#! /bin/sh
# This source code is released into the public domain.
#
# dns-01 hook: publishes (and later removes) the ACME challenge TXT record
# with nsupdate, authenticating the dynamic update with a Kerberos ticket
# obtained from a keytab (nsupdate -g, i.e. GSS-TSIG).
#
# Usage: kerberos.sh ACTION METHOD DOMAIN TOKEN AUTH
#
# Environment (all optional):
#   ACME_KERBEROS_KINIT      kinit binary to use (handed to _findbin)
#   ACME_KERBEROS_PRINCIPAL  principal to authenticate as, default host/<hostname>
#   ACME_KERBEROS_KEYTAB     keytab holding that principal's key, default /etc/krb5.keytab
#
# __LIBDIR__ is substituted at build time (this file is a .in template).
# _findbin and _fatal are presumably provided by init.sh, _NSUPDATE and
# lfacme_dns_wait_for_record by dnsutils.sh -- neither is visible here.

. __LIBDIR__/init.sh
. __LIBDIR__/dnsutils.sh

# begin, done or failed
ACTION=$1
# ACME method, must be dns-01.
METHOD=$2
# This is the full domain name we're authorising.
DOMAIN=$3
# Token name, not used for dns-01.
TOKEN=$4
# The token value we need to create.
AUTH=$5

# $ACME_KERBEROS_KINIT is deliberately unquoted so that an empty value
# contributes no argument to _findbin (assumed; _findbin is defined in init.sh).
_KINIT="$(_findbin kinit $ACME_KERBEROS_KINIT)"

if [ "$#" -ne 5 ]; then
	_fatal "missing arguments"
fi

# Any other challenge type is simply not ours; exit quietly with failure.
if [ "$METHOD" != "dns-01" ]; then
	exit 1
fi

# NOTE(review): hostname(1) may print the short name on some systems while
# the keytab entry is host/FQDN -- confirm that the default matches the keytab,
# or set ACME_KERBEROS_PRINCIPAL explicitly.  A dedicated principal whose
# update rights are limited to the _acme-challenge names keeps the host
# principal's credentials out of this path.
if [ -z "$ACME_KERBEROS_PRINCIPAL" ]; then
	ACME_KERBEROS_PRINCIPAL="host/$(hostname)"
fi

if [ -z "$ACME_KERBEROS_KEYTAB" ]; then
	ACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
fi

# Fail early with a clear message rather than letting kinit report it.
if ! [ -r "$ACME_KERBEROS_KEYTAB" ]; then
	_fatal "keytab does not exist (or is not readable): %s" \
		"$ACME_KERBEROS_KEYTAB"
fi

# Non-interactive kinit from the keytab.  The resulting ticket lands in the
# invoking user's default credential cache, which is presumably where
# nsupdate -g picks it up from -- verify if the hook runs under a restricted
# account or a custom KRB5CCNAME.
if ! $_KINIT -k -t "$ACME_KERBEROS_KEYTAB" "$ACME_KERBEROS_PRINCIPAL"; then
	_fatal "failed to obtain a Kerberos ticket"
fi

# Add a new record using nsupdate.
_add_record() {
	local domain="$1"
	local auth="$2"

	$_NSUPDATE -g <<EOF
update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
	return $?
}

# Remove an existing record using nsupdate.
_remove_record() {
	local domain="$1"
	local auth="$2"

	$_NSUPDATE -g <<EOF
update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
	return $?
}

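# Dispatch on the hook action: begin publishes the record and blocks until it
# is visible; done/failed remove it again (exit status is nsupdate's); any
# other action is a usage error.
case "$ACTION" in
	begin)
		if ! _add_record "$DOMAIN" "$AUTH"; then
			_fatal "failed to add the DNS record for %s" "$DOMAIN"
			exit 1
		fi

		# lfacme_dns_wait_for_record comes from dnsutils.sh (sourced above);
		# presumably it polls until the TXT record resolves, or gives up.
		if ! lfacme_dns_wait_for_record "$DOMAIN" "$AUTH"; then
			_fatal "timed out waiting for the DNS record for '%s' to be published" \
				"$DOMAIN"
			exit 1
		fi

		exit 0
		;;

	done|failed)
		# Clean up on success and failure alike so stale challenge records
		# do not accumulate in the zone.
		_remove_record "$DOMAIN" "$AUTH"
		exit $?
		;;

	*)
		# Explicit exit 1 for consistency with the other arms: should _fatal
		# ever return instead of exiting, an unknown action must not look
		# like success to the caller.
		_fatal "unknown action: %s" "$ACTION"
		exit 1
		;;
esac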