From 403e010c5203a9ae418f4ed9636e4e56c6fafc02 Mon Sep 17 00:00:00 2001
From: Lexi Winter <lexi@le-fay.org>
Date: Wed, 4 Jun 2025 21:26:10 +0100
Subject: make program paths configurable

---
 acme.conf.5.in       |  7 +++++++
 dns.sh.in            |  4 ++--
 dnsutils.sh.in       |  7 +++++--
 init.sh.in           | 43 ++++++++++++++++++++++++++++++++++++++++---
 kerberos.sh.in       | 13 ++++++++++---
 lfacme-dns.7.in      | 14 ++++++++++++++
 lfacme-kerberos.7.in | 21 +++++++++++++++++++++
 lfacme-ualpn.7.in    | 14 ++++++++++++++
 ualpn.sh.in          |  6 ++++--
 9 files changed, 117 insertions(+), 12 deletions(-)

diff --git a/acme.conf.5.in b/acme.conf.5.in
index d968c74..a13f6ff 100644
--- a/acme.conf.5.in
+++ b/acme.conf.5.in
@@ -39,6 +39,13 @@ The path to a directory containing hooks to invoke when issuing certificates
 .Xr domains.conf 5 ) .
 The default path is
 .Pa __CONFDIR__/hooks .
+.It Va ACME_UACME
+Path to the
+.Xr uacme 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
 .El
 .Pp
 Additional configuration variables may be used by the ACME validation hooks;
diff --git a/dns.sh.in b/dns.sh.in
index 67fb280..e651cec 100644
--- a/dns.sh.in
+++ b/dns.sh.in
@@ -32,7 +32,7 @@ _add_record() {
 	local domain="$1"
 	local auth="$2"
 
-	nsupdate -k "$ACME_DNS_KEYFILE" <<EOF
+	$_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
 update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
@@ -44,7 +44,7 @@ _remove_record() {
 	local domain="$1"
 	local auth="$2"
 
-	nsupdate -k "$ACME_DNS_KEYFILE" <<EOF
+	$_NSUPDATE -k "$ACME_DNS_KEYFILE" <<EOF
 update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
diff --git a/dnsutils.sh.in b/dnsutils.sh.in
index a1523ff..290f1e3 100644
--- a/dnsutils.sh.in
+++ b/dnsutils.sh.in
@@ -2,6 +2,9 @@
 #
 # Utility functions for DNS-based authorizations.
 
+_DIG="$(_findbin dig $ACME_DNS_DIG)"
+_NSUPDATE="$(_findbin nsupdate $ACME_DNS_NSUPDATE)"
+
 # Retrieve the nameservers for a given domain.  On failure, prints an error
 # message and exits.
 lfacme_dns_getnameservers() {
@@ -19,7 +22,7 @@ lfacme_dns_getnameservers() {
 		# For CNAME records, a query for NS will return the CNAME.
 		# Therefore we have to check we actually got NS records.
 		local nameservers="$(
-			dig "$_trydomain" ns +noall +answer | \
+			$_DIG "$_trydomain" ns +noall +answer | \
 			awk '$4 == "NS" { print $5 }'
 		)"
 
@@ -53,7 +56,7 @@ lfacme_dns_wait_for_nameserver() {
 		fi
 
 		local _rdatas="$(
-			dig "_acme-challenge.$domain" txt @$nameserver \
+			$_DIG "_acme-challenge.$domain" txt @$nameserver \
 				+noall +answer \
 			| awk '$4 == "TXT" { print $5 }'
 		)"
diff --git a/init.sh.in b/init.sh.in
index c70285c..e21b1e4 100644
--- a/init.sh.in
+++ b/init.sh.in
@@ -1,12 +1,14 @@
 # This source code is released into the public domain.
 
-_PROGNAME="$0"
+_PROGNAME="${0##*/}"
+
+trap 'exit 1' TERM
 
 _fatal() {
 	local _fmt=$1; shift
 	local _msg="$(printf "$_fmt" "$@")"
 	printf >&2 '%s: FATAL: %s\n' "$_PROGNAME" "$_msg"
-	exit 1
+	kill $$
 }
 
 _error() {
@@ -80,16 +82,51 @@ fi
 if [ ! -d "$ACME_DATADIR" ]; then
 	_info "creating directory %s" "$ACME_DATADIR"
 	mkdir -p "$ACME_DATADIR"
+	if [ "$?" -ne 0 ]; then
+		exit 1
+	fi
 fi
 
 # The domains.conf file.
 _DOMAINS="${_CONFDIR}/domains.conf"
 
+# Find a program based on $PATH, or return the second argument if specified.
+# If the program isn't found, print an error and exit.
+_findbin() {
+	local cmd="$1"
+	local force="$2"
+
+	if ! [ -z "$force" ]; then
+		if ! [ -x "$force" ]; then
+			_fatal "not found or not executable: %s" "$force"
+		fi
+
+		echo $force
+		return 0
+	fi
+
+	local oIFS="$IFS"
+	local IFS=:
+	for dir in $PATH; do
+		local _bin="${dir}/${cmd}"
+
+		if ! [ -x "$_bin" ]; then
+			continue
+		fi
+
+		echo $_bin
+		return 0
+	done
+	IFS="$oIFS"
+
+	_fatal "required command '%s' not found" "$cmd"
+}
+
 # uacme's base directory; this is where it puts certificates.
 _UACME_DIR="${ACME_DATADIR}/certs"
 
