Diffstat (limited to 'bin/dehydrated-hook.d')
-rwxr-xr-x | bin/dehydrated-hook.d | 297 |
1 files changed, 0 insertions, 297 deletions
diff --git a/bin/dehydrated-hook.d b/bin/dehydrated-hook.d
deleted file mode 100755
index 62095e5..0000000
--- a/bin/dehydrated-hook.d
+++ /dev/null
@@ -1,297 +0,0 @@
-#!/bin/sh
-HOOKS_DIR="/etc/dehydrated/hook.d"
-
-deploy_challenge ()
-{
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
-
- # This hook is called once for every domain that needs to be
- # validated, including any alternative names you may have listed.
- #
- # Parameters:
- # - DOMAIN
- # The domain name (CN or subject alternative name) being
- # validated.
- # - TOKEN_FILENAME
- # The name of the file containing the token to be served for HTTP
- # validation. Should be served by your web server as
- # /.well-known/acme-challenge/${TOKEN_FILENAME}.
- # - TOKEN_VALUE
- # The token value that needs to be served for validation. For DNS
- # validation, this is what you want to put in the _acme-challenge
- # TXT record. For HTTP validation it is the value that is expected
- # be found in the $TOKEN_FILENAME file.
-
- export DOMAIN
- export TOKEN_FILENAME
- export TOKEN_VALUE
- run-parts --regex '^deploy_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset TOKEN_FILENAME
- unset TOKEN_VALUE
-}
-
-clean_challenge ()
-{
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
-
- # This hook is called after attempting to validate each domain,
- # whether or not validation was successful. Here you can delete
- # files or DNS records that are no longer needed.
- #
- # The parameters are the same as for deploy_challenge.
-
- export DOMAIN
- export TOKEN_FILENAME
- export TOKEN_VALUE
- run-parts --regex '^clean_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset TOKEN_FILENAME
- unset TOKEN_VALUE
-}
-
-sync_cert ()
-{
- local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
-
- # This hook is called after the certificates have been created but before
- # they are symlinked. This allows you to sync the files to disk to prevent
- # creating a symlink to empty files on unexpected system crashes.
- #
- # This hook is not intended to be used for further processing of certificate
- # files, see deploy_cert for that.
- #
- # Parameters:
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - REQUESTFILE
- # The path of the file containing the certificate signing request.
-
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- export REQUESTFILE
- run-parts --regex '^sync_cert.*.sh$' ${HOOKS_DIR}
- unset KEYFILE
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
- unset REQUESTFILE
-}
-
-deploy_cert ()
-{
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
-
- # This hook is called once for each certificate that has been
- # produced. Here you might, for instance, copy your new certificates
- # to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - TIMESTAMP
- # Timestamp when the specified certificate was created.
-
- export DOMAIN
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- export TIMESTAMP
- run-parts --regex '^deploy_cert.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
- unset TIMESTAMP
-}
-
-deploy_ocsp ()
-{
- local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
-
- # This hook is called once for each updated ocsp stapling file that has
- # been produced. Here you might, for instance, copy your new ocsp stapling
- # files to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - OCSPFILE
- # The path of the ocsp stapling file
- # - TIMESTAMP
- # Timestamp when the specified ocsp stapling file was created.
-
- export DOMAIN
- export OCSPFILE
- export TIMESTAMP
- run-parts --regex '^deploy_ocsp.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset OCSPFILE
- unset TIMESTAMP
-}
-
-unchanged_cert ()
-{
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
-
- # This hook is called once for each certificate that is still
- # valid and therefore wasn't reissued.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
-
- export DOMAIN
- export KEYFILE
- export CERTFILE
- export FULLCHAINFILE
- export CHAINFILE
- run-parts --regex '^unchanged_cert.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTFILE
- unset FULLCHAINFILE
- unset CHAINFILE
-}
-
-invalid_challenge ()
-{
- local DOMAIN="${1}" RESPONSE="${2}"
-
- # This hook is called if the challenge response has failed, so domain
- # owners can be aware and act accordingly.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - RESPONSE
- # The response that the verification server returned
-
- # Simple example: Send mail to root
- # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
- export DOMAIN
- export RESPONSE
- run-parts --regex '^invalid_challenge.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset RESPONSE
-}
-
-request_failure ()
-{
- local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
-
- # This hook is called when an HTTP request fails (e.g., when the ACME
- # server is busy, returns an error, etc). It will be called upon any
- # response code that does not start with '2'. Useful to alert admins
- # about problems with requests.
- #
- # Parameters:
- # - STATUSCODE
- # The HTML status code that originated the error.
- # - REASON
- # The specified reason for the error.
- # - REQTYPE
- # The kind of request that was made (GET, POST...)
- # - HEADERS
- # HTTP headers returned by the CA
-
- export STATUSCODE
- export REASON
- export REQTYPE
- export HEADERS
- run-parts --regex '^request_failure.*.sh$' ${HOOKS_DIR}
- unset STATUSCODE
- unset REASON
- unset REQTYPE
- unset HEADERS
-}
-
-generate_csr ()
-{
- local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
-
- # This hook is called before any certificate signing operation takes place.
- # It can be used to generate or fetch a certificate signing request with external
- # tools.
- # The output should be just the cerificate signing request formatted as PEM.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain as specified in domains.txt. This does not need to
- # match with the domains in the CSR, it's basically just the directory name.
- # - CERTDIR
- # Certificate output directory for this particular certificate. Can be used
- # for storing additional files.
- # - ALTNAMES
- # All domain names for the current certificate as specified in domains.txt.
- # Again, this doesn't need to match with the CSR, it's just there for convenience.
-
- # Simple example: Look for pre-generated CSRs
- # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
- # cat "${CERTDIR}/pre-generated.csr"
- # fi
- export DOMAIN
- export CERTDIR
- export ALTNAMES
- run-parts --regex '^generate_csr.*.sh$' ${HOOKS_DIR}
- unset DOMAIN
- unset CERTDIR
- unset ALTNAMES
-}
-
-startup_hook ()
-{
- # This hook is called before the cron command to do some initial tasks
- # (e.g. starting a webserver).
-
- run-parts --regex '^startup.*.sh$' ${HOOKS_DIR}
-}
-
-exit_hook ()
-{
- local ERROR="${1:-}"
-
- # This hook is called at the end of the cron command and can be used to
- # do some final (cleanup or other) tasks.
- #
- # Parameters:
- # - ERROR
- # Contains error message if dehydrated exits with error
- export ERROR
- run-parts --regex '^exit_hook.*.sh$' ${HOOKS_DIR}
- unset ERROR
-}
-
-HANDLER="$1"; shift
-if echo "${HANDLER}" | grep -o -E '^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$'
-then
- "$HANDLER" "$@"
-fi |