acme-common: use validation_method option instead of guessing
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1 then it's standalone
3. otherwise fall back to webroot
The logic is preserved: if validation_method wasn't set explicitly, we guess it in the old manner.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
parent
5ad1f0ebbe
commit
7d07c75154
|
@ -8,6 +8,7 @@ config cert 'example_wildcard'
|
||||||
list domains example.org
|
list domains example.org
|
||||||
list domains sub.example.org
|
list domains sub.example.org
|
||||||
list domains *.sub.example.org
|
list domains *.sub.example.org
|
||||||
|
option validation_method dns
|
||||||
option dns "dns_freedns"
|
option dns "dns_freedns"
|
||||||
list credentials 'FREEDNS_User="ssladmin@example.org"'
|
list credentials 'FREEDNS_User="ssladmin@example.org"'
|
||||||
list credentials 'FREEDNS_Password="1234"'
|
list credentials 'FREEDNS_Password="1234"'
|
||||||
|
@ -19,3 +20,4 @@ config cert 'example'
|
||||||
option staging 1
|
option staging 1
|
||||||
list domains example.org
|
list domains example.org
|
||||||
list domains sub.example.org
|
list domains sub.example.org
|
||||||
|
validation_method webroot
|
||||||
|
|
|
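Review bot: The line added to `config cert 'example'` in the second hunk reads `validation_method webroot` without the `option` keyword, unlike the `option validation_method dns` added to `example_wildcard` in the first hunk. As rendered here, UCI would not treat it as an option of the section, so the shipped example would either fail to parse or leave validation_method unset and fall back to the guessing path this commit is meant to retire. It should read `option validation_method webroot`.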
@ -56,8 +56,8 @@ load_options() {
|
||||||
export acme_server
|
export acme_server
|
||||||
config_get days "$section" days
|
config_get days "$section" days
|
||||||
export days
|
export days
|
||||||
config_get standalone "$section" standalone 0
|
config_get standalone "$section" standalone
|
||||||
export standalone
|
[ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."
|
||||||
config_get dns_wait "$section" dns_wait
|
config_get dns_wait "$section" dns_wait
|
||||||
export dns_wait
|
export dns_wait
|
||||||
config_get webroot "$section" webroot
|
config_get webroot "$section" webroot
|
||||||
|
@ -65,6 +65,20 @@ load_options() {
|
||||||
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
|
log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR."
|
||||||
CHALLENGE_DIR=$webroot
|
CHALLENGE_DIR=$webroot
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
config_get validation_method "$section" validation_method
|
||||||
|
# if validation_method isn't set then guess it
|
||||||
|
if [ -z "$validation_method" ]; then
|
||||||
|
if [ -n "$dns" ]; then
|
||||||
|
validation_method="dns"
|
||||||
|
elif [ "$standalone" = 1 ]; then
|
||||||
|
validation_method="standalone"
|
||||||
|
else
|
||||||
|
validation_method="webroot"
|
||||||
|
fi
|
||||||
|
log warn "Please set \"option validation_method $validation_method\"."
|
||||||
|
fi
|
||||||
|
export validation_method
|
||||||
}
|
}
|
||||||
|
|
||||||
first_arg() {
|
first_arg() {
|
||||||
|
@ -78,11 +92,11 @@ get_cert() {
|
||||||
[ "$enabled" = 1 ] || return
|
[ "$enabled" = 1 ] || return
|
||||||
|
|
||||||
load_options "$section"
|
load_options "$section"
|
||||||
if [ -z "$dns" ] && [ "$standalone" = 0 ]; then
|
if [ "$validation_method" = "webroot" ]; then
|
||||||
mkdir -p "$CHALLENGE_DIR"
|
mkdir -p "$CHALLENGE_DIR"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$standalone" = 1 ] && [ -z "$NFT_HANDLE" ]; then
|
if [ "$validation_method" = "standalone" ] && [ -z "$NFT_HANDLE" ]; then
|
||||||
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
|
if ! NFT_HANDLE=$(nft -a -e insert rule inet fw4 input tcp dport 80 counter accept comment ACME | grep -o 'handle [0-9]\+'); then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
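Review bot: In the `load_options()` hunk, the value read by `config_get validation_method "$section" validation_method` is exported without being checked against the three supported values. A misspelled method (for example a constructed `standalon`) therefore reaches `get_cert()`, where neither the `webroot` branch nor the `standalone` firewall branch matches, and the run continues with no challenge directory and no port 80 rule. An explicit `dns` method with an empty `dns` provider is not rejected either. I would validate with a `case` just before `export validation_method` and make `get_cert()` honour the failure; `log err` is assumed to be accepted by the `log` helper, which is defined outside the hunks. Separately, `export standalone` was dropped, so any hook that still reads `$standalone` from the environment would now see it unset, which is worth confirming in the consuming packages.

```shell
	# … unchanged: guessing of validation_method when it is unset …
	case "$validation_method" in
	dns)
		if [ -z "$dns" ]; then
			log err "validation_method is \"dns\" but option \"dns\" is not set."
			return 1
		fi
		;;
	webroot | standalone) ;;
	*)
		log err "Unknown validation_method \"$validation_method\"."
		return 1
		;;
	esac
	export validation_method

	# in get_cert(), replacing the bare load_options call:
	load_options "$section" || return 1
```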