From 64ac331b10cc7d4907207c3d75cfb88c9ec51117 Mon Sep 17 00:00:00 2001 From: Lexi Winter Date: Tue, 3 Jun 2025 14:02:32 +0100 Subject: kerberos.sh: make keytab configurable --- acme.conf.5 | 10 ++++++++++ acme.conf.sample | 7 +++++++ kerberos.sh | 6 +++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/acme.conf.5 b/acme.conf.5 index 550123a..269b99b 100644 --- a/acme.conf.5 +++ b/acme.conf.5 @@ -50,6 +50,16 @@ challenge with the challenge handler. The default value is .Dq host/$(hostname) . +.It Va ACME_KERBEROS_KEYTAB +The Kerberos keytab to use when responding to a +.Dq dns-01 +challenge with the +.Dq kerberos +challenge handler. +The keytab must contain a Kerberos key for the principal configured in +.Va ACME_KERBEROS_PRINCIPAL . +The default value is +.Pa /etc/krb5.keytab . .El .Sh SEE ALSO .Xr domains.conf 5 , diff --git a/acme.conf.sample b/acme.conf.sample index 5805a7d..86d8693 100644 --- a/acme.conf.sample +++ b/acme.conf.sample @@ -44,3 +44,10 @@ # default realm is configured in /etc/krb5.conf. #ACME_KERBEROS_PRINCIPAL="host/server.example.org@EXAMPLE.ORG" + +### ACME_KERBEROS_KEYTAB +# When using the "kerberos" challenge handler, this is the keytab used to +# issue the ticket. It must contain a key for $ACME_KERBEROS_PRINCIPAL. +# The default is /etc/krb5.keytab. + +#ACME_KERBEROS_KEYTAB="/etc/krb5.keytab" diff --git a/kerberos.sh b/kerberos.sh index 9b5d3ae..dad7aad 100644 --- a/kerberos.sh +++ b/kerberos.sh @@ -22,7 +22,11 @@ if [ "$METHOD" != "dns-01" ]; then exit 1 fi -if ! kinit -k -t /etc/krb5.keytab "$ACME_KERBEROS_PRINCIPAL"; then +if [ -z "$ACME_KERBEROS_KEYTAB" ]; then + ACME_KERBEROS_KEYTAB="/etc/krb5.keytab" +fi + +if ! kinit -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then _fatal "failed to obtain a Kerberos ticket" fi -- cgit v1.2.3
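Review bot: kinit is now handed an operator-supplied keytab path, but nothing in the kerberos.sh hunk verifies that the path exists or is readable before the call, and the `_fatal "failed to obtain a Kerberos ticket"` on the line after the new kinit still names neither the keytab nor the principal, so a typo in ACME_KERBEROS_KEYTAB only shows up as that generic message. Put `[ -r "$ACME_KERBEROS_KEYTAB" ] || _fatal "keytab $ACME_KERBEROS_KEYTAB is not readable"` in front of the kinit line and extend the existing failure to `_fatal "failed to obtain a Kerberos ticket for $ACME_KERBEROS_PRINCIPAL from $ACME_KERBEROS_KEYTAB"`. As a point of style, the new three-line `if [ -z ... ]` default block is the single POSIX expansion `: "${ACME_KERBEROS_KEYTAB:=/etc/krb5.keytab}"`, which also keeps the default next to its one use. These are top-level statements and the rest of the script, including where acme.conf is read, lies outside the hunk, so whether the path can carry untrusted input cannot be judged from here.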