1 #!/bin/sh /etc/rc.common
5 export CHALLENGE_DIR
=$run_dir/challenge
6 export CERT_DIR
=/etc
/ssl
/acme
8 HOOK
=/usr
/lib
/acme
/hook
11 # shellcheck source=net/acme/files/functions.sh
12 .
/usr
/lib
/acme
/functions.sh
15 log debug
"cleaning up"
16 if [ -e $run_dir/lock
]; then
19 if [ "$NFT_HANDLE" ]; then
20 # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
21 nft delete rule inet fw4 input
$NFT_HANDLE
28 # compatibility for old option name
29 config_get_bool staging
"$section" use_staging
30 if [ -z "$staging" ]; then
31 config_get_bool staging
"$section" staging
0
34 config_get calias
"$section" calias
36 config_get dalias
"$section" dalias
38 config_get domains
"$section" domains
41 main_domain
="$(first_arg $domains)"
42 config_get keylength
"$section" keylength ec-256
44 config_get dns
"$section" dns
46 config_get acme_server
"$section" acme_server
48 config_get days
"$section" days
50 config_get standalone
"$section" standalone
0
52 config_get dns_wait
"$section" dns_wait
55 config_get webroot
"$section" webroot
57 if [ "$webroot" ]; then
58 log warn
"Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
69 config_get_bool enabled
"$section" enabled
1
70 [ "$enabled" = 1 ] ||
return
72 load_options
"$section"
73 if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
74 mkdir
-p "$CHALLENGE_DIR"
77 if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
78 if ! NFT_HANDLE
=$
(nft
-a -e insert rule inet fw4 input tcp dport
80 counter accept comment ACME |
grep -o 'handle [0-9]\+'); then
81 log debug
"added nft rule: $NFT_HANDLE"
87 config_list_foreach
"$section" credentials load_credentials
95 config_get account_email
"$section" account_email
96 if [ -z "$account_email" ]; then
97 log err
"account_email option is required"
102 config_get state_dir
"$section" state_dir
103 if [ "$state_dir" ]; then
104 log warn
"Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
105 mkdir
-p "$state_dir"
111 config_get debug
"$section" debug
0
114 # only look for the first acme section
120 exec 200>$run_dir/lock
121 if ! flock
-n 200; then
122 log err
"Another ACME instance is already running."
129 config_foreach load_globals acme
131 config_foreach get_cert cert
135 procd_add_config_trigger config.change acme \
136 /etc
/init.d
/acme start