Skip to content

Instantly share code, notes, and snippets.

@seia-soto

seia-soto/hook.sh

Last active February 15, 2023 16:20
Show Gist options
  • Save seia-soto/9da434e9c6123644664c4b5f62c03179 to your computer and use it in GitHub Desktop.
Save seia-soto/9da434e9c6123644664c4b5f62c03179 to your computer and use it in GitHub Desktop.
Download ZIP
dehydrated hook to integrate with nginx via http-01
Raw
hook.sh
#!/usr/bin/env bash
reload_nginx() {
echo "reload nginx"
service nginx reload
}
create_autoconfig() {
local DOMAIN="${1}"
local AUTOCONFIG="/etc/nginx/snippets/autoconfig-${DOMAIN}"
if [[ ! -f "/etc/nginx/conf.d/${DOMAIN}.conf" ]]; then
cat > "/etc/nginx/conf.d/${DOMAIN}.conf" << EOL
server {
server_name ${DOMAIN};
include snippets/autoconfig-${DOMAIN}/config;
}
EOL
fi;
if [[ ! -d "${AUTOCONFIG}" ]]; then
mkdir -p "${AUTOCONFIG}"
fi;
if [[ ! -f "${AUTOCONFIG}/fullchain" ]]; then
echo "set temporary certificates: domain=${DOMAIN} path=${AUTOCONFIG}/fullchain"
touch "${AUTOCONFIG}/fullchain"
fi;
if [[ ! -f "${AUTOCONFIG}/key" ]]; then
echo "set temporary certificates: domain=${DOMAIN} path=${AUTOCONFIG}/key"
touch "${AUTOCONFIG}/key"
fi;
if [[ ! -f "${AUTOCONFIG}/config" ]]; then
cat > "${AUTOCONFIG}/config" << EOL
listen 80 proxy_protocol;
EOL
fi;
echo "${AUTOCONFIG}"
}
deploy_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called once for every domain that needs to be
# validated, including any alternative names you may have listed.
#
# Parameters:
# - DOMAIN
# The domain name (CN or subject alternative name) being
# validated.
# - TOKEN_FILENAME
# The name of the file containing the token to be served for HTTP
# validation. Should be served by your web server as
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
# - TOKEN_VALUE
# The token value that needs to be served for validation. For DNS
# validation, this is what you want to put in the _acme-challenge
# TXT record. For HTTP validation it is the value that is expected
# be found in the $TOKEN_FILENAME file.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
local AUTOCONFIG="$(create_autoconfig "${DOMAIN}" "${AUTOCONFIG}")"
echo "set challenge route: domain=${DOMAIN}"
cat > "${AUTOCONFIG}/config" << EOL
listen 80 proxy_protocol;
listen 443 ssl http2 proxy_protocol;
if (\$scheme = http) {
return 301 https://\$host\$request_uri;
}
ssl_certificate ${AUTOCONFIG}/certificate;
ssl_certificate_key ${AUTOCONFIG}/privatekey;
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
EOL
reload_nginx
}
clean_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called after attempting to validate each domain,
# whether or not validation was successful. Here you can delete
# files or DNS records that are no longer needed.
#
# The parameters are the same as for deploy_challenge.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
sync_cert() {
local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
# This hook is called after the certificates have been created but before
# they are symlinked. This allows you to sync the files to disk to prevent
# creating a symlink to empty files on unexpected system crashes.
#
# This hook is not intended to be used for further processing of certificate
# files, see deploy_cert for that.
#
# Parameters:
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
# - REQUESTFILE
# The path of the file containing the certificate signing request.
# Simple example: sync the files before symlinking them
# sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
echo "creation success fullchain=${FULLCHAINFILE}"
}
deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
# This hook is called once for each certificate that has been
# produced. Here you might, for instance, copy your new certificates
# to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
# - TIMESTAMP
# Timestamp when the specified certificate was created.
# Simple example: Copy file to nginx config
# cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
# systemctl reload nginx
local AUTOCONFIG="$(create_autoconfig "${DOMAIN}" "${AUTOCONFIG}")"
echo "copy certificates: domain=${DOMAIN}"
cp -f "${CERTFILE}" "${AUTOCONFIG}/certificate"
cp -f "${KEYFILE}" "${AUTOCONFIG}/privatekey"
echo "set https: domain=${DOMAIN}"
cat > "${AUTOCONFIG}/config" << EOL
listen 80 proxy_protocol;
listen 443 ssl http2 proxy_protocol;
if (\$scheme = http) {
return 301 https://\$host\$request_uri;
}
ssl_certificate ${AUTOCONFIG}/certificate;
ssl_certificate_key ${AUTOCONFIG}/privatekey;
EOL
reload_nginx
}
deploy_ocsp() {
local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
# This hook is called once for each updated ocsp stapling file that has
# been produced. Here you might, for instance, copy your new ocsp stapling
# files to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - OCSPFILE
# The path of the ocsp stapling file
# - TIMESTAMP
# Timestamp when the specified ocsp stapling file was created.
# Simple example: Copy file to nginx config
# cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
# systemctl reload nginx
}
unchanged_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
# This hook is called once for each certificate that is still
# valid and therefore wasn't reissued.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
}
invalid_challenge() {
local DOMAIN="${1}" RESPONSE="${2}"
# This hook is called if the challenge response has failed, so domain
# owners can be aware and act accordingly.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - RESPONSE
# The response that the verification server returned
# Simple example: Send mail to root
# printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
}
request_failure() {
local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
# This hook is called when an HTTP request fails (e.g., when the ACME
# server is busy, returns an error, etc). It will be called upon any
# response code that does not start with '2'. Useful to alert admins
# about problems with requests.
#
# Parameters:
# - STATUSCODE
# The HTML status code that originated the error.
# - REASON
# The specified reason for the error.
# - REQTYPE
# The kind of request that was made (GET, POST...)
# - HEADERS
# HTTP headers returned by the CA
# Simple example: Send mail to root
# printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
}
generate_csr() {
local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
# This hook is called before any certificate signing operation takes place.
# It can be used to generate or fetch a certificate signing request with external
# tools.
# The output should be just the certificate signing request formatted as PEM.
#
# Parameters:
# - DOMAIN
# The primary domain as specified in domains.txt. This does not need to
# match with the domains in the CSR, it's basically just the directory name.
# - CERTDIR
# Certificate output directory for this particular certificate. Can be used
# for storing additional files.
# - ALTNAMES
# All domain names for the current certificate as specified in domains.txt.
# Again, this doesn't need to match with the CSR, it's just there for convenience.
# Simple example: Look for pre-generated CSRs
# if [ -e "${CERTDIR}/pre-generated.csr" ]; then
# cat "${CERTDIR}/pre-generated.csr"
# fi
create_autoconfig "${DOMAIN}"
}
startup_hook() {
# This hook is called before the cron command to do some initial tasks
# (e.g. starting a webserver).
true;
}
exit_hook() {
local ERROR="${1:-}"
# This hook is called at the end of the cron command and can be used to
# do some final (cleanup or other) tasks.
#
# Parameters:
# - ERROR
# Contains error message if dehydrated exits with error
}
HANDLER="$1"; shift
if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
"$HANDLER" "$@"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment