summaryrefslogtreecommitdiffstats
path: root/dehydrated
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--dehydrated/TODO2
-rwxr-xr-xdehydrated/bin/dehydrated-nsupdate2
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra46
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload10
4 files changed, 51 insertions, 9 deletions
diff --git a/dehydrated/TODO b/dehydrated/TODO
index efbd047..b6cc845 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -1,7 +1,9 @@
TODO
====
+ * add cleanup hook for extra certificates
* add manpages for individual dehydrated hooks
* use /etc/default for dehydrated-cron
* use /etc/default for dehydrated-hook
* use settings from _dehydrated.$domain.$tld for automatic configuration
+ * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index c6bf6c5..657cc48 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -199,7 +199,7 @@ do
esac
fi
- echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
+ echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.."
# shellcheck disable=SC2086
echo "server ${NAMESERVER}
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
index 56ca2f4..fd93fad 100755
--- a/dehydrated/share/hooks/deploy_cert.extra
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..."
DIRECTORY="$(dirname "${CERTFILE}")"
-# root and intermediate CA
-TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
-grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ]
+then
+ # - chain.pem: R3 | ISRG Root X1
+ # - fullchain.pem: Certificate | R3 | ISRG Root X1
+ CHAIN="long"
+else
+ # - chain.pem: R3
+ # - fullchain.pem: Certificate | R3
+ CHAIN="short"
+fi
-mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+case "${CHAIN}" in
+ long)
+ # split chain.pem
+ TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+ grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
-mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
-ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ # intermediate (R3)
+ mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ ;;
+
+ short)
+ # intermediate (R3)
+ cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem"
+
+ # root (ISRG Root X1)
+ ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')"
+
+ if [ -n "${ISSUER_URI}" ]
+ then
+ wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem"
+ ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem"
+ fi
+ ;;
+esac
# extra certificate permutations:
# * privkey_fullchain.pem: postfix
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index c62c133..6d20eb9 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -38,6 +38,14 @@ Run_chrony ()
fi
}
+Run_freeradius ()
+{
+ if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/*
+ then
+ service freeradius reload
+ fi
+}
+
Run_haproxy ()
{
if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
@@ -96,7 +104,7 @@ Run_redis_server ()
echo " + Reloading services:"
-SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
+SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
for SERVICE in ${SERVICES}
do