diff options
Diffstat (limited to '')
-rw-r--r-- | dehydrated/TODO | 2 | ||||
-rwxr-xr-x | dehydrated/bin/dehydrated-nsupdate | 2 | ||||
-rwxr-xr-x | dehydrated/share/hooks/deploy_cert.extra | 46 | ||||
-rwxr-xr-x | dehydrated/share/hooks/exit_hook.service-reload | 10 |
4 files changed, 51 insertions, 9 deletions
diff --git a/dehydrated/TODO b/dehydrated/TODO index efbd047..b6cc845 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -1,7 +1,9 @@ TODO ==== + * add cleanup hook for extra certificates * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook * use settings from _dehydrated.$domain.$tld for automatic configuration + * allow to configure 'use NS records' or 'use mname in SOA' per zone/tsig diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index c6bf6c5..657cc48 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate @@ -199,7 +199,7 @@ do esac fi - echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." + echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}.." # shellcheck disable=SC2086 echo "server ${NAMESERVER} diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra index 56ca2f4..fd93fad 100755 --- a/dehydrated/share/hooks/deploy_cert.extra +++ b/dehydrated/share/hooks/deploy_cert.extra @@ -25,15 +25,47 @@ echo -n " + Creating extra certificate files..." DIRECTORY="$(dirname "${CERTFILE}")" -# root and intermediate CA -TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" -grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' +if [ "$(grep -c 'BEGIN CERTIFICATE' ${FULLCHAINFILE})" -ge 3 ] +then + # - chain.pem: R3 | ISRG Root X1 + # - fullchain.pem: Certificate | R3 | ISRG Root X1 + CHAIN="long" +else + # - chain.pem: R3 + # - fullchain.pem: Certificate | R3 + CHAIN="short" +fi -mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" +case "${CHAIN}" in + long) + # split chain.pem + TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" + grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' -mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" -ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + # intermediate (R3) + mv "${TMPFILE}00" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + mv "${TMPFILE}01" "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + ;; + + short) + # intermediate (R3) + cp "${DIRECTORY}/chain-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/intermediate.pem" + + # root (ISRG Root X1) + ISSUER_URI="$(openssl x509 -in "${DIRECTORY}/chain-${TIMESTAMP}.pem" -text -noout | grep 'Authority Information Access:' -A1 | awk -FURI: '/http/ { print $2 }')" + + if [ -n "${ISSUER_URI}" ] + then + wget -q "${ISSUER_URI}" -O - | openssl x509 -outform PEM > "${DIRECTORY}/root-${TIMESTAMP}.pem" + ln -sf "${DIRECTORY}/root-${TIMESTAMP}.pem" "${DIRECTORY}/root.pem" + fi + ;; +esac # extra certificate permutations: # * privkey_fullchain.pem: postfix diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index c62c133..6d20eb9 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload @@ -38,6 +38,14 @@ Run_chrony () fi } +Run_freeradius () +{ + if grep -Eqrs 'certificate_file = /var/lib/dehydrated' /etc/freeradius/*/* + then + service freeradius reload + fi +} + Run_haproxy () { if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' @@ -96,7 +104,7 @@ Run_redis_server () echo " + Reloading services:" -SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" +SERVICES="apache2 chrony freeradius haproxy knot-resolver postfix postgresql redis-sentinel redis-server" for SERVICE in ${SERVICES} do |