#!/bin/sh HOOKS_DIR="/etc/dehydrated/hook.d" deploy_challenge () { local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" # This hook is called once for every domain that needs to be # validated, including any alternative names you may have listed. # # Parameters: # - DOMAIN # The domain name (CN or subject alternative name) being # validated. # - TOKEN_FILENAME # The name of the file containing the token to be served for HTTP # validation. Should be served by your web server as # /.well-known/acme-challenge/${TOKEN_FILENAME}. # - TOKEN_VALUE # The token value that needs to be served for validation. For DNS # validation, this is what you want to put in the _acme-challenge # TXT record. For HTTP validation it is the value that is expected # be found in the $TOKEN_FILENAME file. export DOMAIN export TOKEN_FILENAME export TOKEN_VALUE run-parts --regex '^deploy_challenge.*.sh$' ${HOOKS_DIR} unset DOMAIN unset TOKEN_FILENAME unset TOKEN_VALUE } clean_challenge () { local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" # This hook is called after attempting to validate each domain, # whether or not validation was successful. Here you can delete # files or DNS records that are no longer needed. # # The parameters are the same as for deploy_challenge. export DOMAIN export TOKEN_FILENAME export TOKEN_VALUE run-parts --regex '^clean_challenge.*.sh$' ${HOOKS_DIR} unset DOMAIN unset TOKEN_FILENAME unset TOKEN_VALUE } sync_cert () { local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" # This hook is called after the certificates have been created but before # they are symlinked. This allows you to sync the files to disk to prevent # creating a symlink to empty files on unexpected system crashes. # # This hook is not intended to be used for further processing of certificate # files, see deploy_cert for that. # # Parameters: # - KEYFILE # The path of the file containing the private key. # - CERTFILE # The path of the file containing the signed certificate. # - FULLCHAINFILE # The path of the file containing the full certificate chain. # - CHAINFILE # The path of the file containing the intermediate certificate(s). # - REQUESTFILE # The path of the file containing the certificate signing request. export KEYFILE export CERTFILE export FULLCHAINFILE export CHAINFILE export REQUESTFILE run-parts --regex '^sync_cert.*.sh$' ${HOOKS_DIR} unset KEYFILE unset CERTFILE unset FULLCHAINFILE unset CHAINFILE unset REQUESTFILE } deploy_cert () { local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" # This hook is called once for each certificate that has been # produced. Here you might, for instance, copy your new certificates # to service-specific locations and reload the service. # # Parameters: # - DOMAIN # The primary domain name, i.e. the certificate common # name (CN). # - KEYFILE # The path of the file containing the private key. # - CERTFILE # The path of the file containing the signed certificate. # - FULLCHAINFILE # The path of the file containing the full certificate chain. # - CHAINFILE # The path of the file containing the intermediate certificate(s). # - TIMESTAMP # Timestamp when the specified certificate was created. export DOMAIN export KEYFILE export CERTFILE export FULLCHAINFILE export CHAINFILE export TIMESTAMP run-parts --regex '^deploy_cert.*.sh$' ${HOOKS_DIR} unset DOMAIN unset CERTFILE unset FULLCHAINFILE unset CHAINFILE unset TIMESTAMP } deploy_ocsp () { local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" # This hook is called once for each updated ocsp stapling file that has # been produced. Here you might, for instance, copy your new ocsp stapling # files to service-specific locations and reload the service. # # Parameters: # - DOMAIN # The primary domain name, i.e. the certificate common # name (CN). # - OCSPFILE # The path of the ocsp stapling file # - TIMESTAMP # Timestamp when the specified ocsp stapling file was created. export DOMAIN export OCSPFILE export TIMESTAMP run-parts --regex '^deploy_ocsp.*.sh$' ${HOOKS_DIR} unset DOMAIN unset OCSPFILE unset TIMESTAMP } unchanged_cert () { local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" # This hook is called once for each certificate that is still # valid and therefore wasn't reissued. # # Parameters: # - DOMAIN # The primary domain name, i.e. the certificate common # name (CN). # - KEYFILE # The path of the file containing the private key. # - CERTFILE # The path of the file containing the signed certificate. # - FULLCHAINFILE # The path of the file containing the full certificate chain. # - CHAINFILE # The path of the file containing the intermediate certificate(s). export DOMAIN export KEYFILE export CERTFILE export FULLCHAINFILE export CHAINFILE run-parts --regex '^unchanged_cert.*.sh$' ${HOOKS_DIR} unset DOMAIN unset CERTFILE unset FULLCHAINFILE unset CHAINFILE } invalid_challenge () { local DOMAIN="${1}" RESPONSE="${2}" # This hook is called if the challenge response has failed, so domain # owners can be aware and act accordingly. # # Parameters: # - DOMAIN # The primary domain name, i.e. the certificate common # name (CN). # - RESPONSE # The response that the verification server returned # Simple example: Send mail to root # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root export DOMAIN export RESPONSE run-parts --regex '^invalid_challenge.*.sh$' ${HOOKS_DIR} unset DOMAIN unset RESPONSE } request_failure () { local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" # This hook is called when an HTTP request fails (e.g., when the ACME # server is busy, returns an error, etc). It will be called upon any # response code that does not start with '2'. Useful to alert admins # about problems with requests. # # Parameters: # - STATUSCODE # The HTML status code that originated the error. # - REASON # The specified reason for the error. # - REQTYPE # The kind of request that was made (GET, POST...) # - HEADERS # HTTP headers returned by the CA export STATUSCODE export REASON export REQTYPE export HEADERS run-parts --regex '^request_failure.*.sh$' ${HOOKS_DIR} unset STATUSCODE unset REASON unset REQTYPE unset HEADERS } generate_csr () { local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" # This hook is called before any certificate signing operation takes place. # It can be used to generate or fetch a certificate signing request with external # tools. # The output should be just the cerificate signing request formatted as PEM. # # Parameters: # - DOMAIN # The primary domain as specified in domains.txt. This does not need to # match with the domains in the CSR, it's basically just the directory name. # - CERTDIR # Certificate output directory for this particular certificate. Can be used # for storing additional files. # - ALTNAMES # All domain names for the current certificate as specified in domains.txt. # Again, this doesn't need to match with the CSR, it's just there for convenience. # Simple example: Look for pre-generated CSRs # if [ -e "${CERTDIR}/pre-generated.csr" ]; then # cat "${CERTDIR}/pre-generated.csr" # fi export DOMAIN export CERTDIR export ALTNAMES run-parts --regex '^generate_csr.*.sh$' ${HOOKS_DIR} unset DOMAIN unset CERTDIR unset ALTNAMES } startup_hook () { # This hook is called before the cron command to do some initial tasks # (e.g. starting a webserver). run-parts --regex '^startup.*.sh$' ${HOOKS_DIR} } exit_hook () { local ERROR="${1:-}" # This hook is called at the end of the cron command and can be used to # do some final (cleanup or other) tasks. # # Parameters: # - ERROR # Contains error message if dehydrated exits with error export ERROR run-parts --regex '^exit_hook.*.sh$' ${HOOKS_DIR} unset ERROR } HANDLER="$1"; shift if echo "${HANDLER}" | grep -o -E '^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$' then "$HANDLER" "$@" fi