diff options
Diffstat (limited to 'bin/dehydrated-hook.d')
| -rwxr-xr-x | bin/dehydrated-hook.d | 297 |
1 files changed, 297 insertions, 0 deletions
diff --git a/bin/dehydrated-hook.d b/bin/dehydrated-hook.d new file mode 100755 index 0000000..62095e5 --- /dev/null +++ b/bin/dehydrated-hook.d @@ -0,0 +1,297 @@ +#!/bin/sh +HOOKS_DIR="/etc/dehydrated/hook.d" + +deploy_challenge () +{ + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + + # This hook is called once for every domain that needs to be + # validated, including any alternative names you may have listed. + # + # Parameters: + # - DOMAIN + # The domain name (CN or subject alternative name) being + # validated. + # - TOKEN_FILENAME + # The name of the file containing the token to be served for HTTP + # validation. Should be served by your web server as + # /.well-known/acme-challenge/${TOKEN_FILENAME}. + # - TOKEN_VALUE + # The token value that needs to be served for validation. For DNS + # validation, this is what you want to put in the _acme-challenge + # TXT record. For HTTP validation it is the value that is expected + # be found in the $TOKEN_FILENAME file. + + export DOMAIN + export TOKEN_FILENAME + export TOKEN_VALUE + run-parts --regex '^deploy_challenge.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset TOKEN_FILENAME + unset TOKEN_VALUE +} + +clean_challenge () +{ + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + + # This hook is called after attempting to validate each domain, + # whether or not validation was successful. Here you can delete + # files or DNS records that are no longer needed. + # + # The parameters are the same as for deploy_challenge. + + export DOMAIN + export TOKEN_FILENAME + export TOKEN_VALUE + run-parts --regex '^clean_challenge.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset TOKEN_FILENAME + unset TOKEN_VALUE +} + +sync_cert () +{ + local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" + + # This hook is called after the certificates have been created but before + # they are symlinked. This allows you to sync the files to disk to prevent + # creating a symlink to empty files on unexpected system crashes. + # + # This hook is not intended to be used for further processing of certificate + # files, see deploy_cert for that. + # + # Parameters: + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). + # - REQUESTFILE + # The path of the file containing the certificate signing request. + + export KEYFILE + export CERTFILE + export FULLCHAINFILE + export CHAINFILE + export REQUESTFILE + run-parts --regex '^sync_cert.*.sh$' ${HOOKS_DIR} + unset KEYFILE + unset CERTFILE + unset FULLCHAINFILE + unset CHAINFILE + unset REQUESTFILE +} + +deploy_cert () +{ + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" + + # This hook is called once for each certificate that has been + # produced. Here you might, for instance, copy your new certificates + # to service-specific locations and reload the service. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). + # - TIMESTAMP + # Timestamp when the specified certificate was created. + + export DOMAIN + export KEYFILE + export CERTFILE + export FULLCHAINFILE + export CHAINFILE + export TIMESTAMP + run-parts --regex '^deploy_cert.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset CERTFILE + unset FULLCHAINFILE + unset CHAINFILE + unset TIMESTAMP +} + +deploy_ocsp () +{ + local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" + + # This hook is called once for each updated ocsp stapling file that has + # been produced. Here you might, for instance, copy your new ocsp stapling + # files to service-specific locations and reload the service. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - OCSPFILE + # The path of the ocsp stapling file + # - TIMESTAMP + # Timestamp when the specified ocsp stapling file was created. + + export DOMAIN + export OCSPFILE + export TIMESTAMP + run-parts --regex '^deploy_ocsp.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset OCSPFILE + unset TIMESTAMP +} + +unchanged_cert () +{ + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" + + # This hook is called once for each certificate that is still + # valid and therefore wasn't reissued. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). + + export DOMAIN + export KEYFILE + export CERTFILE + export FULLCHAINFILE + export CHAINFILE + run-parts --regex '^unchanged_cert.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset CERTFILE + unset FULLCHAINFILE + unset CHAINFILE +} + +invalid_challenge () +{ + local DOMAIN="${1}" RESPONSE="${2}" + + # This hook is called if the challenge response has failed, so domain + # owners can be aware and act accordingly. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - RESPONSE + # The response that the verification server returned + + # Simple example: Send mail to root + # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root + export DOMAIN + export RESPONSE + run-parts --regex '^invalid_challenge.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset RESPONSE +} + +request_failure () +{ + local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" + + # This hook is called when an HTTP request fails (e.g., when the ACME + # server is busy, returns an error, etc). It will be called upon any + # response code that does not start with '2'. Useful to alert admins + # about problems with requests. + # + # Parameters: + # - STATUSCODE + # The HTML status code that originated the error. + # - REASON + # The specified reason for the error. + # - REQTYPE + # The kind of request that was made (GET, POST...) + # - HEADERS + # HTTP headers returned by the CA + + export STATUSCODE + export REASON + export REQTYPE + export HEADERS + run-parts --regex '^request_failure.*.sh$' ${HOOKS_DIR} + unset STATUSCODE + unset REASON + unset REQTYPE + unset HEADERS +} + +generate_csr () +{ + local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" + + # This hook is called before any certificate signing operation takes place. + # It can be used to generate or fetch a certificate signing request with external + # tools. + # The output should be just the cerificate signing request formatted as PEM. + # + # Parameters: + # - DOMAIN + # The primary domain as specified in domains.txt. This does not need to + # match with the domains in the CSR, it's basically just the directory name. + # - CERTDIR + # Certificate output directory for this particular certificate. Can be used + # for storing additional files. + # - ALTNAMES + # All domain names for the current certificate as specified in domains.txt. + # Again, this doesn't need to match with the CSR, it's just there for convenience. + + # Simple example: Look for pre-generated CSRs + # if [ -e "${CERTDIR}/pre-generated.csr" ]; then + # cat "${CERTDIR}/pre-generated.csr" + # fi + export DOMAIN + export CERTDIR + export ALTNAMES + run-parts --regex '^generate_csr.*.sh$' ${HOOKS_DIR} + unset DOMAIN + unset CERTDIR + unset ALTNAMES +} + +startup_hook () +{ + # This hook is called before the cron command to do some initial tasks + # (e.g. starting a webserver). + + run-parts --regex '^startup.*.sh$' ${HOOKS_DIR} +} + +exit_hook () +{ + local ERROR="${1:-}" + + # This hook is called at the end of the cron command and can be used to + # do some final (cleanup or other) tasks. + # + # Parameters: + # - ERROR + # Contains error message if dehydrated exits with error + export ERROR + run-parts --regex '^exit_hook.*.sh$' ${HOOKS_DIR} + unset ERROR +} + +HANDLER="$1"; shift +if echo "${HANDLER}" | grep -o -E '^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$' +then + "$HANDLER" "$@" +fi |