1 files changed, 86 insertions, 0 deletions

diff --git a/kerberos.sh.in b/kerberos.sh.in
new file mode 100644
index 0000000..41d99c2
--- /dev/null
+++ b/kerberos.sh.in
@@ -0,0 +1,86 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+. __LIBDIR__/init.sh
+. __LIBDIR__/dnsutils.sh
+
+# begin, done or failed
+ACTION=$1
+# ACME method, must be dns-01.
+METHOD=$2
+# This is the full domain name we're authorising.
+DOMAIN=$3
+# Token name, not used for dns-01.
+TOKEN=$4
+# The token value we need to create.
+AUTH=$5
+
+if [ "$#" -ne 5 ]; then
+	_fatal "missing arguments"
+fi
+
+if [ "$METHOD" != "dns-01" ]; then
+	exit 1
+fi
+
+if [ -z "$ACME_KERBEROS_PRINCIPAL" ]; then
+	ACME_KERBEROS_PRINCIPAL="host/$(hostname)"
+fi
+
+if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
+	ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
+fi
+
+if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
+	_fatal "failed to obtain a Kerberos ticket"
+fi
+
+# Add a new record using nsupdate.
+_add_record() {
+	local domain="$1"
+	local auth="$2"
+
+	nsupdate -g <<EOF
+update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
+send
+EOF
+	return $?
+}
+
+# Remove an existing record using nsupdate.
+_remove_record() {
+	local domain="$1"
+	local auth="$2"
+
+	nsupdate -g <<EOF
+update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
+send
+EOF
+	return $?
+}
+
+case "$ACTION" in
+	begin)
+		if ! _add_record "$DOMAIN" "$AUTH"; then
+			_fatal "failed to add the DNS record for %s" "$DOMAIN"
+			exit 1
+		fi
+
+		if ! lfacme_dns_wait_for_record "$DOMAIN" "$AUTH"; then
+			_fatal "timed out waiting for the DNS record for '%s' to be published" \
+				"$DOMAIN"
+			exit 1
+		fi
+
+		exit 0
+		;;
+
+	done|failed)
+		_remove_record "$DOMAIN" "$AUTH"
+		exit $?
+		;;
+
+	*)
+		_fatal "unknown action: %s" "$ACTION"
+		;;
+esac