acme-common: use validation_method option instead of guessing

The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot

The logic is preserved: if validation_method wasn't set explicitly we'll guess it in the old manner.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Sergey Ponomarev 2024-02-28 21:59:27 +02:00 committed by Toke Høiland-Jørgensen
parent 5ad1f0ebbe
commit 7d07c75154
2 changed files with 20 additions and 4 deletions


@ -8,6 +8,7 @@ config cert 'example_wildcard'
list domains example.org
list domains sub.example.org
list domains *.sub.example.org
option validation_method dns
option dns "dns_freedns"
list credentials 'FREEDNS_User="ssladmin@example.org"'
list credentials 'FREEDNS_Password="1234"'
@ -19,3 +20,4 @@ config cert 'example'
option staging 1
list domains example.org
list domains sub.example.org
validation_method webroot
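Review bot: The line added to the 'example' section, `validation_method webroot`, is missing the `option` keyword that every other setting in this file carries, including the parallel `option validation_method dns` added to the 'example_wildcard' section above. A bare `name value` line is not valid UCI syntax, so the example as committed does not actually set the new option for the webroot case and will presumably be rejected or ignored when the file is parsed. Change it to `option validation_method webroot`. Since this example is the only documentation of the new option for the non-DNS path, it is worth getting right before users copy it.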


@ -56,8 +56,8 @@ load_options() {
export acme_server
config_get days "$section" days
export days
config_get standalone "$section" standalone 0
export standalone
config_get standalone "$section" standalone
[ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
config_get dns_wait "$section" dns_wait
export dns_wait
config_get webroot "$section" webroot
@ -65,6 +65,20 @@ load_options() {
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
CHALLENGE_DIR=$webroot
fi
config_get validation_method "$section" validation_method
# if validation_method isn't set then guess it
if [ -z "$validation_method" ]; then
if [ -n "$dns" ]; then
validation_method="dns"
elif [ "$standalone" = 1 ]; then
validation_method="standalone"
else
validation_method="webroot"
fi
log warn "Please set \"option validation_method $validation_method\"."
fi
export validation_method
}
first_arg() {
@ -78,11 +92,11 @@ get_cert() {
[ "$enabled" = 1 ] || return
load_options "$section"
if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
if [ "$validation_method" = "webroot" ]; then
mkdir -p "$CHALLENGE_DIR"
fi
if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
return 1
fi