1 #!/bin/sh /etc/rc.common
# OpenWrt rc.common service script driving ACME certificate issuance.
# Only a subset of the file's lines is shown here (the line numbers skip
# ahead), so anything not referenced in the visible lines lives outside
# this view.
# Directory the web-served challenge files are placed in. $run_dir is
# assigned outside the visible lines. Exported so child processes (the hook,
# the client) see it; it is replaced further down when the deprecated
# "webroot" option is set.
5 export CHALLENGE_DIR
=$run_dir/challenge
# Where issued certificates end up (quoted in the state_dir deprecation
# warning further down). Exported for the same reason as CHALLENGE_DIR.
6 export CERT_DIR
=/etc
/ssl
/acme
# Path of the hook script handed to the ACME client; not referenced again
# in the visible lines.
8 HOOK
=/usr
/lib
/acme
/hook
# Shared helpers (presumably log, first_arg, load_credentials, ...) come
# from this file. IPKG_INSTROOT is presumably the package install root,
# empty on a running system -- TODO confirm against functions.sh.
11 # shellcheck source=net/acme/files/functions.sh
12 .
"$IPKG_INSTROOT/usr/lib/acme/functions.sh"
15 log debug
"cleaning up"
# Lock file created by the start path (exec 200>$run_dir/lock further down).
# What is done with it inside this branch, and the closing fi, are outside
# the visible lines.
# NOTE(review): $run_dir is unquoted inside [ ]; harmless only if it is a
# fixed, whitespace-free path, which the visible lines do not show -- confirm.
16 if [ -e $run_dir/lock
]; then
# Remove the temporary firewall rule that the standalone path inserted.
# The unquoted expansion is deliberate and is safe only because NFT_HANDLE
# is captured through grep -o 'handle [0-9]\+' further down, so it can only
# ever be the two words "handle" and a number. Keep that invariant if the
# capture is ever changed, otherwise this becomes argument injection into nft.
19 if [ "$NFT_HANDLE" ]; then
20 # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
21 nft delete rule inet fw4 input
$NFT_HANDLE
28 # compatibility for old option name
# The legacy "use_staging" boolean wins; "staging" (default 0) is consulted
# only when the legacy option is absent. The closing fi is not visible here.
29 config_get_bool staging
"$section" use_staging
30 if [ -z "$staging" ]; then
31 config_get_bool staging
"$section" staging
0
# Optional cert/key alias names and the domain list of this cert section.
34 config_get calias
"$section" calias
36 config_get dalias
"$section" dalias
38 config_get domains
"$section" domains
# $domains is left unquoted on purpose so the whitespace-separated list is
# split into arguments; first_arg (defined outside this view) presumably
# returns the first one, which becomes the certificate's primary name.
41 main_domain
="$(first_arg $domains)"
# Legacy "keylength" is mapped onto key_type: an "ec-N" value has its dash
# dropped (ec-256 -> ec256); anything else is prefixed with "rsa".
# NOTE: ${var/pat/repl} is not POSIX sh; it relies on the target shell
# (typically BusyBox ash on OpenWrt) accepting the bash-style substitution.
# The case keyword and esac are not in the visible lines.
42 config_get keylength
"$section" keylength
43 if [ "$keylength" ]; then
44 log warn
"Option \"keylength\" is deprecated, please use key_type (e.g., ec256, rsa2048) instead."
46 ec-
*) key_type
=${keylength/-/} ;;
47 *) key_type
=rsa
$keylength ;;
# key_type defaults to ec256 when neither it nor keylength is configured.
50 config_get key_type
"$section" key_type ec256
# dns (presumably a DNS provider/API selector; its presence also selects the
# dns validation method below), the ACME server setting, and days.
53 config_get dns
"$section" dns
55 config_get acme_server
"$section" acme_server
57 config_get days
"$section" days
# "standalone" is deprecated but still honoured when guessing validation_method.
59 config_get standalone
"$section" standalone
60 [ -n "$standalone" ] && log warn
"Option \"standalone\" is deprecated."
