missing arguments"
+fi
+
+if [ "$METHOD" != "dns-01" ]; then
+ _warn "skip method %s" "$METHOD"
+ exit 1
+fi
+
+if ! kinit -k -t /etc/krb5.keytab "$ACME_KERBEROS_PRINCIPAL"; then
+ _fatal "failed to obtain a Kerberos ticket"
+fi
+
+# Keep removing labels from the name until we find one with nameservers.
+_getnameservers() {
+ local domain="$1"
+
+ local _trydomain="$domain"
+ while ! [ -z "$_trydomain" ]; do
+ if [ "$_trydomain" = "${_trydomain#*.}" ]; then
+ # If there are no dots in the domain, we couldn't
+ # find the nameservers.
+ break
+ fi
+
+ # For CNAME records, a query for NS will return the CNAME.
+ # Therefore we have to check we actually got NS records.
+ local nameservers="$(
+ dig "$_trydomain" ns +noall +answer | \
+ awk '$4 == "NS" { print $5 }'
+ )"
+
+ if ! [ -z "$nameservers" ]; then
+ echo "$nameservers"
+ return
+ fi
+
+ _trydomain="${_trydomain#*.}"
+ done
+
+ _fatal "unable to find nameservers for %s" "$_trydomain"
+}
+
+# Add a new record using nsupdate.
+_add_record() {
+ local domain="$1"
+ local auth="$2"
+
+ nsupdate -g <<EOF
+update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
+send
+EOF
+ return $?
+}
+
+# Remove an existing record using nsupdate.
+_remove_record() {
+ local domain="$1"
+ local auth="$2"
+
+ nsupdate -g <<EOF
+update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
+send
+EOF
+ return $?
+}
+
+# Wait for the DNS record to appear on a specific nameserver.
+_wait_for_nameserver() {
+ local domain="$1"
+ local auth="$2"
+ local nameserver="$3"
+
+ echo "waiting for $domain on nameserver $ns..."
+
+ waited=0
+ waitlimit=60
+ while sleep 1; do
+ waited=$((waited + 1))
+ if [ $waited -ge $waitlimit ]; then
+ _error "timed out waiting for nameserver update for %s" \
+ "$domain"
+ return 1
+ fi
+
+ data="$(dig "_acme-challenge.$domain" txt @$nameserver +short)"
+ if [ -z "$data" ]; then
+ continue
+ fi
+
+ if [ "$data" = "\"$auth\"" ]; then
+ return 0
+ fi
+ done
+}
+
+# Wait for DNS servers to have the given record.
+_wait_for_record() {
+ local domain="$1"
+ local auth="$2"
+ local nameservers="$(_getnameservers "$domain")"
+
+ for ns in $nameservers; do
+ _wait_for_nameserver "$domain" "$auth" "$ns" || return 1
+ done
+
+ return 0
+}
+
+case "$ACTION" in
+ begin)
+ _add_record "$DOMAIN" "$AUTH" \
+ && _wait_for_record "$DOMAIN" "$AUTH"
+ exit $?
+ ;;
+
+ done|failed)
+ _remove_record "$DOMAIN" "$AUTH"
+ exit $?
+ ;;
+
+ *)
+ _fatal "unknown action: %s" "$ACTION"
+ ;;
+esac
+
+