acme-acmesh: Don't hard-code certificate directory
#!/bin/sh
# acme.sh backend hook for the OpenWrt acme package.
# Invoked by the acme service with the action name as $1 and a certificate's
# configuration exported in the environment (main_domain, domains, keylength,
# staging, state_dir, CERT_DIR, CHALLENGE_DIR, ... — presumably set by the
# caller or by functions.sh; none of them are defined in this file).

# Abort on any unset variable. There is no -e: acme.sh's exit status is
# inspected explicitly further down, because not every non-zero code is an error.
set -u
ACME=/usr/lib/acme/client/acme.sh
# Presumably consumed by the log helper from functions.sh — confirm there.
LOG_TAG=acme-acmesh
# webroot option deprecated, use the exported value directly in the next major version
# NOTE: under 'set -u' this line terminates the hook if neither webroot nor
# CHALLENGE_DIR is in the environment.
WEBROOT=${webroot:-$CHALLENGE_DIR}
NOTIFY=/usr/lib/acme/notify

# shellcheck source=net/acme/files/functions.sh
. /usr/lib/acme/functions.sh

# Needed by acme.sh
# CURL_CA_BUNDLE pins the trust store used for the CA connection; NO_TIMESTAMP
# affects acme.sh's own log output.
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export NO_TIMESTAMP=1
15
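#######################################
# Create one symlink unless something already lives at the link name.
# '[ -e ]' follows symlinks, so a dangling link (e.g. one left behind after
# the state directory was renamed to *.staging or *.failed-*) is treated as
# absent and replaced via -f; a real file or a valid link is never overwritten.
# Arguments: $1 - link target
#            $2 - link name
# Returns:   ln's status, or 0 when the destination already exists
#######################################
link_cert_file()
{
	if [ ! -e "$2" ]; then
		ln -sf "$1" "$2"
	fi
}

#######################################
# Expose the files acme.sh wrote for a certificate under the stable names
# other services read from CERT_DIR.
# Globals:   CERT_DIR (read)
# Arguments: $1 - acme.sh state directory of the certificate
#            $2 - main domain (also the certificate's basename in $1)
# Outputs:   <main_domain>.crt, .key, .fullchain.crt and .chain.crt in CERT_DIR
#######################################
link_certs()
{
	local main_domain
	local domain_dir
	domain_dir="$1"
	main_domain="$2"

	link_cert_file "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt"
	link_cert_file "$domain_dir/$main_domain.key" "$CERT_DIR/$main_domain.key"
	link_cert_file "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt"
	link_cert_file "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt"
}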
37
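# Dispatch on the action passed by the acme service. Only "get" is handled;
# any other action is silently a no-op.
case $1 in
get)
	# From here on the positional parameters are the acme.sh argument list.
	set --
	[ "$debug" = 1 ] && set -- "$@" --debug

	# acme.sh keeps ECC certificates in a separate "<domain>_ecc" state
	# directory and needs --ecc to find them again.
	case $keylength in
	ec-*)
		domain_dir="$state_dir/${main_domain}_ecc"
		set -- "$@" --ecc
		;;
	*)
		domain_dir="$state_dir/$main_domain"
		;;
	esac

	log info "Running ACME for $main_domain"

	# Must be initialised before the failure handling below reads it: under
	# 'set -u' an unset variable aborts the script, which would skip both the
	# state move and the issue-failed notification whenever the staging
	# branch was not taken.
	staging_moved=0

	if [ -e "$domain_dir" ]; then
		if [ "$staging" = 0 ] && grep -q "acme-staging" "$domain_dir/$main_domain.conf"; then
			# Existing state was issued by a staging CA: park it and fall
			# through to a fresh --issue against the production server.
			mv "$domain_dir" "$domain_dir.staging"
			log info "Certificates are previously issued from a staging server, but staging option is diabled, moved to $domain_dir.staging."
			staging_moved=1
		else
			set -- "$@" --renew --home "$state_dir" -d "$main_domain"
			log info "$ACME $*"
			# An interrupted renewal must still be reported as a failure.
			trap '$NOTIFY renew-failed;exit 1' INT
			"$ACME" "$@"
			status=$?
			trap - INT

			case $status in
			0)
				link_certs "$domain_dir" "$main_domain"
				$NOTIFY renewed
				exit
				;;
			2)
				# renew skipped (not yet due) — not an error, nothing to notify.
				exit
				;;
			*)
				$NOTIFY renew-failed
				exit 1
				;;
			esac
		fi
	fi

	# Issue path. $domains is a space-separated list, so the unquoted
	# expansion is deliberate word-splitting.
	for d in $domains; do
		set -- "$@" -d "$d"
	done
	set -- "$@" --keylength "$keylength" --accountemail "$account_email"

	if [ "$acme_server" ]; then
		set -- "$@" --server "$acme_server"
	# default to letsencrypt because the upstream default may change
	elif [ "$staging" = 1 ]; then
		set -- "$@" --server letsencrypt_test
	else
		set -- "$@" --server letsencrypt
	fi

	if [ "$days" ]; then
		set -- "$@" --days "$days"
	fi

	# Challenge method: DNS (with optional alias/wait), standalone listener,
	# or the webroot shared with the web server.
	if [ "$dns" ]; then
		set -- "$@" --dns "$dns"
		if [ "$dalias" ]; then
			# acme.sh accepts only one alias mode; domain alias wins.
			set -- "$@" --domain-alias "$dalias"
			if [ "$calias" ]; then
				log err "Both domain and challenge aliases are defined. Ignoring the challenge alias."
			fi
		elif [ "$calias" ]; then
			set -- "$@" --challenge-alias "$calias"
		fi
		if [ "$dns_wait" ]; then
			set -- "$@" --dnssleep "$dns_wait"
		fi
	elif [ "$standalone" = 1 ]; then
		set -- "$@" --standalone --listen-v6
	else
		mkdir -p "$WEBROOT"
		set -- "$@" --webroot "$WEBROOT"
	fi

	set -- "$@" --issue --home "$state_dir"

	log info "$ACME $*"
	# An interrupted issue must still be reported as a failure.
	trap '$NOTIFY issue-failed;exit 1' INT
	# The hook strings are handed to acme.sh as commands; it presumably
	# records them in the domain .conf for later renewals — confirm.
	"$ACME" "$@" \
		--pre-hook "$NOTIFY prepare" \
		--renew-hook "$NOTIFY renewed"
	status=$?
	trap - INT

	case $status in
	0)
		link_certs "$domain_dir" "$main_domain"
		$NOTIFY issued
		;;
	*)
		if [ "$staging_moved" = 1 ]; then
			# Production issue failed: put the working staging state back.
			mv "$domain_dir.staging" "$domain_dir"
			log err "Staging certificate restored"
		elif [ -d "$domain_dir" ]; then
			# Keep the failed state for inspection instead of retrying on top of it.
			failed_dir="$domain_dir.failed-$(date +%s)"
			mv "$domain_dir" "$failed_dir"
			log err "State moved to $failed_dir"
		fi
		$NOTIFY issue-failed
		;;
	esac
	;;
esac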