61 config_get dns_wait
"$section" dns_wait
# Deprecated "webroot": the warning is logged while CHALLENGE_DIR still holds
# the default (so the user sees the recommended path), then the option
# replaces CHALLENGE_DIR so challenge files land where the web server already
# serves from. The closing fi is not visible here.
63 config_get webroot
"$section" webroot
64 if [ "$webroot" ]; then
65 log warn
"Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
66 CHALLENGE_DIR
=$webroot
# Without an explicit validation_method: dns if a dns option is set,
# standalone if the deprecated standalone=1 is set, otherwise webroot, and
# the user is warned to pin the choice in config. The else and fi lines are
# not visible here. The result is exported for the hook/client.
69 config_get validation_method
"$section" validation_method
70 # if validation_method isn't set then guess it
71 if [ -z "$validation_method" ]; then
72 if [ -n "$dns" ]; then
73 validation_method
="dns"
74 elif [ "$standalone" = 1 ]; then
75 validation_method
="standalone"
77 validation_method
="webroot"
79 log warn
"Please set \"option validation_method $validation_method\"."
81 export validation_method
# Per-"cert" section handler (invoked via config_foreach further down).
# Sections with enabled=0 are skipped; the default is enabled.
91 config_get_bool enabled
"$section" enabled
1
92 [ "$enabled" = 1 ] ||
return
# Pulls the section's options into variables (see the load_options lines above).
94 load_options
"$section"
# webroot validation: make sure the challenge directory exists.
95 if [ "$validation_method" = "webroot" ]; then
96 mkdir
-p "$CHALLENGE_DIR"
# standalone validation: open TCP/80 in the fw4 input chain, once per run
# (guarded by NFT_HANDLE being empty). `nft -a -e` echoes the inserted rule
# with its handle and the grep keeps only "handle N", which is exactly what
# cleanup later passes to `nft delete`. Assuming no pipefail (none is
# visible), the if tests grep's status; grep -o exits non-zero when nothing
# matched, so an nft failure also lands in the (not visible) error branch.
# NOTE(review): the accept rule is removed only by the cleanup code; if that
# is not reached (how it is triggered is outside this view) the rule stays
# in place until the firewall is reloaded -- confirm a trap covers that.
99 if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
100 if ! NFT_HANDLE
=$
(nft
-a -e insert rule inet fw4 input tcp dport
80 counter accept comment ACME |
grep -o 'handle [0-9]\+'); then
# Presumably the success (else) branch of the if above; the branch keywords
# and fi are not visible.
103 log debug
"added nft rule: $NFT_HANDLE"
# Each entry of the "credentials" list is handed to load_credentials
# (defined outside this view).
109 config_list_foreach
"$section" credentials load_credentials
# account_email is mandatory; the bail-out following the error is not visible.
117 config_get account_email
"$section" account_email
118 if [ -z "$account_email" ]; then
119 log err
"account_email option is required"
# Deprecated state_dir is still created so existing setups keep working.
124 config_get state_dir
"$section" state_dir
125 if [ "$state_dir" ]; then
126 log warn
"Option \"state_dir\" is deprecated, please remove it. Certificates now exist in $CERT_DIR."
127 mkdir
-p "$state_dir"
# Debug flag of the section, default off. The comment below says only the
# first acme section is considered; the code doing that is outside the
# visible lines.
133 config_get debug
"$section" debug
0
136 # only look for the first acme section
# Start path: hold fd 200 on the lock file and take a non-blocking exclusive
# lock on it so two runs never race on the same state. The error branch
# after log err (and its fi) is not visible.
# NOTE(review): $run_dir is unquoted in the redirect target -- fine for a
# fixed path assigned elsewhere in the file, broken if it ever contains
# whitespace; confirm where run_dir is set.
142 exec 200>$run_dir/lock
143 if ! flock
-n 200; then
144 log err
"Another ACME instance is already running."
# Global "acme" sections first, then one get_cert call per "cert" section.
# The config_load that has to precede these is not in the visible lines.
151 config_foreach load_globals acme
153 config_foreach get_cert cert
# procd trigger: re-run the service whenever the "acme" UCI config changes.
157 procd_add_config_trigger config.change acme \
158 /etc
/init.d
/acme start