Skip to content

Commit

Permalink
Add DOKKU_LETSENCRYPT_TOS_HASH
Browse files Browse the repository at this point in the history 
Ref #73.

Adds a new configuration variable DOKKU_LETSENCRYPT_TOS_HASH that can be
set to the SHA256 hash of the current Let's Encrypt terms of services
that you agree to. If unset, the default TOS hash used in kuba/simp_le
will be used.
  • Loading branch information
@sseemayer
sseemayer committed Aug 2, 2016
1 parent 202db0f commit a849254
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 6 deletions.
11 changes: 6 additions & 5 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,11 +78,12 @@ Once the certificate is installed, you can use the `certs:*` built-in commands t
## Configuration
`dokku-letsencrypt` uses the [Dokku environment variable manager](http://dokku.viewdocs.io/dokku/configuration-management/) for all configuration. The important environment variables are:

Variable | Default | Description
--------------------------------|-------------|-------------------------------------------------------------------------
`DOKKU_LETSENCRYPT_EMAIL` | (none) | **REQUIRED:** E-mail address to use for registering with Let's Encrypt.
`DOKKU_LETSENCRYPT_GRACEPERIOD` | 30 days | Time in seconds left on a certificate before it should get renewed
`DOKKU_LETSENCRYPT_SERVER` | default | Which ACME server to use. Can be 'default', 'staging' or a URL
Variable | Default | Description
--------------------------------|-----------------------|---------------------------------------------------------------------------------
`DOKKU_LETSENCRYPT_EMAIL` | (none) | **REQUIRED:** E-mail address to use for registering with Let's Encrypt.
`DOKKU_LETSENCRYPT_GRACEPERIOD` | 30 days | Time in seconds left on a certificate before it should get renewed
`DOKKU_LETSENCRYPT_SERVER` | default | Which ACME server to use. Can be 'default', 'staging' or a URL
`DOKKU_LETSENCRYPT_TOS_HASH` | (simp\_le-controlled) | Set the SHA256 hash of the let's encrypt terms of service version you agree to.

You can set a setting using `dokku config:set --no-restart <myapp> SETTING_NAME=setting_value`. When looking for a setting, the plugin will first look if it was defined for the current app and fall back to settings defined by `--global`.

Expand Down
9 changes: 8 additions & 1 deletion functions
View file
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,13 @@ letsencrypt_configure_and_get_dir() {
server="https://acme-staging.api.letsencrypt.org/directory"
fi

# get the selected terms of service (TOS) hash
local tos_hash=${DOKKU_LETSENCRYPT_TOS_HASH}
local tos_hash_arg=''
if [ ! -z "$tos_hash" ]; then
tos_hash_arg="--tos_sha256 $tos_hash "
fi

# construct domain arguments
local domains="$(get_app_domains "$app")"
local domain_args=''
Expand All @@ -149,7 +156,7 @@ letsencrypt_configure_and_get_dir() {
domain_args="$domain_args -d $domain"
done

local config="--server $server --email $DOKKU_LETSENCRYPT_EMAIL $domain_args"
local config="--server $server --email $DOKKU_LETSENCRYPT_EMAIL ${tos_hash_arg}${domain_args}"

This comment has been minimized.

Sign in to view

Copy link
@drbraden

drbraden Aug 4, 2016
edited
Loading

I know this commit was reverted, but just in case this was partially the reason for the revert:

There is a missing space on this line between the last two args which would break both args. I believe what was meant is:

  local config="--server $server --email $DOKKU_LETSENCRYPT_EMAIL ${tos_hash_arg} ${domain_args}"

Edit: github interpreted the angle brackets around the word "space" and thought it was html.

This comment has been minimized.

Sign in to view

Copy link
@sseemayer

sseemayer Aug 4, 2016

Author Contributor

The missing space is actually intentional since the config string will be hashed to determine the certificate directory. By not introducing an additional space when no TOS hash is given the certificate directory stays the same as before the patch. If a TOS hash was given, the space you were missing can be found here

This comment has been minimized.

Sign in to view

Copy link
@drbraden

drbraden Aug 17, 2016

Ahh, clever, I totally missed that, thanks for pointing it out :)

local config_hash=$(echo "$config" | sha1sum | awk '{print $1}')
local config_dir="$le_root/certs/$config_hash"; mkdir -p "$config_dir"
Expand Down

3 comments on commit a849254

@sseemayer
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please disregard this fix, replacing it with something that doesn't require additional user interaction 😄

@drbraden
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think it'd be cool to be able to specify the tos_hash by env variable or as a cli argument ;)

Actually, the more I think about it, I think the cli argument route would be the cleaner way to go.

@sseemayer
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason for the revert was that requiring the user to specify the correct TOS hash seemed too cumbersome to me. While there are some potential flexibility gains in having a configurable TOS hash, I thought it was more important to fix #73 ASAP without requiring additional user interaction and since the situation with kuba/simp_le having the wrong TOS hash will be temporary, I found it a good-enough temporary fix.

You are invited to build on this commit and propose a PR that is able to make the TOS hash configurable without complicating the default user experience, though 👍

Please sign in to comment.