forked from rembik/dehydrated-hetzner-hook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hook.sh
executable file
·155 lines (130 loc) · 4.98 KB
/
hook.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
#!/usr/bin/env bash
#
# Deploy a DNS challenge using lexicon
set -e
set -u
set -o pipefail
export PROVIDER_UPDATE_DELAY=${PROVIDER_UPDATE_DELAY:-"30"}
export PROVIDER=${PROVIDER:-"hetzner"}
function deploy_challenge {
local chain=($@)
for ((i=0; i < $#; i+=3)); do
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}"
echo "deploy_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
if [ "${PROVIDER}" != "hetzner" ]; then
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." \
--content="${TOKEN_VALUE}"
else
local PROPAGATED="yes"
if ((i < $# - 3)); then
local PROPAGATED="no"
fi
lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." \
--content="${TOKEN_VALUE}" --propagated="${PROPAGATED}"
fi
done
if [ "${PROVIDER}" != "hetzner" ]; then
local DELAY_COUNTDOWN=$PROVIDER_UPDATE_DELAY
while [ $DELAY_COUNTDOWN -gt 0 ]; do
echo -ne "${DELAY_COUNTDOWN}\033[0K\r"
sleep 1
: $((DELAY_COUNTDOWN--))
done
fi
# This hook is called once for every domain chain that needs to be
# validated, including any alternative names you may have listed.
#
# Parameters:
# - DOMAIN
# The domain name (CN or subject alternative name) being
# validated.
# - TOKEN_FILENAME
# The name of the file containing the token to be served for HTTP
# validation. Should be served by your web server as
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
# - TOKEN_VALUE
# The token value that needs to be served for validation. For DNS
# validation, this is what you want to put in the _acme-challenge
# TXT record. For HTTP validation it is the value that is expected
# be found in the $TOKEN_FILENAME file.
}
function clean_challenge {
local chain=($@)
for ((i=0; i < $#; i+=3)); do
local DOMAIN="${chain[i]}" TOKEN_FILENAME="${chain[i+1]}" TOKEN_VALUE="${chain[i+2]}"
echo "clean_challenge called: ${DOMAIN}, ${TOKEN_FILENAME}, ${TOKEN_VALUE}"
lexicon $PROVIDER delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." \
--content="${TOKEN_VALUE}"
done
# This hook is called after attempting to validate each domain
# chain, whether or not validation was successful. Here you
# can delete files or DNS records that are no longer needed.
#
# The parameters are the same as for deploy_challenge.
}
function invalid_challenge() {
local DOMAIN="${1}" RESPONSE="${2}"
echo " + invalid_challenge called: ${DOMAIN}, ${RESPONSE}"
# This hook is called if the challenge response has failed, so domain
# owners can be aware and act accordingly.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - RESPONSE
# The response that the verification server returned
}
function deploy_cert {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
echo " + deploy_cert called: ${DOMAIN}, ${KEYFILE}, ${FULLCHAINFILE}"
# This hook is called once for each certificate that has been
# produced. Here you might, for instance, copy your new certificates
# to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
}
function unchanged_cert {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
echo " + unchanged_cert called: ${DOMAIN}, ${KEYFILE}, ${FULLCHAINFILE}"
# This hook is called once for each certificate that is still
# valid and therefore wasn't reissued.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
}
exit_hook() {
# This hook is called at the end of a dehydrated command and can be used
# to do some final (cleanup or other) tasks.
:
}
startup_hook() {
# This hook is called before the dehydrated command to do some initial tasks
# (e.g. starting a webserver).
:
}
HANDLER=$1; shift;
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
$HANDLER "$@"
fi