From 4f6f4ec1f2ef749e9087b3dc8918dbcd20c01ea0 Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Tue, 24 Oct 2017 22:51:11 +0000 Subject: [PATCH] - better hook script supporting per certificate or global scripts --- hook.sh | 121 ++++++++++++++++++++++---------------------------------- 1 file changed, 48 insertions(+), 73 deletions(-) diff --git a/hook.sh b/hook.sh index d5387a4..b4e1754 100755 --- a/hook.sh +++ b/hook.sh @@ -1,82 +1,57 @@ #!/bin/sh -# concat file atomic way -atomic_concat() { - local file=$1; shift - > $file.new - chmod 600 $file.new - cat "$@" > $file.new - cp -f $file $file.dehydrated~ - mv -f $file.new $file -} +# Directory with per certificate hook scripts called after +# certificate is successfully deployed +HOOKS_D="/etc/dehydrated/hooks.d" -lighttpd_reload() { - if [ ! -x /usr/sbin/lighttpd ] || [ ! -f /etc/lighttpd/server.pem ]; then - return - fi - - echo " + Hook: Overwritting /etc/lighttpd/server.pem and reloading lighttpd..." - atomic_concat /etc/lighttpd/server.pem "$FULLCHAINCERT" "$PRIVKEY" - /sbin/service lighttpd reload -} - -haproxy_reload() { - if [ ! -x /usr/sbin/haproxy ] || [ ! -f /etc/haproxy/server.pem ]; then - return - fi - - echo " + Hook: Overwritting /etc/haproxy/server.pem and restarting haproxy..." - atomic_concat /etc/haproxy/server.pem "$FULLCHAINCERT" "$PRIVKEY" - /sbin/service haproxy reload -} - -nginx_reload() { - if [ ! -f /etc/nginx/server.crt ] || [ ! -f /etc/nginx/server.key ]; then - return - fi - - echo " + Hook: Overwritting /etc/nginx/server.{crt,key} and reloading nginx..." - atomic_concat /etc/nginx/server.crt "$FULLCHAINCERT" - atomic_concat /etc/nginx/server.key "$PRIVKEY" - /sbin/service nginx reload -} - -httpd_reload() { - if [ ! -x /etc/rc.d/init.d/httpd ]; then - return - fi - - echo " + Hook: Reloading Apache..." - /sbin/service httpd graceful -} - - -case "$1" in +HANDLER="${1}" +shift +case "${HANDLER}" in deploy_cert) - DOMAIN="$2" - PRIVKEY="$3" - CERT="$4" - FULLCHAINCERT="$5" - CHAINCERT="$6" - TIMESTAMP="$7" - - lighttpd_reload - nginx_reload - httpd_reload - haproxy_reload - ;; + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" + if [[ -n "${HOOKS_D}" ]]; then + if [[ ! -d "${HOOKS_D}" ]]; then + echo " + Hook: ${HANDLER}: The path ${HOOKS_D} specified for HOOKS_D does not point to a directory." + else + if [[ -f "${HOOKS_D}/${DOMAIN}" ]]; then + if [[ -r "${HOOKS_D}/${DOMAIN}" ]]; then + echo " + Hook: ${HANDLER}: Executing hook script for certificate ${DOMAIN}." + . "${HOOKS_D}/${DOMAIN}" + else + echo " + Hook: ${HANDLER}: Cannot execute hook script for certificate ${DOMAIN}." + fi + else + if [[ -f "${HOOKS_D}/global" ]] && [[ -r "${HOOKS_D}/global" ]]; then + echo " + Hook: ${HANDLER}: Executing global hook script" + . "${HOOKS_D}/global" + else + echo " + Hook: ${HANDLER}: Cannot execute global hook script." + fi + fi + fi + fi + ;; clean_challenge) - CHALLENGE_TOKEN="$2" - KEYAUTH="$3" - echo " + Hook: $1: Nothing to do..." - ;; + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; deploy_challenge) - echo " + Hook: $1: Nothing to do..." - ;; + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; +invalid_challenge) + local DOMAIN="${1}" RESPONSE="${2}" + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; +request_failure) + local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; unchanged_cert) - echo " + Hook: $1: Nothing to do..." - ;; + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; *) - echo " + Hook: $1: Nothing to do..." - ;; + echo " + Hook: ${HANDLER}: Nothing to do..." + ;; esac -- 2.46.0