 # The uacme executable.
-_UACME=uacme
+_UACME="$(_findbin uacme $ACME_UACME)"
 
 _LFACME_UACME_FLAGS=""
 if ! [ -z "$LFACME_VERBOSE" ]; then
diff --git a/kerberos.sh.in b/kerberos.sh.in
index 41d99c2..e29f9c3 100644
--- a/kerberos.sh.in
+++ b/kerberos.sh.in
@@ -15,6 +15,8 @@ TOKEN=$4
 # The token value we need to create.
 AUTH=$5
 
+_KINIT="$(_findbin kinit $ACME_KERBEROS_KINIT)"
+
 if [ "$#" -ne 5 ]; then
 	_fatal "missing arguments"
 fi
@@ -31,7 +33,12 @@ if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
 	ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
 fi
 
-if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
+if ! [ -r "$ACME_KERBEROS_KEYTAB" ]; then
+	_fatal "keytab does not exist (or is not readable): %s" \
+		"$ACME_KERBEROS_KEYTAB"
+fi
+
+if ! $_KINIT -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
 	_fatal "failed to obtain a Kerberos ticket"
 fi
 
@@ -40,7 +47,7 @@ _add_record() {
 	local domain="$1"
 	local auth="$2"
 
-	nsupdate -g <<EOF
+	$_NSUPDATE -g <<EOF
 update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
@@ -52,7 +59,7 @@ _remove_record() {
 	local domain="$1"
 	local auth="$2"
 
-	nsupdate -g <<EOF
+	$_NSUPDATE -g <<EOF
 update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
 send
 EOF
diff --git a/lfacme-dns.7.in b/lfacme-dns.7.in
index 441931f..4d25031 100644
--- a/lfacme-dns.7.in
+++ b/lfacme-dns.7.in
@@ -52,6 +52,20 @@ challenge hook supports the following configuration options in
 The key file that will be passed to
 .Xr nsupdate 1
 to authenticate the DNS update.
+.It Va ACME_DNS_DIG
+Path to the
+.Xr dig 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_NSUPDATE
+Path to the
+.Xr nsupdate 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
 .El
 .Sh SEE ALSO
 .Xr acme.conf 5 ,
diff --git a/lfacme-kerberos.7.in b/lfacme-kerberos.7.in
index a2bd73b..ae96109 100644
--- a/lfacme-kerberos.7.in
+++ b/lfacme-kerberos.7.in
@@ -65,6 +65,27 @@ This must contain a key for the principal configured by
 .Va ACME_KERBEROS_PRINCIPAL .
 The default value is
 .Pa /etc/krb5.keytab .
+.It Va ACME_KERBEROS_KINIT
+Path to the
+.Xr kinit 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_DIG
+Path to the
+.Xr dig 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.It Va ACME_DNS_NSUPDATE
+Path to the
+.Xr nsupdate 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
 .El
 .Sh DNS SERVER CONFIGURATION
 For
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
index 80efd2c..2762f0f 100644
--- a/lfacme-ualpn.7.in
+++ b/lfacme-ualpn.7.in
@@ -33,6 +33,20 @@ daemon, which is part of uacme.
 The
 .Xr ualpn 1
 daemon must be configured and running for this challenge handler to work.
+.Sh CONFIGURATION
+The
+.Nm
+challenge hook supports the following configuration options in
+.Xr acme.conf 5 :
+.Bl -tag -width indent
+.It Va ACME_UALPN
+Path to the
+.Xr ualpn 1
+program.
+If not specified,
+.Ev $PATH
+will be searched.
+.El
 .Sh SEE ALSO
 .Xr acme.conf 5 ,
 .Xr domains.conf 5 ,
diff --git a/ualpn.sh.in b/ualpn.sh.in
index 4e76530..80855c0 100644
--- a/ualpn.sh.in
+++ b/ualpn.sh.in
@@ -22,10 +22,12 @@ if [ "$METHOD" != "tls-alpn-01" ]; then
 	exit 1
 fi
 
+_UALPN="$(_findbin ualpn $ACME_UALPN)"
+
 case "$ACTION" in
 	begin)
 		_verbose "creating validation token for %s" "$DOMAIN"
-		status="$(ualpn <<EOF
+		status="$($_UALPN <<EOF
 auth $DOMAIN $AUTH
 EOF
 )"
@@ -38,7 +40,7 @@ EOF
 
 	done|failed)
 		_verbose "deleting validation token for %s" "$DOMAIN"
-		status="$(ualpn <<EOF
+		status="$($_UALPN <<EOF
 unauth $DOMAIN
 EOF
 )"
-- 
cgit v1.2.3